<section xmlns="http://docbook.org/ns/docbook"
        xmlns:xlink="http://www.w3.org/1999/xlink"
        xmlns:xi="http://www.w3.org/2001/XInclude"
        version="5.0"
        xml:id="sec-imperative-containers">

<title>Imperative Container Management</title>

<para>We’ll cover imperative container management using
<command>nixos-container</command> first. You create a container with
identifier <literal>foo</literal> as follows:

<screen>
$ nixos-container create foo
</screen>

This creates the container’s root directory in
<filename>/var/lib/containers/foo</filename> and a small configuration
file in <filename>/etc/containers/foo.conf</filename>. It also builds
the container’s initial system configuration and stores it in
<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You
can modify the initial configuration of the container on the command
line. For instance, to create a container that has
<command>sshd</command> running, with the given public key for
<literal>root</literal>:

<screen>
$ nixos-container create foo --config 'services.openssh.enable = true;
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
</screen>

</para>

<para>Creating a container does not start it. To start the container,
run:

<screen>
$ nixos-container start foo
</screen>

This command will return as soon as the container has booted and has
reached <literal>multi-user.target</literal>. On the host, the
container runs within a systemd unit called
<literal>container@<replaceable>container-name</replaceable>.service</literal>.
Thus, if something went wrong, you can get status info using
<command>systemctl</command>:

<screen>
$ systemctl status container@foo
</screen>

</para>

<para>If the container has started successfully, you can log in as
root using the <command>root-login</command> operation:

<screen>
$ nixos-container root-login foo
[root@foo:~]#
</screen>

Note that only root on the host can do this (since there is no
authentication). You can also get a regular login prompt using the
<command>login</command> operation, which is available to all users on
the host:

<screen>
$ nixos-container login foo
foo login: alice
Password: ***
</screen>

With <command>nixos-container run</command>, you can execute arbitrary
commands in the container:

<screen>
$ nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</screen>

</para>

<para>There are several ways to change the configuration of the
container. First, on the host, you can edit
<literal>/var/lib/containers/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
and run

<screen>
$ nixos-container update foo
</screen>

This will build and activate the new configuration. You can also
specify a new configuration on the command line:

<screen>
$ nixos-container update foo --config 'services.httpd.enable = true;
  services.httpd.adminAddr = "foo@example.org";'

$ curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>

However, note that this will overwrite the container’s
<filename>/etc/nixos/configuration.nix</filename>.</para>

<para>Alternatively, you can change the configuration from within the
container itself by running <command>nixos-rebuild switch</command>
inside the container.
Note that the container by default does not have
a copy of the NixOS channel, so you should run <command>nix-channel
--update</command> first.</para>

<para>Containers can be stopped and started using
<literal>nixos-container stop</literal> and <literal>nixos-container
start</literal>, respectively, or by using
<command>systemctl</command> on the container’s service unit. To
destroy a container, including its file system, do

<screen>
$ nixos-container destroy foo
</screen>

</para>

</section>
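
An added example, not part of the NixOS manual or of the nixos-container tool: a shell wrapper that saves a container's configuration.nix on the host before `nixos-container update --config` overwrites it, and puts it back if the update fails. The function names, the CONTAINER_ROOT variable and the `.bak.N` naming are assumptions made for illustration; the path follows the /var/lib/containers/foo layout described in the section.

```shell
#!/bin/sh
# Added example (not from the NixOS manual): keep a copy of a container's
# configuration.nix before `nixos-container update --config` replaces it.
# CONTAINER_ROOT and all function names are assumptions for illustration.

CONTAINER_ROOT="${CONTAINER_ROOT:-/var/lib/containers}"

# Print the host-side path of the container's configuration.nix.
# Names that are empty or contain a slash are rejected so the path
# cannot leave CONTAINER_ROOT.
container_config_path() {
    case "$1" in
        ''|*/*|.|..) echo "invalid container name: '$1'" >&2; return 1 ;;
    esac
    printf '%s/%s/etc/nixos/configuration.nix\n' "$CONTAINER_ROOT" "$1"
}

# Copy the current configuration next to the original, using the first
# unused .bak.N suffix, and print the path of the backup.
backup_container_config() {
    cfg=$(container_config_path "$1") || return 1
    [ -f "$cfg" ] || { echo "no configuration at $cfg" >&2; return 1; }
    n=1
    while [ -e "$cfg.bak.$n" ]; do n=$((n + 1)); done
    cp -p -- "$cfg" "$cfg.bak.$n" || return 1
    printf '%s\n' "$cfg.bak.$n"
}

# Back up, then run the update with the new configuration text.
# If the update fails, copy the saved file back so that a later plain
# `nixos-container update` builds the configuration that was there before.
update_container_with_backup() {
    name=$1 new_config=$2
    backup=$(backup_container_config "$name") || return 1
    if ! nixos-container update "$name" --config "$new_config"; then
        cp -p -- "$backup" "$(container_config_path "$name")"
        echo "update failed; restored $backup" >&2
        return 1
    fi
    echo "updated $name; previous configuration saved as $backup"
}
```

Run as root on the host, for instance `update_container_with_backup foo 'services.httpd.enable = true;'`.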