diff options
| author | Vladimír Čunát <vcunat@gmail.com> | 2014-08-21 15:09:31 +0200 |
|---|---|---|
| committer | Vladimír Čunát <vcunat@gmail.com> | 2014-08-21 15:09:31 +0200 |
| commit | d4e9fd2a906b5227ae51a522a0708a0b6884ed1c (patch) | |
| tree | ca6bb53bb064b71b5ad9bf94dbcc27c47c2d652c /nixos/modules | |
| parent | 5c53f22492511d1d8de46ecd8f11fca20f1287fd (diff) | |
| parent | 2d03fbf75202272f37bf648d06922c2c624f126a (diff) | |
| download | nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.tar nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.tar.gz nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.tar.bz2 nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.tar.lz nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.tar.xz nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.tar.zst nixlib-d4e9fd2a906b5227ae51a522a0708a0b6884ed1c.zip | |
Merge recent master into staging
Hydra: ?compare=1148749 Conflicts (easy): nixos/modules/virtualisation/containers.nix
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/config/users-groups.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/installer/tools/nixos-install.sh | 2 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/containers.nix | 48 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/nixos-container.pl | 52 |
5 files changed, 85 insertions, 21 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index f32138a814dd..afedc8e382e5 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -346,7 +346,7 @@ in { uid = ids.uids.root; description = "System administrator"; home = "/root"; - shell = cfg.defaultUserShell; + shell = mkDefault cfg.defaultUserShell; group = "root"; extraGroups = [ "grsecurity" ]; hashedPassword = mkDefault config.security.initialRootPassword; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 9d62ba131dc7..a55eda1cb8fd 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -81,7 +81,7 @@ mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers rm -rf $mountPoint/var/run ln -s /run $mountPoint/var/run rm -f $mountPoint/etc/{resolv.conf,hosts} -cp -f /etc/resolv.conf /etc/hosts $mountPoint/etc/ +cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/ if [ -n "$runChroot" ]; then diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 455c40693b00..e353e9246b0e 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -744,7 +744,7 @@ in # Make all journals readable to users in the wheel and adm # groups, in addition to those in the systemd-journal group. # Users can always read their own journals. - ${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal + ${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal || true ''; # Target for ‘charon send-keys’ to hook into. diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 6933fbaa9eec..3942c41553cd 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -32,7 +32,10 @@ let fi fi - exec "$1" + # Start the regular stage 1 script, passing the bind-mounted + # notification socket from the host to allow the container + # systemd to signal readiness to the host systemd. + NOTIFY_SOCKET=/var/lib/private/host-notify exec "$1" ''; system = config.nixpkgs.system; @@ -175,17 +178,16 @@ in ip link del dev "ve-$INSTANCE" 2> /dev/null || true fi - mkdir -p -m 0755 $root/var/lib - # Create a named pipe to get a signal when the container - # has finished booting. - rm -f $root/var/lib/startup-done - mkfifo -m 0600 $root/var/lib/startup-done + if [ "$PRIVATE_NETWORK" = 1 ]; then + ip link del dev "ve-$INSTANCE" 2> /dev/null || true + fi ''; script = '' mkdir -p -m 0755 "$root/etc" "$root/var/lib" + mkdir -p -m 0700 "$root/var/lib/private" if ! [ -e "$root/etc/os-release" ]; then touch "$root/etc/os-release" fi @@ -194,6 +196,8 @@ in "/nix/var/nix/profiles/per-container/$INSTANCE" \ "/nix/var/nix/gcroots/per-container/$INSTANCE" + cp -f /etc/resolv.conf "$root/etc/resolv.conf" + if [ "$PRIVATE_NETWORK" = 1 ]; then extraFlags+=" --network-veth" fi @@ -210,13 +214,16 @@ in fi ''} - EXIT_ON_REBOOT=1 \ + # Run systemd-nspawn without startup notification (we'll + # wait for the container systemd to signal readiness). + EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \ exec ${config.systemd.package}/bin/systemd-nspawn \ --keep-unit \ -M "$INSTANCE" -D "$root" $extraFlags \ --bind-ro=/nix/store \ --bind-ro=/nix/var/nix/db \ --bind-ro=/nix/var/nix/daemon-socket \ + --bind=/run/systemd/notify:/var/lib/private/host-notify \ --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ @@ -269,6 +276,8 @@ in Type = "notify"; + NotifyAccess = "all"; + # Note that on reboot, systemd-nspawn