nixos/containers: add unprivileged option

Fixes #57083.
Nikita Uvarov 2019-08-20 23:43:15 +02:00
parent bacf5619e2
commit 7e7fc6471e
No known key found for this signature in database
GPG Key ID: F7A5FB3A7C10EF96
3 changed files with 71 additions and 2 deletions


@ -139,6 +139,7 @@ let
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \ ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
${optionalString (cfg.unprivileged) "-U"} \
--setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
--setenv HOST_BRIDGE="$HOST_BRIDGE" \ --setenv HOST_BRIDGE="$HOST_BRIDGE" \
--setenv HOST_ADDRESS="$HOST_ADDRESS" \ --setenv HOST_ADDRESS="$HOST_ADDRESS" \
@ -238,8 +239,8 @@ let
ExecReload = pkgs.writeScript "reload-container" ExecReload = pkgs.writeScript "reload-container"
'' ''
#! ${pkgs.runtimeShell} -e #! ${pkgs.runtimeShell} -e
${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \ ${pkgs.systemd}/bin/machinectl shell "$INSTANCE" \
bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" ''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test
''; '';
SyslogIdentifier = "container %i"; SyslogIdentifier = "container %i";
@ -423,6 +424,7 @@ let
extraVeths = {}; extraVeths = {};
additionalCapabilities = []; additionalCapabilities = [];
ephemeral = false; ephemeral = false;
unprivileged = false;
allowedDevices = []; allowedDevices = [];
hostAddress = null; hostAddress = null;
hostAddress6 = null; hostAddress6 = null;
@ -516,6 +518,16 @@ in
''; '';
}; };
unprivileged = mkOption {
type = types.bool;
default = false;
description = ''
Run container in unprivileged mode using private users feature of <command>systemd-nspawn</command>.
This option is eqvivalent of adding -U parameter to <command>systemd-nspawn</command> command.
See <literal>systemd-nspawn(1)</literal> man page for more information.
'';
};
ephemeral = mkOption { ephemeral = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
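Review bot: The `-U` flag added in the first hunk degrades silently when the kernel lacks user-namespace support: systemd-nspawn(1) defines `-U` as `--private-users=pick --private-users-chown` only when user namespaces are available and as `--private-users=no` otherwise, so on such a host the container runs fully privileged even though `unprivileged = true` is set, with no error from this module. The option description in the fourth hunk should spell that out, together with the fact that `--private-users-chown` recursively re-owns the container's directory tree to the picked UID range, which is a one-way change an administrator should expect; for example `Implies --private-users=pick --private-users-chown: the container directory tree is chowned to the picked UID range, and on kernels without user-namespace support systemd-nspawn falls back to running the container privileged.` The same description has a typo, `eqvivalent of adding` → `equivalent to adding`. The ExecReload rewrite in the second hunk also drops the `bash --login` wrapper, so `switch-to-configuration test` now runs with whatever environment `machinectl shell` provides rather than a login shell's profile; presumably intentional, but a one-line comment on why `machinectl shell` is required for the unprivileged case would help the next maintainer.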


@ -48,6 +48,7 @@ in
colord = handleTest ./colord.nix {}; colord = handleTest ./colord.nix {};
containers-bridge = handleTest ./containers-bridge.nix {}; containers-bridge = handleTest ./containers-bridge.nix {};
containers-ephemeral = handleTest ./containers-ephemeral.nix {}; containers-ephemeral = handleTest ./containers-ephemeral.nix {};
containers-unprivileged = handleTest ./containers-unprivileged.nix {};
containers-extra_veth = handleTest ./containers-extra_veth.nix {}; containers-extra_veth = handleTest ./containers-extra_veth.nix {};
containers-hosts = handleTest ./containers-hosts.nix {}; containers-hosts = handleTest ./containers-hosts.nix {};
containers-imperative = handleTest ./containers-imperative.nix {}; containers-imperative = handleTest ./containers-imperative.nix {};


@ -0,0 +1,56 @@
# Test for NixOS' container support.
import ./make-test.nix ({ pkgs, ...} : {
name = "containers-unprivileged";
machine = { pkgs, ... }: {
virtualisation.memorySize = 768;
virtualisation.writableStore = true;
containers.webserver = {
unprivileged = true;
privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.2";
config = {
services.nginx = {
enable = true;
virtualHosts.localhost = {
root = (pkgs.runCommand "localhost" {} ''
mkdir "$out"
echo hello world > "$out/index.html"
'');
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
};
};
testScript = ''
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container start webserver");
my $ip = $machine->succeed("nixos-container show-ip webserver");
chomp $ip;
$machine->succeed("ping -n -c1 $ip");
# Check that container root folder is owned by a new private user
$machine->succeed('test $(stat -c "%U" /var/lib/containers/webserver) == "vu-webserver-0"');
# Check that webserver is working before reload
$machine->succeed("curl --fail http://$ip/ > /dev/null");
# Reload container
$machine->succeed('systemctl reload container@webserver');
# Check that webserver is working after reload
$machine->succeed("curl --fail http://$ip/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
'';
})
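Review bot: The `stat -c "%U"` check verifies only that the container directory was chowned to the picked user, not that the container's processes actually run with shifted UIDs, so a run that performed the chown but did not apply the UID map would still pass. A complementary assertion after the start step would check that the nginx master, which is root inside the container, is not host UID 0: `$machine->fail("pgrep -u 0 -x nginx");`. The expected owner `vu-webserver-0` couples the test to the dynamic-user naming scheme systemd-nspawn uses for picked ranges; presumably stable for the systemd version in nixpkgs, but a comment stating where the name comes from would make a future rename easier to diagnose, e.g. `# vu-<machine>-0 is the dynamic user nspawn registers for the picked UID range`.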