nixos-container: Add ‘run’ and ‘root-login’ commands

And remove ‘root-shell’.

nixos/modules/virtualisation/container-config.nix

@@ -30,29 +30,60 @@ with lib;
           };
       };
 
-    # Provide a non-interactive login root shell on
+    # Also provide a root login prompt on /var/lib/root-login.socket
-    # /var/lib/root-shell.socket.  On the host, you can connect to it
+    # that doesn't ask for a password. This socket can only be used by
-    # by running ‘socat unix:<path-to-container>/var/lib/root-shell.socket -’.
+    # root on the host.
-    systemd.sockets.root-shell =
+    systemd.sockets.root-login =
-      { description = "Root Shell Socket";
+      { description = "Root Login Socket";
         wantedBy = [ "sockets.target" ];
         socketConfig =
-          { ListenStream = "/var/lib/root-shell.socket";
+          { ListenStream = "/var/lib/root-login.socket";
-            SocketMode = "0600"; # only root can connect, obviously
+            SocketMode = "0600";
             Accept = true;
           };
       };
 
-    systemd.services."root-shell@" =
+    systemd.services."root-login@" =
-      { description = "Root Shell %i";
+      { description = "Root Login %i";
+        environment.TERM = "linux";
         serviceConfig =
           { Type = "simple";
             StandardInput = "socket";
-            ExecStart = "${pkgs.bash}/bin/bash --login";
+            ExecStart = "${pkgs.socat}/bin/socat -t0 - \"exec:${pkgs.shadow}/bin/login -f root,pty,setsid,setpgid,stderr,ctty\"";
             TimeoutStopSec = 1; # FIXME
           };
       };
 
+    # Provide a daemon on /var/lib/run-command.socket that reads a
+    # command from stdin and executes it.
+    systemd.sockets.run-command =
+      { description = "Run Command Socket";
+        wantedBy = [ "sockets.target" ];
+        socketConfig =
+          { ListenStream = "/var/lib/run-command.socket";
+            SocketMode = "0600";  # only root can connect
+            Accept = true;
+          };
+      };
+
+    systemd.services."run-command@" =
+      { description = "Run Command %i";
+        environment.TERM = "linux";
+        serviceConfig =
+          { Type = "simple";
+            StandardInput = "socket";
+            TimeoutStopSec = 1; # FIXME
+          };
+        script =
+          ''
+            #! ${pkgs.stdenv.shell} -e
+            source /etc/bashrc
+            read c
+            eval "command=($c)"
+            exec "''${command[@]}"
+          '';
+      };
+
     systemd.services.container-startup-done =
       { description = "Container Startup Notification";
         wantedBy = [ "multi-user.target" ];

nixos/modules/virtualisation/containers.nix

@@ -256,7 +256,7 @@ in
               . "/etc/containers/$INSTANCE.conf"
             fi
             echo $SYSTEM_PATH/bin/switch-to-configuration test | \
-              ${pkgs.socat}/bin/socat unix:$root/var/lib/root-shell.socket -
+              ${pkgs.socat}/bin/socat unix:$root/var/lib/run-command.socket -
           '';
 
         serviceConfig.SyslogIdentifier = "container %i";

nixos/modules/virtualisation/nixos-container.pl

@@ -19,7 +19,8 @@ Usage: nixos-container list
        nixos-container start <container-name>
        nixos-container stop <container-name>
        nixos-container login <container-name>
-       nixos-container root-shell <container-name>
+       nixos-container root-login <container-name>
+       nixos-container run <container-name> -- args...
        nixos-container set-root-password <container-name> <password>
        nixos-container show-ip <container-name>
 EOF
@@ -205,14 +206,21 @@ elsif ($action eq "login") {
     exec($socat, "unix:$root/var/lib/login.socket", "-,echo=0,raw");
 }
 
-elsif ($action eq "root-shell") {
+elsif ($action eq "root-login") {
-    exec($socat, "unix:$root/var/lib/root-shell.socket", "-");
+    exec($socat, "unix:$root/var/lib/root-login.socket", "-,echo=0,raw");
+}
+
+elsif ($action eq "run") {
+    shift @ARGV; shift @ARGV;
+    open(SOCAT, "|-", $socat, "unix:$root/var/lib/run-command.socket", "-");
+    print SOCAT join(' ', map { "'$_'" } @ARGV), "\n";
+    close(SOCAT);
 }
 
 elsif ($action eq "set-root-password") {
     # FIXME: don't get password from the command line.
     my $password = $ARGV[2] or die "$0: no password given\n";
-    open(SOCAT, "|-", $socat, "unix:$root/var/lib/root-shell.socket", "-");
+    open(SOCAT, "|-", $socat, "unix:$root/var/lib/run-command.socket", "-");
     print SOCAT "passwd\n";
     print SOCAT "$password\n";
     print SOCAT "$password\n";