pyrox.dev / nixpkgs
lol
fork atom

nixos-container: Use new configuration & state directories

We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.

The state directory move is not strictly a requirement but is good for
consistency.

adisbladis f535d6f4 7d9a979b

options
unified split
Changed files
+42 -32
nixos
doc
manual
administration
declarative-containers.section.md
imperative-containers.section.md
from_md
administration
declarative-containers.section.xml
imperative-containers.section.xml
modules
virtualisation
nixos-containers.nix
tests
containers-ephemeral.nix
containers-imperative.nix
containers-tmpfs.nix
+1 -1
nixos/doc/manual/administration/declarative-containers.section.md 
···

       
40

       
40

       
 

       
To disable the container, just remove it from `configuration.nix` and


     

       
41

       
41

       
 

       
run `nixos-rebuild


     

       
42

       
42

       
 

       
  switch`. Note that this will not delete the root directory of the


     

       
43

       

       
-

       
container in `/var/lib/containers`. Containers can be destroyed using


     

       

       
43

       
+

       
container in `/var/lib/nixos-containers`. Containers can be destroyed using


     

       
44

       
44

       
 

       
the imperative method: `nixos-container destroy foo`.


     

       
45

       
45

       
 

       



     

       
46

       
46

       
 

       
Declarative containers can be started and stopped using the
+2 -2
nixos/doc/manual/administration/imperative-containers.section.md 
···

       
10

       
10

       
 

       
# nixos-container create foo


     

       
11

       
11

       
 

