From 0d506aa712cf088343dff5863e9e58eb1228c3b0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <>
Date: Mon, 17 Mar 2014 14:04:39 +0100
Subject: [PATCH] Provide a simple way to log into containers

On the host, you can run

  $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw

to get a login prompt.  So this allows logging in even if the
container has no SSH access enabled.

You can also do

  $ socat unix:<path-to-container>/var/lib/root-shell.socket -

to get a plain root shell.  (This socket is only accessible by root,
obviously.)  This makes it easy to execute commands in the container,

  $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -
 .../virtualisation/container-login.nix        | 56 +++++++++++++++++++
 nixos/modules/virtualisation/containers.nix   |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 nixos/modules/virtualisation/container-login.nix

diff --git a/nixos/modules/virtualisation/container-login.nix b/nixos/modules/virtualisation/container-login.nix
new file mode 100644
index 000000000000..56e772fb797d
--- /dev/null
+++ b/nixos/modules/virtualisation/container-login.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+  config = {
+    # Provide a login prompt on /var/lib/login.socket.  On the host,
+    # you can connect to it by running ‘socat
+    # unix:<path-to-container>/var/lib/login.socket -,echo=0,raw’.
+    systemd.sockets.login =
+      { description = "Login Socket";
+        wantedBy = [ "" ];
+        socketConfig =
+          { ListenStream = "/var/lib/login.socket";
+            SocketMode = "0600"; # only root can connect, obviously
+            Accept = true;
+          };
+      };
+"login@" =
+      { description = "Login %i";
+        environment.TERM = "linux";
+        serviceConfig =
+          { Type = "simple";
+            StandardInput = "socket";
+            ExecStart = "${pkgs.socat}/bin/socat -t0 - exec:${pkgs.shadow}/bin/login,pty,setsid,setpgid,stderr,ctty";
+            TimeoutStopSec = 1; # FIXME
+          };
+      };
+    # Provide a non-interactive login root shell on
+    # /var/lib/root-shell.socket.  On the host, you can connect to it
+    # by running ‘socat unix:<path-to-container>/var/lib/root-shell.socket -’.
+    systemd.sockets.root-shell =
+      { description = "Root Shell Socket";
+        wantedBy = [ "" ];
+        socketConfig =
+          { ListenStream = "/var/lib/root-shell.socket";
+            SocketMode = "0666";
+            Accept = true;
+          };
+      };
+"root-shell@" =
+      { description = "Root Shell %i";
+        serviceConfig =
+          { Type = "simple";
+            StandardInput = "socket";
+            ExecStart = "${pkgs.bash}/bin/bash --login";
+            TimeoutStopSec = 1; # FIXME
+          };
+      };
+  };
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index d87284de4fc1..f1fcc18f1f99 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -57,6 +57,7 @@ with pkgs.lib;
                       { boot.isContainer = true;
                         security.initialRootPassword = mkDefault "!";
                         networking.hostName = mkDefault name;
+                        imports = [ ./container-login.nix ];
                     in [ extraConfig config.config ];
                   prefix = [ "systemd" "containers" name ];