nixos: deactivate immutablity for /var/empty in container

2 files changed, 9 insertions, 0 deletions

diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix
index 74c150a848d1..fe77094c52b7 100644
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -184,7 +184,14 @@ in
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
         chown root:root /var/empty
+
+        ${ # reasons for not setting immutable flag:
+           # 1. flag is not changeable inside a container
+           # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+           #    then the owner is nobody and ssh will not start
+          optionalString (!config.boot.isContainer) ''
         ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+          ''}
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix
index 3438722e3218..091f855d043b 100644
--- a/nixos/tests/systemd-machinectl.nix
+++ b/nixos/tests/systemd-machinectl.nix
@@ -45,6 +45,8 @@ in {
     $machine->succeed("machinectl start ${containerName}");
     $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
     $machine->succeed("ping -n -c 1 ${containerName}");
+    $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
     $machine->succeed("machinectl stop ${containerName}");
   '';
 })