Commit f535d6f4 authored by adisbladis's avatar adisbladis

nixos-container: Use new configuration & state directories

We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.

The state directory move is not strictly a requirement but is good for
consistency.
parent 7d9a979b
+1 −1
@@ -40,7 +40,7 @@ section for details on container networking.)
To disable the container, just remove it from `configuration.nix` and
run `nixos-rebuild
  switch`. Note that this will not delete the root directory of the
container in `/var/lib/containers`. Containers can be destroyed using
container in `/var/lib/nixos-containers`. Containers can be destroyed using
the imperative method: `nixos-container destroy foo`.

Declarative containers can be started and stopped using the
+2 −2
@@ -10,8 +10,8 @@ You create a container with identifier `foo` as follows:
# nixos-container create foo
```

This creates the container's root directory in `/var/lib/containers/foo`
and a small configuration file in `/etc/containers/foo.conf`. It also
This creates the container's root directory in `/var/lib/nixos-containers/foo`
and a small configuration file in `/etc/nixos-containers/foo.conf`. It also
builds the container's initial system configuration and stores it in
`/nix/var/nix/profiles/per-container/foo/system`. You can modify the
initial configuration of the container on the command line. For
+2 −2
@@ -48,8 +48,8 @@ containers.database = {
    <literal>configuration.nix</literal> and run
    <literal>nixos-rebuild switch</literal>. Note that this will not
    delete the root directory of the container in
    <literal>/var/lib/containers</literal>. Containers can be destroyed
    using the imperative method:
    <literal>/var/lib/nixos-containers</literal>. Containers can be
    destroyed using the imperative method:
    <literal>nixos-container destroy foo</literal>.
  </para>
  <para>
+3 −2
@@ -14,8 +14,9 @@
</programlisting>
  <para>
    This creates the container’s root directory in
    <literal>/var/lib/containers/foo</literal> and a small configuration
    file in <literal>/etc/containers/foo.conf</literal>. It also builds
    <literal>/var/lib/nixos-containers/foo</literal> and a small
    configuration file in
    <literal>/etc/nixos-containers/foo.conf</literal>. It also builds
    the container’s initial system configuration and stores it in
    <literal>/nix/var/nix/profiles/per-container/foo/system</literal>.
    You can modify the initial configuration of the container on the
+20 −11
@@ -4,6 +4,11 @@ with lib;

let

  configurationPrefix = optionalString (versionAtLeast config.system.stateVersion "22.05") "nixos-";
  configurationDirectoryName = "${configurationPrefix}containers";
  configurationDirectory = "/etc/${configurationDirectoryName}";
  stateDirectory = "/var/lib/${configurationPrefix}containers";

  # The container's init script, a small wrapper around the regular
  # NixOS stage-2 init script.
  containerInit = (cfg:
@@ -77,7 +82,7 @@ let
  startScript = cfg:
    ''
      mkdir -p -m 0755 "$root/etc" "$root/var/lib"
      mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
      mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/nixos-containers
      if ! [ -e "$root/etc/os-release" ]; then
        touch "$root/etc/os-release"
      fi
@@ -249,11 +254,11 @@ let

    SyslogIdentifier = "container %i";

    EnvironmentFile = "-/etc/containers/%i.conf";
    EnvironmentFile = "-${configurationDirectory}/%i.conf";

    Type = "notify";

    RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
    RuntimeDirectory = lib.optional cfg.ephemeral "${configurationDirectoryName}/%i";

    # Note that on reboot, systemd-nspawn returns 133, so this
    # unit will be restarted. On poweroff, it returns 0, so the
@@ -740,12 +745,12 @@ in
    unit = {
      description = "Container '%i'";

      unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
      unitConfig.RequiresMountsFor = "${stateDirectory}/%i";

      path = [ pkgs.iproute2 ];

      environment = {
        root = "/var/lib/containers/%i";
        root = "${stateDirectory}/%i";
        INSTANCE = "%i";
      };

@@ -782,8 +787,8 @@ in
            script = startScript containerConfig;
            postStart = postStartScript containerConfig;
            serviceConfig = serviceDirectives containerConfig;
            unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
            environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
            unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i";
            environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i";
          } // (
          if containerConfig.autoStart then
            {
@@ -792,7 +797,7 @@ in
              after = [ "network.target" ];
              restartTriggers = [
                containerConfig.path
                config.environment.etc."containers/${name}.conf".source
                config.environment.etc."${configurationDirectoryName}/${name}.conf".source
              ];
              restartIfChanged = true;
            }
@@ -800,12 +805,12 @@ in
      )) config.containers)
    ));

    # Generate a configuration file in /etc/containers for each
    # Generate a configuration file in /etc/nixos-containers for each
    # container so that container@.target can get the container
    # configuration.
    environment.etc =
      let mkPortStr = p: p.protocol + ":" + (toString p.hostPort) + ":" + (if p.containerPort == null then toString p.hostPort else toString p.containerPort);
      in mapAttrs' (name: cfg: nameValuePair "containers/${name}.conf"
      in mapAttrs' (name: cfg: nameValuePair "${configurationDirectoryName}/${name}.conf"
      { text =
          ''
            SYSTEM_PATH=${cfg.path}
@@ -854,7 +859,11 @@ in
      ENV{INTERFACE}=="v[eb]-*", ENV{NM_UNMANAGED}="1"
    '';

    environment.systemPackages = [ pkgs.nixos-container ];
    environment.systemPackages = [
      (pkgs.nixos-container.override {
        inherit stateDirectory configurationDirectory;
      })
    ];

    boot.kernelModules = [
      "bridge"
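Review bot: The ephemeral root path in the `environment.root` line of the last-but-two hunk and the `mkdir` in the startScript hunk hardcode `/run/nixos-containers`, while `RuntimeDirectory` in the serviceDirectives hunk is derived from `configurationDirectoryName`, which falls back to `containers` when `system.stateVersion` is below 22.05; on such systems systemd would create and remove `/run/containers/%i` (RuntimeDirectory is relative to /run) while the container actually runs from `/run/nixos-containers/%i`, so the ephemeral root is no longer cleaned up with the unit. Derive one name from the same prefix, e.g. `runtimeDirectoryName = "${configurationPrefix}containers";` next to `stateDirectory` in the first hunk, and use `/run/${runtimeDirectoryName}` in both the `mkdir` and the ephemeral `environment.root` line. The comment in the environment.etc hunk also states `/etc/nixos-containers` unconditionally although the path is stateVersion-dependent; `# Generate a configuration file in ${configurationDirectory} for each` would not mislead operators on older stateVersions. The `let` block and the module body these hunks belong to start and end outside the hunks.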