authorFranz Pletz <fpletz@fnordicwalking.de>2019-09-25 09:34:17 +0000
committerGitHub <noreply@github.com>2019-09-25 09:34:17 +0000
commit66967ec7521d065f605795d64ddbbbd4fcd448c3 (patch)
treec99735a34270f1ca9da366eafcc5b5fce16c7f7f
parentfb6595eafdb90ef0bc7a31c2bfc9204e4cad11d9 (diff)
parentdb9b5f5525225acf20f0f030e95532d192b3baac (diff)
Merge pull request #67232 from ck3d/container-useHostResolvConf
machinectl compliant NixOS installation
-rw-r--r--nixos/doc/manual/installation/installing-nspawn-container.xml37
-rw-r--r--nixos/doc/manual/installation/installing.xml3
-rw-r--r--nixos/modules/installer/tools/nixos-install.sh3
-rw-r--r--nixos/modules/system/activation/activation-script.nix7
-rw-r--r--nixos/modules/virtualisation/container-config.nix2
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/systemd-machinectl.nix52
7 files changed, 103 insertions, 2 deletions
diff --git a/nixos/doc/manual/installation/installing-nspawn-container.xml b/nixos/doc/manual/installation/installing-nspawn-container.xml
new file mode 100644
index 000000000000..ae893c53c905
--- /dev/null
+++ b/nixos/doc/manual/installation/installing-nspawn-container.xml
@@ -0,0 +1,37 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         version="5.0"
+         xml:id="sec-installing-nspawn-container">
+ <title>Installing into a nspawn container</title>
+
+ <para>
+  For installing a NixOS into a systemd nspawn container the NixOS installation tools are needed.
+  If you run another distribution than NixOS on your host,
+  please follow <xref linkend="sec-installing-from-other-distro"/> steps 1, 2, and 3.
+ </para>
+
+ <para>
+  Create a NixOS configuration file <filename>/var/lib/machines/my-container/etc/nixos/configuration.nix</filename>.
+  It is important that the container root file system is under <filename>/var/lib/machines</filename>.
+  This is the standard location where <command>machinectl</command> will look for containers.
+  If you choose place the root into another location you need to start the container directly with <command>systemd-nspawn</command>.
+  The file needs to have at least following options enabled:
+<programlisting>
+<xref linkend="opt-boot.isContainer"/> = true;
+<xref linkend="opt-boot.loader.initScript.enable"/> = true;
+</programlisting>
+  If your host uses <command>systemd-networkd</command> to configure the network,
+  you can also enable <xref linkend="opt-networking.useNetworkd"/> to use networkd default network configuration for your host and container.
+ </para>
+
+ <para>
+  Install the container by running following command:
+   <screen>nixos-install --root /var/lib/machines/my-container \
+     --no-channel-copy --no-root-passwd --no-bootloader</screen>
+ </para>
+
+ <para>
+  Start the container by running following command:
+  <screen>machinectl start my-container</screen>
+ </para>
+
+</section>
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml
index f1e1568c0349..270372022fac 100644
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -563,5 +563,8 @@ Retype new UNIX password: ***</screen>
   <xi:include href="installing-from-other-distro.xml" />
 
   <xi:include href="installing-behind-a-proxy.xml" />
+
+  <xi:include href="installing-nspawn-container.xml" />
+
  </section>
 </chapter>
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 8685cb345e1e..be3b5c0687a6 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -132,8 +132,9 @@ if [[ -z $noBootLoader ]]; then
     echo "installing the boot loader..."
     # Grub needs an mtab.
     ln -sfn /proc/mounts $mountPoint/etc/mtab
-    NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
+    export NIXOS_INSTALL_BOOTLOADER=1
 fi
+nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
 
 # Ask the user to set a root password, but only if the passwd command
 # exists (i.e. when mutable user accounts are enabled).
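Review bot: The new `export NIXOS_INSTALL_BOOTLOADER=1` inside the `if` keeps the variable in the installer's environment for the rest of the script, whereas the removed per-command assignment scoped it to the single nixos-enter invocation; anything the script runs through nixos-enter after this point (presumably the passwd step the following comment introduces, which is outside the hunk) would now inherit it. Add `unset NIXOS_INSTALL_BOOTLOADER` directly after the unconditional `nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot` line so the flag does not outlive the one call that needs it. Since switch-to-configuration now runs for every install, a short comment on that line stating that it is the step which makes the system bootable even with `--no-bootloader` would help, because the intent is no longer obvious from the surrounding `if`. The `if [[ -z $noBootLoader ]]` block starts before the hunk.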
diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix
index ddfd1af4a319..2f716f92c62e 100644
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -184,7 +184,14 @@ in
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
         chown root:root /var/empty
+
+        ${ # reasons for not setting immutable flag:
+           # 1. flag is not changeable inside a container
+           # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+           #    then the owner is nobody and ssh will not start
+          optionalString (!config.boot.isContainer) ''
         ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+          ''}
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
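Review bot: The comment above the new `optionalString` guard lists two reasons, but the first does not justify the guard on its own: `chattr -f +i /var/empty || true` already makes a failed flag change inside a container silent, so the operative reason is the second, that an immutable /var/empty cannot be re-owned by systemd-nspawn under `--private-users-chown`, which is presumably why ssh then fails. This matters because the guard drops a hardening step (the immutable bit) for every container build, not only user-namespaced ones, and a reader who takes reason 1 at face value may assume it could be restored. Suggest rewording the comment to `# chattr already fails silently in a container; the guard exists because an immutable /var/empty cannot be re-owned by systemd-nspawn --private-users-chown, leaving it owned by nobody and breaking sshd`. The enclosing activation-script string starts before the hunk.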
diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix
index 604fb8a75932..ca7f126c59f6 100644
--- a/nixos/modules/virtualisation/container-config.nix
+++ b/nixos/modules/virtualisation/container-config.nix
@@ -10,7 +10,7 @@ with lib;
     services.udisks2.enable = mkDefault false;
     powerManagement.enable = mkDefault false;
 
-    networking.useHostResolvConf = mkDefault true;
+    networking.useHostResolvConf = mkDefault (!config.services.resolved.enable);
 
     # Containers should be light-weight, so start sshd on demand.
     services.openssh.startWhenNeeded = mkDefault true;
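Review bot: The new default for `networking.useHostResolvConf` reads `config.services.resolved.enable`, but nothing in the hunk explains why the two are treated as mutually exclusive, and `config` must be one of the module's function arguments, which lie outside the hunk — the visible context shows only `with lib;`, so that is worth confirming. A one-line comment on the changed line would spare the next reader an evaluation, for example `# resolved manages /etc/resolv.conf itself; do not also take the host's`. Because `mkDefault` still lets a user enable both, the comment should make clear that the default is a convenience rather than a guarantee.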
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 5643da99e557..2c6c3a429707 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -262,6 +262,7 @@ in
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
+  systemd-machinectl = handleTest ./systemd-machinectl.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
   systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};
diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix
new file mode 100644
index 000000000000..091f855d043b
--- /dev/null
+++ b/nixos/tests/systemd-machinectl.nix
@@ -0,0 +1,52 @@
+import ./make-test.nix (let
+
+  container = { ... }: {
+    boot.isContainer = true;
+
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # systemd-nspawn expects /sbin/init
+    boot.loader.initScript.enable = true;
+
+    imports = [ ../modules/profiles/minimal.nix ];
+  };
+
+  containerSystem = (import ../lib/eval-config.nix {
+    modules = [ container ];
+  }).config.system.build.toplevel;
+
+  containerName = "container";
+  containerRoot = "/var/lib/machines/${containerName}";
+
+in {
+  name = "systemd-machinectl";
+
+  machine = { lib, ... }: {
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # open DHCP server on interface to container
+    networking.firewall.trustedInterfaces = [ "ve-+" ];
+
+    # do not try to access cache.nixos.org
+    nix.binaryCaches = lib.mkForce [];
+
+    virtualisation.pathsInNixDB = [ containerSystem ];
+  };
+
+  testScript = ''
+    startAll;
+
+    $machine->waitForUnit("default.target");
+    $machine->succeed("mkdir -p ${containerRoot}");
+    $machine->succeed("nixos-install --root ${containerRoot} --system ${containerSystem} --no-channel-copy --no-root-passwd --no-bootloader");
+
+    $machine->succeed("machinectl start ${containerName}");
+    $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
+    $machine->succeed("ping -n -c 1 ${containerName}");
+    $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
+    $machine->succeed("machinectl stop ${containerName}");
+  '';
+})