nixpkgs/nixos/modules/virtualisation/lxd.nix

# Systemd services for lxd.

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.virtualisation.lxd;
  zfsCfg = config.boot.zfs;

in

{
  ###### interface

  options = {
    virtualisation.lxd = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          This option enables lxd, a daemon that manages
          containers. Users in the "lxd" group can interact with
          the daemon (e.g. to start or stop containers) using the
          <command>lxc</command> command line tool, among others.

          Most of the time, you'll also want to start lxcfs, so
          that containers can "see" the limits:
          <code>
            virtualisation.lxc.lxcfs.enable = true;
          </code>
        '';
      };

      package = mkOption {
        type = types.package;
        default = pkgs.lxd.override { nftablesSupport = config.networking.nftables.enable; };
        defaultText = "pkgs.lxd";
        description = ''
          The LXD package to use.
        '';
      };

      lxcPackage = mkOption {
        type = types.package;
        default = pkgs.lxc;
        defaultText = "pkgs.lxc";
        description = ''
          The LXC package to use with LXD (required for AppArmor profiles).
        '';
      };

      zfsPackage = mkOption {
        type = types.package;
        default = with pkgs; if zfsCfg.enableUnstable then zfsUnstable else zfs;
        defaultText = "pkgs.zfs";
        description = ''
          The ZFS package to use with LXD.
        '';
      };

      zfsSupport = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enables lxd to use zfs as a storage for containers.

          This option is enabled by default if a zfs pool is configured
          with nixos.
        '';
      };

      recommendedSysctlSettings = mkOption {
        type = types.bool;
        default = false;
        description = ''
          enables various settings to avoid common pitfalls when
          running containers requiring many file operations.
          Fixes errors like "Too many open files" or
          "neighbour: ndisc_cache: neighbor table overflow!".
          See https://lxd.readthedocs.io/en/latest/production-setup/
          for details.
        '';
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];

    security.apparmor = {
      enable = true;
      profiles = [
        "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start"
        "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers"
      ];
      packages = [ cfg.lxcPackage ];
    };

    # TODO: remove once LXD gets proper support for cgroupsv2
    # (currently most of the e.g. CPU accounting stuff doesn't work)
    systemd.enableUnifiedCgroupHierarchy = false;

    systemd.services.lxd = {
      description = "LXD Container Management Daemon";

      wantedBy = [ "multi-user.target" ];
      after = [ "systemd-udev-settle.service" ];

      path = lib.optional cfg.zfsSupport cfg.zfsPackage;

      preStart = ''
        mkdir -m 0755 -p /var/lib/lxc/rootfs
      '';

      serviceConfig = {
        ExecStart = "@${cfg.package}/bin/lxd lxd --group lxd";
        Type = "simple";
        KillMode = "process"; # when stopping, leave the containers alone
        LimitMEMLOCK = "infinity";
        LimitNOFILE = "1048576";
        LimitNPROC = "infinity";
        TasksMax = "infinity";

        # By default, `lxd` loads configuration files from hard-coded
        # `/usr/share/lxc/config` - since this is a no-go for us, we have to
        # explicitly tell it where the actual configuration files are
        Environment = mkIf (config.virtualisation.lxc.lxcfs.enable)
          "LXD_LXC_TEMPLATE_CONFIG=${pkgs.lxcfs}/share/lxc/config";
      };
    };

    users.groups.lxd.gid = config.ids.gids.lxd;

    users.users.root = {
      subUidRanges = [ { startUid = 1000000; count = 65536; } ];
      subGidRanges = [ { startGid = 1000000; count = 65536; } ];
    };

    boot.kernel.sysctl = mkIf cfg.recommendedSysctlSettings {
      "fs.inotify.max_queued_events" = 1048576;
      "fs.inotify.max_user_instances" = 1048576;
      "fs.inotify.max_user_watches" = 1048576;
      "vm.max_map_count" = 262144;
      "kernel.dmesg_restrict" = 1;
      "net.ipv4.neigh.default.gc_thresh3" = 8192;
      "net.ipv6.neigh.default.gc_thresh3" = 8192;
      "kernel.keys.maxkeys" = 2000;
    };
  };
}
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`# Systemd services for lxd.`

