commit 389de87aed7fa3836d4ed22efc875d8417a161a8 · pyrox.dev/nixpkgs

+38

nixos/modules/virtualisation/lxc.nix

···

       23
       23
        
                 '';

     

       24
       24
        
             };

     

       25
       25
        
       

     

       26
       26
       +
           unprivilegedContainers = lib.mkEnableOption "support for unprivileged users to launch containers";

     

       27
       27
       +
       

     

       26
       28
        
           systemConfig =

     

       27
       29
        
             lib.mkOption {

     

       28
       30
        
               type = lib.types.lines;

     
···

       53
       55
        
                   administration access in LXC. See {manpage}`lxc-usernet(5)`.

     

       54
       56
        
                 '';

     

       55
       57
        
             };

     

       58
       58
       +
       

     

       59
       59
       +
             bridgeConfig =

     

       60
       60
       +
               lib.mkOption {

     

       61
       61
       +
                 type = lib.types.lines;

     

       62
       62
       +
                 default = "";

     

       63
       63
       +
                 description = ''

     

       64
       64
       +
                     This is the config file for override lxc-net bridge default settings.

     

       65
       65
       +
                   '';

     

       66
       66
       +
               };

     

       56
       67
        
         };

     

       57
       68
        
       

     

       58
       69
        
         ###### implementation

     
···

       62
       73
        
           environment.etc."lxc/lxc.conf".text = cfg.systemConfig;

     

       63
       74
        
           environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;

     

       64
       75
        
           environment.etc."lxc/default.conf".text = cfg.defaultConfig;

     

       76
       76
       +
           environment.etc."lxc/lxc-net".text = cfg.bridgeConfig;

     

       77
       77
       +
           environment.pathsToLink = [ "/share/lxc" ];

     

       65
       78
        
           systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

     

       66
       79
        
       

     

       67
       80
        
           security.apparmor.packages = [ cfg.package ];

     
···

       72
       85
        
             "lxc-containers".profile = ''

     

       73
       86
        
               include ${cfg.package}/etc/apparmor.d/lxc-containers

     

       74
       87
        
             '';

     

       88
       88
       +
           };

     

       89
       89
       +
       

     

       90
       90
       +
           # We don't need the `lxc-user` group, unless the unprivileged containers are enabled.

     

       91
       91
       +
           users.groups = lib.mkIf cfg.unprivilegedContainers { lxc-user = {}; };

     

       92
       92
       +
       

     

       93
       93
       +
           # `lxc-user-nic` needs suid to attach to bridge for unpriv containers.

     

       94
       94
       +
           security.wrappers = lib.mkIf cfg.unprivilegedContainers {

     

       95
       95
       +
             lxcUserNet = {

     

       96
       96
       +
               source = "${pkgs.lxc}/libexec/lxc/lxc-user-nic";

     

       97
       97
       +
               setuid = true;

     

       98
       98
       +
               owner = "root";

     

       99
       99
       +
               group = "lxc-user";

     

       100
       100
       +
               program = "lxc-user-nic";

     

       101
       101
       +
               permissions = "u+rx,g+x,o-rx";

     

       102
       102
       +
             };

     

       103
       103
       +
           };

     

       104
       104
       +
       

     

       105
       105
       +
           # Add lxc-net service if unpriv mode is enabled.

     

       106
       106
       +
           systemd.packages = lib.mkIf cfg.unprivilegedContainers [ pkgs.lxc ];

     

       107
       107
       +
           systemd.services = lib.mkIf cfg.unprivilegedContainers {

     

       108
       108
       +
             lxc-net = {

     

       109
       109
       +
               enable = true;

     

       110
       110
       +
               wantedBy = [ "multi-user.target" ];

     

       111
       111
       +
               path = [ pkgs.iproute2 pkgs.iptables pkgs.getent pkgs.dnsmasq ];

     

       112
       112
       +
             };

     

       75
       113
        
           };

     

       76
       114
        
         };

     

       77
       115
        
       }

nixos/tests/all-tests.nix

···

       538
       538
        
         loki = handleTest ./loki.nix {};

     

       539
       539
        
         luks = handleTest ./luks.nix {};

     

       540
       540
        
         lvm2 = handleTest ./lvm2 {};

     