       
```


     

       
12

       
12

       
 

       



     

       
13

       

       
-

       
This creates the container's root directory in `/var/lib/containers/foo`


     

       
14

       

       
-

       
and a small configuration file in `/etc/containers/foo.conf`. It also


     

       

       
13

       
+

       
This creates the container's root directory in `/var/lib/nixos-containers/foo`


     

       

       
14

       
+

       
and a small configuration file in `/etc/nixos-containers/foo.conf`. It also


     

       
15

       
15

       
 

       
builds the container's initial system configuration and stores it in


     

       
16

       
16

       
 

       
`/nix/var/nix/profiles/per-container/foo/system`. You can modify the


     

       
17

       
17

       
 

       
initial configuration of the container on the command line. For
+2 -2
nixos/doc/manual/from_md/administration/declarative-containers.section.xml 
···

       
48

       
48

       
 

       
    <literal>configuration.nix</literal> and run


     

       
49

       
49

       
 

       
    <literal>nixos-rebuild switch</literal>. Note that this will not


     

       
50

       
50

       
 

       
    delete the root directory of the container in


     

       
51

       

       
-

       
    <literal>/var/lib/containers</literal>. Containers can be destroyed


     

       
52

       

       
-

       
    using the imperative method:


     

       

       
51

       
+

       
    <literal>/var/lib/nixos-containers</literal>. Containers can be


     

       

       
52

       
+

       
    destroyed using the imperative method:


     

       
53

       
53

       
 

       
    <literal>nixos-container destroy foo</literal>.


     

       
54

       
54

       
 

       
  </para>


     

       
55

       
55

       
 

       
  <para>
+3 -2
nixos/doc/manual/from_md/administration/imperative-containers.section.xml 
···

       
14

       
14

       
 

       
</programlisting>


     

       
15

       
15

       
 

       
  <para>


     

       
16

       
16

       
 

       
    This creates the container’s root directory in


     

       
17

       

       
-

       
    <literal>/var/lib/containers/foo</literal> and a small configuration


     

       
18

       

       
-

       
    file in <literal>/etc/containers/foo.conf</literal>. It also builds


     

       

       
17

       
+

       
    <literal>/var/lib/nixos-containers/foo</literal> and a small


     

       

       
18

       
+

       
    configuration file in


     

       

       
19

       
+

       
    <literal>/etc/nixos-containers/foo.conf</literal>. It also builds


     

       
19

       
20

       
 

       
    the container’s initial system configuration and stores it in


     

       
20

       
21

       
 

       
    <literal>/nix/var/nix/profiles/per-container/foo/system</literal>.


     

       
21

       
22

       
 

       
    You can modify the initial configuration of the container on the
+20 -11
nixos/modules/virtualisation/nixos-containers.nix 
···

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
let


     

       
6

       
6

       
 

       



     

       

       
7

       
+

       
  configurationPrefix = optionalString (versionAtLeast config.system.stateVersion "22.05") "nixos-";


     

       

       
8

       
+

       
  configurationDirectoryName = "${configurationPrefix}containers";


     

       

       
9

       
+

       
  configurationDirectory = "/etc/${configurationDirectoryName}";


     

       

       
10

       
+

       
  stateDirectory = "/var/lib/${configurationPrefix}containers";


     

       

       
11

       
+

       



     

       
7

       
12

       
 

       
  # The container's init script, a small wrapper around the regular


     

       
8

       
13

       
 

       
  # NixOS stage-2 init script.


     

       
9

       
14

       
 

       
  containerInit = (cfg:


     
···

       
77

       
82

       
 

       
  startScript = cfg:


     

       
78

       
83

       
 

       
    ''


     

       
79

       
84

       
 

       
      mkdir -p -m 0755 "$root/etc" "$root/var/lib"


     

       
80

       

       
-

       
      mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers


     

       

       
85

       
+

       
      mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/nixos-containers


     

       
81

       
86

       
 

       
      if ! [ -e "$root/etc/os-release" ]; then


     

       
82

       
87

       
 

       
        touch "$root/etc/os-release"


     

       
83

       
88

       
 

       
      fi


     
···

       
249

       
254

       
 

       



     

       
250

       
255

       
 

       
    SyslogIdentifier = "container %i";


     

       
251

       
256

       
 

       



     

       
252

       

       
-

       
    EnvironmentFile = "-/etc/containers/%i.conf";


     

       

       
257

       
+

       
    EnvironmentFile = "-${configurationDirectory}/%i.conf";


     

       
253

       
258

       
 

       



     

       
254

       
259

       
 

       
    Type = "notify";


     

       
255

       
260

       
 

       



     

       
256

       

       
-

       
    RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";


     

       

       
261

       
+

       
    RuntimeDirectory = lib.optional cfg.ephemeral "${configurationDirectoryName}/%i";


     

       
257

       
262

       
 

       



     

       
258

       
263

       
 

       
    # Note that on reboot, systemd-nspawn returns 133, so this


     

       
259

       
264

       
 

       
    # unit will be restarted. On poweroff, it returns 0, so the


     
···

       
740

       
745

       
 

       
    unit = {


     

       
741

       
746

       
 

       
      description = "Container '%i'";


     

       
742

       
747

       
 

       



     

       
743

       

       
-

       
      unitConfig.RequiresMountsFor = "/var/lib/containers/%i";


     

       

       
748

       
+

       
