Commit graph

86 commits

Author SHA1 Message Date
Arnold Krille
b6023f37ad container: fix extraVeth submodule usage
The submodule needs options, not a plain set.
2016-10-09 16:02:14 +02:00
Eric Sagnes
a67b597b22 container module: allowedDevices type to submodule
The optionSet type is deprecated in favor of submodule
2016-10-02 14:07:00 +09:00
Joachim F
7e80c42b0e Merge pull request #18511 from ericsagnes/feat/remove-optionSet
modules: optionSet -> submodule
2016-10-01 17:57:45 +02:00
Jörg Thalheim
a8c172ca4b Merge pull request #18822 from wlhlm/containers-dev-tun
Allow access to /dev/net/tun inside containers
2016-10-01 00:19:02 +02:00
Wilhelm Schuster
0d1e1b1810 containers module: Add option to enable tunnel access
This adds the containers.<name>.enableTun option allowing containers to
access /dev/net/tun. This is required by openvpn, tinc, etc. in order to
work properly inside containers.

The new option builds on top of two generic options
containers.<name>.additionalCapabilities and
containers.<name>.allowedDevices which also can be used for example when
adding support for FUSE later down the road.
2016-09-25 19:25:17 +02:00
Jörg Thalheim
d6ce2e4bcb containers: fix dynamic hash lookup
We want the content of the attribute as a key;
b9df84cd4f broke this.
2016-09-24 09:26:52 +02:00
Eelco Dolstra
b9df84cd4f nixos-container: Syntax fixes
Get rid of the "or null" stuff. Also change 'cfg . "foo"' to 'cfg.foo'.

Also fixed what appears to be an actual bug: in postStartScript,
cfg.attribute (where attribute is a function argument) should be
cfg.${attribute}.
2016-09-22 14:06:22 +02:00
Eric Sagnes
69713a882c containers module: optionSet -> submodule 2016-09-13 12:54:59 +09:00
Guillaume Maudoux
3aef93e8f0 nixos/containers: Process config like toplevel options (#17365) 2016-08-29 18:25:50 +02:00
Arnold Krille
9045a8e24c declarative containers: additional veths
With these changes, a container can have more than one veth pair. This allows, for example, having LAN and DMZ as bridges on the host and adding dedicated containers for proxies, the IPv4 firewall and the IPv6 firewall. Or having a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication, so that web-server containers can be reached from outside over HTTP and from management via SSH, and can talk to their database via the customer network.

The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers.

There is also a test to see whether extra veths can be placed into host bridges or can be reached via routing.
2016-07-28 23:06:41 +02:00
Eelco Dolstra
fd5bbdb436 nixos-containers: Set DevicePolicy=closed
This makes the container a bit more secure, by preventing root from
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
2016-07-28 17:58:55 +02:00
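The two commits above (DevicePolicy=closed, and the enableTun / allowedDevices / additionalCapabilities options) together with the extra-veth and read-only bindMounts commits elsewhere in this log describe a set of container options without showing them in use. The following is an added example written for this page, not code from any of these commits: a declarative NixOS container that opens exactly one device node and one capability, keeps every bind mount read-only unless stated otherwise, and hangs a second veth on a separate bridge. The container name, bridge names, addresses and host paths are made up; `privateNetwork` and `localAddress` are existing module options not mentioned on this page, and the inner openvpn line is only there to have something that needs /dev/net/tun.

```nix
# Added example, not part of the commits in this log. All names, addresses,
# bridges and paths below are invented for illustration.
{ config, pkgs, ... }:

{
  containers.vpn-gw = {
    # Start together with the host ("Add auto-start option to containers").
    autoStart = true;

    # Primary veth into a host bridge, plus one extra veth on a second bridge
    # ("declarative containers: additional veths"). privateNetwork is an
    # existing option not shown on this page; it is required for hostBridge.
    privateNetwork = true;
    hostBridge = "br-lan";
    localAddress = "192.0.2.10/24";          # invented address
    extraVeths.dmz0 = {
      hostBridge = "br-dmz";
      localAddress = "198.51.100.10/24";      # invented address
    };

    # With DevicePolicy=closed the container gets no device nodes unless they
    # are listed here. enableTun is the shorthand for the tun case; the two
    # generic options underneath are what a future FUSE or similar device
    # would use, so they are spelled out. Only the minimum is granted.
    allowedDevices = [
      { node = "/dev/net/tun"; modifier = "rw"; }
    ];
    additionalCapabilities = [ "CAP_NET_ADMIN" ];   # assumed: needed to configure tun

    # Bind mounts are read-only by default since "bindMounts: change default
    # to readOnly"; writable state has to be opted in explicitly, so a stray
    # mount cannot silently hand the container write access to host paths.
    bindMounts = {
      "/etc/openvpn/keys" = { hostPath = "/srv/vpn-gw/keys";  isReadOnly = true;  };
      "/var/lib/openvpn"  = { hostPath = "/srv/vpn-gw/state"; isReadOnly = false; };
    };

    config = { config, pkgs, ... }: {
      # Invented service config; any tun user (openvpn, tinc, ...) would do.
      services.openvpn.servers.gw.config = "config /etc/openvpn/keys/gw.conf";
      networking.firewall.allowedUDPPorts = [ 1194 ];
    };
  };
}
```

The point of spelling out `allowedDevices` and `additionalCapabilities` instead of `enableTun = true` is that the review question becomes explicit: each extra node and capability is a deliberate widening of the closed device policy, and a container that lists `modifier = "rw"` for a disk node, or `CAP_SYS_ADMIN`, should be treated as having no meaningful device isolation from the host.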
Eelco Dolstra
bf3edfbb3c nixos-containers: Use systemd 231's --notify-ready flag 2016-07-28 17:58:52 +02:00
Eric Merritt
eb92804f91 nixos-containers: init package (#16959)
This moves nixos-containers into its own package so that it can be
relied upon by other packages/systems. This should make development
using dynamic containers much easier.
2016-07-19 08:13:06 +02:00
aszlig
dc38003af9 nixos/containers: Create an empty machine-id file
Since systemd version 230, it is required to have a machine-id file
prior to the startup of the container. If the file is empty, a transient
machine ID is generated by systemd-nspawn.

See systemd/systemd#3014 for more details on the matter.

This unbreaks all of the containers-* NixOS tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Closes: #15808
2016-05-29 18:38:37 +02:00
Eelco Dolstra
b37d6d8996 Fix failure to start old containers
The existence of $root/var/lib/private/host-notify as a socket
prevented a bind mount:

  container foo[8083]: Failed to create mount point /var/lib/containers/foo/var/lib/private/host-notify: No such device or address
2016-05-26 16:19:40 +02:00
Arnold Krille
3c819f28f5 containers: Make declarative containers real systemd services
Without the templating (which is still present for imperative containers), it
will be possible to set individual dependencies, like depending on the network
only if the host bridge or hardware interfaces are used.

Ported from #3021
2016-04-02 17:07:41 +02:00
Arnold Krille
aa46904490 containers: Add a hostbridge and ipv6 addresses
This allows the containers to have their interface in a bridge on the host.
Also this adds IPv6 addresses to the containers both with bridged and unbridged
network.
2016-04-02 17:07:41 +02:00
Ian-Woo Kim
b3eebcd93c Merge branch 'master' into extra-binds 2015-09-28 06:02:52 +00:00
Ian-Woo Kim
c6b031d32b minor changes 2015-09-28 05:48:16 +00:00
Jan Malakhovski
6eadb16022 nixos: fix some types 2015-09-18 18:48:50 +00:00
Matthias Beyer
a38d9d1ca8 nixos-container: Add bash completion for "nixos-container" command 2015-09-16 22:18:48 +02:00
Luca Bruno
682777ed24 nixos containers: fix system path when reloading 2015-09-11 16:59:40 +02:00
Boris Sukholitko
ae80c3e7bc containers: fix interfaces option bugs
The default should be [], so there is no need to check it for the INTERFACES
variable.
2015-08-26 22:11:12 +03:00
Boris Sukholitko
77c49d9333 containers: add interfaces config option.
It uses systemd-nspawn's --network-interface to move
existing interfaces into the container.
2015-08-22 13:03:07 +03:00
Ian-Woo Kim
ae2279bcdb nixos-containers: bindMounts: change default to readOnly. use EXTRA_NSPAWN_FLAGS 2015-05-26 13:41:31 +00:00
Ian-Woo Kim
4d551227c9 nixos-container: rename extraBinds to bindMounts and use attribute set format. 2015-05-26 11:56:42 +00:00
Ian-Woo Kim
c4f66eb85d unify extraBindsRW/RO into extraBinds. Now arbitrary mount point is supported. 2015-05-25 19:09:53 +00:00
Ian-Woo Kim
cac38c8664 extraBindsRO/extraBindsRW 2015-05-24 16:31:59 +00:00
Eelco Dolstra
307064ceb5 Don't use machinectl to shut down containers
If the host is shutting down, machinectl may fail because it's
bus-activated and D-Bus will be shutting down. So just send a signal
to the leader process directly.

Fixes #6212.
2015-02-28 19:23:00 +01:00
Lane Seppala
4106a3b74e Fix rebooting containers where resolv.conf is a symlink 2015-02-27 10:27:18 -07:00
Eelco Dolstra
22d2fc3657 Fix "systemctl reload container@"
Fixes #5179.
2015-02-27 14:32:54 +01:00
Jaka Hudoklin
2af3ff52c2 nixos/containers: make containers in containers possible 2015-01-28 16:06:44 +01:00
Eelco Dolstra
3ca275d7ba NixOS containers: Create /root with 700 permission
Systemd-nspawn creates /root with 755 permission if it doesn't exist,
which is bad. So we have to create it ourselves before calling
systemd-nspawn.
2015-01-15 17:51:43 +01:00
mokasin
dd6dfde575 Add auto-start option to containers. 2015-01-12 18:26:22 +01:00
Aristid Breitkreuz
5ff169f4d7 containers: remove obsolete comment 2014-11-23 12:30:03 +01:00
Vladimír Čunát
d957b4bd78 Merge recent master into staging
Hydra nixpkgs: ?compare=1151601
2014-09-13 21:48:29 +02:00
Eelco Dolstra
152ae27aac Merge remote-tracking branch 'origin/systemd-216' into staging 2014-09-08 13:53:33 +02:00
Eelco Dolstra
3d821c068a Merge remote-tracking branch 'origin/master' into systemd-216 2014-09-02 14:43:27 +02:00
Vladimír Čunát
e51f73652d Merge recent master into staging
Hydra: ?compare=1149952

Conflicts:
	nixos/doc/manual/configuration.xml (changed split file)
	nixos/modules/config/users-groups.nix (choosing filterNull instead of inline definition)
	pkgs/development/libraries/readline/readline6.3.nix (auto-solved)
2014-08-30 10:04:02 +02:00
Eelco Dolstra
6773babd5b Containers: Use nsenter to execute commands in containers
Also remove ‘nixos-container set-root-password’, which is kind of
pointless now.
2014-08-28 02:20:23 +02:00
Eelco Dolstra
0263a8f860 NixOS containers: Use exit status 133 for reboots 2014-08-24 12:28:41 +02:00
Vladimír Čunát
d4e9fd2a90 Merge recent master into staging
Hydra: ?compare=1148749

Conflicts (easy):
	nixos/modules/virtualisation/containers.nix
2014-08-21 15:09:31 +02:00
Eelco Dolstra
23db49cf98 Containers: Fix all-containers.service start
Fixes #3662.
2014-08-19 10:06:48 +02:00
Eelco Dolstra
2c899859bf Containers: Use systemd startup notification
Systemd in a container will call sd_notify when it has finished
booting, so we can use that to signal that the container is
ready. This does require some fiddling with $NOTIFY_SOCKET.
2014-08-18 17:16:13 +02:00
Eelco Dolstra
11d99048c1 Containers: Use systemd-nspawn startup notification 2014-08-18 17:14:55 +02:00
Eelco Dolstra
ceb67cc9ef Containers: Clean up veth interfaces 2014-08-18 17:14:49 +02:00
Eelco Dolstra
32b977d4a7 Containers: Fix reboot and poweroff
Previously "machinectl reboot/poweroff" brutally killed the container,
as did "systemctl stop/restart". And reboot didn't actually work. Now
everything is fine.
2014-08-18 17:14:38 +02:00
Eelco Dolstra
2337a85fc3 Autostart containers at boot time 2014-08-18 17:09:42 +02:00
Eelco Dolstra
e620be97fe Containers: Set up /etc/resolv.conf
Systemd-nspawn is supposed to do this, but doesn't if any of the
--network-* flags are used.
2014-08-15 04:06:01 +02:00
Eelco Dolstra
330fadb706 Containers: Use systemd-nspawn startup notification
This prevents the container unit startup from hanging until timeout if
systemd-nspawn fails.
2014-08-13 00:49:25 +02:00