       541
       541
       +
         lxc = handleTest ./lxc {};

     

       541
       542
        
         lxd = pkgs.recurseIntoAttrs (handleTest ./lxd { inherit handleTestOn; });

     

       542
       543
        
         lxd-image-server = handleTest ./lxd-image-server.nix {};

     

       543
       544
        
         #logstash = handleTest ./logstash.nix {};

+6 -2

nixos/tests/incus/incusd-options.nix

···

       16
       16
        
             };

     

       17
       17
        
           };

     

       18
       18
        
       

     

       19
       19
       -
           container-image-metadata = "${releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}}/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";

     

       20
       20
       -
           container-image-rootfs = "${releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}}/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";

     

       19
       19
       +
           container-image-metadata = "${

     

       20
       20
       +
             releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}

     

       21
       21
       +
           }/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";

     

       22
       22
       +
           container-image-rootfs = "${

     

       23
       23
       +
             releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}

     

       24
       24
       +
           }/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";

     

       21
       25
        
         in

     

       22
       26
        
         {

     

       23
       27
        
           name = "incusd-options";

+124

nixos/tests/lxc/default.nix

···

       1
       1
       +
       import ../make-test-python.nix (

     

       2
       2
       +
         { pkgs, lib, ... }:

     

       3
       3
       +
       

     

       4
       4
       +
         let

     

       5
       5
       +
           releases = import ../../release.nix {

     

       6
       6
       +
             configuration = {

     

       7
       7
       +
               # Building documentation makes the test unnecessarily take a longer time:

     

       8
       8
       +
               documentation.enable = lib.mkForce false;

     

       9
       9
       +
             };

     

       10
       10
       +
           };

     

       11
       11
       +
       

     

       12
       12
       +
           lxc-image-metadata = releases.lxdContainerMeta.${pkgs.stdenv.hostPlatform.system};

     

       13
       13
       +
           lxc-image-rootfs = releases.lxdContainerImage.${pkgs.stdenv.hostPlatform.system};

     

       14
       14
       +
       

     

       15
       15
       +
         in

     

       16
       16
       +
         {

     

       17
       17
       +
           name = "lxc-container-unprivileged";

     

       18
       18
       +
       

     

       19
       19
       +
           meta = {

     

       20
       20
       +
             maintainers = lib.teams.lxc.members;

     

       21
       21
       +
           };

     

       22
       22
       +
       

     

       23
       23
       +
           nodes.machine =

     

       24
       24
       +
             { lib, pkgs, ... }:

     

       25
       25
       +
             {

     

       26
       26
       +
               virtualisation = {

     

       27
       27
       +
                 diskSize = 6144;

     

       28
       28
       +
                 cores = 2;

     

       29
       29
       +
                 memorySize = 512;

     

       30
       30
       +
                 writableStore = true;

     

       31
       31
       +
       

     

       32
       32
       +
                 lxc = {

     

       33
       33
       +
                   enable = true;

     

       34
       34
       +
                   unprivilegedContainers = true;

     

       35
       35
       +
                   systemConfig = ''

     

       36
       36
       +
                     lxc.lxcpath = /tmp/lxc

     

       37
       37
       +
                   '';

     

       38
       38
       +
                   defaultConfig = ''

     

       39
       39
       +
                     lxc.net.0.type = veth

     

       40
       40
       +
                     lxc.net.0.link = lxcbr0

     

       41
       41
       +
                     lxc.net.0.flags = up

     

       42
       42
       +
                     lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx

     

       43
       43
       +
                     lxc.idmap = u 0 100000 65536

     

       44
       44
       +
                     lxc.idmap = g 0 100000 65536

     

       45
       45
       +
                   '';

     

       46
       46
       +
                   # Permit user alice to connect to bridge

     

       47
       47
       +
                   usernetConfig = ''

     

       48
       48
       +
                     @lxc-user veth lxcbr0 10

     

       49
       49
       +
                   '';

     

       50
       50
       +
                   bridgeConfig = ''

     

       51
       51
       +
                     LXC_IPV6_ADDR=""

     

       52
       52
       +
                     LXC_IPV6_MASK=""

     

       53
       53
       +
                     LXC_IPV6_NETWORK=""

     

