movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 19:55:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos-container: add support for --private-users (#362210)

Browse source
This commit is contained in:
Sandro 2025-02-18 00:09:56 +01:00 committed by GitHub
commit 86f9eeb816
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 46 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

50
nixos/modules/virtualisation/nixos-containers.nix
View file

@ -115,6 +115,16 @@ let
extraFlags+=("--private-network")
fi
NIX_BIND_OPT=""
if [ -n "$PRIVATE_USERS" ]; then
extraFlags+=("--private-users=$PRIVATE_USERS")
if [ "$PRIVATE_USERS" = "pick" ] || ( [ "$PRIVATE_USERS" != "identity" ] && [ "$PRIVATE_USERS" -gt 0 ] ); then
# when user namespacing is enabled, we use `idmap` mount option
# so that bind mounts under /nix get proper owner (and not nobody/nogroup).
NIX_BIND_OPT=":idmap"
fi
fi
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
[ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
extraFlags+=("--network-veth")
@ -171,13 +181,14 @@ let
$EXTRA_NSPAWN_FLAGS \
--notify-ready=yes \
--kill-signal=SIGRTMIN+3 \
--bind-ro=/nix/store \
--bind-ro=/nix/var/nix/db \
--bind-ro=/nix/var/nix/daemon-socket \
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
--bind-ro=/nix/store:/nix/store$NIX_BIND_OPT \
--bind-ro=/nix/var/nix/db:/nix/var/nix/db$NIX_BIND_OPT \
--bind-ro=/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket$NIX_BIND_OPT \
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles$NIX_BIND_OPT" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots$NIX_BIND_OPT" \
${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
--setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
--setenv PRIVATE_USERS="$PRIVATE_USERS" \
--setenv HOST_BRIDGE="$HOST_BRIDGE" \
--setenv HOST_ADDRESS="$HOST_ADDRESS" \
--setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \
@ -650,6 +661,27 @@ in
'';
};
privateUsers = mkOption {
type = types.either types.ints.u32 (types.enum [ "no" "identity" "pick" ]);
default = "no";
description = ''
Whether to give the container its own private UIDs/GIDs space (user namespacing).
Disabled by default (`no`).
If set to a number (usually above host's UID/GID range: 65536),
user namespacing is enabled and the container UID/GIDs will start at that number.
If set to `identity`, mostly equivalent to `0`, this will only provide
process capability isolation (no UID/GID isolation, as they are the same as host).
If set to `pick`, user namespacing is enabled and the UID/GID range is automatically chosen,
so that no overlapping UID/GID ranges are assigned to multiple containers.
This is the recommanded option as it enhances container security massively and operates fully automatically in most cases.
See https://www.freedesktop.org/software/systemd/man/latest/systemd-nspawn.html#--private-users= for details.
'';
};
interfaces = mkOption {
type = types.listOf types.str;
default = [];
@ -862,6 +894,13 @@ in
additionalCapabilities = cfg.additionalCapabilities
++ [ "CAP_NET_ADMIN" ];
}
) // (
optionalAttrs (!cfg.enableTun && cfg.privateNetwork
&& (cfg.privateUsers == "pick" || (builtins.isInt cfg.privateUsers && cfg.privateUsers > 0 )))
{
allowedDevices = cfg.allowedDevices
++ [ { node = "/dev/net/tun"; modifier = "rwm"; } ];
}
);
in
recursiveUpdate unit {
@ -923,6 +962,7 @@ in
${optionalString (cfg.networkNamespace != null) ''
NETWORK_NAMESPACE_PATH=${cfg.networkNamespace}
''}
PRIVATE_USERS=${toString cfg.privateUsers}
INTERFACES="${toString cfg.interfaces}"
MACVLANS="${toString cfg.macvlans}"
${optionalString cfg.autoStart ''