			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`cfg = config.virtualisation.lxd;`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`zfsCfg = config.boot.zfs;`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00
			`in`

			`{`
			`###### interface`

			`options = {`
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`virtualisation.lxd = {`
			`enable = mkOption {`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`type = types.bool;`
			`default = false;`
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`description = ''`
			`This option enables lxd, a daemon that manages`
			`containers. Users in the "lxd" group can interact with`
			`the daemon (e.g. to start or stop containers) using the`
			`<command>lxc</command> command line tool, among others.`
lxd: When `lxcfs` is enabled, start `lxd` with explicit `LXD_LXC_TEMPLATE_CONFIG` 2020-06-05 14:40:02 +02:00
			`Most of the time, you'll also want to start lxcfs, so`
			`that containers can "see" the limits:`
			`<code>`
			`virtualisation.lxc.lxcfs.enable = true;`
			`</code>`
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`'';`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`};`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00
			`package = mkOption {`
			`type = types.package;`
lxd: Add proper support for `nftables` 2020-06-05 12:57:18 +02:00			`default = pkgs.lxd.override { nftablesSupport = config.networking.nftables.enable; };`
lxd: also use default text for other package options 2020-01-30 14:26:54 +00:00			`defaultText = "pkgs.lxd";`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`description = ''`
			`The LXD package to use.`
			`'';`
			`};`

			`lxcPackage = mkOption {`
			`type = types.package;`
			`default = pkgs.lxc;`
lxd: also use default text for other package options 2020-01-30 14:26:54 +00:00			`defaultText = "pkgs.lxc";`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`description = ''`
			`The LXC package to use with LXD (required for AppArmor profiles).`
			`'';`
			`};`

			`zfsPackage = mkOption {`
			`type = types.package;`
			`default = with pkgs; if zfsCfg.enableUnstable then zfsUnstable else zfs;`
			`defaultText = "pkgs.zfs";`
			`description = ''`
			`The ZFS package to use with LXD.`
			`'';`
			`};`

lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`zfsSupport = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`Enables lxd to use zfs as a storage for containers.`

lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`This option is enabled by default if a zfs pool is configured`
			`with nixos.`
			`'';`
			`};`
lxd: Add proper support for `nftables` 2020-06-05 12:57:18 +02:00
nixos/lxd: add recommendedSysctlSettings * nixos/lxd: add productionSetup option * nixos/lxd: enable some settings by default * nixos/lxd: rename option 2019-12-14 23:29:08 +09:00			`recommendedSysctlSettings = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`enables various settings to avoid common pitfalls when`
			`running containers requiring many file operations.`
			`Fixes errors like "Too many open files" or`
			`"neighbour: ndisc_cache: neighbor table overflow!".`
			`See https://lxd.readthedocs.io/en/latest/production-setup/`
			`for details.`
			`'';`
			`};`
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`};`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`};`

			`###### implementation`

			`config = mkIf cfg.enable {`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`environment.systemPackages = [ cfg.package ];`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00
nixos/lxd: partial fix 2018-02-10 17:18:53 +09:00			`security.apparmor = {`
			`enable = true;`
Revert "apparmor: fix and improve the service" This reverts commit fb6d63f3fdd95a5468d43a0693c8ca7c1894363f. I really hope this finally fixes #99236: evaluation on Hydra. This time I really did check basically the same commit on Hydra: https://hydra.nixos.org/eval/1618011 Right now I don't have energy to find what exactly is wrong in the commit, and it doesn't seem important in comparison to nixos-unstable channel being stuck on a commit over one week old. 2020-10-07 11:15:18 +02:00			`profiles = [`
			`"${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start"`
			`"${cfg.lxcPackage}/etc/apparmor.d/lxc-containers"`
			`];`
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`packages = [ cfg.lxcPackage ];`
nixos/lxd: partial fix 2018-02-10 17:18:53 +09:00			`};`

