From 3624bb536244ea99f9f9a6d18ff00bbe4a5204af Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Fri, 5 Oct 2018 15:42:15 +0200 Subject: nixos-container: Force container to talk to host nix-daemon When logging into a container by using nixos-container root-login all nix-related commands in the container would fail, as they tried to modify the nix db and nix store, which are mounted read-only in the container. We want nixos-container to not try to modify the nix store at all, but instead delegate any build commands to the nix daemon of the host operating system. This already works for non-root users inside a nixos-container, as it doesn't 'own' the nix-store, and thus defaults to talking to the daemon socket at /nix/var/nix/daemon-socket/, which is bind-mounted to the host daemon-socket, causing all nix commands to be delegated to the host. However, when we are the root user inside the container, we have the same uid as the nix store owner, eventhough it's not actually the same root user (due to user namespaces). Nix gets confused, and is convinced it's running in single-user mode, and tries to modify the nix store directly instead. By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix to operate in multi-user mode, so that it will talk to the host daemon instead, which will modify the nix store for the container. This fixes #40355 --- nixos/modules/virtualisation/container-config.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'nixos') diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix index 5e368acd6d8b..561db7cabcfb 100644 --- a/nixos/modules/virtualisation/container-config.nix +++ b/nixos/modules/virtualisation/container-config.nix 
@@ -22,6 +22,13 @@ with lib; # Not supported in systemd-nspawn containers. security.audit.enable = false; + # Make sure that root user in container will talk to host nix-daemon + environment.etc."profile".text = '' + export NIX_REMOTE=daemon + ''; + + + }; } -- cgit 1.4.1 From bb31835b1d2d1933a6c1d2cb196491ba1efa9233 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Fri, 5 Oct 2018 15:48:41 +0200 Subject: Revert "Revert "Revert "doc: Update section about imperative containers""" nixos-container can now execute nix commands again inside the container This reverts commit 9622cd3b38ddbc7faa4cac2a48dbd70bd99570d0. --- .../manual/administration/imperative-containers.xml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'nixos') diff --git a/nixos/doc/manual/administration/imperative-containers.xml b/nixos/doc/manual/administration/imperative-containers.xml index fa380477f6cb..9bb62bc2ece9 100644 --- a/nixos/doc/manual/administration/imperative-containers.xml +++ b/nixos/doc/manual/administration/imperative-containers.xml @@ -73,7 +73,8 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux - To change the configuration of the container, you can edit + There are several ways to change the configuration of the container. First, + on the host, you can edit /var/lib/container/name/etc/nixos/configuration.nix, and run @@ -86,7 +87,8 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux = true; = "foo@example.org"; = [ 80 ]; - ' +' + # curl http://$(nixos-container show-ip foo)/ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">… 
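Review bot: `environment.etc."profile".text` only reaches sessions that source /etc/profile (bash/sh login shells, which is presumably what `nixos-container run` and `root-login` use, given the commit message and the regression test), so non-login shells, other shells and systemd units inside the container that invoke nix still hit the single-user misdetection the commit message describes. The NixOS option `environment.variables.NIX_REMOTE = "daemon";` states the same intent at the module level and, as far as I recall, is propagated to /etc/profile via /etc/set-environment as well as to the other shell integrations, so it would cover those cases too. If the /etc/profile definition stays, note that `text` appears to be a `lines`-typed option, so this definition is concatenated with the bash module's rather than conflicting, but at an unspecified position in the file; that, and the actual reason, belongs in the comment, e.g. `# Root in the container shares uid 0 with the store owner (user namespaces), so nix assumes single-user mode; force it to the host daemon (#40355).`. The three empty `+` lines before `};` are stray whitespace. The enclosing attribute set starts outside the hunk.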
@@ -95,13 +97,11 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux - Note that in previous versions of NixOS (17.09 and earlier) one could also - use all nix-related commands (like nixos-rebuild switch) - from inside the container. However, since the release of Nix 2.0 this is not - supported anymore. Supporting Nix commands inside the container might be - possible again in future versions. See - the github - issue for tracking progress on this issue. + Alternatively, you can change the configuration from within the container + itself by running nixos-rebuild switch inside the + container. Note that the container by default does not have a copy of the + NixOS channel, so you should run nix-channel --update + first. -- cgit 1.4.1 From 0668906e8470bb1bfa03a47cbedec5050a16a905 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Fri, 5 Oct 2018 16:13:42 +0200 Subject: nixos/containers: Add regression test for #40355 --- nixos/tests/containers-imperative.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'nixos') diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 6f86819f4e88..782095a09dad 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -86,6 +86,9 @@ import ./make-test.nix ({ pkgs, ...} : { # Execute commands via the root shell. $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die; + # Execute a nix command via the root shell. (regression test for #40355) + $machine->succeed("nixos-container run $id1 -- nix-instantiate -E 'derivation { name = \"empty\"; builder = \"false\"; system = \"false\"; }'"); + # Stop and start (regression test for #4989) $machine->succeed("nixos-container stop $id1"); $machine->succeed("nixos-container start $id1"); -- cgit 1.4.1
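Review bot: The added `succeed` call discards nix-instantiate's output, while the `uname` line just above it checks the result with `=~ /Linux/ or die`; mirroring that with `=~ m{/nix/store/\S+\.drv} or die;` would pin that a derivation path actually came back rather than only a zero exit status, and stays robust if stderr happens to be merged into the captured output. Since the container's store is bind-mounted read-only, a success here presumably implies the call was routed through the host nix-daemon, which is the property #40355 is about, so the comment could say so: `# Must go through the host nix-daemon: the store is read-only in here (regression test for #40355)`. The test exercises only `nixos-container run`, not the `root-login` path named in the commit message, which is interactive and probably not worth scripting here. The enclosing test script starts and ends outside the hunk.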