       54
       54
       +
                     LXC_IPV6_NAT="false"

     

       55
       55
       +
                   '';

     

       56
       56
       +
                 };

     

       57
       57
       +
               };

     

       58
       58
       +
       

     

       59
       59
       +
               # Needed for lxc

     

       60
       60
       +
               environment.systemPackages = with pkgs; [

     

       61
       61
       +
                 pkgs.wget

     

       62
       62
       +
                 pkgs.dnsmasq

     

       63
       63
       +
               ];

     

       64
       64
       +
       

     

       65
       65
       +
               # Create user for test

     

       66
       66
       +
               users.users.alice = {

     

       67
       67
       +
                 isNormalUser = true;

     

       68
       68
       +
                 password = "test";

     

       69
       69
       +
                 description = "Lxc unprivileged user with access to lxcbr0";

     

       70
       70
       +
                 extraGroups = [ "lxc-user" ];

     

       71
       71
       +
                 subGidRanges = [

     

       72
       72
       +
                   {

     

       73
       73
       +
                     startGid = 100000;

     

       74
       74
       +
                     count = 65536;

     

       75
       75
       +
                   }

     

       76
       76
       +
                 ];

     

       77
       77
       +
                 subUidRanges = [

     

       78
       78
       +
                   {

     

       79
       79
       +
                     startUid = 100000;

     

       80
       80
       +
                     count = 65536;

     

       81
       81
       +
                   }

     

       82
       82
       +
                 ];

     

       83
       83
       +
               };

     

       84
       84
       +
       

     

       85
       85
       +
               users.users.bob = {

     

       86
       86
       +
                 isNormalUser = true;

     

       87
       87
       +
                 password = "test";

     

       88
       88
       +
                 description = "Lxc unprivileged user without access to lxcbr0";

     

       89
       89
       +
                 subGidRanges = [

     

       90
       90
       +
                   {

     

       91
       91
       +
                     startGid = 100000;

     

       92
       92
       +
                     count = 65536;

     

       93
       93
       +
                   }

     

       94
       94
       +
                 ];

     

       95
       95
       +
                 subUidRanges = [

     

       96
       96
       +
                   {

     

       97
       97
       +
                     startUid = 100000;

     

       98
       98
       +
                     count = 65536;

     

       99
       99
       +
                   }

     

       100
       100
       +
                 ];

     

       101
       101
       +
               };

     

       102
       102
       +
             };

     

       103
       103
       +
       

     

       104
       104
       +
           testScript = ''

     

       105
       105
       +
             machine.wait_for_unit("lxc-net.service")

     

       106
       106
       +
       

     

       107
       107
       +
             # Copy config files for alice

     

       108
       108
       +
             machine.execute("su -- alice -c 'mkdir -p ~/.config/lxc'")

     

       109
       109
       +
             machine.execute("su -- alice -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")

     

       110
       110
       +
             machine.execute("su -- alice -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")

     

       111
       111
       +
       

     

       112
       112
       +
             machine.succeed("su -- alice -c 'lxc-create -t local -n test -- --metadata ${lxc-image-metadata}/*/*.tar.xz --fstree ${lxc-image-rootfs}/*/*.tar.xz'")

     

       113
       113
       +
             machine.succeed("su -- alice -c 'lxc-start test'")

     

       114
       114
       +
             machine.succeed("su -- alice -c 'lxc-stop test'")

     

       115
       115
       +
       

     

       116
       116
       +
             # Copy config files for bob

     

       117
       117
       +
             machine.execute("su -- bob -c 'mkdir -p ~/.config/lxc'")

     

       118
       118
       +
             machine.execute("su -- bob -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")

     

       119
       119
       +
             machine.execute("su -- bob -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")

     

       120
       120
       +
       

     

       121
       121
       +
             machine.fail("su -- bob -c 'lxc-start test'")

     

       122
       122
       +
           '';

     

       123
       123
       +
         }

     

       124
       124
       +
       )

+23 -1

pkgs/by-name/lx/lxc/package.nix

···

       48
       48
        
         patches = [

     

       49
       49
        
           # fix docbook2man version detection

     

       50
       50
        
           ./docbook-hack.patch

     

       51
       51
       +
       

     

       52
       52
       +
           # Fix hardcoded path of lxc-user-nic

     

