
nix: fix permission denied on /nix/var/nix/db/big-lock#14568

Merged
JamieMagee merged 1 commit into main from jamiemagee/nix-container-chown
Mar 28, 2026

Conversation


@JamieMagee JamieMagee commented Mar 28, 2026

What are you trying to accomplish?

The nix container image copies /nix from nixos/nix with root ownership, but the updater runs as the dependabot user. When nix flake update tries to write to the Nix store and SQLite database, it fails with:

error: opening lock file "/nix/var/nix/db/big-lock": Permission denied

Found while adding nix smoke tests: dependabot/smoke-tests#445 (failed run)

Anything you want to highlight for special attention from reviewers?

The fix is --chown=dependabot:dependabot on the COPY --from=nix line. This gives the dependabot user ownership of the entire /nix tree at copy time, which is how single-user Nix is supposed to work -- the running user owns /nix. No extra Docker layer needed compared to a separate RUN chown -R.

How will you know you've accomplished your goal?

Built the image locally and verified:

  • /nix/var/nix/db/big-lock and /nix/store are owned by dependabot
  • nix --version runs without error
  • nix flake update against a test flake completes and produces a flake.lock

The smoke test in dependabot/smoke-tests#445 should pass once this lands.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

The /nix tree was copied from nixos/nix with root ownership, but
the container runs as the dependabot user. nix flake update needs
to write to /nix/store and /nix/var, so it failed with
"Permission denied" on the SQLite lock file.

Add --chown=dependabot:dependabot to the COPY so the whole store
is owned by the running user, matching the single-user Nix model.
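The ownership checks listed in the description above (big-lock and /nix/store owned by the running user) as a runnable POSIX shell script. This is an added example, not code from dependabot-core or from the PR; the paths and the dependabot user come from the description, the function names and defaults are my own.

```shell
#!/bin/sh
# Added example (not part of the PR): verify that a Nix tree is owned by the
# runtime user, which single-user Nix requires and which the --chown on COPY
# establishes at build time. Defaults match the PR: /nix and dependabot.

# Print the owner of one path (GNU stat first, BSD stat as a fallback).
owner_of() {
  stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# List every entry under $1 whose owner is not $2, one per line.
# Empty output means the whole tree belongs to the user.
list_foreign_owned() {
  find "$1" -exec sh -c '
    user="$1"; shift
    for f; do
      owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
      [ "$owner" = "$user" ] || printf "%s (owner: %s)\n" "$f" "$owner"
    done' sh "$2" {} +
}

# Print the number of foreign-owned entries; exit 0 only when it is zero.
count_foreign_owned() {
  n=$(list_foreign_owned "$1" "$2" | wc -l | tr -d ' ')
  echo "$n"
  [ "$n" -eq 0 ]
}

# Check just the paths the PR names as the ones nix flake update must write:
# the store, the SQLite db directory and the big-lock file. Missing paths are
# skipped so the check also works on a partially populated tree.
check_nix_write_paths() {
  root="${1:-/nix}"
  user="${2:-dependabot}"
  status=0
  for p in "$root/store" "$root/var/nix/db" "$root/var/nix/db/big-lock"; do
    [ -e "$p" ] || continue
    owner=$(owner_of "$p")
    if [ "$owner" = "$user" ]; then
      echo "ok   $p"
    else
      echo "FAIL $p is owned by $owner, expected $user"
      status=1
    fi
  done
  return $status
}
```

Run it inside the built image as `check_nix_write_paths /nix dependabot` for the PR's three paths, or `count_foreign_owned /nix dependabot` for a whole-tree audit.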
@JamieMagee JamieMagee requested a review from a team as a code owner March 28, 2026 03:04
Copilot AI review requested due to automatic review settings March 28, 2026 03:04

Copilot AI left a comment


Pull request overview

Fixes Nix single-user operation inside the Dependabot Nix updater image by ensuring /nix is writable by the runtime dependabot user, preventing nix flake update from failing on the Nix DB lock file.

Changes:

  • Update the multi-stage COPY of /nix from nixos/nix to use --chown=dependabot:dependabot, making the Nix store and DB writable in the final image.

@JamieMagee JamieMagee merged commit c187ba7 into main Mar 28, 2026
89 checks passed
@JamieMagee JamieMagee deleted the jamiemagee/nix-container-chown branch March 28, 2026 03:57