buildpacks/nix: disable sandboxing

The version bump #915 broke the Nix buildpack in case one does a build. Nix 2.3 enables sandboxing by default. Building inside a Docker container, while Nix is having sandboxing enabled is not possible. Thus, sandbox = false should be set in /etc/nix/nix.conf.
2020-11-28 10:31:52 +01:00 · 2020-11-28 10:31:52 +01:00 · 5c4c2dc40e
commit 5c4c2dc40e
--- a/repo2docker/buildpacks/nix/init.py
+++ b/repo2docker/buildpacks/nix/init.py
@ -23,17 +23,22 @@ class NixBuildPack(BaseImage):
        """
        Return series of build-steps common to all nix repositories.
        Notice how only root privileges are needed for creating nix
-        directory.
+        directory and a nix.conf file.

         - create nix directory for user nix installation
+         - disable sandboxing because its unsupported inside a Docker container
         - install nix package manager for user
+
        """
        return super().get_build_scripts() + [
            (
                "root",
                """
            mkdir -m 0755 /nix && \
-            chown -R ${NB_USER}:${NB_USER} /nix /usr/local/bin/nix-shell-wrapper /home/${NB_USER}
+            chown -R ${NB_USER}:${NB_USER} /nix /usr/local/bin/nix-shell-wrapper /home/${NB_USER} && \
+            mkdir -p /etc/nix && \
+            touch /etc/nix/nix.conf && \
+            echo "sandbox = false" >> /etc/nix/nix.conf
            """,
            ),
            (
--- a/tests/nix/test-building/README.rst
+++ b/tests/nix/test-building/README.rst
@ -0,0 +1,4 @@
+Check that we can build
+-----------------------
+
+Test that actual building instead of substituting (downloading an existing build) works.
--- a/tests/nix/test-building/default.nix
+++ b/tests/nix/test-building/default.nix
@ -0,0 +1,27 @@
+let
+  # Pinning nixpkgs to specific release
+  # To get sha256 use "nix-prefetch-git <url> --rev <commit>"
+  commitRev="5574b6a152b1b3ae5f93ba37c4ffd1981f62bf5a";
+  nixpkgs = builtins.fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/${commitRev}.tar.gz";
+    sha256 = "1pqdddp4aiz726c7qs1dwyfzixi14shp0mbzi1jhapl9hrajfsjg";
+  };
+  pkgs = import nixpkgs { config = { allowUnfree = true; }; };
+
+  # Test that we can actually build
+  test-build = pkgs.runCommand "test-build" { } ''
+    touch $out
+  '';
+
+in
+pkgs.mkShell {
+  buildInputs = with pkgs; [
+    python36Packages.numpy
+    python36Packages.notebook
+    test-build
+  ];
+
+  shellHook = ''
+    export NIX_PATH="nixpkgs=${nixpkgs}:."
+  '';
+}
--- a/tests/nix/test-building/verify
+++ b/tests/nix/test-building/verify
@ -0,0 +1,3 @@
+#!/usr/bin/env python
+
+import numpy