
nixos-container: Use new configuration & state directories

We need to move the NixOS container directories somewhere else so they don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.

The state directory move is not strictly a requirement but is good for
consistency.

+42 -32
+1 -1
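--- a/nixos/doc/manual/administration/declarative-containers.section.md
+++ b/nixos/doc/manual/administration/declarative-containers.section.md
@@ -40,7 +40,7 @@
 To disable the container, just remove it from `configuration.nix` and
 run `nixos-rebuild
 switch`. Note that this will not delete the root directory of the
-container in `/var/lib/containers`. Containers can be destroyed using
+container in `/var/lib/nixos-containers`. Containers can be destroyed using
 the imperative method: `nixos-container destroy foo`.
 
 Declarative containers can be started and stopped using the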
+2 -2
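--- a/nixos/doc/manual/administration/imperative-containers.section.md
+++ b/nixos/doc/manual/administration/imperative-containers.section.md
@@ -10,8 +10,8 @@
 # nixos-container create foo
 ```
 
-This creates the container's root directory in `/var/lib/containers/foo`
-and a small configuration file in `/etc/containers/foo.conf`. It also
+This creates the container's root directory in `/var/lib/nixos-containers/foo`
+and a small configuration file in `/etc/nixos-containers/foo.conf`. It also
 builds the container's initial system configuration and stores it in
 `/nix/var/nix/profiles/per-container/foo/system`. You can modify the
 initial configuration of the container on the command line. For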
+2 -2
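--- a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml
+++ b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml
@@ -48,8 +48,8 @@
 <literal>configuration.nix</literal> and run
 <literal>nixos-rebuild switch</literal>. Note that this will not
 delete the root directory of the container in
-<literal>/var/lib/containers</literal>. Containers can be destroyed
-using the imperative method:
+<literal>/var/lib/nixos-containers</literal>. Containers can be
+destroyed using the imperative method:
 <literal>nixos-container destroy foo</literal>.
 </para>
 <para>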
+3 -2
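--- a/nixos/doc/manual/from_md/administration/imperative-containers.section.xml
+++ b/nixos/doc/manual/from_md/administration/imperative-containers.section.xml
@@ -14,8 +14,9 @@
 </programlisting>
 <para>
 This creates the container’s root directory in
-<literal>/var/lib/containers/foo</literal> and a small configuration
-file in <literal>/etc/containers/foo.conf</literal>. It also builds
+<literal>/var/lib/nixos-containers/foo</literal> and a small
+configuration file in
+<literal>/etc/nixos-containers/foo.conf</literal>. It also builds
 the container’s initial system configuration and stores it in
 <literal>/nix/var/nix/profiles/per-container/foo/system</literal>.
 You can modify the initial configuration of the container on the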
+20 -11
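--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -4,6 +4,11 @@
 
 let
 
+configurationPrefix = optionalString (versionAtLeast config.system.stateVersion "22.05") "nixos-";
+configurationDirectoryName = "${configurationPrefix}containers";
+configurationDirectory = "/etc/${configurationDirectoryName}";
+stateDirectory = "/var/lib/${configurationPrefix}containers";
+
 # The container's init script, a small wrapper around the regular
 # NixOS stage-2 init script.
 containerInit = (cfg:
@@ -77,7 +82,7 @@
 startScript = cfg:
 ''
 mkdir -p -m 0755 "$root/etc" "$root/var/lib"
-mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
+mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/nixos-containers
 if ! [ -e "$root/etc/os-release" ]; then
 touch "$root/etc/os-release"
 fi
@@ -249,11 +254,11 @@
 
 SyslogIdentifier = "container %i";
 
-EnvironmentFile = "-/etc/containers/%i.conf";
+EnvironmentFile = "-${configurationDirectory}/%i.conf";
 
 Type = "notify";
 
-RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
+RuntimeDirectory = lib.optional cfg.ephemeral "${configurationDirectoryName}/%i";
 
 # Note that on reboot, systemd-nspawn returns 133, so this
 # unit will be restarted. On poweroff, it returns 0, so the
@@ -740,12 +745,12 @@
 unit = {
 description = "Container '%i'";
 
-unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
+unitConfig.RequiresMountsFor = "${stateDirectory}/%i";
 
 path = [ pkgs.iproute2 ];
 
 environment = {
-root = "/var/lib/containers/%i";
+root = "${stateDirectory}/%i";
 INSTANCE = "%i";
 };
 
@@ -782,8 +787,8 @@
 script = startScript containerConfig;
 postStart = postStartScript containerConfig;
 serviceConfig = serviceDirectives containerConfig;
-unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
-environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
+unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i";
+environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i";
 } // (
 if containerConfig.autoStart then
 {
@@ -792,7 +797,7 @@
 after = [ "network.target" ];
 restartTriggers = [
 containerConfig.path
-config.environment.etc."containers/${name}.conf".source
+config.environment.etc."${configurationDirectoryName}/${name}.conf".source
 ];
 restartIfChanged = true;
 }
@@ -800,12 +805,12 @@
 )) config.containers)
 ));
 
-# Generate a configuration file in /etc/containers for each
+# Generate a configuration file in /etc/nixos-containers for each
 # container so that container@.target can get the container
 # configuration.
 environment.etc =
 let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort);
-in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"
+in mapAttrs' (name: cfg: nameValuePair "${configurationDirectoryName}/${name}.conf"
 { text =
 ''
 SYSTEM_PATH=${cfg.path}
@@ -854,7 +859,11 @@
 ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1"
 '';
 
-environment.systemPackages = [ pkgs.nixos-container ];
+environment.systemPackages = [
+(pkgs.nixos-container.override {
+inherit stateDirectory configurationDirectory;
+})
+];
 
 boot.kernelModules = [
 "bridge"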
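Review bot: The ephemeral runtime path is hard-coded as `/run/nixos-containers` on new-side lines 85 and 791, while `RuntimeDirectory` on line 261 is derived from `configurationDirectoryName`, which only carries the `nixos-` prefix when `system.stateVersion` is at least 22.05 (line 7). On a host with an older stateVersion systemd would presumably create and, on stop, remove `/run/containers/%i`, but the container root is `/run/nixos-containers/%i`, created by the start script's `mkdir` and never cleaned up; containers-ephemeral.nix only checks the new names, so it would not catch this. Deriving the path once in the let block, `runtimeDirectory = "/run/${configurationDirectoryName}";`, and using `mkdir -p -m 0700 "$root/var/lib/private" "$root/root" ${runtimeDirectory}` on line 85 and `then "${runtimeDirectory}/%i"` on line 791 keeps the three in step (startScript and the serviceDirectives attribute set both extend outside these hunks). The comment on line 808 now names `/etc/nixos-containers` unconditionally; it could note that the `nixos-` prefix applies from stateVersion 22.05, since the let block is the only place that documents the split.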
+3 -3
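--- a/nixos/tests/containers-ephemeral.nix
+++ b/nixos/tests/containers-ephemeral.nix
@@ -33,10 +33,10 @@
 machine.succeed("nixos-container start webserver")
 
 with subtest("Container got its own root folder"):
-machine.succeed("ls /run/containers/webserver")
+machine.succeed("ls /run/nixos-containers/webserver")
 
 with subtest("Container persistent directory is not created"):
-machine.fail("ls /var/lib/containers/webserver")
+machine.fail("ls /var/lib/nixos-containers/webserver")
 
 # Since "start" returns after the container has reached
 # multi-user.target, we should now be able to access it.
@@ -49,6 +49,6 @@
 machine.fail(f"curl --fail --connect-timeout 2 http://{ip}/ > /dev/null")
 
 with subtest("Container's root folder was removed"):
-machine.fail("ls /run/containers/webserver")
+machine.fail("ls /run/nixos-containers/webserver")
 '';
 })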
+6 -6
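--- a/nixos/tests/containers-imperative.nix
+++ b/nixos/tests/containers-imperative.nix
@@ -69,8 +69,8 @@
 
 with subtest(f"Put the root of {id2} into a bind mount"):
 machine.succeed(
-f"mv /var/lib/containers/{id2} /id2-bindmount",
-f"mount --bind /id2-bindmount /var/lib/containers/{id1}",
+f"mv /var/lib/nixos-containers/{id2} /id2-bindmount",
+f"mount --bind /id2-bindmount /var/lib/nixos-containers/{id1}",
 )
 
 ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip()
@@ -88,7 +88,7 @@
 "Create a directory with a dummy file and bind-mount it into both containers."
 ):
 for id in id1, id2:
-important_path = f"/var/lib/containers/{id}/very/important/data"
+important_path = f"/var/lib/nixos-containers/{id}/very/important/data"
 machine.succeed(
 f"mkdir -p {important_path}",
 f"mount --bind /nested-bindmount {important_path}",
@@ -154,13 +154,13 @@
 machine.succeed("grep -qF 'important data' /nested-bindmount/dummy")
 
 with subtest("Ensure that the container path is gone"):
-print(machine.succeed("ls -lsa /var/lib/containers"))
-machine.succeed(f"test ! -e /var/lib/containers/{id1}")
+print(machine.succeed("ls -lsa /var/lib/nixos-containers"))
+machine.succeed(f"test ! -e /var/lib/nixos-containers/{id1}")
 
 with subtest("Ensure that a failed container creation doesn'leave any state"):
 machine.fail(
 "nixos-container create b0rk --config-file ${brokenCfg}"
 )
-machine.succeed("test ! -e /var/lib/containers/b0rk")
+machine.succeed("test ! -e /var/lib/nixos-containers/b0rk")
 '';
 })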
+5 -5
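--- a/nixos/tests/containers-tmpfs.nix
+++ b/nixos/tests/containers-tmpfs.nix
@@ -62,7 +62,7 @@
 machine.succeed(
 tmpfs_cmd("touch /root/test.file"),
 tmpfs_cmd("ls -l /root | grep -q test.file"),
-"test -e /var/lib/containers/tmpfs/root/test.file",
+"test -e /var/lib/nixos-containers/tmpfs/root/test.file",
 )
 
 with subtest(
@@ -73,7 +73,7 @@
 tmpfs_cmd("touch /some/random/path/test.file"),
 tmpfs_cmd("test -e /some/random/path/test.file"),
 )
-machine.fail("test -e /var/lib/containers/tmpfs/some/random/path/test.file")
+machine.fail("test -e /var/lib/nixos-containers/tmpfs/some/random/path/test.file")
 
 with subtest(
 "files created in the hosts container dir in a path where a tmpfs "
@@ -81,9 +81,9 @@
 + "the do not exist in the tmpfs"
 ):
 machine.succeed(
-"touch /var/lib/containers/tmpfs/var/test.file",
-"test -e /var/lib/containers/tmpfs/var/test.file",
-"ls -l /var/lib/containers/tmpfs/var/ | grep -q test.file 2>/dev/null",
+"touch /var/lib/nixos-containers/tmpfs/var/test.file",
+"test -e /var/lib/nixos-containers/tmpfs/var/test.file",
+"ls -l /var/lib/nixos-containers/tmpfs/var/ | grep -q test.file 2>/dev/null",
 )
 machine.fail(tmpfs_cmd("ls -l /var | grep -q test.file"))
 '';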