diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-11-27 16:54:20 +0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-11-27 17:14:10 +0100 |
commit | 9ee30cd9b51c46cea7193993d006bb4301588001 (patch) | |
tree | df235eb03f6b5a8af7966868ad2faca60403e345 /nixos/lib/eval-config.nix | |
parent | 57f145a7f8c3bd01e5ac1927cb0e1b14658fa7aa (diff) | |
download | nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.tar nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.tar.gz nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.tar.bz2 nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.tar.lz nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.tar.xz nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.tar.zst nixpkgs-9ee30cd9b51c46cea7193993d006bb4301588001.zip |
Add support for lightweight NixOS containers
You can now say: systemd.containers.foo.config = { services.openssh.enable = true; services.openssh.ports = [ 2022 ]; users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ]; }; which defines a NixOS instance with the given configuration running inside a lightweight container. You can also manage the configuration of the container independently from the host: systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo"; where "path" is a NixOS system profile. It can be created/updated by doing: $ nix-env --set -p /nix/var/nix/profiles/containers/foo \ -f '<nixos>' -A system -I nixos-config=foo.nix The container configuration (foo.nix) should define boot.isContainer = true; to optimise away the building of a kernel and initrd. This is done automatically when using the "config" route. On the host, a lightweight container appears as the service "container-<name>.service". The container is like a regular NixOS (virtual) machine, except that it doesn't have its own kernel. It has its own root file system (by default /var/lib/containers/<name>), but shares the Nix store of the host (as a read-only bind mount). It also has access to the network devices of the host. Currently, if the configuration of the container changes, running "nixos-rebuild switch" on the host will cause the container to be rebooted. In the future we may want to send some message to the container so that it can activate the new container configuration without rebooting. Containers are not perfectly isolated yet. In particular, the host's /sys/fs/cgroup is mounted (writable!) in the guest.
Diffstat (limited to 'nixos/lib/eval-config.nix')
-rw-r--r-- | nixos/lib/eval-config.nix | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 5e1ce69158f..4b8c7354a7e 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -8,6 +8,7 @@ , extraArgs ? {} , modules , check ? true +, prefix ? [] }: let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; in @@ -17,6 +18,7 @@ rec { # Merge the option definitions in all modules, forming the full # system configuration. inherit (pkgs.lib.evalModules { + inherit prefix; modules = modules ++ baseModules; args = extraArgs; check = check && options.environment.checkConfigurationOptions.value; @@ -48,7 +50,7 @@ rec { let system = if nixpkgsOptions.system != "" then nixpkgsOptions.system else system_; nixpkgsOptions = (import ./eval-config.nix { - inherit system extraArgs modules; + inherit system extraArgs modules prefix; # For efficiency, leave out most NixOS modules; they don't # define nixpkgs.config, so it's pointless to evaluate them. baseModules = [ ../modules/misc/nixpkgs.nix ]; |