Provide a simple way to log into containers

On the host, you can run $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw to get a login prompt. So this allows logging in even if the container has no SSH access enabled. You can also do $ socat unix:<path-to-container>/var/lib/root-shell.socket - to get a plain root shell. (This socket is only accessible by root, obviously.) This makes it easy to execute commands in the container, e.g. $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -
2014-03-17 14:04:39 +01:00 · 2014-03-17 14:04:39 +01:00 · 0d506aa712
commit 0d506aa712
parent 1b6c01721d
2 changed files with 57 additions and 0 deletions
--- a/nixos/modules/virtualisation/container-login.nix
+++ b/nixos/modules/virtualisation/container-login.nix
@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+
+{
+
+  config = {
+
+    # Provide a login prompt on /var/lib/login.socket.  On the host,
+    # you can connect to it by running ‘socat
+    # unix:<path-to-container>/var/lib/login.socket -,echo=0,raw’.
+    systemd.sockets.login =
+      { description = "Login Socket";
+        wantedBy = [ "sockets.target" ];
+        socketConfig =
+          { ListenStream = "/var/lib/login.socket";
+            SocketMode = "0600"; # only root can connect, obviously
+            Accept = true;
+          };
+      };
+
+    systemd.services."login@" =
+      { description = "Login %i";
+        environment.TERM = "linux";
+        serviceConfig =
+          { Type = "simple";
+            StandardInput = "socket";
+            ExecStart = "${pkgs.socat}/bin/socat -t0 - exec:${pkgs.shadow}/bin/login,pty,setsid,setpgid,stderr,ctty";
+            TimeoutStopSec = 1; # FIXME
+          };
+      };
+
+    # Provide a non-interactive login root shell on
+    # /var/lib/root-shell.socket.  On the host, you can connect to it
+    # by running ‘socat unix:<path-to-container>/var/lib/root-shell.socket -’.
+    systemd.sockets.root-shell =
+      { description = "Root Shell Socket";
+        wantedBy = [ "sockets.target" ];
+        socketConfig =
+          { ListenStream = "/var/lib/root-shell.socket";
+            SocketMode = "0666";
+            Accept = true;
+          };
+      };
+
+    systemd.services."root-shell@" =
+      { description = "Root Shell %i";
+        serviceConfig =
+          { Type = "simple";
+            StandardInput = "socket";
+            ExecStart = "${pkgs.bash}/bin/bash --login";
+            TimeoutStopSec = 1; # FIXME
+          };
+      };
+
+  };
+
+}
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@ -57,6 +57,7 @@ with pkgs.lib;
                      { boot.isContainer = true;
                        security.initialRootPassword = mkDefault "!";
                        networking.hostName = mkDefault name;
+                        imports = [ ./container-login.nix ];
                      };
                    in [ extraConfig config.config ];
                  prefix = [ "systemd" "containers" name ];