Cloning builder process: Operation not permitted when using Nix (under Linux) update channel

Question

I use Arch Linux 4.19.15-1-lts #1 SMP Sun Jan 13 13:53:52 CET 2019 x86_64 GNU/Linux. I do also have Nix installed: nix-env (Nix) 2.2.

I've never had any problems until the recent update to version 2.2. I always do the upgrades/updates with these two steps:

$ nix-channel --update
...
$ nix-env --upgrade
...

...but after the recent 2.2 update I can't find a way to make nix-channel --update work anymore. I'm always getting these errors:

error: cloning builder process: Operation not permitted
error: unable to start build process
error: program '/nix/store/876x7a35qbn3q062b6zcz6va88m0990d-nix-2.2/bin/nix-env' failed with exit code 1

...even if I do rollback the previous operation(s):

$ nix-channel --update 
unpacking channels...
error: cloning builder process: Operation not permitted
error: unable to start build process
error: program '/nix/store/876x7a35qbn3q062b6zcz6va88m0990d-nix-2.2/bin/nix-env' failed with exit code 1
$ nix-channel --rollback 
switching from generation 40 to 39
$ nix-channel --update 
unpacking channels...
error: cloning builder process: Operation not permitted
error: unable to start build process
error: program '/nix/store/876x7a35qbn3q062b6zcz6va88m0990d-nix-2.2/bin/nix-env' failed with exit code 1

This is what I have in the update list:

$ nix-channel --list 
nixpkgs https://nixos.org/channels/nixpkgs-unstable

...and eventually I can't even delete that:

$ nix-channel --remove nixpkgs 
uninstalling 'nixpkgs-19.03pre165281.7d864c6bd63'
error: cloning builder process: Operation not permitted
error: unable to start build process
error: program '/nix/store/876x7a35qbn3q062b6zcz6va88m0990d-nix-2.2/bin/nix-env' failed with exit code 1

I would like to avoid a reinstall.

---

UPDATE

I couldn't wait! O:)

I went ahead and removed the current installation...and when I do a fresh install I basically got the same result:

$ sh <(curl https://nixos.org/nix/install) --no-daemon 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2476  100  2476    0     0   5417      0 --:--:-- --:--:-- --:--:--  5406
downloading Nix 2.2.1 binary tarball for x86_64-linux from 'https://nixos.org/releases/nix/nix-2.2.1/nix-2.2.1-x86_64-linux.tar.bz2' to '/tmp/nix-binary-tarball-unpack.n5vqvsi4Uq'...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22.5M  100 22.5M    0     0  4016k      0  0:00:05  0:00:05 --:--:-- 4377k
Note: a multi-user installation is possible. See https://nixos.org/nix/manual/#sect-multi-user-installation
performing a single-user installation of Nix...
directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown x80486 /nix' using sudo
[sudo] password for x80486: 
copying Nix to /nix/store.................................
initialising Nix database...
Nix: creating /home/x80486/.nix-profile
installing 'nix-2.2.1'
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.n5vqvsi4Uq/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile

...so looks like there is, in general, something going on with Linux (or specifically the distro that use) and Nix.

Answer 1

Following the suggestion in this comment resolves the problem:

sysctl kernel.unprivileged_userns_clone=1

Answer 2

Nix uses quite a lot of flags for the clone, mainly to detach some linux namespaces. I expect your system doesn't support some of these for unprivileged processes. IIRC some distros chose that because of security concerns.