| Commit message | Author | Age |
(cherry picked from commit 05543ef6e038a834aa323d467c9ef02ad99c5adb)
(cherry picked from commit e007559e9580c134f43ea9dc2279ff41cb3bd015)
Fixes #2834.
instances.
(cherry picked from commit 35c76d917307b7ac405486855cfe63021810dba5)
Conflicts:
nixos/modules/virtualisation/amazon-image.nix
Fixes #2585.
This removes the need to have an initially empty root password.
By setting a line like

    MACVLANS="eno1"

in /etc/containers/<name>.conf, the container will get an Ethernet
interface named mv-eno1, which represents an additional MAC address on
the physical eno1 interface. Thus the container has direct access to
the physical network. You can specify multiple interfaces in MACVLANS.
Unfortunately, you can't do this with wireless interfaces.

Note that dhcpcd is disabled in containers by default, so you'll
probably want to set

    networking.useDHCP = true;

in the container, or configure a static IP address.

To do: add a containers.* option for this, and a flag for
"nixos-container create".
Note that this causes the name of the host-side interface to change
from c-<name> to ve-<name>.
This gets rid of some redundant scopes/slices.
Fixes #2379.
The new name was a misnomer because the values really are X11 video
drivers (e.g. ‘cirrus’ or ‘nvidia’), not OpenGL implementations. That
it's also used to set an OpenGL implementation for kmscon is just
confusing overloading.
By default, socat only waits 0.5s for the remote side to finish after
getting EOF on the local side. So don't close the local side, instead
wait for socat to exit when the remote side finishes.
http://hydra.nixos.org/build/10663282
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeably
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
The ability for unprivileged users to mount external media is useful
regardless of the desktop environment. Also, since udisks2 is
activated on-demand, it doesn't add any overhead if you're not using it.
Apparently systemd is now smart enough to figure out predictable names
for QEMU network interfaces. But since our tests expect them to be
named eth0/eth1..., this is not desirable at the moment.
http://hydra.nixos.org/build/10418789
This used to work with systemd-nspawn 203, because it bind-mounted
/etc/resolv.conf (so openresolv couldn't overwrite it). Now it's just
copied, so we need some special handling.
Don't do a pointless ARP check in dhcpcd.
http://hydra.nixos.org/build/10350055
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
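The shape of a module written the way this commit describes, as an added example rather than code from nixpkgs; the option set ‘services.example’, the package ‘pkgs.hello’ and the unit name are placeholders chosen for illustration:

```nix
# Added example, not a nixpkgs module. Takes `lib` from the module arguments
# instead of reaching through `pkgs.lib`, so that the *structure* of the
# resulting configuration (which attributes exist, whether the mkIf branch
# is taken) can be decided before `pkgs` has been computed.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.example;   # hypothetical option set, for illustration
in
{
  options.services.example = {
    enable = mkEnableOption "the example service";
    port = mkOption {
      type = types.int;
      default = 8080;
      description = "Port the service listens on.";
    };
  };

  # `mkIf` comes from `lib`. Spelled as `pkgs.lib.mkIf`, the same line would
  # require `pkgs` (itself a product of module evaluation) just to find out
  # what this module contributes to `config`.
  config = mkIf cfg.enable {
    systemd.services.example = {
      wantedBy = [ "multi-user.target" ];
      # Referring to `pkgs` *inside* option values is fine: the values are
      # evaluated lazily, after the attribute structure is already known.
      serviceConfig.ExecStart = "${pkgs.hello}/bin/hello";
    };
    networking.firewall.allowedTCPPorts = [ cfg.port ];
  };
}
```

The distinction to keep in mind: `pkgs` may appear in the leaves (package paths, strings), but anything that decides which attributes the module produces, such as `mkIf`, `mkMerge`, `optionalAttrs` or `types.*`, has to come from `lib`.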
Fixes #2105.
And remove ‘root-shell’.
Systemd-nspawn doesn't support nesting, so providing nixos-container
inside a container doesn't make sense.
So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.
Also fix race condition when multiple containers are created
simultaneously (as NixOps tends to do).
The command nixos-container can now create containers. For instance,
the following creates and starts a container named ‘database’:

    $ nixos-container create database

The configuration of the container is stored in
/var/lib/containers/<name>/etc/nixos/configuration.nix. After editing
the configuration, you can make the changes take effect by doing

    $ nixos-container update database

The container can also be destroyed:

    $ nixos-container destroy database

Containers are now executed using a template unit,
‘container@.service’, so the unit in this example would be
‘container@database.service’.
That NixOS containers use systemd-nspawn is just an implementation
detail (which we could change in the future).
For example, the following sets up a container named ‘foo’. The
container will have a single network interface eth0, with IP address
10.231.136.2. The host will have an interface c-foo with IP address
10.231.136.1.

    systemd.containers.foo =
      { privateNetwork = true;
        hostAddress = "10.231.136.1";
        localAddress = "10.231.136.2";
        config =
          { services.openssh.enable = true; };
      };

With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules. This is secure because it cannot touch the
interfaces of the host.

The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).
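A host configuration that puts the pieces from this log together, as an added example that is not part of any commit here: the private-network container above (with the socket-activated sshd from the ‘startWhenNeeded’ commit), plus a second container using the macvlan mechanism from the MACVLANS commit. Option names follow NixOS as it stands today, where ‘systemd.containers.<name>’ became ‘containers.<name>’ and the to-do from the MACVLANS message became the ‘containers.<name>.macvlans’ option; the container names, the addresses and the uplink interface ‘eno1’ are assumptions about this host.

```nix
# Added example (not from nixpkgs). Declares two NixOS containers and the
# host-side NAT that the veth-based one needs to reach the outside world.
{ config, lib, pkgs, ... }:

{
  # Container 1: private veth network, as in the ‘foo’ example above.
  containers.db = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.231.136.1";    # host end of the veth pair
    localAddress = "10.231.136.2";   # the container's eth0
    config = { config, pkgs, ... }: {
      # Socket-activated sshd: nothing runs until a connection arrives.
      services.openssh = {
        enable = true;
        startWhenNeeded = true;
      };
      # CAP_NET_ADMIN inside the container only reaches its own network
      # namespace, so these rules govern eth0 there, never the host's NICs.
      networking.firewall.allowedTCPPorts = [ 22 ];
    };
  };

  # Let the veth container out through the host. The host-side interface is
  # ve-<name> after the c-<name> -> ve-<name> rename recorded in this log;
  # "eno1" as the uplink is an assumption about this host.
  networking.nat = {
    enable = true;
    externalInterface = "eno1";
    internalInterfaces = [ "ve-db" ];
  };

  # Container 2: a macvlan on the physical NIC. It appears on the LAN with
  # its own MAC address and takes its lease from the LAN's DHCP server.
  containers.lan = {
    autoStart = true;
    macvlans = [ "eno1" ];           # visible inside as mv-eno1
    config = { config, pkgs, ... }: {
      networking.useDHCP = true;     # dhcpcd is off in containers by default
      # Frames on mv-eno1 never traverse the host's netfilter tables, so the
      # container has to run its own firewall.
      networking.firewall.enable = true;
      networking.firewall.allowedTCPPorts = [ 22 ];
      services.openssh.enable = true;
    };
  };
}
```

After ‘nixos-rebuild switch’, ‘nixos-container status db’ and ‘nixos-container root-login lan’ are the quickest checks. Two practical caveats: the host's own firewall and NAT rules do nothing for the macvlan container, which is exactly why it carries its own firewall above, and because of how macvlan works the host cannot talk to ‘lan’ through eno1 itself (other machines on the LAN can); use the veth-based layout when host-to-container traffic matters.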
These are stored on the host in
/nix/var/nix/{profiles,gcroots}/per-container/<container-name> to
ensure that container profiles/roots are not garbage-collected.