From 7e7fc6471e86cbc167255d56d84e2cbb8b0365ab Mon Sep 17 00:00:00 2001
From: Nikita Uvarov <uv.nikita@gmail.com>
Date: Tue, 20 Aug 2019 23:43:15 +0200
Subject: nixos/containers: add unprivileged option

Fixes #57083.
---
 nixos/modules/virtualisation/containers.nix | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'nixos/modules/virtualisation/containers.nix')

diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index e1a91f7704e..b7cb29eaa22 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -139,6 +139,7 @@ let
         --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
         --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
         ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
+        ${optionalString (cfg.unprivileged) "-U"} \
         --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
         --setenv HOST_BRIDGE="$HOST_BRIDGE" \
         --setenv HOST_ADDRESS="$HOST_ADDRESS" \
@@ -238,8 +239,8 @@ let
     ExecReload = pkgs.writeScript "reload-container"
       ''
         #! ${pkgs.runtimeShell} -e
-        ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
-          bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
+        ${pkgs.systemd}/bin/machinectl shell "$INSTANCE" \
+          ''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test
       '';
 
     SyslogIdentifier = "container %i";
@@ -423,6 +424,7 @@ let
       extraVeths = {};
       additionalCapabilities = [];
       ephemeral = false;
+      unprivileged = false;
       allowedDevices = [];
       hostAddress = null;
       hostAddress6 = null;
@@ -516,6 +518,16 @@ in
               '';
             };
 
+            unprivileged = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Run container in unprivileged mode using private users feature of <command>systemd-nspawn</command>.
+                This option is eqvivalent of adding -U parameter to <command>systemd-nspawn</command> command.
+                See <literal>systemd-nspawn(1)</literal> man page for more information.
+              '';
+            };
+
             ephemeral = mkOption {
               type = types.bool;
               default = false;
-- 
cgit 1.4.1