pyrox.dev / nixpkgs
lol
fork atom

nixos/oci-containers: stricter dependencies for rootless containers with sdnotify=healthy

After running this configuration for a while, we
noticed that the containers didn't get back up once and the services
failed with the following error:

Error: current system boot ID differs from cached boot ID; an unhandled reboot has occurred.

This is hard to reproduce and seems to be a timing issue. However,
the logs indicated another issue that this patch now solves:

* The ExecStartPost= indicated that the user session got stopped before
which is required or sdnotify=healthy. Add explicit ordering for
user@. This unfortunately requires a statically declared uid.

Maximilian Bosch 344ee0cf 18cff5e9

options
unified split
Changed files
+25 -3
nixos
modules
virtualisation
oci-containers.nix
tests
oci-containers.nix
+24 -3
nixos/modules/virtualisation/oci-containers.nix 
···

       
434

       
 

       
      };


     

       
435

       
 

       



     

       
436

       
 

       
      effectiveUser = container.podman.user or "root";


     

       

       

       
     

       
437

       
 

       
      dependOnLingerService =


     

       
438

       
 

       
        cfg.backend == "podman" && effectiveUser != "root" && config.users.users.${effectiveUser}.linger;


     

       
439

       
 

       
    in


     
···

       
441

       
 

       
      wantedBy = [ ] ++ optional (container.autoStart) "multi-user.target";


     

       
442

       
 

       
      wants =


     

       
443

       
 

       
        lib.optional (container.imageFile == null && container.imageStream == null) "network-online.target"


     

       
444

       
-

       
        ++ lib.optional dependOnLingerService "linger-users.service";


     

       
445

       
 

       
      after =


     

       
446

       
 

       
        lib.optionals (cfg.backend == "docker") [


     

       
447

       
 

       
          "docker.service"


     
···

       
452

       
 

       
          "network-online.target"


     

       
453

       
 

       
        ]


     

       
454

       
 

       
        ++ dependsOn


     

       
455

       
-

       
        ++ lib.optional dependOnLingerService "linger-users.service";


     

       
456

       
-

       
      requires = dependsOn;


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
457

       
 

       
      environment = lib.mkMerge [


     

       
458

       
 

       
        proxy_env


     

       
459

       
 

       
        (mkIf (cfg.backend == "podman" && container.podman.user != "root") {


     
···

       
523

       
 

       
        else


     

       
524

       
 

       
          "${cfg.backend} rm -f ${name} || true";


     

       
525

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
526

       
 

       
      serviceConfig =


     

       
527

       
 

       
        {


     

       
528

       
 

       
          ### There is no generalized way of supporting `reload` for docker


     
···

       
615

       
 

       
                {


     

       
616

       
 

       
                  assertion = cfg.backend == "docker" -> podman == null;


     

       
617

       
 

       
                  message = "virtualisation.oci-containers.containers.${name}: Cannot set `podman` option if backend is `docker`.";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
618

       
 

       
                }


     

       
619

       
 

       
              ];


     

       
620

       
 

       
          in


     
···

       
434

       
 

       
      };


     

       
435

       
 

       



     

       
436

       
 

       
      effectiveUser = container.podman.user or "root";


     

       
437

       
+

       
      inherit (config.users.users.${effectiveUser}) uid;


     

       
438

       
 

       
      dependOnLingerService =


     

       
439

       
 

       
        cfg.backend == "podman" && effectiveUser != "root" && config.users.users.${effectiveUser}.linger;


     

       
440

       
 

       
    in


     
···

       
442

       
 

       
      wantedBy = [ ] ++ optional (container.autoStart) "multi-user.target";


     

       
443

       
 

       
      wants =


     

       
444

       
 

       
        lib.optional (container.imageFile == null && container.imageStream == null) "network-online.target"


     

       
445

       
+

       
        ++ lib.optionals dependOnLingerService [ "linger-users.service" ];


     

       
446

       
 

       
      after =


     

       
447

       
 

       
        lib.optionals (cfg.backend == "docker") [


     

       
448

       
 

       
          "docker.service"


     
···

       
453

       
 

       
          "network-online.target"


     

       
454

       
 

       
        ]


     

       
455

       
 

       
        ++ dependsOn


     

       
456

       
+

       
        ++ lib.optionals dependOnLingerService [ "linger-users.service" ]


     

       
457

       
+

       
        ++ lib.optionals (effectiveUser != "root" && container.podman.sdnotify == "healthy") [


     

       
458

       
+

       
          "user@${toString uid}.service"


     

       
459

       
+

       
        ];


     

       
460

       
+

       
      requires =


     

       
461

       
+

       
        dependsOn


     

       
462

       
+

       
        ++ lib.optionals (effectiveUser != "root" && container.podman.sdnotify == "healthy") [


     

       
463

       
+

       
          "user@${toString uid}.service"


     

       
464

       
+

       
        ];


     

       
465

       
 

       
      environment = lib.mkMerge [


     

       
466

       
 

       
        proxy_env


     

       
467

       
 

       
        (mkIf (cfg.backend == "podman" && container.podman.user != "root") {


     
···

       
531

       
 

       
        else


     

       
532

       
 

       
          "${cfg.backend} rm -f ${name} || true";


     

       
533

       
 

       



     

       
534

       
+

       
      unitConfig = mkIf (effectiveUser != "root") {


     

       
535

       
+

       
        RequiresMountsFor = "/run/user/${toString uid}/containers";


     

       
536

       
+

       
      };


     

       
537

       
+

       



     

       
538

       
 

       
      serviceConfig =


     

       
539

       
 

       
        {


     

       
540

       
 

       
          ### There is no generalized way of supporting `reload` for docker


     
···

       
627

       
 

       
                {


     

       
628

       
 

       
                  assertion = cfg.backend == "docker" -> podman == null;


     

       
629

       
 

       
                  message = "virtualisation.oci-containers.containers.${name}: Cannot set `podman` option if backend is `docker`.";


     

       
630

       
+

       
                }


     

       
631

       
+

       
                {


     

       
632

       
+

       
                  assertion =


     

       
633

       
+

       
                    cfg.backend == "podman" && podman.sdnotify == "healthy" && podman.user != "root"


     

       
634

       
+

       
                    -> config.users.users.${podman.user}.uid != null;


     

       
635

       
+

       
                  message = ''


     

       
636

       
+

       
                    Rootless container ${name} (with podman and sdnotify=healthy)


     

       
637

       
+

       
                    requires that its running user ${podman.user} has a statically specified uid.


     

       
638

       
+

       
                  '';


     

       
639

       
 

       
                }


     

       
640

       
 

       
              ];


     

       
641

       
 

       
          in
+1
nixos/tests/oci-containers.nix 
···

       
80

       
 

       
              home = "/var/lib/redis";


     

       
81

       
 

       
              linger = type == "healthy";


     

       
82

       
 

       
              createHome = true;


     

       

       

       
     

       
83

       
 

       
              subUidRanges = [


     

       
84

       
 

       
                {


     

       
85

       
 

       
                  count = 65536;


     
···

       
80

       
 

       
              home = "/var/lib/redis";


     

       
81

       
 

       
              linger = type == "healthy";


     

       
82

       
 

       
              createHome = true;


     

       
83

       
+

       
              uid = 2342;


     

       
84

       
 

       
              subUidRanges = [


     

       
85

       
 

       
                {


     

       
86

       
 

       
                  count = 65536;