From deb28cf0b1af905f007a9219e1e11da6859faede Mon Sep 17 00:00:00 2001 From: Jaka Hudoklin Date: Thu, 11 Dec 2014 22:58:17 +0100 Subject: [PATCH] nixos: container tarball release - Create container nixos profile - Create lxc-container nixos config using container nixos profile - Docker nixos image, use nixos profile for its base config --- nixos/modules/profiles/container.nix | 57 ++++++++++++++++++ nixos/modules/virtualisation/docker-image.nix | 60 ++----------------- .../modules/virtualisation/lxc-container.nix | 26 ++++++++ nixos/release.nix | 6 ++ 4 files changed, 95 insertions(+), 54 deletions(-) create mode 100644 nixos/modules/profiles/container.nix create mode 100644 nixos/modules/virtualisation/lxc-container.nix diff --git a/nixos/modules/profiles/container.nix b/nixos/modules/profiles/container.nix new file mode 100644 index 00000000000..5b531e5c3df --- /dev/null +++ b/nixos/modules/profiles/container.nix 
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
+
+in {
+ # Docker image config.
+ imports = [
+ ../installer/cd-dvd/channel.nix
+ ./minimal.nix
+ ./clone-config.nix
+ ];
+
+ # Create the tarball
+ system.build.tarball = import ../../lib/make-system-tarball.nix {
+ inherit (pkgs) stdenv perl xz pathsFromGraph;
+
+ contents = [];
+ extraArgs = "--owner=0";
+
+ # Some container managers like lxc need these
+ extraCommands = "mkdir -p proc sys dev";
+
+ # Add init script to image
+ storeContents = [
+ { object = config.system.build.toplevel + "/init";
+ symlink = "/init";
+ }
+ ] ++ (pkgs2storeContents [ pkgs.stdenv ]);
+ };
+
+ boot.postBootCommands =
+ ''
+ # After booting, register the contents of the Nix store in the Nix
+ # database.
+ if [ -f /nix-path-registration ]; then
+ ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
+ rm /nix-path-registration
+ fi
+
+ # nixos-rebuild also requires a "system" profile and an
+ # /etc/NIXOS tag.
+ touch /etc/NIXOS
+ ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+ '';
+
+ boot.isContainer = true;
+
+ # Disable some features that are not useful in a container.
+ sound.enable = mkDefault false;
+ services.udisks2.enable = mkDefault false;
+
+ # Shut up warnings about not having a boot loader.
+ system.build.installBootLoader = "${pkgs.coreutils}/bin/true";
+}
diff --git a/nixos/modules/virtualisation/docker-image.nix b/nixos/modules/virtualisation/docker-image.nix
index cabb1712b6c..0195ca5c6dc 100644
--- a/nixos/modules/virtualisation/docker-image.nix
+++ b/nixos/modules/virtualisation/docker-image.nix
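Review bot: The `storeContents` list appends `pkgs.stdenv` to every container tarball, yet nothing else in this profile references stdenv, so each image carries a build toolchain closure whose purpose is undocumented and which only adds size and attack surface to what is otherwise a "minimal" profile. If it is intentional (presumably so `nixos-rebuild` can work inside the container without fetching a stdenv), say so next to the line, e.g. `# Ship stdenv so nixos-rebuild works offline inside the container; drop it to slim the image.`; if not, remove it from the list. The header comment `# Docker image config.` above `imports` is also stale now that this profile is the shared base for the Docker and LXC modules; `# Base config shared by container images (Docker, LXC, ...).` would describe what the file now is.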
@@ -1,67 +1,19 @@ -{ config, lib, pkgs, ... }: +{ config, pkgs, ... }: -with lib; - -let - pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l; - -in { - # Create the tarball - system.build.dockerImage = import ../../lib/make-system-tarball.nix { - inherit (pkgs) stdenv perl xz pathsFromGraph; - - contents = []; - extraArgs = "--owner=0"; - storeContents = [ - { object = config.system.build.toplevel + "/init"; - symlink = "/bin/init"; - } - ] ++ (pkgs2storeContents [ pkgs.stdenv ]); - }; +{ + imports = [ + ../profiles/container.nix + ]; boot.postBootCommands = '' - # After booting, register the contents of the Nix store in the Nix - # database. - if [ -f /nix-path-registration ]; then - ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && - rm /nix-path-registration - fi - - # nixos-rebuild also requires a "system" profile and an - # /etc/NIXOS tag. - touch /etc/NIXOS - ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system - # Set virtualisation to docker - echo "docker" > /run/systemd/container + echo "docker" > /run/systemd/container ''; - - # Docker image config. - imports = [ - ../installer/cd-dvd/channel.nix - ../profiles/minimal.nix - ../profiles/clone-config.nix - ]; - - boot.isContainer = true; - # Iptables do not work in Docker. networking.firewall.enable = false; - services.openssh.enable = true; - # Socket activated ssh presents problem in Docker. services.openssh.startWhenNeeded = false; - - # Allow the user to login as root without password. - users.extraUsers.root.initialHashedPassword = mkOverride 150 ""; - - # Some more help text. - services.mingetty.helpLine = - '' - - Log in as "root" with an empty password. - ''; } diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix new file mode 100644 index 00000000000..2fa749d542e --- /dev/null +++ b/nixos/modules/virtualisation/lxc-container.nix 
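Review bot: After this hunk the Docker module no longer sets `services.openssh.enable = true`, and the container profile it now imports does not enable sshd either, so `services.openssh.startWhenNeeded = false` is inert until a user enables the service; the image also loses the empty root password that was moved to the LXC module. Both are the safer defaults, but neither the commit message nor the remaining comment says that the Docker image went from "sshd on, root with empty password" to "no sshd, no passwordless root", which anyone relying on the old image will notice. A comment on the kept line would make the intent explicit: `# sshd is not enabled by default; if you enable it, keep it socket-inactive (socket activation is broken under Docker).` Since the firewall is also disabled here for Docker, it is worth a sentence in the commit description that the Docker image intentionally exposes no login path by default.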
@@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: + +with lib; + +{ + imports = [ + ../profiles/container.nix + ]; + + # Allow the user to login as root without password. + users.extraUsers.root.initialHashedPassword = mkOverride 150 ""; + + # Some more help text. + services.mingetty.helpLine = + '' + + Log in as "root" with an empty password. + ''; + + # Containers should be light-weight, so start sshd on demand. + services.openssh.enable = mkDefault true; + services.openssh.startWhenNeeded = mkDefault true; + + # Allow ssh connections + networking.firewall.allowedTCPPorts = [ 22 ]; +} diff --git a/nixos/release.nix b/nixos/release.nix index b0932c318c9..efc49adce46 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -213,6 +213,12 @@ in rec { inherit system; }); + # Provide container tarball for lxc, libvirt-lxc, docker-lxc, ... + container_tarball = forAllSystems (system: makeSystemTarball { + module = ./modules/virtualisation/lxc-container.nix; + inherit system; + }); + /* system_tarball_fuloong2f = assert builtins.currentSystem == "mips64-linux";
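Review bot: This module gives root an empty `initialHashedPassword` and, in the same file, enables sshd (`services.openssh.enable = mkDefault true`) and opens TCP 22 in the firewall, so whether passwordless root is reachable from the network depends on the generated sshd config (`PermitEmptyPasswords`, `PermitRootLogin`) and the PAM stack, none of which is visible or pinned here. The release.nix hunk advertises this tarball for lxc, libvirt-lxc and docker-lxc hosts, which commonly bridge the container onto a real network, so the remote policy should be explicit rather than inherited from defaults: either do not open port 22 and enable sshd in the profile (leave that to the user, as the Docker module now does), or keep it but document the assumption, e.g. `# root has an empty password for console login only; sshd rejects empty passwords unless PermitEmptyPasswords is set -- do not enable that.` The `mingetty.helpLine` text should then say the empty password is for the console. Minor: `config` and `pkgs` in the module arguments are unused.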