returns 10, so this # unit will be restarted. On poweroff, it returns 0, so the # unit won't be restarted. @@ -315,5 +324,30 @@ in environment.systemPackages = [ nixos-container ]; + # Start containers at boot time. + systemd.services.all-containers = + { description = "All Containers"; + + wantedBy = [ "multi-user.target" ]; + + unitConfig.ConditionDirectoryNotEmpty = "/etc/containers"; + + serviceConfig.Type = "oneshot"; + + script = + '' + res=0 + shopt -s nullglob + for i in /etc/containers/*.conf; do + AUTO_START= + source "$i" + if [ "$AUTO_START" = 1 ]; then + systemctl start "container@$(basename "$i" .conf).service" || res=1 + fi + done + exit $res + ''; # */ + }; + }; } diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl index c0d30346e568..bf6f16fc6c77 100644 --- a/nixos/modules/virtualisation/nixos-container.pl +++ b/nixos/modules/virtualisation/nixos-container.pl @@ -17,25 +17,31 @@ umask 0022; sub showHelp { print <<EOF; Usage: nixos-container list - nixos-container create <container-name> [--config <string>] [--ensure-unique-name] + nixos-container create <container-name> [--system-path <path>] [--config <string>] [--ensure-unique-name] [--auto-start] nixos-container destroy <container-name> nixos-container start <container-name> nixos-container stop <container-name> + nixos-container status <container-name> nixos-container login <container-name> nixos-container root-login <container-name> nixos-container run <container-name> -- args... nixos-container set-root-password <container-name> <password> nixos-container show-ip <container-name> + nixos-container show-host-key <container-name> EOF exit 0; } +my $systemPath; my $ensureUniqueName = 0; +my $autoStart = 0; my $extraConfig; GetOptions( "help" => sub { showHelp() }, "ensure-unique-name" => \$ensureUniqueName, + "auto-start" => \$autoStart, + "system-path=s" => \$systemPath, "config=s" => \$extraConfig ) or exit 1; @@ -122,17 +128,13 @@ if ($action eq "create") { push @conf, "PRIVATE_NETWORK=1\n"; push @conf, "HOST_ADDRESS=$hostAddress\n"; push @conf, "LOCAL_ADDRESS=$localAddress\n"; + push @conf, "AUTO_START=$autoStart\n"; write_file($confFile, \@conf); close($lock); print STDERR "host IP is $hostAddress, container IP is $localAddress\n"; - mkpath("$root/etc/nixos", 0, 0755); - - my $nixosConfigFile = "$root/etc/nixos/configuration.nix"; - writeNixOSConfig $nixosConfigFile; - # The per-container directory is restricted to prevent users on # the host from messing with guest users who happen to have the # same uid. @@ -141,10 +143,21 @@ if ($action eq "create") { $profileDir = "$profileDir/$containerName"; mkpath($profileDir, 0, 0755); - system("nix-env", "-p", "$profileDir/system", - "-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>", - "--set", "-A", "system") == 0 - or die "$0: failed to build initial container configuration\n"; + # Build/set the initial configuration. + if (defined $systemPath) { + system("nix-env", "-p", "$profileDir/system", "--set", $systemPath) == 0 + or die "$0: failed to set initial container configuration\n"; + } else { + mkpath("$root/etc/nixos", 0, 0755); + + my $nixosConfigFile = "$root/etc/nixos/configuration.nix"; + writeNixOSConfig $nixosConfigFile; + + system("nix-env", "-p", "$profileDir/system", + "-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>", + "--set", "-A", "system") == 0 + or die "$0: failed to build initial container configuration\n"; + } print "$containerName\n" if $ensureUniqueName; exit 0; @@ -154,7 +167,14 @@ my $root = "/var/lib/containers/$containerName"; my $profileDir = "/nix/var/nix/profiles/per-container/$containerName"; my $gcRootsDir = "/nix/var/nix/gcroots/per-container/$containerName"; my $confFile = "/etc/containers/$containerName.conf"; -die "$0: container ‘$containerName’ does not exist\n" if !-e $confFile; +if (!-e $confFile) { + if ($action eq "destroy") { + exit 0; + } elsif ($action eq "status") { + print "gone\n"; + } + die "$0: container ‘$containerName’ does not exist\n" ; +} sub isContainerRunning { my $status = `systemctl show 'container\@$containerName'`; @@ -187,6 +207,10 @@ elsif ($action eq "stop") { stopContainer; } +elsif ($action eq "status") { + print isContainerRunning() ? "up" : "down", "\n"; +} + elsif ($action eq "update") { my $nixosConfigFile = "$root/etc/nixos/configuration.nix"; @@ -241,6 +265,12 @@ elsif ($action eq "show-ip") { print "$1\n"; } +elsif ($action eq "show-host-key") { + my $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub"; + exit 1 if ! -f $fn; + print read_file($fn); +} + else { die "$0: unknown action ‘$action’\n"; } |