movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/lxc-container: use lxc systemd generator

Browse source
This commit is contained in:
Adam Stephens 2023-10-27 12:58:50 -04:00
parent e14da5c1b8
commit 2cd9619801
No known key found for this signature in database
3 changed files with 43 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

52
nixos/modules/virtualisation/lxc-container.nix
View file

@ -1,26 +1,14 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let {
cfg = config.virtualisation.lxc;
in {
imports = [ imports = [
./lxc-instance-common.nix ./lxc-instance-common.nix
(lib.mkRemovedOptionModule [ "virtualisation" "lxc" "nestedContainer" ] "")
(lib.mkRemovedOptionModule [ "virtualisation" "lxc" "privilegedContainer" ] "")
]; ];
options = { options = { };
virtualisation.lxc = {
nestedContainer = lib.mkEnableOption (lib.mdDoc ''
Whether this container is configured as a nested container. On LXD containers this is recommended
for all containers and is enabled with `security.nesting = true`.
'');
privilegedContainer = lib.mkEnableOption (lib.mdDoc ''
Whether this LXC container will be running as a privileged container or not. If set to `true` then
additional configuration will be applied to the `systemd` instance running within the container as
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
'');
};
};
config = { config = {
boot.isContainer = true; boot.isContainer = true;
@ -85,34 +73,10 @@ in {
${pkgs.coreutils}/bin/ln -fs "$1/init" /sbin/init ${pkgs.coreutils}/bin/ln -fs "$1/init" /sbin/init
''; '';
systemd.additionalUpstreamSystemUnits = lib.mkIf cfg.nestedContainer ["systemd-udev-trigger.service"]; # networkd depends on this, but systemd module disables this for containers
systemd.additionalUpstreamSystemUnits = ["systemd-udev-trigger.service"];
# Add the overrides from lxd distrobuilder systemd.packages = [ pkgs.distrobuilder.generator ];
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
systemd.packages = [
(pkgs.writeTextFile {
name = "systemd-lxc-service-overrides";
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
text = ''
[Service]
ProcSubset=all
ProtectProc=default
ProtectControlGroups=no
ProtectKernelTunables=no
NoNewPrivileges=no
LoadCredential=
'' + lib.optionalString cfg.privilegedContainer ''
# Additional settings for privileged containers
ProtectHome=no
ProtectSystem=no
PrivateDevices=no
PrivateTmp=no
ProtectKernelLogs=no
ProtectKernelModules=no
ReadWritePaths=
'';
})
];
system.activationScripts.installInitScript = lib.mkForce '' system.activationScripts.installInitScript = lib.mkForce ''
ln -fs $systemConfig/init /sbin/init ln -fs $systemConfig/init /sbin/init

28
nixos/tests/incus/container.nix
View file

@ -73,5 +73,33 @@ in
meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip() meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip()
meminfo_bytes = " ".join(meminfo.split(' ')[-2:]) meminfo_bytes = " ".join(meminfo.split(' ')[-2:])
assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'" assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'"
with subtest("lxc-container generator configures plain container"):
machine.execute("incus delete --force container")
machine.succeed("incus launch nixos container")
with machine.nested("Waiting for instance to start and be usable"):
retry(instance_is_up)
machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
with subtest("lxc-container generator configures nested container"):
machine.execute("incus delete --force container")
machine.succeed("incus launch nixos container --config security.nesting=true")
with machine.nested("Waiting for instance to start and be usable"):
retry(instance_is_up)
machine.fail("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()
assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"
with subtest("lxc-container generator configures privileged container"):
machine.execute("incus delete --force container")
machine.succeed("incus launch nixos container --config security.privileged=true")
with machine.nested("Waiting for instance to start and be usable"):
retry(instance_is_up)
# give generator an extra second to run
machine.sleep(1)
machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
''; '';
}) })

8
pkgs/tools/virtualization/distrobuilder/default.nix
View file

@ -9,6 +9,7 @@
, squashfsTools , squashfsTools
, debootstrap , debootstrap
, callPackage , callPackage
, nixosTests
}: }:
let let
@ -36,7 +37,6 @@ buildGoModule rec {
buildInputs = bins; buildInputs = bins;
passthru.generator = callPackage ./generator.nix { inherit src version; };
# tests require a local keyserver (mkg20001/nixpkgs branch distrobuilder-with-tests) but gpg is currently broken in tests # tests require a local keyserver (mkg20001/nixpkgs branch distrobuilder-with-tests) but gpg is currently broken in tests
doCheck = false; doCheck = false;
@ -50,6 +50,12 @@ buildGoModule rec {
wrapProgram $out/bin/distrobuilder --prefix PATH ":" ${lib.makeBinPath bins} wrapProgram $out/bin/distrobuilder --prefix PATH ":" ${lib.makeBinPath bins}
''; '';
passthru = {
tests.incus = nixosTests.incus.container;
generator = callPackage ./generator.nix { inherit src version; };
};
meta = with lib; { meta = with lib; {
description = "System container image builder for LXC and LXD"; description = "System container image builder for LXC and LXD";
homepage = "https://github.com/lxc/distrobuilder"; homepage = "https://github.com/lxc/distrobuilder";