From 28853d8954199bc7944797c260d8116a68da2b46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6gler?=
Date: Thu, 22 Aug 2019 07:52:58 +0200
Subject: [PATCH 1/5] container config: better default in case of resolved

Avoid assertion in nixos/modules/system/boot/resolved.nix if service systemd-resolved is enabled.
---
 nixos/modules/virtualisation/container-config.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix
index 604fb8a75932..ca7f126c59f6 100644
--- a/nixos/modules/virtualisation/container-config.nix
+++ b/nixos/modules/virtualisation/container-config.nix
@@ -10,7 +10,7 @@ with lib;
 services.udisks2.enable = mkDefault false;
 powerManagement.enable = mkDefault false;

- networking.useHostResolvConf = mkDefault true;
+ networking.useHostResolvConf = mkDefault (!config.services.resolved.enable);

 # Containers should be light-weight, so start sshd on demand.
 services.openssh.startWhenNeeded = mkDefault true;

From 65792923afe7b48708b59c57c380c0e35cb836af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6gler?=
Date: Thu, 22 Aug 2019 22:45:20 +0200
Subject: [PATCH 2/5] nixos: added machinectl test

---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/nixos-install-simple | 19 ++++++++++++
 nixos/tests/systemd-machinectl.nix | 49 ++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100755 nixos/tests/nixos-install-simple
 create mode 100644 nixos/tests/systemd-machinectl.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 60762de76d33..86aafd02685b 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
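Review bot: The new default `mkDefault (!config.services.resolved.enable)` carries no comment explaining why resolved and the host's resolv.conf are mutually exclusive, so the only record of the reason is the commit message; a one-liner above the assignment keeps it reachable from the module, e.g. `# resolved manages /etc/resolv.conf itself; importing the host's copy would trip the assertion in system/boot/resolved.nix`. When resolved is enabled the container no longer inherits the host's resolvers at all and has to learn DNS servers from its own network setup (DHCP over the ve- link or whatever networkd hands it), which is worth stating in the description of useHostResolvConf if it is not already there — that description is outside this hunk. This also assumes `config` is among the module's arguments, which the hunk does not show.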
@@ -260,6 +260,7 @@ in
 syncthing-relay = handleTest ./syncthing-relay.nix {};
 systemd = handleTest ./systemd.nix {};
 systemd-confinement = handleTest ./systemd-confinement.nix {};
+ systemd-machinectl = handleTest ./systemd-machinectl.nix {};
 systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
 systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
 pdns-recursor = handleTest ./pdns-recursor.nix {};
diff --git a/nixos/tests/nixos-install-simple b/nixos/tests/nixos-install-simple
new file mode 100755
index 000000000000..c6044eeffb15
--- /dev/null
+++ b/nixos/tests/nixos-install-simple
@@ -0,0 +1,19 @@
+#!/bin/sh -eux
+
+mkdir -p "$1"
+
+ROOT="$(readlink -f $1)"
+SYSTEM="$(readlink -f ${2:-./result})"
+
+# create root folders
+mkdir -p "$ROOT/etc" "$ROOT/boot"
+
+# install NixOS
+nix-env --store "$ROOT" \
+ --extra-substituters "auto?trusted=1" \
+ -p "$ROOT/nix/var/nix/profiles/system" --set "$SYSTEM"
+
+# activate NixOS
+touch "$ROOT/etc/NIXOS"
+nixos-enter --root "$ROOT" \
+ -- /run/current-system/bin/switch-to-configuration boot
diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix
new file mode 100644
index 000000000000..f28941bca5ae
--- /dev/null
+++ b/nixos/tests/systemd-machinectl.nix
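Review bot: `ROOT="$(readlink -f $1)"` leaves `$1` unquoted, so a root path containing whitespace or glob characters is split or expanded before readlink sees it, while `mkdir -p "$1"` two lines above quotes the same argument; the fix is `ROOT="$(readlink -f "$1")"`. The script then runs `nix-env --store` and `nixos-enter` against whatever path was given, with nothing stopping `$ROOT` from resolving to `/`, so a mistyped argument would re-profile the host's own store and boot files; a guard such as `test "$ROOT" != / ` before the nix-env call is cheap. The third patch of this series deletes this helper in favour of nixos-install, so these points only matter if it is kept.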
@@ -0,0 +1,49 @@
+import ./make-test.nix (let
+
+ container = { ... }: {
+ boot.isContainer = true;
+
+ # use networkd to obtain systemd network setup
+ networking.useNetworkd = true;
+
+ # systemd-nspawn expects /sbin/init
+ boot.loader.initScript.enable = true;
+
+ imports = [ ../modules/profiles/minimal.nix ];
+ };
+
+ containerSystem = (import ../lib/eval-config.nix {
+ modules = [ container ];
+ }).config.system.build.toplevel;
+
+ containerName = "container";
+
+in {
+ name = "systemd-machinectl";
+
+ machine = { lib, ... }: {
+ # use networkd to obtain systemd network setup
+ networking.useNetworkd = true;
+
+ # open DHCP server on interface to container
+ networking.firewall.trustedInterfaces = [ "ve-+" ];
+
+ # do not try to access cache.nixos.org
+ nix.binaryCaches = lib.mkForce [];
+
+ virtualisation.pathsInNixDB = [ containerSystem ];
+ };
+
+ testScript = ''
+ startAll;
+
+ $machine->waitForUnit("default.target");
+ $machine->succeed("mkdir -p ${containerRoot}");
+ $machine->succeed("${./nixos-install-simple} /var/lib/machines/${containerName} ${containerSystem}");
+
+ $machine->succeed("machinectl start ${containerName}");
+ $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
+ $machine->succeed("ping -n -c 1 ${containerName}");
+ $machine->succeed("machinectl stop ${containerName}");
+ '';
+})

From 930ac600d2b3f18fcfd41c387835332cfb480462 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6gler?=
Date: Fri, 23 Aug 2019 20:53:57 +0200
Subject: [PATCH 3/5] nixos-install: ensure activation script is always called

The activation script is needed to get the missing files in etc/ created. Needed for container manager like systemd-nspawn.
---
 .../modules/installer/tools/nixos-install.sh | 3 ++-
 nixos/tests/nixos-install-simple | 19 -------------------
 nixos/tests/systemd-machinectl.nix | 3 ++-
 3 files changed, 4 insertions(+), 21 deletions(-)
 delete mode 100755 nixos/tests/nixos-install-simple
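Review bot: `networking.firewall.trustedInterfaces = [ "ve-+" ]` switches the firewall off for every ve-* interface, which is much broader than the comment "open DHCP server on interface to container" suggests — every service the host listens on becomes reachable from the container, not just port 67/udp. If the per-interface port options exist in this tree, `networking.firewall.interfaces."ve-+".allowedUDPPorts = [ 67 ];` expresses the stated intent; otherwise the comment should admit the real scope, e.g. `# trust the container link completely: the host's DHCP server (and everything else it listens on) is reachable from the container`. Separately, `${containerRoot}` in the mkdir line of the test script is not bound anywhere in this file's let block, so the test does not evaluate as committed; the third patch of this series is what adds the binding.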
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index 8685cb345e1e..be3b5c0687a6 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -132,8 +132,9 @@ if [[ -z $noBootLoader ]]; then
 echo "installing the boot loader..."
 # Grub needs an mtab.
 ln -sfn /proc/mounts $mountPoint/etc/mtab
- NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
+ export NIXOS_INSTALL_BOOTLOADER=1
 fi
+nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot

 # Ask the user to set a root password, but only if the passwd command
 # exists (i.e. when mutable user accounts are enabled).
diff --git a/nixos/tests/nixos-install-simple b/nixos/tests/nixos-install-simple
deleted file mode 100755
index c6044eeffb15..000000000000
--- a/nixos/tests/nixos-install-simple
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh -eux
-
-mkdir -p "$1"
-
-ROOT="$(readlink -f $1)"
-SYSTEM="$(readlink -f ${2:-./result})"
-
-# create root folders
-mkdir -p "$ROOT/etc" "$ROOT/boot"
-
-# install NixOS
-nix-env --store "$ROOT" \
- --extra-substituters "auto?trusted=1" \
- -p "$ROOT/nix/var/nix/profiles/system" --set "$SYSTEM"
-
-# activate NixOS
-touch "$ROOT/etc/NIXOS"
-nixos-enter --root "$ROOT" \
- -- /run/current-system/bin/switch-to-configuration boot
diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix
index f28941bca5ae..3438722e3218 100644
--- a/nixos/tests/systemd-machinectl.nix
+++ b/nixos/tests/systemd-machinectl.nix
@@ -17,6 +17,7 @@ import ./make-test.nix (let
 }).config.system.build.toplevel;

 containerName = "container";
+ containerRoot = "/var/lib/machines/${containerName}";

 in {
 name = "systemd-machinectl";
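Review bot: Moving `nixos-enter ... switch-to-configuration boot` below the `fi` changes what `--no-bootloader` means: before, it skipped switch-to-configuration entirely; now it only skips `export NIXOS_INSTALL_BOOTLOADER=1`, and switch-to-configuration still runs whatever install-bootloader hook the target configuration defines. Whether that hook stays inert without the variable depends on the loader module in use (the grub, systemd-boot and initScript hooks are all outside this hunk), so the help text for `--no-bootloader` should say that activation now always runs and only the forced boot-loader installation is skipped. The `export` also leaks the variable into every later command in this script, including the root-password step that follows this hunk; an `unset NIXOS_INSTALL_BOOTLOADER` right after the nixos-enter line, or passing it as `NIXOS_INSTALL_BOOTLOADER=$bootloaderEnv nixos-enter ...` with the variable set only inside the `if`, keeps it scoped as it was.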
@@ -39,7 +40,7 @@ in {

 $machine->waitForUnit("default.target");
 $machine->succeed("mkdir -p ${containerRoot}");
- $machine->succeed("${./nixos-install-simple} /var/lib/machines/${containerName} ${containerSystem}");
+ $machine->succeed("nixos-install --root ${containerRoot} --system ${containerSystem} --no-channel-copy --no-root-passwd --no-bootloader");

 $machine->succeed("machinectl start ${containerName}");
 $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");

From ba37b3c622da535a5b06ae5d05e37146b6f4143f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6gler?=
Date: Sat, 24 Aug 2019 08:49:44 +0200
Subject: [PATCH 4/5] nixos: added installation doc for nspawn container

---
 .../installing-nspawn-container.xml | 37 +++++++++++++++++++
 nixos/doc/manual/installation/installing.xml | 3 ++
 2 files changed, 40 insertions(+)
 create mode 100644 nixos/doc/manual/installation/installing-nspawn-container.xml

diff --git a/nixos/doc/manual/installation/installing-nspawn-container.xml b/nixos/doc/manual/installation/installing-nspawn-container.xml
new file mode 100644
index 000000000000..ae893c53c905
--- /dev/null
+++ b/nixos/doc/manual/installation/installing-nspawn-container.xml
@@ -0,0 +1,37 @@
+
+ Installing into a nspawn container + + + For installing a NixOS into a systemd nspawn container the NixOS installation tools are needed. + If you run another distribution than NixOS on your host, + please follow steps 1, 2, and 3. + + + + Create a NixOS configuration file /var/lib/machines/my-container/etc/nixos/configuration.nix. + It is important that the container root file system is under /var/lib/machines. + This is the standard location where machinectl will look for containers. + If you choose place the root into another location you need to start the container directly with systemd-nspawn. + The file needs to have at least following options enabled: + + = true; + = true; + + If your host uses systemd-networkd to configure the network, + you can also enable to use networkd default network configuration for your host and container. + + + + Install the container by running following command: + nixos-install --root /var/lib/machines/my-container \ + --no-channel-copy --no-root-passwd --no-bootloader + + + + Start the container by running following command: + machinectl start my-container + + +
diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml
index f1e1568c0349..270372022fac 100644
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -563,5 +563,8 @@ Retype new UNIX password: ***
+ + +

From db9b5f5525225acf20f0f030e95532d192b3baac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6gler?=
Date: Sun, 1 Sep 2019 21:34:37 +0200
Subject: [PATCH 5/5] nixos: deactivate immutablity for /var/empty in container

---
 nixos/modules/system/activation/activation-script.nix | 7 +++++++
 nixos/tests/systemd-machinectl.nix | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix
index 74c150a848d1..fe77094c52b7 100644
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@@ -184,7 +184,14 @@ in
 find /var/empty -mindepth 1 -delete
 chmod 0555 /var/empty
 chown root:root /var/empty
+
+ ${ # reasons for not setting immutable flag:
+ # 1. flag is not changeable inside a container
+ # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+ # then the owner is nobody and ssh will not start
+ optionalString (!config.boot.isContainer) ''
 ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+ ''}
 '';

 system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
diff --git a/nixos/tests/systemd-machinectl.nix b/nixos/tests/systemd-machinectl.nix
index 3438722e3218..091f855d043b 100644
--- a/nixos/tests/systemd-machinectl.nix
+++ b/nixos/tests/systemd-machinectl.nix
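Review bot: The `${ # reasons ... }` construct puts the Nix comments inside the string interpolation, where anyone reading the generated shell text will never see them and where the `${` is visually detached from the `optionalString` it wraps; the same four comment lines belong at Nix level directly above a single `${optionalString (!config.boot.isContainer) '' ... ''}` line. The comment should also say what the container fallback actually is, because the hunk does not: `/var/empty` is still emptied, `chmod 0555` and `chown root:root` on every activation by the three lines above, it is merely no longer immutable, so root inside the container can repopulate or re-own it between activations — e.g. `# containers: /var/empty is still reset to root:root 0555 on each activation, only the immutable bit is skipped`. Note that `config.boot.isContainer` is also set for nixos-container guests, not just nspawn, so the flag is dropped there too; reason 1 covers that, but it is worth spelling out. The enclosing activation script starts before this hunk.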
@@ -45,6 +45,8 @@ in {
 $machine->succeed("machinectl start ${containerName}");
 $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
 $machine->succeed("ping -n -c 1 ${containerName}");
+ $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
 $machine->succeed("machinectl stop ${containerName}");
 '';
 })
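Review bot: The added check compares the bare concatenation `%u%g` against the literal `00`, so it fails only for exactly uid 0 and gid 0 and accepts any other pairing, including a half-remapped directory such as uid 0 / gid 65534 (`065534`) or uid 10 / gid 0 (`100`); print the fields with a separator and compare both: `$machine->succeed("test `stat -c %u:%g ${containerRoot}/var/empty` != 0:0");` (keep the backticks — a `$(...)` inside the Perl string would be interpolated as Perl's `$(`). This asserts the host-side effect of `--private-users-chown`, but the commit's stated motivation is that sshd would not start on a nobody-owned `/var/empty`; adding `$machine->succeed("lsattr -d ${containerRoot}/var/empty | grep -v -- '-i-'")` for the absent immutable bit, and `systemctl -M ${containerName} is-active sshd` if the minimal container profile actually enables sshd (not visible here), would test the requirement itself. The test script's `testScript` string starts before this hunk.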