      unitConfig.RequiresMountsFor = "${stateDirectory}/%i";


     

       
744

       
749

       
 

       



     

       
745

       
750

       
 

       
      path = [ pkgs.iproute2 ];


     

       
746

       
751

       
 

       



     

       
747

       
752

       
 

       
      environment = {


     

       
748

       

       
-

       
        root = "/var/lib/containers/%i";


     

       

       
753

       
+

       
        root = "${stateDirectory}/%i";


     

       
749

       
754

       
 

       
        INSTANCE = "%i";


     

       
750

       
755

       
 

       
      };


     

       
751

       
756

       
 

       



     
···

       
782

       
787

       
 

       
            script = startScript containerConfig;


     

       
783

       
788

       
 

       
            postStart = postStartScript containerConfig;


     

       
784

       
789

       
 

       
            serviceConfig = serviceDirectives containerConfig;


     

       
785

       

       
-

       
            unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";


     

       
786

       

       
-

       
            environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";


     

       

       
790

       
+

       
            unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i";


     

       

       
791

       
+

       
            environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i";


     

       
787

       
792

       
 

       
          } // (


     

       
788

       
793

       
 

       
          if containerConfig.autoStart then


     

       
789

       
794

       
 

       
            {


     
···

       
792

       
797

       
 

       
              after = [ "network.target" ];


     

       
793

       
798

       
 

       
              restartTriggers = [


     

       
794

       
799

       
 

       
                containerConfig.path


     

       
795

       

       
-

       
                config.environment.etc."containers/${name}.conf".source


     

       

       
800

       
+

       
                config.environment.etc."${configurationDirectoryName}/${name}.conf".source


     

       
796

       
801

       
 

       
              ];


     

       
797

       
802

       
 

       
              restartIfChanged = true;


     

       
798

       
803

       
 

       
            }


     
···

       
800

       
805

       
 

       
      )) config.containers)


     

       
801

       
806

       
 

       
    ));


     

       
802

       
807

       
 

       



     

       
803

       

       
-

       
    # Generate a configuration file in /etc/containers for each


     

       

       
808

       
+

       
    # Generate a configuration file in /etc/nixos-containers for each


     

       
804

       
809

       
 

       
    # container so that container@.target can get the container


     

       
805

       
810

       
 

       
    # configuration.


     

       
806

       
811

       
 

       
    environment.etc =


     

       
807

       
812

       
 

       
      let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort);


     

       
808

       

       
-

       
      in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"


     

       

       
813

       
+

       
      in mapAttrs' (name: cfg: nameValuePair "${configurationDirectoryName}/${name}.conf"


     

       
809

       
814

       
 

       
      { text =


     

       
810

       
815

       
 

       
          ''


     

       
811

       
816

       
 

       
            SYSTEM_PATH=${cfg.path}


     
···

       
854

       
859

       
 

       
      ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1"


     

       
855

       
860

       
 

       
    '';


     

       
856

       
861

       
 

       



     

       
857

       

       
-

       
    environment.systemPackages = [ pkgs.nixos-container ];


     

       

       
862

       
+

       
    environment.systemPackages = [


     

       

       
863

       
+

       
      (pkgs.nixos-container.override {


     

       

       
864

       
+

       
        inherit stateDirectory configurationDirectory;


     

       

       
865

       
+

       
      })


     

       

       
866

       
+

       
    ];


     

       
858

       
867

       
 

       



     

       
859

       
868

       
 

       
    boot.kernelModules = [


     

       
860

       
869

       
 

       
      "bridge"
+3 -3
nixos/tests/containers-ephemeral.nix 
···

       
33

       
33

       
 

       
    machine.succeed("nixos-container start webserver")


     

       
34

       
34

       
 

       



     

       
35

       
35

       
 

       
    with subtest("Container got its own root folder"):


     

       
36

       

       
-

       
        machine.succeed("ls /run/containers/webserver")


     

       

       
36

       
+

       
        machine.succeed("ls /run/nixos-containers/webserver")


     

       
37

       
37

       
 

       



     

       
38

       
38

       
 

       
    with subtest("Container persistent directory is not created"):


     

       
39

       

       
-

       
        machine.fail("ls /var/lib/containers/webserver")


     

       

       
39

       
+

       
        machine.fail("ls /var/lib/nixos-containers/webserver")


     

       
40

       
40

       
 

       



     

       
41

       
41

       
 

       
    # Since "start" returns after the container has reached


     

       
42

       
42

       
 

       
    # multi-user.target, we should now be able to access it.


     
···

       
49

       
49

       
 

       
        machine.fail(f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null")


     

       
50

       
50

       
 

       



     

       
51

       
51

       
 

       
    with subtest("Container's root folder was removed"):


     

       
52

       

       
-

       
        machine.fail("ls /run/containers/webserver")


     

       

       
52

       
