Created
August 18, 2024 20:20
-
-
Save ck3d/e6995ce1d52e2f54d480fe0caadbd4ff to your computer and use it in GitHub Desktop.
NixOS NSpawn Podman unprivileged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { pkgs, ... }: | |
| let | |
| # same as nixos/tests/systemd-machinectl.nix | |
| container = | |
| { config, modulesPath, ... }: | |
| { | |
| boot.isContainer = true; | |
| networking.useHostResolvConf = false; | |
| networking.useNetworkd = true; | |
| networking.useDHCP = false; | |
| system.stateVersion = config.system.nixos.version; | |
| users.users.alice.isNormalUser = true; | |
| virtualisation.podman.enable = true; | |
| }; | |
| containerSystem = | |
| (import (pkgs.path + "/nixos/lib/eval-config.nix") { | |
| inherit (pkgs) system; | |
| modules = [ container ]; | |
| }).config.system.build.toplevel; | |
| containerName = "container"; | |
| in | |
| { | |
| name = "nspawn-podman-unprivileged"; | |
| nodes.machine = | |
| { lib, ... }: | |
| { | |
| virtualisation.additionalPaths = [ containerSystem ]; | |
| # use networkd to obtain systemd network setup | |
| networking.useNetworkd = true; | |
| networking.useDHCP = false; | |
| # do not try to access cache.nixos.org | |
| nix.settings.substituters = lib.mkForce [ ]; | |
| # auto-start container | |
| systemd.targets.machines.wants = [ "systemd-nspawn@${containerName}.service" ]; | |
| systemd.tmpfiles.rules = [ "d /var/lib/machines/${containerName} 0755 root root - -" ]; | |
| systemd.nspawn.${containerName} = { | |
| execConfig = { | |
| Boot = false; | |
| Parameters = "${containerSystem}/init"; | |
| PrivateUsers = "524288:262144"; | |
| }; | |
| filesConfig = { | |
| BindReadOnly = "/nix/store"; | |
| # workaround to fix kernel namespaces; needed for Nix sandbox | |
| # https://github.com/systemd/systemd/issues/27994#issuecomment-1704005670 | |
| Bind = "/proc:/run/proc"; | |
| PrivateUsersOwnership = "auto"; | |
| }; | |
| }; | |
| systemd.services."systemd-nspawn@${containerName}" = { | |
| serviceConfig.Environment = [ | |
| "SYSTEMD_SECCOMP=0" | |
| # force unified cgroup delegation, which would be the default | |
| # if systemd could check the capabilities of the installed systemd. | |
| # see also: https://github.com/NixOS/nixpkgs/pull/198526 | |
| "SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1" | |
| ]; | |
| overrideStrategy = "asDropin"; | |
| }; | |
| # allow container access to DHCP | |
| networking.firewall.extraCommands = '' | |
| ${pkgs.iptables}/bin/iptables -A nixos-fw -i ve-+ -p udp -m udp --dport 67 -j nixos-fw-accept | |
| ''; | |
| }; | |
| testScript = '' | |
| import shlex | |
| start_all() | |
| machine.wait_for_unit("default.target"); | |
| def run_container(cmd, user = "alice"): | |
| cmd = shlex.quote(cmd) | |
| return f"systemd-run --pty --wait --machine=${containerName} /run/current-system/sw/bin/su {user} --login --command {cmd} >&2" | |
| machine.wait_until_succeeds("systemctl -M ${containerName} is-active default.target") | |
| machine.succeed(run_container("loginctl enable-linger alice", "root")) | |
| machine.succeed(run_container("podman info")) | |
| machine.succeed(run_container("tar cv --files-from /dev/null | podman import - scratchimg")) | |
| machine.succeed(run_container("podman run --detach --name=sleeping --volume=/nix/store:/nix/store --volume=/run/current-system/sw/bin:/bin scratchimg /bin/sleep 10")) | |
| machine.succeed(run_container("podman ps | grep sleeping")) | |
| machine.succeed(run_container("podman stop sleeping")) | |
| machine.succeed(run_container("podman rm sleeping")) | |
| ''; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment