feat: macOS sandbox support via Docker-based Nix builder #4
Merged
HashWarlock merged 13 commits into master, Apr 10, 2026
Conversation
On macOS, `nix build` cannot produce x86_64-linux derivations locally. This adds a Docker-based build path that runs `nix build` inside a `nixos/nix` container (linux/amd64 via Rosetta), with a persistent Docker volume for the Nix store so builds are incremental.

- docker.rs: add builder image management, `nix_build_in_docker()` and `nix_build_expr_in_docker()`; sidecar now mounts shared `nixosandbox-nix` volume instead of host `/nix/store`
- nix.rs: `build_profile`, `build_spec`, `build_with_catalog` delegate to Docker on non-Linux; `validate_rootfs` checks path format on macOS; `--accept-flake-config` added to all nix build invocations
- ci.yml: add Linux E2E test (create → exec → destroy with isolation assertion) and macOS E2E test (Docker builder + sidecar)
- New `docker/nixosandbox-builder.Dockerfile` with numtide cache config

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docker/setup-docker-action uses Lima, which crashes on GitHub's macOS runners (QEMU abort trap). Colima is more stable for CI environments. Uses --arch x86_64 to match the linux/amd64 builder requirement.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Lima 2.1.1 on ARM macOS lacks the x86_64 guest agent by default, causing `colima start --arch x86_64` to fail. The --arch flag is unnecessary: our Rust code already passes `--platform linux/amd64` to all Docker commands, which Docker handles via QEMU emulation inside the native arm64 VM.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- `nix build` runs inside a `nixos/nix` container (`linux/amd64` via Rosetta) with a persistent Docker volume (`nixosandbox-nix`) for incremental builds
- isolation=native) and macOS (Docker builder + sidecar, `isolation=docker`)

What was broken

On macOS (aarch64-darwin), `nixosandbox create` failed with:

The execution side (bwrap) had Docker sidecar support, but the build side had no macOS path.

Changes

- `docker/nixosandbox-builder.Dockerfile`: `nixos/nix` image with numtide cache + flakes
- `crates/nixosandbox/src/docker.rs`: `nix_build_in_docker()`, sidecar uses shared volume
- `crates/nixosandbox/src/nix.rs`: `--accept-flake-config` on all builds
- `.github/workflows/ci.yml`

Test plan

- `cargo test`: 20/20 pass
- `create --profile strict` via Docker builder
- `create --with openclaw,bash,cacert,coreutils` via Docker builder
- `exec <id> -- echo "Hello"` via Docker sidecar

🤖 Generated with Claude Code
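The build path this PR describes, as an added example in Rust that is not the nixosandbox crate's own code: it assembles the `docker run` argv for running `nix build` inside the `nixos/nix` image on `linux/amd64` with the `nixosandbox-nix` volume holding the store, then applies a format-only check to the store path Nix prints back, since on macOS the host cannot stat a path that exists only inside the Docker volume. The image, volume and platform names come from the page; `BuilderConfig`, `builder_argv`, `validate_store_path` and `docker_nix_build` are names chosen for this example, and mounting the volume at `/nix` (rather than only `/nix/store`) is an assumption.

```rust
// Added example, not code from the nixosandbox crate. Names of the struct
// and functions are assumptions for illustration.
use std::env;
use std::process::Command;

/// Nix base-32 alphabet used for store path hashes (no e, o, t, u).
const NIX_BASE32: &str = "0123456789abcdfghijklmnpqrsvwxyz";

/// Builder settings; the defaults are the values named on the page.
pub struct BuilderConfig {
    pub image: String,
    pub volume: String,
    pub platform: String,
}

impl Default for BuilderConfig {
    fn default() -> Self {
        Self {
            image: "nixos/nix".to_string(),
            volume: "nixosandbox-nix".to_string(),
            platform: "linux/amd64".to_string(),
        }
    }
}

/// Arguments for `docker run` that execute `nix build` inside the builder
/// container. The named volume is mounted at /nix (assumption) so later
/// builds reuse the store. Flags such as `--accept-flake-config` are left
/// to the caller via `extra_nix_args` instead of being hard-coded.
pub fn builder_argv(cfg: &BuilderConfig, installable: &str, extra_nix_args: &[&str]) -> Vec<String> {
    let mount = format!("{}:/nix", cfg.volume);
    let fixed = [
        "run", "--rm",
        "--platform", cfg.platform.as_str(),
        "-v", mount.as_str(),
        cfg.image.as_str(),
        "nix", "--extra-experimental-features", "nix-command flakes",
        "build", "--no-link", "--print-out-paths",
    ];
    let mut argv: Vec<String> = fixed.iter().map(|s| s.to_string()).collect();
    argv.extend(extra_nix_args.iter().map(|s| s.to_string()));
    argv.push(installable.to_string());
    argv
}

/// Check that `s` has the form `/nix/store/<32 base-32 chars>-<name>` and
/// nothing else: no further path components and only the characters Nix
/// allows in a store path name. Returns the trimmed path on success.
pub fn validate_store_path(s: &str) -> Result<String, String> {
    let s = s.trim();
    let rest = s
        .strip_prefix("/nix/store/")
        .ok_or_else(|| format!("not a /nix/store path: {s:?}"))?;
    if !rest.is_ascii() || rest.len() < 34 || rest.as_bytes()[32] != b'-' {
        return Err(format!("malformed store path: {s:?}"));
    }
    let (hash, name) = (&rest[..32], &rest[33..]);
    if !hash.chars().all(|c| NIX_BASE32.contains(c)) {
        return Err(format!("hash is not nix base-32: {hash}"));
    }
    // Name charset accepted by Nix; '/' is excluded, so "../" cannot appear.
    let name_ok = name
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || "+-._?=".contains(c));
    if !name_ok {
        return Err(format!("invalid store path name: {name:?}"));
    }
    Ok(s.to_string())
}

/// Run the containerised build and return the validated out path, which
/// `--print-out-paths` emits as the last line of stdout.
pub fn docker_nix_build(cfg: &BuilderConfig, installable: &str, extra_nix_args: &[&str]) -> Result<String, String> {
    let argv = builder_argv(cfg, installable, extra_nix_args);
    let out = Command::new("docker")
        .args(&argv)
        .output()
        .map_err(|e| format!("failed to start docker: {e}"))?;
    if !out.status.success() {
        return Err(format!("docker/nix failed: {}", String::from_utf8_lossy(&out.stderr)));
    }
    let stdout = String::from_utf8_lossy(&out.stdout);
    let last = stdout.lines().last().ok_or("nix printed no out path")?;
    validate_store_path(last)
}

fn main() {
    let installable = env::args().nth(1).unwrap_or_else(|| "nixpkgs#hello".to_string());
    let cfg = BuilderConfig::default();
    // Print the command for inspection; only run it when RUN_BUILD is set.
    println!("docker {}", builder_argv(&cfg, &installable, &[]).join(" "));
    if env::var_os("RUN_BUILD").is_some() {
        match docker_nix_build(&cfg, &installable, &[]) {
            Ok(p) => println!("out path: {p}"),
            Err(e) => eprintln!("{e}"),
        }
    }
}
```

`--accept-flake-config` is passed through `extra_nix_args` rather than baked in because that flag makes Nix apply the flake's own `nixConfig` (for example extra substituters and their public keys) without prompting, so enabling it is a trust decision about the flake being built, not a property of the builder.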