diff options
author | Frederik Rietdijk <fridh@fridh.nl> | 2019-08-28 08:26:42 +0200 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-08-28 08:26:42 +0200 |
commit | 5061fe0c2c7743370e1d379d6fa60eed26ff1470 (patch) | |
tree | 4a4ee79a6e0694d3c7ad6fbeff33343d83458e6c /nixos/modules/virtualisation | |
parent | a2538606e3115e16db2e5075ecf37b886ad64ede (diff) | |
parent | 98640fd48212f8e6552517f667bba1901f5936d4 (diff) | |
download | nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.tar nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.tar.gz nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.tar.bz2 nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.tar.lz nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.tar.xz nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.tar.zst nixlib-5061fe0c2c7743370e1d379d6fa60eed26ff1470.zip |
Merge staging-next into staging
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/containers.nix | 38 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-config.nix | 10 | ||||
-rw-r--r-- | nixos/modules/virtualisation/libvirtd.nix | 13 |
3 files changed, 48 insertions, 13 deletions
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 948b745212ed..9fe577bd83ed 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -138,7 +138,7 @@ let --bind-ro=/nix/var/nix/daemon-socket \ --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ - --link-journal=try-guest \ + ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \ --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ --setenv HOST_BRIDGE="$HOST_BRIDGE" \ --setenv HOST_ADDRESS="$HOST_ADDRESS" \ @@ -147,6 +147,7 @@ let --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \ --setenv HOST_PORT="$HOST_PORT" \ --setenv PATH="$PATH" \ + ${optionalString cfg.ephemeral "--ephemeral"} \ ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else "" } \ @@ -247,6 +248,8 @@ let Type = "notify"; + RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i"; + # Note that on reboot, systemd-nspawn returns 133, so this # unit will be restarted. On poweroff, it returns 0, so the # unit won't be restarted. @@ -419,6 +422,7 @@ let { extraVeths = {}; additionalCapabilities = []; + ephemeral = false; allowedDevices = []; hostAddress = null; hostAddress6 = null; @@ -511,6 +515,26 @@ in information. ''; }; + + ephemeral = mkOption { + type = types.bool; + default = false; + description = '' + Runs container in ephemeral mode with the empty root filesystem at boot. + This way container will be bootstrapped from scratch on each boot + and will be cleaned up on shutdown leaving no traces behind. + Useful for completely stateless, reproducible containers. + + Note that this option might require to do some adjustments to the container configuration, + e.g. you might want to set + <varname>systemd.network.networks.$interface.dhcpConfig.ClientIdentifier</varname> to "mac" + if you use <varname>macvlans</varname> option. + This way dhcp client identifier will be stable between the container restarts. + + Note that the container journal will not be linked to the host if this option is enabled. + ''; + }; + enableTun = mkOption { type = types.bool; default = false; @@ -659,12 +683,14 @@ in unit = { description = "Container '%i'"; - unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; + unitConfig.RequiresMountsFor = "/var/lib/containers/%i"; path = [ pkgs.iproute ]; - environment.INSTANCE = "%i"; - environment.root = "/var/lib/containers/%i"; + environment = { + root = "/var/lib/containers/%i"; + INSTANCE = "%i"; + }; preStart = preStartScript dummyConfig; @@ -703,11 +729,13 @@ in } else {}); in - unit // { + recursiveUpdate unit { preStart = preStartScript containerConfig; script = startScript containerConfig; postStart = postStartScript containerConfig; serviceConfig = serviceDirectives containerConfig; + unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i"; + environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i"; } // ( if containerConfig.autoStart then { diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix index 5c59188b68b2..79766970c757 100644 --- a/nixos/modules/virtualisation/google-compute-config.nix +++ b/nixos/modules/virtualisation/google-compute-config.nix @@ -159,12 +159,6 @@ in # functionality/features (e.g. TCP Window scaling). "net.ipv4.tcp_syncookies" = mkDefault "1"; - # ignores source-routed packets - "net.ipv4.conf.all.accept_source_route" = mkDefault "0"; - - # ignores source-routed packets - "net.ipv4.conf.default.accept_source_route" = mkDefault "0"; - # ignores ICMP redirects "net.ipv4.conf.all.accept_redirects" = mkDefault "0"; @@ -186,10 +180,10 @@ in # don't allow traffic between networks or act as a router "net.ipv4.conf.default.send_redirects" = mkDefault "0"; - # reverse path filtering - IP spoofing protection + # strict reverse path filtering - IP spoofing protection "net.ipv4.conf.all.rp_filter" = mkDefault "1"; - # reverse path filtering - IP spoofing protection + # strict path filtering - IP spoofing protection "net.ipv4.conf.default.rp_filter" = mkDefault "1"; # ignores ICMP broadcasts to avoid participating in Smurf attacks diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index 394b4ce56563..16b79d869193 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -104,6 +104,18 @@ in { ''; }; + onBoot = mkOption { + type = types.enum ["start" "ignore" ]; + default = "start"; + description = '' + Specifies the action to be done to / on the guests when the host boots. + The "start" option starts all guests that were running prior to shutdown + regardless of their autostart settings. The "ignore" option will not + start the formally running guest on boot. However, any guest marked as + autostart will still be automatically started by libvirtd. + ''; + }; + onShutdown = mkOption { type = types.enum ["shutdown" "suspend" ]; default = "suspend"; @@ -221,6 +233,7 @@ in { path = with pkgs; [ coreutils libvirt gawk ]; restartIfChanged = false; + environment.ON_BOOT = "${cfg.onBoot}"; environment.ON_SHUTDOWN = "${cfg.onShutdown}"; }; |