+

       
        machine.fail("ls /run/nixos-containers/webserver")


     

       
53

       
53

       
 

       
  '';


     

       
54

       
54

       
 

       
})
+6 -6
nixos/tests/containers-imperative.nix 
···

       
69

       
69

       
 

       



     

       
70

       
70

       
 

       
      with subtest(f"Put the root of {id2} into a bind mount"):


     

       
71

       
71

       
 

       
          machine.succeed(


     

       
72

       

       
-

       
              f"mv /var/lib/containers/{id2} /id2-bindmount",


     

       
73

       

       
-

       
              f"mount --bind /id2-bindmount /var/lib/containers/{id1}",


     

       

       
72

       
+

       
              f"mv /var/lib/nixos-containers/{id2} /id2-bindmount",


     

       

       
73

       
+

       
              f"mount --bind /id2-bindmount /var/lib/nixos-containers/{id1}",


     

       
74

       
74

       
 

       
          )


     

       
75

       
75

       
 

       



     

       
76

       
76

       
 

       
          ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip()


     
···

       
88

       
88

       
 

       
          "Create a directory with a dummy file and bind-mount it into both containers."


     

       
89

       
89

       
 

       
      ):


     

       
90

       
90

       
 

       
          for id in id1, id2:


     

       
91

       

       
-

       
              important_path = f"/var/lib/containers/{id}/very/important/data"


     

       

       
91

       
+

       
              important_path = f"/var/lib/nixos-containers/{id}/very/important/data"


     

       
92

       
92

       
 

       
              machine.succeed(


     

       
93

       
93

       
 

       
                  f"mkdir -p {important_path}",


     

       
94

       
94

       
 

       
                  f"mount --bind /nested-bindmount {important_path}",


     
···

       
154

       
154

       
 

       
          machine.succeed("grep -qF 'important data' /nested-bindmount/dummy")


     

       
155

       
155

       
 

       



     

       
156

       
156

       
 

       
      with subtest("Ensure that the container path is gone"):


     

       
157

       

       
-

       
          print(machine.succeed("ls -lsa /var/lib/containers"))


     

       
158

       

       
-

       
          machine.succeed(f"test ! -e /var/lib/containers/{id1}")


     

       

       
157

       
+

       
          print(machine.succeed("ls -lsa /var/lib/nixos-containers"))


     

       

       
158

       
+

       
          machine.succeed(f"test ! -e /var/lib/nixos-containers/{id1}")


     

       
159

       
159

       
 

       



     

       
160

       
160

       
 

       
      with subtest("Ensure that a failed container creation doesn'leave any state"):


     

       
161

       
161

       
 

       
          machine.fail(


     

       
162

       
162

       
 

       
              "nixos-container create b0rk --config-file ${brokenCfg}"


     

       
163

       
163

       
 

       
          )


     

       
164

       

       
-

       
          machine.succeed("test ! -e /var/lib/containers/b0rk")


     

       

       
164

       
+

       
          machine.succeed("test ! -e /var/lib/nixos-containers/b0rk")


     

       
165

       
165

       
 

       
    '';


     

       
166

       
166

       
 

       
})
+5 -5
nixos/tests/containers-tmpfs.nix 
···

       
62

       
62

       
 

       
          machine.succeed(


     

       
63

       
63

       
 

       
              tmpfs_cmd("touch /root/test.file"),


     

       
64

       
64

       
 

       
              tmpfs_cmd("ls -l  /root | grep -q test.file"),


     

       
65

       

       
-

       
              "test -e /var/lib/containers/tmpfs/root/test.file",


     

       

       
65

       
+

       
              "test -e /var/lib/nixos-containers/tmpfs/root/test.file",


     

       
66

       
66

       
 

       
          )


     

       
67

       
67

       
 

       



     

       
68

       
68

       
 

       
      with subtest(


     
···

       
73

       
73

       
 

       
              tmpfs_cmd("touch /some/random/path/test.file"),


     

       
74

       
74

       
 

       
              tmpfs_cmd("test -e /some/random/path/test.file"),


     

       
75

       
75

       
 

       
          )


     

       
76

       

       
-

       
          machine.fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file")


     

       

       
76

       
+

       
          machine.fail("test -e /var/lib/nixos-containers/tmpfs/some/random/path/test.file")


     

       
77

       
77

       
 

       



     

       
78

       
78

       
 

       
      with subtest(


     

       
79

       
79

       
 

       
          "files created in the hosts container dir in a path where a tmpfs "


     
···

       
81

       
81

       
 

       
          + "the do not exist in the tmpfs"


     

       
82

       
82

       
 

       
      ):


     

       
83

       
83

       
 

       
          machine.succeed(


     

       
84

       

       
-

       
              "touch /var/lib/containers/tmpfs/var/test.file",


     

       
85

       

       
-

       
              "test -e /var/lib/containers/tmpfs/var/test.file",


     

       
86

       

       
-

       
              "ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null",


     

       

       
84

       
+

       
              "touch /var/lib/nixos-containers/tmpfs/var/test.file",


     

       

       
85

       
+

       
              "test -e /var/lib/nixos-containers/tmpfs/var/test.file",


     

       

       
86

       
+

       
              "ls -l /var/lib/nixos-containers/tmpfs/var/ | grep -q test.file 2>/dev/null",


     

       
87

       
87

       
 

       
          )


     

       
88

       
88

       
 

       
          machine.fail(tmpfs_cmd("ls -l /var | grep -q test.file"))


     

       
89

       
89

       
 

       
    '';