authorJaka Hudoklin <jakahudoklin@gmail.com>2014-12-11 22:58:17 +0100
committerJaka Hudoklin <jakahudoklin@gmail.com>2014-12-11 23:17:27 +0100
commitdeb28cf0b1af905f007a9219e1e11da6859faede (patch)
treec4b11429bc9e1c88a9329c405ecfd1bdbc484a63
parenta782b890d53b5c8a336677bb7c5394f9afb4c39b (diff)
nixos: container tarball release
- Create container nixos profile
- Create lxc-container nixos config using container nixos profile
- Make the Docker nixos image use the container nixos profile for its base config
-rw-r--r--nixos/modules/profiles/container.nix57
-rw-r--r--nixos/modules/virtualisation/docker-image.nix60
-rw-r--r--nixos/modules/virtualisation/lxc-container.nix26
-rw-r--r--nixos/release.nix6
4 files changed, 95 insertions, 54 deletions
diff --git a/nixos/modules/profiles/container.nix b/nixos/modules/profiles/container.nix
new file mode 100644
index 00000000000..5b531e5c3df
--- /dev/null
+++ b/nixos/modules/profiles/container.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
+
+in {
+  # Docker image config.
+  imports = [
+    ../installer/cd-dvd/channel.nix
+    ./minimal.nix
+    ./clone-config.nix
+  ];
+
+  # Create the tarball
+  system.build.tarball = import ../../lib/make-system-tarball.nix {
+    inherit (pkgs) stdenv perl xz pathsFromGraph;
+
+    contents = [];
+    extraArgs = "--owner=0";
+
+    # Some container managers like lxc need these
+    extraCommands = "mkdir -p proc sys dev";
+
+    # Add init script to image
+    storeContents = [
+      { object = config.system.build.toplevel + "/init";
+        symlink = "/init";
+      }
+    ] ++ (pkgs2storeContents [ pkgs.stdenv ]);
+  };
+
+  boot.postBootCommands =
+    ''
+      # After booting, register the contents of the Nix store in the Nix
+      # database.
+      if [ -f /nix-path-registration ]; then
+        ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
+        rm /nix-path-registration
+      fi
+
+      # nixos-rebuild also requires a "system" profile and an
+      # /etc/NIXOS tag.
+      touch /etc/NIXOS
+      ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+    '';
+
+  boot.isContainer = true;
+
+  # Disable some features that are not useful in a container.
+  sound.enable = mkDefault false;
+  services.udisks2.enable = mkDefault false;
+
+  # Shut up warnings about not having a boot loader.
+  system.build.installBootLoader = "${pkgs.coreutils}/bin/true";
+}
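Review bot: The header comment `# Docker image config.` above `imports = [` is stale now that this file is a generic profile imported by both the Docker and the LXC configurations, and the new module otherwise says nothing about what it produces. I would replace it with `# Base configuration shared by container images (docker-image.nix, lxc-container.nix): builds the system tarball and registers the store paths on first boot.` The tarball is created with `extraArgs = "--owner=0"` only; unless make-system-tarball.nix also passes `--group=0` (not visible here), files in the image may keep the build user's gid, so it is worth confirming the generated tarball is root:root throughout.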
diff --git a/nixos/modules/virtualisation/docker-image.nix b/nixos/modules/virtualisation/docker-image.nix
index cabb1712b6c..0195ca5c6dc 100644
--- a/nixos/modules/virtualisation/docker-image.nix
+++ b/nixos/modules/virtualisation/docker-image.nix
@@ -1,67 +1,19 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 
-with lib;
-
-let
- pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
-
-in {
-  # Create the tarball
-  system.build.dockerImage = import ../../lib/make-system-tarball.nix {
-    inherit (pkgs) stdenv perl xz pathsFromGraph;
-
-    contents = [];
-    extraArgs = "--owner=0";
-    storeContents = [
-      { object = config.system.build.toplevel + "/init";
-        symlink = "/bin/init";
-      }
-    ] ++ (pkgs2storeContents [ pkgs.stdenv ]);
-  };
+{
+  imports = [
+    ../profiles/container.nix
+  ];
 
   boot.postBootCommands =
     ''
-      # After booting, register the contents of the Nix store in the Nix
-      # database.
-      if [ -f /nix-path-registration ]; then
-        ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
-        rm /nix-path-registration
-      fi
-
-      # nixos-rebuild also requires a "system" profile and an
-      # /etc/NIXOS tag.
-      touch /etc/NIXOS
-      ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
-
       # Set virtualisation to docker
-      echo "docker" > /run/systemd/container 
+      echo "docker" > /run/systemd/container
     '';
 
-
-  # Docker image config.
-  imports = [
-    ../installer/cd-dvd/channel.nix
-    ../profiles/minimal.nix
-    ../profiles/clone-config.nix
-  ];
-
-  boot.isContainer = true;
-
   # Iptables do not work in Docker.
   networking.firewall.enable = false;
 
-  services.openssh.enable = true;
-
   # Socket activated ssh presents problem in Docker.
   services.openssh.startWhenNeeded = false;
-
-  # Allow the user to login as root without password.
-  users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
-
-  # Some more help text.
-  services.mingetty.helpLine =
-    ''
-
-      Log in as "root" with an empty password.
-    '';
 }
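Review bot: Importing ../profiles/container.nix moves the init entry point of the Docker image: the profile places the symlink at `/init`, whereas this module previously placed it at `/bin/init`, so any existing Dockerfile or `docker run` command that starts `/bin/init` will stop working. If that is intended, the commit description should say so; otherwise a `/bin/init` link should be kept alongside `/init`. Also, `services.openssh.startWhenNeeded = false` now stands without a matching `services.openssh.enable`, so it only matters if a user enables sshd themselves; a comment such as `# Only relevant if sshd is enabled by the user.` would make that clear.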
diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix
new file mode 100644
index 00000000000..2fa749d542e
--- /dev/null
+++ b/nixos/modules/virtualisation/lxc-container.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../profiles/container.nix
+  ];
+
+  # Allow the user to login as root without password.
+  users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
+
+  # Some more help text.
+  services.mingetty.helpLine =
+    ''
+
+      Log in as "root" with an empty password.
+    '';
+
+  # Containers should be light-weight, so start sshd on demand.
+  services.openssh.enable = mkDefault true;
+  services.openssh.startWhenNeeded = mkDefault true;
+
+  # Allow ssh connections
+  networking.firewall.allowedTCPPorts = [ 22 ];
+}
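Review bot: This module combines a passwordless root account (`users.extraUsers.root.initialHashedPassword = mkOverride 150 ""`) with sshd enabled by default and port 22 opened in the firewall, which is a risky default for a release artifact that may be started on a bridged or host network. OpenSSH normally rejects empty passwords (`PermitEmptyPasswords no`), but that depends on the generated sshd_config, which is not visible here, and the empty password still lets anyone with console access become root until it is changed. I would at least set `services.openssh.permitRootLogin = mkDefault "without-password";` (assuming that option exists in this tree) and extend the help text to say the empty root password is meant for the console and should be changed immediately. Alternatively, leave sshd disabled by default and let users opt in once a password or authorized keys are in place.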
diff --git a/nixos/release.nix b/nixos/release.nix
index b0932c318c9..efc49adce46 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -213,6 +213,12 @@ in rec {
     inherit system;
   });
 
+  # Provide container tarball for lxc, libvirt-lxc, docker-lxc, ...
+  container_tarball = forAllSystems (system: makeSystemTarball {
+    module = ./modules/virtualisation/lxc-container.nix;
+    inherit system;
+  });
+
   /*
   system_tarball_fuloong2f =
     assert builtins.currentSystem == "mips64-linux";