movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-25 18:46:32 +03:00
Code Activity

Merge recent master into staging

Browse source 
Hydra: ?compare=1148749

Conflicts (easy):
	nixos/modules/virtualisation/containers.nix
This commit is contained in:
Vladimír Čunát 2014-08-21 15:09:31 +02:00
commit d4e9fd2a90
215 changed files with 3425 additions and 1642 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/config/users-groups.nix
View file

@ -346,7 +346,7 @@ in {
uid = ids.uids.root;
description = "System administrator";
home = "/root";
shell = cfg.defaultUserShell;
shell = mkDefault cfg.defaultUserShell;
group = "root";
extraGroups = [ "grsecurity" ];
hashedPassword = mkDefault config.security.initialRootPassword;

2
nixos/modules/installer/tools/nixos-install.sh
View file

@ -81,7 +81,7 @@ mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
rm -rf $mountPoint/var/run
ln -s /run $mountPoint/var/run
rm -f $mountPoint/etc/{resolv.conf,hosts}
cp -f /etc/resolv.conf /etc/hosts $mountPoint/etc/
cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
if [ -n "$runChroot" ]; then

2
nixos/modules/system/boot/systemd.nix
View file

@ -744,7 +744,7 @@ in
# Make all journals readable to users in the wheel and adm
# groups, in addition to those in the systemd-journal group.
# Users can always read their own journals.
${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal
${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal || true
'';
# Target for charon send-keys to hook into.

48
nixos/modules/virtualisation/containers.nix
View file

@ -32,7 +32,10 @@ let
fi
fi
exec "$1"
# Start the regular stage 1 script, passing the bind-mounted
# notification socket from the host to allow the container
# systemd to signal readiness to the host systemd.
NOTIFY_SOCKET=/var/lib/private/host-notify exec "$1"
'';
system = config.nixpkgs.system;
@ -175,17 +178,16 @@ in
ip link del dev "ve-$INSTANCE" 2> /dev/null || true
fi
mkdir -p -m 0755 $root/var/lib
# Create a named pipe to get a signal when the container
# has finished booting.
rm -f $root/var/lib/startup-done
mkfifo -m 0600 $root/var/lib/startup-done
if [ "$PRIVATE_NETWORK" = 1 ]; then
ip link del dev "ve-$INSTANCE" 2> /dev/null || true
fi
'';
script =
''
mkdir -p -m 0755 "$root/etc" "$root/var/lib"
mkdir -p -m 0700 "$root/var/lib/private"
if ! [ -e "$root/etc/os-release" ]; then
touch "$root/etc/os-release"
fi
@ -194,6 +196,8 @@ in
"/nix/var/nix/profiles/per-container/$INSTANCE" \
"/nix/var/nix/gcroots/per-container/$INSTANCE"
cp -f /etc/resolv.conf "$root/etc/resolv.conf"
if [ "$PRIVATE_NETWORK" = 1 ]; then
extraFlags+=" --network-veth"
fi
@ -210,13 +214,16 @@ in
fi
''}
EXIT_ON_REBOOT=1 \
# Run systemd-nspawn without startup notification (we'll
# wait for the container systemd to signal readiness).
EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \
exec ${config.systemd.package}/bin/systemd-nspawn \
--keep-unit \
-M "$INSTANCE" -D "$root" $extraFlags \
--bind-ro=/nix/store \
--bind-ro=/nix/var/nix/db \
--bind-ro=/nix/var/nix/daemon-socket \
--bind=/run/systemd/notify:/var/lib/private/host-notify \
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
--setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
@ -269,6 +276,8 @@ in
Type = "notify";
NotifyAccess = "all";
# Note that on reboot, systemd-nspawn returns 10, so this
# unit will be restarted. On poweroff, it returns 0, so the
# unit won't be restarted.
@ -315,5 +324,30 @@ in
environment.systemPackages = [ nixos-container ];
# Start containers at boot time.
systemd.services.all-containers =
{ description = "All Containers";
wantedBy = [ "multi-user.target" ];
unitConfig.ConditionDirectoryNotEmpty = "/etc/containers";
serviceConfig.Type = "oneshot";
script =
''
res=0
shopt -s nullglob
for i in /etc/containers/*.conf; do
AUTO_START=
source "$i"
if [ "$AUTO_START" = 1 ]; then
systemctl start "container@$(basename "$i" .conf).service" || res=1
fi
done
exit $res
''; # */
};
};
}

