Diffstat (limited to 'nixpkgs/nixos/modules/virtualisation/lxc-container.nix')
-rw-r--r-- | nixpkgs/nixos/modules/virtualisation/lxc-container.nix | 76 |
1 files changed, 61 insertions, 15 deletions
diff --git a/nixpkgs/nixos/modules/virtualisation/lxc-container.nix b/nixpkgs/nixos/modules/virtualisation/lxc-container.nix
index d3a2e0ed151d..55b285b69147 100644
--- a/nixpkgs/nixos/modules/virtualisation/lxc-container.nix
+++ b/nixpkgs/nixos/modules/virtualisation/lxc-container.nix
@@ -5,22 +5,22 @@ with lib;
 let
 templateSubmodule = { ... }: {
 options = {
- enable = mkEnableOption "this template";
+ enable = mkEnableOption (lib.mdDoc "this template");
 target = mkOption {
- description = "Path in the container";
+ description = lib.mdDoc "Path in the container";
 type = types.path;
 };
 template = mkOption {
- description = ".tpl file for rendering the target";
+ description = lib.mdDoc ".tpl file for rendering the target";
 type = types.path;
 };
 when = mkOption {
- description = "Events which trigger a rewrite (create, copy)";
+ description = lib.mdDoc "Events which trigger a rewrite (create, copy)";
 type = types.listOf (types.str);
 };
 properties = mkOption {
- description = "Additional properties";
+ description = lib.mdDoc "Additional properties";
 type = types.attrs;
 default = {};
 };
@@ -51,14 +51,14 @@ in
 imports = [
 ../installer/cd-dvd/channel.nix
- ../profiles/minimal.nix
 ../profiles/clone-config.nix
+ ../profiles/minimal.nix
 ];
 options = {
 virtualisation.lxc = {
 templates = mkOption {
- description = "Templates for LXD";
+ description = lib.mdDoc "Templates for LXD";
 type = types.attrsOf (types.submodule (templateSubmodule));
 default = {};
 example = literalExpression ''
@@ -88,6 +88,16 @@ in
 };
 '';
 };
+
+ privilegedContainer = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether this LXC container will be running as a privileged container or not. If set to `true` then
+ additional configuration will be applied to the `systemd` instance running within the container as
+ recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
+ '';
+ };
 };
 };
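Review bot: The `privilegedContainer` description added in the @@ -88,6 +88,16 @@ hunk only says that "additional configuration will be applied" to systemd, which does not tell a reader that enabling it relaxes sandboxing for every service unit in the container. Name the effect in the option text, for example by appending a sentence such as `This disables ProtectHome, ProtectSystem, PrivateDevices, PrivateTmp, ProtectKernelLogs and ProtectKernelModules and clears ReadWritePaths for all services through a systemd service.d drop-in.` Someone assessing the image's hardening should be able to see that from the option documentation alone rather than from the drop-in further down. The other hunks on this line are mdDoc conversions and an import reorder and need no note.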
@@ -113,8 +123,8 @@ in
 architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.system)) 0;
 creation_date = 1;
 properties = {
- description = "NixOS ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}";
- os = "nixos";
+ description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}";
+ os = "${config.system.nixos.distroId}";
 release = "${config.system.nixos.codeName}";
 };
 templates = templates.properties;
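Review bot: `os = "${config.system.nixos.distroId}";` wraps a string option in an interpolation that has no effect; `os = config.system.nixos.distroId;` yields the same value without the extra quoting. The pre-existing `release = "${config.system.nixos.codeName}";` context line uses the same pattern, so if the quoting is kept deliberately for consistency with it, a short comment would save the next reader the question. The enclosing attrset starts and ends outside the hunk.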
@@ -140,19 +150,49 @@ in
 source = config.system.build.toplevel + "/init";
 target = "/sbin/init";
 }
+ # Technically this is not required for lxc, but having also make this configuration work with systemd-nspawn.
+ # Nixos will setup the same symlink after start.
+ {
+ source = config.system.build.toplevel + "/etc/os-release";
+ target = "/etc/os-release";
+ }
 ];
 extraCommands = "mkdir -p proc sys dev";
 };
- # Add the overrides from lxd distrobuilder
- systemd.extraConfig = ''
- [Service]
- ProtectProc=default
- ProtectControlGroups=no
- ProtectKernelTunables=no
+ system.build.installBootLoader = pkgs.writeScript "install-lxd-sbin-init.sh" ''
+ #!${pkgs.runtimeShell}
+ ln -fs "$1/init" /sbin/init
 '';
+ # Add the overrides from lxd distrobuilder
+ # https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
+ systemd.packages = [
+ (pkgs.writeTextFile {
+ name = "systemd-lxc-service-overrides";
+ destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
+ text = ''
+ [Service]
+ ProcSubset=all
+ ProtectProc=default
+ ProtectControlGroups=no
+ ProtectKernelTunables=no
+ NoNewPrivileges=no
+ LoadCredential=
+ '' + optionalString cfg.privilegedContainer ''
+ # Additional settings for privileged containers
+ ProtectHome=no
+ ProtectSystem=no
+ PrivateDevices=no
+ PrivateTmp=no
+ ProtectKernelLogs=no
+ ProtectKernelModules=no
+ ReadWritePaths=
+ '';
+ })
+ ];
+
 # Allow the user to login as root without password.
 users.users.root.initialHashedPassword = mkOverride 150 "";
@@ -170,5 +210,11 @@ in
 # Containers should be light-weight, so start sshd on demand.
 services.openssh.enable = mkDefault true;
 services.openssh.startWhenNeeded = mkDefault true;
+
+ # As this is intended as a standalone image, undo some of the minimal profile stuff
+ environment.noXlibs = false;
+ documentation.enable = true;
+ documentation.nixos.enable = true;
+ services.logrotate.enable = true;
 };
 }
|
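Review bot: The comment introducing the new `systemd.packages` drop-in only says "Add the overrides from lxd distrobuilder" and does not state that `zzz-lxc-service.conf` under `service.d/` applies to every service unit in the container, so a reader has to infer from the destination path that `NoNewPrivileges=no`, `ProtectKernelTunables=no` and the cleared `LoadCredential=` are container-wide rather than per-unit. Suggest a line such as `# service.d drop-in: relaxes sandboxing for *all* services in the container, mirroring distrobuilder's defaults` above `systemd.packages`, and ideally one comment per directive saying why LXC needs it, since each one widens what a compromised service can reach. The comment on the new `/etc/os-release` entry is also ungrammatical ("but having also make this configuration work"); `# Not required by LXC, but it also makes this configuration work with systemd-nspawn.` and `# NixOS sets up the same symlink after start.` say the same thing cleanly. The `'';` context line now closes the `installBootLoader` script rather than the removed `systemd.extraConfig` string, which is correct but worth a second look when reading the diff.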