       53
       53
       +
           # This is needed to use unprivileged containers

     

       54
       54
       +
           ./user-nic.diff

     

       51
       55
        
         ];

     

       52
       56
        
       

     

       53
       57
        
         mesonFlags = [

     

       54
       54
       -
           "-Dinstall-init-files=false"

     

       58
       58
       +
           "-Dinstall-init-files=true"

     

       55
       59
        
           "-Dinstall-state-dirs=false"

     

       56
       60
        
           "-Dspecfile=false"

     

       57
       61
        
           "-Dtools-multicall=true"

     

       58
       62
        
           "-Dtools=false"

     

       63
       63
       +
           "-Dusernet-config-path=/etc/lxc/lxc-usernet"

     

       64
       64
       +
           "-Ddistrosysconfdir=${placeholder "out"}/etc/lxc"

     

       65
       65
       +
           "-Dsystemd-unitdir=${placeholder "out"}/lib/systemd/system"

     

       59
       66
        
         ];

     

       60
       67
        
       

     

       68
       68
       +
         # /run/current-system/sw/share

     

       69
       69
       +
         postInstall = ''

     

       70
       70
       +
           substituteInPlace $out/etc/lxc/lxc --replace-fail "$out/etc/lxc" "/etc/lxc"

     

       71
       71
       +
           substituteInPlace $out/libexec/lxc/lxc-net --replace-fail "$out/etc/lxc" "/etc/lxc"

     

       72
       72
       +
       

     

       73
       73
       +
           substituteInPlace $out/share/lxc/templates/lxc-download --replace-fail "$out/share" "/run/current-system/sw/share"

     

       74
       74
       +
           substituteInPlace $out/share/lxc/templates/lxc-local --replace-fail "$out/share" "/run/current-system/sw/share"

     

       75
       75
       +
           substituteInPlace $out/share/lxc/templates/lxc-oci --replace-fail "$out/share" "/run/current-system/sw/share"

     

       76
       76
       +
       

     

       77
       77
       +
           substituteInPlace $out/share/lxc/config/common.conf --replace-fail "$out/share" "/run/current-system/sw/share"

     

       78
       78
       +
           substituteInPlace $out/share/lxc/config/userns.conf --replace-fail "$out/share" "/run/current-system/sw/share"

     

       79
       79
       +
           substituteInPlace $out/share/lxc/config/oci.common.conf --replace-fail "$out/share" "/run/current-system/sw/share"

     

       80
       80
       +
         '';

     

       81
       81
       +
       

     

       61
       82
        
         enableParallelBuilding = true;

     

       62
       83
        
       

     

       63
       84
        
         doCheck = true;

     
···

       66
       87
        
           tests = {

     

       67
       88
        
             incus-legacy-init = nixosTests.incus.container-legacy-init;

     

       68
       89
        
             incus-systemd-init = nixosTests.incus.container-systemd-init;

     

       90
       90
       +
             lxc = nixosTests.lxc;

     

       69
       91
        
             lxd = nixosTests.lxd.container;

     

       70
       92
        
           };

     

       71
       93

+13

pkgs/by-name/lx/lxc/user-nic.diff

···

       1
       1
       +
       diff --git a/src/lxc/network.c b/src/lxc/network.c

     

       2
       2
       +
       index 0a99d32..850e975 100644

     

       3
       3
       +
       --- a/src/lxc/network.c

     

       4
       4
       +
       +++ b/src/lxc/network.c

     

       5
       5
       +
       @@ -2940,7 +2940,7 @@ int lxc_find_gateway_addresses(struct lxc_handler *handler)

     

       6
       6
       +
        

     

       7
       7
       +
        #ifdef IN_LIBLXC

     

       8
       8
       +
        

     

       9
       9
       +
       -#define LXC_USERNIC_PATH LIBEXECDIR "/lxc/lxc-user-nic"

     

       10
       10
       +
       +#define LXC_USERNIC_PATH "/run/wrappers/bin/lxc-user-nic"

     

       11
       11
       +
        static int lxc_create_network_unpriv_exec(const char *lxcpath,

     

       12
       12
       +
        					  const char *lxcname,

     

       13
       13
       +
        					  struct lxc_netdev *netdev, pid_t pid,