Disable various services when running inside a container

2013-11-26 18:17:12 +01:00 · 2013-11-26 18:17:12 +01:00 · 2b1f212494
commit 2b1f212494
parent da093461a2
11 changed files with 35 additions and 14 deletions
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@ -46,7 +46,10 @@ in
        before = [ "sysinit.target" "shutdown.target" ];
        wantedBy = [ "sysinit.target" "multi-user.target" ];
        restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
-        unitConfig.DefaultDependencies = false; # needed to prevent a cycle
+        unitConfig = {
+          DefaultDependencies = false; # needed to prevent a cycle
+          ConditionPathIsReadWrite = "/proc/sys/"; # prevent systemd-sysctl in containers
+        };
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
--- a/nixos/modules/services/audio/alsa.nix
+++ b/nixos/modules/services/audio/alsa.nix
@ -55,6 +55,7 @@ in
      { description = "Store Sound Card State";
        wantedBy = [ "multi-user.target" ];
        unitConfig.RequiresMountsFor = "/var/lib/alsa";
+        unitConfig.ConditionVirtualization = "!systemd-nspawn";
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@ -110,6 +110,7 @@ in

        exec = "acpid --confdir ${acpiConfDir}";

+        unitConfig.ConditionVirtualization = "!systemd-nspawn";
        unitConfig.ConditionPathExists = [ "/proc/acpi" ];
      };

--- a/nixos/modules/services/logging/klogd.nix
+++ b/nixos/modules/services/logging/klogd.nix
@ -32,6 +32,8 @@ with pkgs.lib;

        path = [ pkgs.sysklogd ];

+        unitConfig.ConditionVirtualization = "!systemd-nspawn";
+
        exec =
          "klogd -c 1 -2 -n " +
          "-k $(dirname $(readlink -f /run/booted-system/kernel))/System.map";
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -279,6 +279,7 @@ in
      { description = "Nix Daemon Socket";
        wantedBy = [ "sockets.target" ];
        before = [ "multi-user.target" ];
+        unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/";
        socketConfig.ListenStream = "/nix/var/nix/daemon-socket/socket";
      };

@ -290,6 +291,8 @@ in

        environment = cfg.envVars // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; };

+        unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/";
+
        serviceConfig =
          { ExecStart = "@${nix}/bin/nix-daemon nix-daemon --daemon";
            KillMode = "process";
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -114,6 +114,8 @@ in

        path = [ dhcpcd pkgs.nettools pkgs.openresolv ];

+        unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
        serviceConfig =
          { Type = "forking";
            PIDFile = "/run/dhcpcd.pid";
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@ -231,7 +231,10 @@ in
        wantedBy = [ "sysinit.target" "multi-user.target" ];
        before = [ "sysinit.target" "shutdown.target" ];
        conflicts = [ "shutdown.target" ];
-        unitConfig.DefaultDependencies = "no";
+        unitConfig =
+          { DefaultDependencies = false;
+            ConditionCapability = "CAP_SYS_MODULE";
+          };
        serviceConfig =
          { Type = "oneshot";
            RemainAfterExit = true;
--- a/nixos/modules/system/boot/shutdown.nix
+++ b/nixos/modules/system/boot/shutdown.nix
@ -6,20 +6,20 @@ with pkgs.lib;

  # This unit saves the value of the system clock to the hardware
  # clock on shutdown.
-  systemd.units."save-hwclock.service" =
-    { wantedBy = [ "shutdown.target" ];
+  systemd.services.save-hwclock =
+    { description = "Save Hardware Clock";

-      text =
-        ''
-          [Unit]
-          Description=Save Hardware Clock
-          DefaultDependencies=no
-          Before=shutdown.target
+      wantedBy = [ "shutdown.target" ];

-          [Service]
-          Type=oneshot
-          ExecStart=${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}
-        '';
+      unitConfig = {
+        DefaultDependencies = false;
+        ConditionVirtualization = "!systemd-nspawn";
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}";
+      };
    };

  boot.kernel.sysctl."kernel.poweroff_cmd" = "${config.systemd.package}/sbin/poweroff";
--- a/nixos/modules/tasks/cpu-freq.nix
+++ b/nixos/modules/tasks/cpu-freq.nix
@ -33,6 +33,8 @@ with pkgs.lib;
        after = [ "systemd-modules-load.service" ];
        wantedBy = [ "multi-user.target" ];

+        unitConfig.ConditionPathIsReadWrite = "/sys/devices/";
+
        path = [ pkgs.cpufrequtils ];

        preStart = ''
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@ -270,6 +270,8 @@ in
            before = [ "network.target" ];
            wantedBy = [ "network.target" ];

+            unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
            path = [ pkgs.iproute ];

            serviceConfig.Type = "oneshot";
--- a/nixos/modules/tasks/scsi-link-power-management.nix
+++ b/nixos/modules/tasks/scsi-link-power-management.nix
@ -31,6 +31,8 @@ with pkgs.lib;

        task = true;

+        unitConfig.ConditionPathIsReadWrite = "/sys/class/scsi_host";
+
        script = ''
          shopt -s nullglob
          for x in /sys/class/scsi_host/host*/link_power_management_policy; do