Describe the bug
Running nix-collect-garbage inside a linux/amd64 container on Apple Silicon (Rosetta emulation) fails with:
error: read of 65536 bytes: Operation not permitted
0 store paths deleted, 0.0 KiB freed
(exit 1)
The same Dockerfile and image build cleanly on OrbStack 2.1.3, where nix-collect-garbage exits 0 and frees store paths normally.
The error appears to come from the Nix daemon (nix-daemon) during the GC root discovery phase, after profile generations have been removed and stale gcroot symlinks have been pruned. The failing read is 65536 bytes — consistent with a /proc-or-similar read — but the actual failing syscall is in nix-daemon, not the nix-collect-garbage client, so it's not visible in an strace of the client.
One observed difference between versions on an otherwise-identical container: /proc/1/exe resolves to /mnt/rv/[rosetta] on 2.1.3 and to /usr/bin/bash on 2.2.1. The 2.2.0 changelog mentions "Fixed Rosetta wrapper showing in process command lines", and the bug appears to start with 2.2.0; this may be the relevant change.
Versions:
- Broken: OrbStack 2.2.1, VM kernel 7.0.11-orbstack-00360-gc9bc4d96ac70
- Works: OrbStack 2.1.3, VM kernel 7.0.5-orbstack-00330-ge3df4e19b0a0-dirty
Environment:
- Host: macOS 15.6.1 on Apple Silicon (arm64)
- Container: ubuntu:jammy running as linux/amd64 via Rosetta
- Nix: 2.34.7, multi-user (--daemon) install
To Reproduce
Save this as Dockerfile:
FROM ubuntu:jammy
RUN apt-get update -y && apt-get install -y --no-install-recommends \
wget ca-certificates xz-utils sudo \
&& rm -rf /var/lib/apt/lists/*
RUN mkdir -p /etc/nix && echo "filter-syscalls = false" >> /etc/nix/nix.conf
RUN wget -qO- https://nixos.org/nix/install | sh -s -- --daemon
RUN echo "filter-syscalls = false" >> /etc/nix/nix.conf
RUN /root/.nix-profile/bin/nix-env --option filter-syscalls false -iA nixpkgs.hello
Then, on an Apple Silicon Mac:
docker buildx build --platform linux/amd64 -t nix-gc-repro --load .
docker run --rm --platform linux/amd64 nix-gc-repro \
/root/.nix-profile/bin/nix-collect-garbage --delete-old
On OrbStack 2.2.0/2.2.1 the final command exits 1 with:
error: read of 65536 bytes: Operation not permitted
0 store paths deleted, 0.0 KiB freed
On OrbStack 2.1.3 the same command exits 0 and frees ~640 KiB across ~260 store paths.
Expected behavior
nix-collect-garbage --delete-old should remove old profile generations and unreachable store paths and exit 0, as it does on OrbStack 2.1.3 with the same image.
Diagnostic report (REQUIRED)
OrbStack info:
Version: 2.2.1
Commit: 0e182b501fcd9e05b99ffb363fce03610390c400 (v2.2.1)
System info:
macOS: 15.6.1 (24G90)
CPU: arm64, 14 cores
CPU model: Apple M4 Pro
Model: Mac16,8
Memory: 48 GiB
Full report: https://orbstack.dev/_admin/diag/orbstack-diagreport_2026-06-12T21-01-13.976158Z.zip
Screenshots and additional context (optional)
No response
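
An added diagnostic sketch, not part of the original report and not Nix or OrbStack code: run as root in the same container as nix-daemon, it retries one 64 KiB read on per-process /proc files to show which path returns the error. The function name `probe_proc` and the file list (`environ`, `maps`) are assumptions about what the GC root scan reads.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from the issue, Nix, or OrbStack.
# Assumption: the failing 65536-byte read is on a per-process /proc file.
# The file list (environ, maps) is an assumption about what the GC scan reads.

# probe_proc [ROOT]
# For every numeric PID directory under ROOT (default /proc), print the exe
# link target, then attempt one 64 KiB read of each candidate file.
# Prints "FAIL <path>: <error>" per failed read; returns 1 if any read failed.
probe_proc() {
    root=${1:-/proc}
    failed=0
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # The report notes /proc/1/exe differs between OrbStack versions.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        printf 'PID %s exe=%s\n' "${dir##*/}" "$exe"
        for name in environ maps; do
            f=$dir/$name
            [ -e "$f" ] || continue
            # One read of the same size as in the reported error message.
            if ! err=$(dd if="$f" of=/dev/null bs=65536 count=1 2>&1); then
                printf 'FAIL %s: %s\n' "$f" "$(printf '%s\n' "$err" | head -n 1)"
                failed=1
            fi
        done
    done
    return "$failed"
}
```

Source the file and call `probe_proc` with no argument to scan the live /proc; comparing the output between a working and a broken OrbStack version narrows down which file the daemon cannot read.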