9f72791516
* Lets container@.service be activated by machines.target instead of multi-user.target. According to the systemd manpages, all containers that are registered by machinectl should be inside machines.target, for easy stopping and starting of container units altogether. * Make sure container@.service and container.slice instances are actually located in machine.slice. https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX See original commit: https://github.com/NixOS/systemd/commit/45d383a3b8 * Enable Cgroup delegation for nixos-containers. Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers. This is equivalent to enabling all accounting options on the systemd process inside the system container. This means that systemd inside the container is responsible for managing Cgroup resources for unit files that enable accounting options inside. Without this option, units that make use of cgroup features within system containers might misbehave. See original commit: https://github.com/NixOS/systemd/commit/a931ad47a8 From the manpage: Turns on delegation of further resource control partitioning to processes of the unit. Units where this is enabled may create and manage their own private subhierarchy of control groups below the control group of the unit itself. For unprivileged services (i.e. those using the User= setting) the unit's control group will be made accessible to the relevant user. When enabled the service manager will refrain from manipulating control groups or moving processes below the unit's control group, so that a clear concept of ownership is established: the control group tree above the unit's control group (i.e. towards the root control group) is owned and managed by the service manager of the host, while the control group tree below the unit's control group is owned and managed by the unit itself.
Takes either a boolean argument or a list of control group controller names. If true, delegation is turned on, and all supported controllers are enabled for the unit, making them available to the unit's processes for management. If false, delegation is turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation is turned on, and the specified controllers are enabled for the unit. Note that additional controllers than the ones specified might be made available as well, depending on configuration of the containing slice unit or other units contained in it. Note that assigning the empty string will enable delegation, but reset the list of controllers, all assignments prior to this will have no effect. Defaults to false. Note that controller delegation to less privileged code is only safe on the unified control group hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on the legacy hierarchy, even when requested. The following controller names may be specified: cpu, cpuacct, io, blkio, memory, devices, pids. Not all of these controllers are available on all kernels however, and some are specific to the unified hierarchy while others are specific to the legacy hierarchy. Also note that the kernel might support further controllers, which aren't covered here yet as delegation is either not supported at all for them or not defined cleanly.
{ config, lib , pkgs, ...}:
with lib;
with import ./systemd-unit-options.nix { inherit config lib; };
with import ./systemd-lib.nix { inherit config lib pkgs; };
let
# All systemd.nspawn.<name> instance definitions declared in the configuration;
# the module below is a no-op when this attrset is empty.
cfg = config.systemd.nspawn;
# Validator for the [Exec] section of a .nspawn file.
# Only the key names below are accepted; of their values, only the three
# boolean keys are checked. Everything else (Capability=, DropCapability=,
# User=, Parameters=, ...) is written through to the unit file as given.
checkExec = checkUnitConfig "Exec" ([
  (assertOnlyFields [
    "Boot" "ProcessTwo" "Parameters" "Environment" "User" "WorkingDirectory"
    "Capability" "DropCapability" "KillSignal" "Personality" "MachineId"
    "PrivateUsers" "NotifyReady"
  ])
] ++ map (key: assertValueOneOf key boolValues) [ "Boot" "ProcessTwo" "NotifyReady" ]);
# Validator for the [Files] section of a .nspawn file.
# Key names are restricted to the list below; Bind=/BindReadOnly= paths and
# TemporaryFileSystems= entries are not inspected beyond the key name.
checkFiles =
  let
    boolean = key: assertValueOneOf key boolValues;
  in checkUnitConfig "Files" [
    (assertOnlyFields [
      "ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystems"
      "PrivateUsersChown"
    ])
    (boolean "ReadOnly")
    # Volatile= accepts the boolean spellings plus the "state" mode.
    (assertValueOneOf "Volatile" (boolValues ++ [ "state" ]))
    (boolean "PrivateUsersChown")
  ];
# Validator for the [Network] section of a .nspawn file.
# Only key names are restricted; Interface=, Bridge=, Zone= and Port=
# values are passed through unchecked. Private= and VirtualEthernet=
# must be boolean.
checkNetwork = checkUnitConfig "Network" ([
  (assertOnlyFields [
    "Private" "VirtualEthernet" "VirtualEthernetExtra" "Interface" "MACVLAN"
    "IPVLAN" "Bridge" "Zone" "Port"
  ])
] ++ map (key: assertValueOneOf key boolValues) [ "Private" "VirtualEthernet" ]);
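# Submodule describing one systemd.nspawn.<name> instance.
# The three per-section options differ only in section name, validator and
# example, so they are produced by a single helper instead of three copies.
instanceOptions = {
  options =
    let
      # Build the option for one .nspawn section.
      #   section: name written between the brackets, e.g. "Exec"
      #   check:   the check* validator applied to the attrset
      #   example: value shown in the generated documentation
      # Keys are free-form unit options; only `check` constrains them.
      sectionOption = section: check: example: mkOption {
        default = {};
        inherit example;
        type = types.addCheck (types.attrsOf unitOption) check;
        description = ''
          Each attribute in this set specifies an option in the
          <literal>[${section}]</literal> section of this unit. See
          <citerefentry><refentrytitle>systemd.nspawn</refentrytitle>
          <manvolnum>5</manvolnum></citerefentry> for details.
        '';
      };
    in sharedOptions // {
      execConfig    = sectionOption "Exec"    checkExec    { Parameters = "/bin/sh"; };
      filesConfig   = sectionOption "Files"   checkFiles   { Bind = [ "/home/alice" ]; };
      networkConfig = sectionOption "Network" checkNetwork { Private = false; };
    };
};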
# Turn one instance definition into a unit attrset carrying the rendered
# .nspawn file text plus the `unit` derivation produced by makeUnit.
#   name: file name of the unit (e.g. "foo.nspawn")
#   def:  the evaluated instanceOptions submodule config
# `def` is merged last, so any attribute it carries wins over `text`.
instanceToUnit = name: def:
  let
    # Render "[Section]" followed by the key=value lines of `attrs`.
    renderSection = header: attrs: "[${header}]\n${attrsToSection attrs}\n";
    base = {
      # Sections in fixed order, separated by one blank line.
      text = concatStringsSep "\n" [
        (renderSection "Exec" def.execConfig)
        (renderSection "Files" def.filesConfig)
        (renderSection "Network" def.networkConfig)
      ];
    } // def;
  in base // { unit = makeUnit name base; };
in {
options = {
  # One instance per attribute name; each is rendered to <name>.nspawn.
  systemd.nspawn = mkOption {
    default = {};
    description = "Definition of systemd-nspawn configurations.";
    type = types.attrsOf (types.submodule instanceOptions);
  };
};
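config =
  let
    # Re-key every instance by its on-disk file name so the generated
    # tree under /etc/systemd/nspawn contains <name>.nspawn.
    units = mapAttrs' (n: v:
      let nspawnFile = "${n}.nspawn";
      in nameValuePair nspawnFile (instanceToUnit nspawnFile v)) cfg;
  in mkIf (cfg != {}) {

    environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] [];

    # Pull machines.target into the default boot target so registered
    # containers start with the system and can be stopped as a group.
    # The previous value "machines.target " carried a trailing space and
    # therefore named a unit other than machines.target.
    systemd.targets."multi-user".wants = [ "machines.target" ];
  };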
}