52
nixos/modules/virtualisation/nixos-container.pl
View file

@ -17,25 +17,31 @@ umask 0022;
sub showHelp {
print <<EOF;
Usage: nixos-container list
nixos-container create <container-name> [--config <string>] [--ensure-unique-name]
nixos-container create <container-name> [--system-path <path>] [--config <string>] [--ensure-unique-name] [--auto-start]
nixos-container destroy <container-name>
nixos-container start <container-name>
nixos-container stop <container-name>
nixos-container status <container-name>
nixos-container login <container-name>
nixos-container root-login <container-name>
nixos-container run <container-name> -- args...
nixos-container set-root-password <container-name> <password>
nixos-container show-ip <container-name>
nixos-container show-host-key <container-name>
EOF
exit 0;
}
my $systemPath;
my $ensureUniqueName = 0;
my $autoStart = 0;
my $extraConfig;
GetOptions(
"help" => sub { showHelp() },
"ensure-unique-name" => \$ensureUniqueName,
"auto-start" => \$autoStart,
"system-path=s" => \$systemPath,
"config=s" => \$extraConfig
) or exit 1;
@ -122,17 +128,13 @@ if ($action eq "create") {
push @conf, "PRIVATE_NETWORK=1\n";
push @conf, "HOST_ADDRESS=$hostAddress\n";
push @conf, "LOCAL_ADDRESS=$localAddress\n";
push @conf, "AUTO_START=$autoStart\n";
write_file($confFile, \@conf);
close($lock);
print STDERR "host IP is $hostAddress, container IP is $localAddress\n";
mkpath("$root/etc/nixos", 0, 0755);
my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
writeNixOSConfig $nixosConfigFile;
# The per-container directory is restricted to prevent users on
# the host from messing with guest users who happen to have the
# same uid.
@ -141,10 +143,21 @@ if ($action eq "create") {
$profileDir = "$profileDir/$containerName";
mkpath($profileDir, 0, 0755);
system("nix-env", "-p", "$profileDir/system",
"-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>",
"--set", "-A", "system") == 0
or die "$0: failed to build initial container configuration\n";
# Build/set the initial configuration.
if (defined $systemPath) {
system("nix-env", "-p", "$profileDir/system", "--set", $systemPath) == 0
or die "$0: failed to set initial container configuration\n";
} else {
mkpath("$root/etc/nixos", 0, 0755);
my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
writeNixOSConfig $nixosConfigFile;
system("nix-env", "-p", "$profileDir/system",
"-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>",
"--set", "-A", "system") == 0
or die "$0: failed to build initial container configuration\n";
}
print "$containerName\n" if $ensureUniqueName;
exit 0;
@ -154,7 +167,14 @@ my $root = "/var/lib/containers/$containerName";
my $profileDir = "/nix/var/nix/profiles/per-container/$containerName";
my $gcRootsDir = "/nix/var/nix/gcroots/per-container/$containerName";
my $confFile = "/etc/containers/$containerName.conf";
die "$0: container $containerName does not exist\n" if !-e $confFile;
if (!-e $confFile) {
if ($action eq "destroy") {
exit 0;
} elsif ($action eq "status") {
print "gone\n";
}
die "$0: container $containerName does not exist\n" ;
}
sub isContainerRunning {
my $status = `systemctl show 'container\@$containerName'`;
@ -187,6 +207,10 @@ elsif ($action eq "stop") {
stopContainer;
}
elsif ($action eq "status") {
print isContainerRunning() ? "up" : "down", "\n";
}
elsif ($action eq "update") {
my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
@ -241,6 +265,12 @@ elsif ($action eq "show-ip") {
print "$1\n";
}
elsif ($action eq "show-host-key") {
my $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub";
exit 1 if ! -f $fn;
print read_file($fn);
}
else {
die "$0: unknown action $action\n";
}