nixos/lxd: disable cgroup v2 when LXD is active 2021-01-04 10:59:19 +01:00			`# TODO: remove once LXD gets proper support for cgroupsv2`
			`# (currently most of the e.g. CPU accounting stuff doesn't work)`
			`systemd.enableUnifiedCgroupHierarchy = false;`

lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`systemd.services.lxd = {`
			`description = "LXD Container Management Daemon";`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`wantedBy = [ "multi-user.target" ];`
			`after = [ "systemd-udev-settle.service" ];`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00
nixos/lxd: add package options for LXC, LXD and ZFS Currently, LXD always use pkgs.zfs, even if boot.zfs.enableUnstable is set. This change provides the option to change the LXC, LXD and ZFS packages, and determines the default ZFS package based on zfs.enableUnstable. 2019-11-19 05:08:49 +01:00			`path = lib.optional cfg.zfsSupport cfg.zfsPackage;`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`preStart = ''`
			`mkdir -m 0755 -p /var/lib/lxc/rootfs`
			`'';`
nixos/lxd: partial fix 2018-02-10 17:18:53 +09:00
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`serviceConfig = {`
nixos/*: use $out instead of $bin with buildGoPackage 2020-04-28 11:50:34 +10:00			`ExecStart = "@${cfg.package}/bin/lxd lxd --group lxd";`
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`Type = "simple";`
			`KillMode = "process"; # when stopping, leave the containers alone`
nixos/lxd: add recommendedSysctlSettings * nixos/lxd: add productionSetup option * nixos/lxd: enable some settings by default * nixos/lxd: rename option 2019-12-14 23:29:08 +09:00			`LimitMEMLOCK = "infinity";`
			`LimitNOFILE = "1048576";`
			`LimitNPROC = "infinity";`
			`TasksMax = "infinity";`
lxd: When `lxcfs` is enabled, start `lxd` with explicit `LXD_LXC_TEMPLATE_CONFIG` 2020-06-05 14:40:02 +02:00
			# By default, `lxd` loads configuration files from hard-coded
			# `/usr/share/lxc/config` - since this is a no-go for us, we have to
			`# explicitly tell it where the actual configuration files are`
			`Environment = mkIf (config.virtualisation.lxc.lxcfs.enable)`
			`"LXD_LXC_TEMPLATE_CONFIG=${pkgs.lxcfs}/share/lxc/config";`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`};`
lxd: 2.16 -> 3.0.0 2018-03-16 09:58:54 +00:00			`};`

nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.groups.lxd.gid = config.ids.gids.lxd;`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.users.root = {`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`subUidRanges = [ { startUid = 1000000; count = 65536; } ];`
			`subGidRanges = [ { startGid = 1000000; count = 65536; } ];`
			`};`
nixos/lxd: add recommendedSysctlSettings * nixos/lxd: add productionSetup option * nixos/lxd: enable some settings by default * nixos/lxd: rename option 2019-12-14 23:29:08 +09:00
			`boot.kernel.sysctl = mkIf cfg.recommendedSysctlSettings {`
			`"fs.inotify.max_queued_events" = 1048576;`
			`"fs.inotify.max_user_instances" = 1048576;`
			`"fs.inotify.max_user_watches" = 1048576;`
			`"vm.max_map_count" = 262144;`
			`"kernel.dmesg_restrict" = 1;`
			`"net.ipv4.neigh.default.gc_thresh3" = 8192;`
			`"net.ipv6.neigh.default.gc_thresh3" = 8192;`
			`"kernel.keys.maxkeys" = 2000;`
			`};`
nixos/lxd: Add service 2015-09-13 23:27:31 -07:00			`};`
			`}`