Commit Graph

787 Commits

Author SHA1 Message Date
Eelco Dolstra
7b82d1ee27 Ensure that the container root can always be accessed via /var/lib/containers 2014-03-18 11:04:54 +01:00
Eelco Dolstra
895bcdd1cb Add support for running a container with a private network interface
For example, the following sets up a container named ‘foo’.  The
container will have a single network interface eth0, with IP address
10.231.136.2.  The host will have an interface c-foo with IP address
10.231.136.1.

  systemd.containers.foo =
    { privateNetwork = true;
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
      config =
        { services.openssh.enable = true; };
    };

With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules.  This is secure because it cannot touch the
interfaces of the host.

The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).
2014-03-18 10:49:25 +01:00
Eelco Dolstra
ac215779dd Give containers a writable /nix/var/nix/{profiles,gcroots}
These are stored on the host in
/nix/var/nix/{profiles,gcroots}/per-container/<container-name> to
ensure that container profiles/roots are not garbage-collected.
2014-03-17 15:23:20 +01:00
Eelco Dolstra
ef8e0266a2 Don't reboot a container when its configuration changes
Instead, just run "switch-to-configuration" inside the container.
2014-03-17 15:03:29 +01:00
Eelco Dolstra
0d506aa712 Provide a simple way to log into containers
On the host, you can run

  $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw

to get a login prompt.  So this allows logging in even if the
container has no SSH access enabled.

You can also do

  $ socat unix:<path-to-container>/var/lib/root-shell.socket -

to get a plain root shell.  (This socket is only accessible by root,
obviously.)  This makes it easy to execute commands in the container,
e.g.

  $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -
2014-03-17 14:10:47 +01:00
Rickard Nilsson
d5211b0e0e Make initialRootPassword overrideable in all virtualisation modules, not just virtualbox. 2014-02-24 18:05:26 +01:00
Pascal Wittmann
ff7e234fb4 Removed obsolete option services.xserver.videoDriver 2014-02-18 23:13:00 +01:00
Shea Levy
48b8118f2c virtualbox-image.nix: initialRootPassword setting should be easily overrideable 2014-02-14 09:06:26 -05:00
Shea Levy
c8f1a6ac1e Revert "Add nixosSubmodule option type"
Moving recent types work to a separate branch for now

This reverts commit ca1c5cfa8f.
2014-02-13 12:10:50 -05:00
Shea Levy
220654e205 Revert "Add heterogeneousAttrsOf option type"
Moving recent types work to a separate branch for now

This reverts commit 3f70dabad3.
2014-02-13 12:10:50 -05:00
Shea Levy
3f70dabad3 Add heterogeneousAttrsOf option type
It is parameterized by a function that takes a name and evaluates to the
option type for the attribute of that name. Together with
submoduleWithExtraArgs, this subsumes nixosSubmodule.
2014-02-11 14:59:24 -05:00
Shea Levy
ca1c5cfa8f Add nixosSubmodule option type
Since NixOS modules expect special arguments, use a hack to provide them
2014-02-11 14:21:34 -05:00
Shea Levy
dea562b6b9 services.mesa -> hardware.opengl
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 14:45:37 -05:00
Mathijs Kwik
951f37f3da services.xserver.videoDrivers -> services.mesa.videoDrivers 2014-02-06 10:01:08 +01:00
Moritz Maxeiner
0a230b852d Add "vboxsf" to the kernel modules for VirtualBox Guest Additions 4.3.6 2014-02-05 18:38:03 +01:00
Rickard Nilsson
0b92ad02c8 Re-introduce security.initialRootPassword, and add a new option users.extraUsers.<user>.hashedPassword 2014-02-05 15:56:51 +01:00
Rickard Nilsson
eb2f44c18c Generate /etc/passwd and /etc/group at build time
This is a rather large commit that switches user/group creation from using
useradd/groupadd on activation to just generating the contents of /etc/passwd
and /etc/group, and then on activation merging the generated files with the
files that exist in the system. This makes the user activation process much
cleaner, in my opinion.

The users.extraUsers.<user>.uid and users.extraGroups.<group>.gid must all be
properly defined (if <user>.createUser is true, which it is by default). My
pull request adds a lot of uids/gids to config.ids to solve this problem for
existing nixos services, but there might be configurations that break because
this change. However, this will be discovered during the build.

Option changes introduced by this commit:

* Remove the options <user>.isSystemUser and <user>.isAlias since
they don't make sense when generating /etc/passwd statically.

* Add <group>.members as a complement to <user>.extraGroups.

* Add <user>.passwordFile for setting a user's password from an encrypted
(shadow-style) file.

* Add users.mutableUsers which is true by default. This means you can keep
managing your users as previously, by using useradd/groupadd manually. This is
accomplished by merging the generated passwd/group file with the existing files
in /etc on system activation. The merging of the files is simplistic. It just
looks at the user/group names. If a user/group exists both on the system and
in the generated files, the system entry will be kept un-changed and the
generated entries will be ignored. The merging itself is performed with the
help of vipw/vigr to properly lock the account files during edit.
If mutableUsers is set to false, the generated passwd and group files will not
be merged with the system files on activation. Instead they will simply replace
the system files, and overwrite any changes done on the running system. The
same logic holds for user password, if the <user>.password or
<user>.passwordFile options are used. If mutableUsers is false, password will
simply be replaced on activation. If true, the initial user passwords will be
set according to the configuration, but existing passwords will not be touched.

