authorMarek Mahut <marek.mahut@gmail.com>2019-08-23 08:00:35 +0200
committerGitHub <noreply@github.com>2019-08-23 08:00:35 +0200
commit27acea73b80d22af43b2d0d64dc84e40c3beb991 (patch)
treee0c3ac19651d08b486d965993fe59cc1d9438460 /nixos/modules/virtualisation
parentdfc6d580bcc76f92a7ef2ab502a18ea4251594c2 (diff)
parent7e7fc6471e86cbc167255d56d84e2cbb8b0365ab (diff)
Merge pull request #67130 from uvNikita/containers/unprivileged
nixos/containers: add unprivileged option
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r--nixos/modules/virtualisation/containers.nix16
1 files changed, 14 insertions, 2 deletions
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index b65374c9257..97325847bd1 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -139,6 +139,7 @@ let
         --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
         --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
         ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
+        ${optionalString (cfg.unprivileged) "-U"} \
         --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
         --setenv HOST_BRIDGE="$HOST_BRIDGE" \
         --setenv HOST_ADDRESS="$HOST_ADDRESS" \
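Review bot: The `-U` added here only remaps ownership of the container root tree; the `--bind=` mounts two lines above it (per-container profiles and gcroots) are host directories owned by host uid 0, which inside the picked user namespace shows up as the overflow id, so the container's root presumably cannot write its own profile directory and an in-container `switch-to-configuration` is likely to fail — worth confirming with a real `unprivileged = true` container before this lands, and the same applies to any other host-owned bind mount this file sets up outside the hunk. Per systemd-nspawn(1), `-U` is `--private-users=pick --private-users-chown` (and silently `--private-users=no` when the kernel lacks user namespaces), so the chown is recursive over the container directory; a comment on the new line such as `# -U = --private-users=pick --private-users-chown; host-owned bind mounts are not remapped` would make both facts visible to the next reader. The nspawn argument list this line belongs to starts before the hunk.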
@@ -238,8 +239,8 @@ let
     ExecReload = pkgs.writeScript "reload-container"
       ''
         #! ${pkgs.runtimeShell} -e
-        ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
-          bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
+        ${pkgs.systemd}/bin/machinectl shell "$INSTANCE" \
+          ''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test
       '';
 
     SyslogIdentifier = "container %i";
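Review bot: The `''${SYSTEM_PATH:-...}/bin/switch-to-configuration` expansion on the new second line is unquoted, so the resulting shell word is subject to splitting and globbing; quoting it, `"''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration" test`, keeps `test` as the separate argument that machinectl forwards. The switch from `nixos-container run` to `machinectl shell` is not conditional on `cfg.unprivileged`, so it changes reload for every container and presumably depends on the container being registered with systemd-machined. I would also verify that a non-zero exit of switch-to-configuration is propagated through `machinectl shell` on the systemd version in this tree; if it is not, the `-e` in the shebang never sees a failed reload. The ExecReload script is complete within the hunk, but the enclosing unit definition is not.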
@@ -423,6 +424,7 @@ let
       extraVeths = {};
       additionalCapabilities = [];
       ephemeral = false;
+      unprivileged = false;
       allowedDevices = [];
       hostAddress = null;
       hostAddress6 = null;
@@ -516,6 +518,16 @@ in
               '';
             };
 
+            unprivileged = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Run container in unprivileged mode using private users feature of <command>systemd-nspawn</command>.
+                This option is eqvivalent of adding -U parameter to <command>systemd-nspawn</command> command.
+                See <literal>systemd-nspawn(1)</literal> man page for more information.
+              '';
+            };
+
             ephemeral = mkOption {
               type = types.bool;
               default = false;
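Review bot: The description of the new `unprivileged` option misspells "equivalent" and says "equivalent of adding -U" where "equivalent to passing -U" is meant, and it does not tell the user what `-U` entails, which matters here because the flag recursively chowns the container directory and does not remap host-owned bind mounts. I would replace the three description lines with `Run the container in unprivileged mode using the private users feature of <command>systemd-nspawn</command>.`, `This is equivalent to passing <literal>-U</literal> (i.e. <literal>--private-users=pick --private-users-chown</literal>) to <command>systemd-nspawn</command>; the container root tree is chowned to the picked UID range, while host paths bound into the container keep their host ownership.`, `See <literal>systemd-nspawn(1)</literal> for details.`. The enclosing options attrset starts before this hunk and the `ephemeral` option that follows runs past it.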