<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-imperative-containers">

<title>Imperative Container Management</title>

<para>We’ll cover imperative container management using
<command>nixos-container</command> first.
Be aware that container management is currently only possible
as <literal>root</literal>.</para>

<para>You create a container with
identifier <literal>foo</literal> as follows:

<screen>
# nixos-container create foo
</screen>

This creates the container’s root directory in
<filename>/var/lib/containers/foo</filename> and a small configuration
file in <filename>/etc/containers/foo.conf</filename>. It also builds
the container’s initial system configuration and stores it in
<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You
can modify the initial configuration of the container on the command
line. For instance, to create a container that has
<command>sshd</command> running, with the given public key for
<literal>root</literal>:

<screen>
# nixos-container create foo --config '
  services.openssh.enable = true;
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];
'
</screen>

</para>

<para>Creating a container does not start it. To start the container,
run:

<screen>
# nixos-container start foo
</screen>

This command will return as soon as the container has booted and has
reached <literal>multi-user.target</literal>. On the host, the
container runs within a systemd unit called
<literal>container@<replaceable>container-name</replaceable>.service</literal>.
Thus, if something went wrong, you can get status info using
<command>systemctl</command>:

<screen>
# systemctl status container@foo
</screen>

</para>

<para>If the container has started successfully, you can log in as
root using the <command>root-login</command> operation:

<screen>
# nixos-container root-login foo
[root@foo:~]#
</screen>

Note that only root on the host can do this (since there is no
authentication). You can also get a regular login prompt using the
<command>login</command> operation, which is available to all users on
the host:

<screen>
# nixos-container login foo
foo login: alice
Password: ***
</screen>

With <command>nixos-container run</command>, you can execute arbitrary
commands in the container:

<screen>
# nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</screen>

</para>

<para>There are several ways to change the configuration of the
container. First, on the host, you can edit
<literal>/var/lib/containers/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
and run

<screen>
# nixos-container update foo
</screen>

This will build and activate the new configuration. You can also
specify a new configuration on the command line:

<screen>
# nixos-container update foo --config '
  services.httpd.enable = true;
  services.httpd.adminAddr = "foo@example.org";
  networking.firewall.allowedTCPPorts = [ 80 ];
'

# curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>

However, note that this will overwrite the container’s
<filename>/etc/nixos/configuration.nix</filename>.</para>

<para>Alternatively, you can change the configuration from within the
container itself by running <command>nixos-rebuild switch</command>
inside the container.
Note that the container by default does not have
a copy of the NixOS channel, so you should run <command>nix-channel
--update</command> first.</para>

<para>Containers can be stopped and started using
<literal>nixos-container stop</literal> and <literal>nixos-container
start</literal>, respectively, or by using
<command>systemctl</command> on the container’s service unit. To
destroy a container, including its file system, do

<screen>
# nixos-container destroy foo
</screen>

</para>

</section>