forked from mirrors/nixpkgs
32 lines
1.5 KiB
XML
32 lines
1.5 KiB
XML
|
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xml:id="ch-containers">
|
||
|
<title>Container Management</title>
|
||
|
<para>
|
||
|
NixOS allows you to easily run other NixOS instances as
|
||
|
<emphasis>containers</emphasis>. Containers are a light-weight
|
||
|
approach to virtualisation that runs software in the container at
|
||
|
the same speed as in the host system. NixOS containers share the Nix
|
||
|
store of the host, making container creation very efficient.
|
||
|
</para>
|
||
|
<warning>
|
||
|
<para>
|
||
|
Currently, NixOS containers are not perfectly isolated from the
|
||
|
host system. This means that a user with root access to the
|
||
|
container can do things that affect the host. So you should not
|
||
|
give container root access to untrusted users.
|
||
|
</para>
|
||
|
</warning>
|
||
|
<para>
|
||
|
NixOS containers can be created in two ways: imperatively, using the
|
||
|
command <literal>nixos-container</literal>, and declaratively, by
|
||
|
specifying them in your <literal>configuration.nix</literal>. The
|
||
|
declarative approach implies that containers get upgraded along with
|
||
|
your host system when you run <literal>nixos-rebuild</literal>,
|
||
|
which is often not what you want. By contrast, in the imperative
|
||
|
approach, containers are configured and updated independently from
|
||
|
the host system.
|
||
|
</para>
|
||
|
<xi:include href="imperative-containers.section.xml" />
|
||
|
<xi:include href="declarative-containers.section.xml" />
|
||
|
<xi:include href="container-networking.section.xml" />
|
||
|
</chapter>
|