From cac38c8664fd60f4076061c16a44355e103d9d29 Mon Sep 17 00:00:00 2001
From: Ian-Woo Kim
Date: Sun, 24 May 2015 16:31:59 +0000
Subject: extraBindsRO/extraBindsRW
---
 nixos/modules/virtualisation/containers.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index da39dda85353..512b4ee15ec6 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -127,6 +127,27 @@ in
 Wether the container is automatically started at boot-time.
 '';
 };
+
+ extraBindsRO = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "/home/alice" ];
+ description =
+ ''
+ An extra list of directories that is bound to the container with read-only permission.
+ '';
+ };
+
+ extraBindsRW = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [ "/home/alice" ];
+ description =
+ ''
+ An extra list of directories that is bound to the container with read-only permission.
+ '';
+ };
+
 };

 config = mkMerge
@@ -230,12 +251,15 @@ in
 fi
 ''}

+
+
 # Run systemd-nspawn without startup notification (we'll
 # wait for the container systemd to signal readiness).
 EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \
 exec ${config.systemd.package}/bin/systemd-nspawn \
 --keep-unit \
 -M "$INSTANCE" -D "$root" $extraFlags \
+ $EXTRABINDS \
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
@@ -334,6 +358,9 @@ in
 ${optionalString cfg.autoStart ''
 AUTO_START=1
 ''}
+
+ EXTRABINDS="${concatMapStrings (d: " --bind-ro=${d}") cfg.extraBindsRO + concatMapStrings (d: " --bind=${d}") cfg.extraBindsRW}"
+
 '';
 }) config.containers;

-- 
cgit 1.4.1
From c4f66eb85d721dcb97f717d4a6f28c3de3ff0f47 Mon Sep 17 00:00:00 2001
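Review bot: The description of `extraBindsRW` is a verbatim copy of the `extraBindsRO` one and still promises `read-only permission`, while the last hunk turns those entries into `--bind=` (read-write) flags; change it to `An extra list of directories that is bound to the container with read-write permission.`. Both descriptions should also say where the directory appears inside the container: each entry is passed to systemd-nspawn as a single path, which, if I read the flag syntax right, mounts the host directory at the same path in the container. A read-write bind of a host directory is the more consequential of the two, so the `extraBindsRW` text is the one that most needs to be accurate. The enclosing `options` set begins before this hunk.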
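Review bot: `$EXTRABINDS` is expanded unquoted on the added line, so the shell word-splits and glob-expands every configured path; a directory whose name contains whitespace cannot be bound at all and one containing `*` or `?` may be rewritten before systemd-nspawn sees it. The assignment that builds the variable in the last hunk has the matching problem on the other side: it interpolates each raw path into a double-quoted shell assignment (which appears to be written to a per-container conf file that the start script sources — the sourcing is outside the hunk), so a `"` or `$` in a path changes how that file is parsed. Since `$extraFlags` on the line above uses the same mechanism, the least invasive fix is an `assertions` entry that rejects `extraBindsRO`/`extraBindsRW` values containing whitespace, quotes, `$` or glob characters, plus a comment on the added line such as `# paths in EXTRABINDS are expanded unquoted; they are validated at evaluation time`. The two empty lines added above the `# Run systemd-nspawn` comment are stray whitespace. The same unquoted expansion survives the later renames to `$EXTRA_NSPAWN_FLAGS` in the follow-up commits on this page.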
From: Ian-Woo Kim
Date: Mon, 25 May 2015 19:09:53 +0000
Subject: unify extraBindsRW/RO into extraBinds. Now arbitrary mount point is supported.
---
 nixos/modules/virtualisation/containers.nix | 37 ++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 14 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 512b4ee15ec6..bfc75ea3efce 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -41,6 +41,9 @@ let

 system = config.nixpkgs.system;

+ mkBindFlag = d: if d.isReadOnly then " --bind-ro=${d.host}:${d.container}" else " --bind=${d.host}:${d.container}";
+ mkBindFlags = bs: concatMapStrings mkBindFlag bs;
+
 in

 {
@@ -128,25 +131,28 @@ in
 '';
 };

- extraBindsRO = mkOption {
- type = types.listOf types.str;
+ extraBinds = mkOption {
+ type = types.listOf types.attrs;
 default = [];
- example = [ "/home/alice" ];
+ example = [ { host = "/home/alice";
+ container = "/home";
+ isReadOnly = false; }
+ ];
 description =
 ''
- An extra list of directories that is bound to the container with read-only permission.
+ An extra list of directories that is bound to the container.
 '';
 };

- extraBindsRW = mkOption {
- type = types.listOf types.str;
- default = [];
- example = [ "/home/alice" ];
- description =
- ''
- An extra list of directories that is bound to the container with read-only permission.
- '';
- };
+ #extraBindsRW = mkOption {
+ # type = types.listOf types.str;
+ # default = [];
+ # example = [ "/home/alice" ];
+ # description =
+ # ''
+ # An extra list of directories that is bound to the container with read-only permission.
+ # '';
+ #};

 };

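Review bot: `mkBindFlag` reads `d.isReadOnly`, `d.host` and `d.container` from an entry that the option in the next hunk types only as `types.attrs`, so an entry that omits `isReadOnly` fails at evaluation with a bare missing-attribute error rather than a message that names the option. A comment stating the contract would at least make that explicit: `# d = { host, container, isReadOnly }: host directory, mount point inside the container, access mode`. The `${d.host}:${d.container}` part is duplicated in both branches; only the flag prefix depends on `isReadOnly`, so selecting the prefix and appending the path once reads better and avoids the two strings drifting apart.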
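Review bot: The new `extraBinds` description still reads `An extra list of directories` and says nothing about the shape of an entry, yet `types.listOf types.attrs` enforces nothing, so the `example` is the only documentation of the `host`, `container` and `isReadOnly` keys that `mkBindFlag` in the first hunk requires. I would write: `A list of bind mounts for the container. Each entry is an attribute set with host (directory on the host), container (mount point inside the container) and isReadOnly (bool); all three are required.` The old `extraBindsRW` option is left behind as a commented-out block instead of being deleted, and the third hunk adds another commented-out copy of the old `EXTRABINDS` expression above the `/etc/hosts` section; both should go, the history is in git.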
@@ -359,11 +365,14 @@ in
 AUTO_START=1
 ''}

- EXTRABINDS="${concatMapStrings (d: " --bind-ro=${d}") cfg.extraBindsRO + concatMapStrings (d: " --bind=${d}") cfg.extraBindsRW}"
+ EXTRABINDS="${mkBindFlags cfg.extraBinds}"

 '';
 }) config.containers;

+ #"${concatMapStrings (d: " --bind-ro=${d}") cfg.extraBindsRO + concatMapStrings (d: " --bind=${d}") cfg.extraBindsRW}"
+
+
 # Generate /etc/hosts entries for the containers.
 networking.extraHosts = concatStrings (mapAttrsToList (name: cfg: optionalString (cfg.localAddress != null)
 ''
-- 
cgit 1.4.1
From 4d551227c92614b1d180ec99682e714623dbbb3b Mon Sep 17 00:00:00 2001
From: Ian-Woo Kim
Date: Tue, 26 May 2015 11:56:42 +0000
Subject: nixos-container: rename extraBinds to bindMounts and use attribute set format.
---
 nixos/modules/virtualisation/containers.nix | 70 ++++++++++++++++++-----------
 1 file changed, 45 insertions(+), 25 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index bfc75ea3efce..86c17503fbcd 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -41,8 +41,40 @@ let

 system = config.nixpkgs.system;

- mkBindFlag = d: if d.isReadOnly then " --bind-ro=${d.host}:${d.container}" else " --bind=${d.host}:${d.container}";
- mkBindFlags = bs: concatMapStrings mkBindFlag bs;
+ bindMountOpts = { name, config, ... }: {
+
+ options = {
+ mountPoint = mkOption {
+ example = "/mnt/usb";
+ type = types.str;
+ description = "Location of the mounted in the container file systems";
+ };
+ hostPath = mkOption {
+ default = null;
+ example = "/home/alice";
+ type = types.uniq (types.nullOr types.string);
+ description = "Location of the host path to be mounted";
+ };
+ isReadOnly = mkOption {
+ default = false;
+ example = true;
+ type = types.bool;
+ description = "Determine whether the mounted path will be accessed in read-only mode";
+ };
+ };
+
+ config = {
+ mountPoint = mkDefault name;
+ };
+
+ };
+
+ mkBindFlag = d:
+ let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";
+ mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}";
+ in flagPrefix + mountstr ;
+
+ mkBindFlags = bs: concatMapStrings mkBindFlag (lib.attrValues bs);

 in

@@ -131,29 +163,20 @@ in
 '';
 };

- extraBinds = mkOption {
- type = types.listOf types.attrs;
- default = [];
- example = [ { host = "/home/alice";
- container = "/home";
- isReadOnly = false; }
- ];
+ bindMounts = mkOption {
+ type = types.loaOf types.optionSet;
+ options = [ bindMountOpts ];
+ default = {};
+ example = { "/home" = { hostPath = "/home/alice";
+ isReadOnly = false; };
+ };
+
 description =
- ''
+ ''
 An extra list of directories that is bound to the container.
 '';
 };

- #extraBindsRW = mkOption {
- # type = types.listOf types.str;
- # default = [];
- # example = [ "/home/alice" ];
- # description =
- # ''
- # An extra list of directories that is bound to the container with read-only permission.
- # '';
- #};

 };

 config = mkMerge
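Review bot: When `hostPath` is left at its `null` default, `mkBindFlag` emits `--bind=${d.mountPoint}` with a single path, which (as far as I read systemd-nspawn's bind syntax) mounts the host directory of that name at the same path in the container; neither the `hostPath` nor the `mountPoint` description mentions this, so a user who only sets the attribute name gets a host directory exposed without having named one. I would extend the `hostPath` description to `Location of the host path to be mounted. If null, the directory at mountPoint on the host is mounted at the same path inside the container.` Separately, `mkBindFlags` qualifies `lib.attrValues` while `concatMapStrings`, `mkOption` and `types` are used unqualified in the same hunk, which suggests `lib` is already opened with `with`; pick one form. The `in flagPrefix + mountstr ;` line has a stray space before the semicolon.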
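Review bot: The `bindMounts` description is unchanged from the list-based option (`An extra list of directories that is bound to the container`), but the option is now an attribute set whose names become the default `mountPoint` via `mountPoint = mkDefault name` in the first hunk, and that naming rule is the main thing a reader needs. Suggested text: `An extra set of directories to bind-mount into the container. The attribute name is used as the mount point inside the container unless mountPoint is set explicitly; see hostPath and isReadOnly for the host side and the access mode.` The `- ''`/`+ ''` pair under `description =` is a whitespace-only change that adds noise to the hunk.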
@@ -265,7 +288,7 @@ in
 exec ${config.systemd.package}/bin/systemd-nspawn \
 --keep-unit \
 -M "$INSTANCE" -D "$root" $extraFlags \
- $EXTRABINDS \
+ $EXTRABINDS \
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
@@ -365,14 +388,11 @@ in
 AUTO_START=1
 ''}

- EXTRABINDS="${mkBindFlags cfg.extraBinds}"
+ EXTRABINDS="${mkBindFlags cfg.bindMounts}"

 '';
 }) config.containers;

- #"${concatMapStrings (d: " --bind-ro=${d}") cfg.extraBindsRO + concatMapStrings (d: " --bind=${d}") cfg.extraBindsRW}"
-
-
 # Generate /etc/hosts entries for the containers.
 networking.extraHosts = concatStrings (mapAttrsToList (name: cfg: optionalString (cfg.localAddress != null)
 ''
-- 
cgit 1.4.1
From ae2279bcdb93cbe382832c1e0319be8b614ae63f Mon Sep 17 00:00:00 2001
From: Ian-Woo Kim
Date: Tue, 26 May 2015 13:41:31 +0000
Subject: nixos-containers: bindMounts: change default to readOnly. use EXTRA_NSPAWN_FLAGS
---
 nixos/modules/virtualisation/containers.nix | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 86c17503fbcd..217ef62a1f62 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -47,7 +47,7 @@ let
 mountPoint = mkOption {
 example = "/mnt/usb";
 type = types.str;
- description = "Location of the mounted in the container file systems";
+ description = "Mount point on the container file system";
 };
 hostPath = mkOption {
 default = null;
@@ -56,7 +56,7 @@ let
 description = "Location of the host path to be mounted";
 };
 isReadOnly = mkOption {
- default = false;
+ default = true;
 example = true;
 type = types.bool;
 description = "Determine whether the mounted path will be accessed in read-only mode";
@@ -288,7 +288,7 @@ in
 exec ${config.systemd.package}/bin/systemd-nspawn \
 --keep-unit \
 -M "$INSTANCE" -D "$root" $extraFlags \
- $EXTRABINDS \
+ $EXTRA_NSPAWN_FLAGS \
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
@@ -384,12 +384,10 @@ in
 LOCAL_ADDRESS=${cfg.localAddress}
 ''}
 ''}
- ${optionalString cfg.autoStart ''
- AUTO_START=1
- ''}
-
- EXTRABINDS="${mkBindFlags cfg.bindMounts}"
-
+ ${optionalString cfg.autoStart ''
+ AUTO_START=1
+ ''}
+ EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts}"
 '';
 }) config.containers;

-- 
cgit 1.4.1
From c6b031d32bae47f497050f5586ecd3f5ed3740b6 Mon Sep 17 00:00:00 2001
From: Ian-Woo Kim
Date: Mon, 28 Sep 2015 05:48:16 +0000
Subject: minor changes
---
 nixos/modules/virtualisation/containers.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 217ef62a1f62..6012499b0683 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -47,19 +47,19 @@ let
 mountPoint = mkOption {
 example = "/mnt/usb";
 type = types.str;
- description = "Mount point on the container file system";
+ description = "Mount point on the container file system.";
 };
 hostPath = mkOption {
 default = null;
 example = "/home/alice";
- type = types.uniq (types.nullOr types.string);
- description = "Location of the host path to be mounted";
+ type = types.nullOr types.str;
+ description = "Location of the host path to be mounted.";
 };
 isReadOnly = mkOption {
 default = true;
 example = true;
 type = types.bool;
- description = "Determine whether the mounted path will be accessed in read-only mode";
+ description = "Determine whether the mounted path will be accessed in read-only mode.";
 };
 };

-- 
cgit 1.4.1
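Review bot: `EXTRA_NSPAWN_FLAGS` now carries a generic name but the added assignment only ever holds the output of `mkBindFlags cfg.bindMounts`, so a reader of the generated conf file may take it for a free-form hook; a comment on the line above, `# systemd-nspawn bind-mount flags generated from the bindMounts option; not meant to be edited by hand`, would settle that. The three `${optionalString cfg.autoStart ''` lines are removed and re-added with different indentation only, which mixes whitespace churn into a functional rename. The variable is still expanded unquoted by the `exec` line in the previous hunk, so a `mountPoint` or `hostPath` containing whitespace or glob characters is still split or expanded by the shell before systemd-nspawn sees it.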