I have tested this on a couple of different systems and it seems to work fine
so far. If you think this is a good idea, please test it. This way of adding
local users has been discussed in issue #103 (and this commit solves that
issue).
2014-02-05 15:56:51 +01:00
Moritz Maxeiner
4900d6561b Follow renaming of services.xserver.videoDrivers to services.mesa.videoDrivers for VirtualBox Guest 2014-02-02 02:43:11 +01:00
Rob Vermaas
61d346eaaf Google Compute image: fix punctuation in description, give disk image proper name with version and revision. 2013-12-12 12:48:09 +01:00
Rob Vermaas
ee8a58a72f Remove a hardcoded SSH public key from the Google Compute image. 2013-12-11 16:18:12 +01:00
Rob Vermaas
f7b256a221 Add initial configuration for Google Compute Engine 2013-12-11 15:32:27 +01:00
Bjørn Forsman
0856500f3e nixos/libvirtd-service: fix fail-to-start when no machines are configured
Don't fail to start the libvirtd service just because there are no files
that match the /etc/libvirt/qemu/*.xml pattern.
2013-12-09 19:41:44 +01:00
Bjørn Forsman
f52f9bf7cd nixos/libvirtd-service: fix for garbage collected emulator paths
libvirtd puts the full path of the emulator binary in the machine config
file. But this path can unfortunately be garbage collected while still
being used by the virtual machine. Then this happens:

Error starting domain: Cannot check QEMU binary /nix/store/z5c2xzk9x0pj6x511w0w4gy9xl5wljxy-qemu-1.5.2-x86-only/bin/qemu-kvm: No such file or directory

Fix by updating the emulator path on each service startup to something
valid (re-scan $PATH).
2013-11-27 23:09:57 +01:00
Eelco Dolstra
9ee30cd9b5 Add support for lightweight NixOS containers
You can now say:

  systemd.containers.foo.config =
    { services.openssh.enable = true;
      services.openssh.ports = [ 2022 ];
      users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
    };

which defines a NixOS instance with the given configuration running
inside a lightweight container.

You can also manage the configuration of the container independently
from the host:

  systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo";

where "path" is a NixOS system profile.  It can be created/updated by
doing:

  $ nix-env --set -p /nix/var/nix/profiles/containers/foo \
      -f '<nixos>' -A system -I nixos-config=foo.nix

The container configuration (foo.nix) should define

  boot.isContainer = true;

to optimise away the building of a kernel and initrd.  This is done
automatically when using the "config" route.

On the host, a lightweight container appears as the service
"container-<name>.service".  The container is like a regular NixOS
(virtual) machine, except that it doesn't have its own kernel.  It has
its own root file system (by default /var/lib/containers/<name>), but
shares the Nix store of the host (as a read-only bind mount).  It also
has access to the network devices of the host.

Currently, if the configuration of the container changes, running
"nixos-rebuild switch" on the host will cause the container to be
rebooted.  In the future we may want to send some message to the
container so that it can activate the new container configuration
without rebooting.

Containers are not perfectly isolated yet.  In particular, the host's
/sys/fs/cgroup is mounted (writable!) in the guest.
2013-11-27 17:14:10 +01:00
Domen Kožar
cee0f6c708 Merge pull request #1196 from bjornfor/capitalize-service-descriptions
nixos: capitalize a bunch of service descriptions
2013-11-12 01:25:18 -08:00
Bjørn Forsman
b9f5b880e7 nixos/libvirtd-service: fix for dnsmasq (dir perms 700 -> 755)
Fixes this:

Nov 09 16:18:54 nixos-laptop systemd[1]: Starting Libvirt Virtual Machine Management Daemon...
Nov 09 16:18:54 nixos-laptop dnsmasq[15809]: read /etc/hosts - 2 addresses
Nov 09 16:18:54 nixos-laptop dnsmasq[15809]: failed to load names from /var/lib/libvirt/dnsmasq/default.addnhosts: Permission denied
Nov 09 16:18:54 nixos-laptop dnsmasq[15809]: cannot read /var/lib/libvirt/dnsmasq/default.hostsfile: Permission denied
Nov 09 16:18:55 nixos-laptop systemd[1]: Started Libvirt Virtual Machine Management Daemon.

I don't understand the reason for the original 700 permission bits.
Apparently read-access is needed and Ubuntu also use 755 perms.

Use "chmod" instead of "mkdir -m" to set permissions because mkdir doesn't
modify permissions on existing directories.
2013-11-10 14:07:29 +01:00
Bjørn Forsman
dc352536a8 nixos: capitalize a bunch of service descriptions
(systemd service descriptions that is, not service descriptions in "man
configuration.nix".)

Capitalizing each word in the description seems to be the accepted
standard.

Also shorten these descriptions:
 * "Munin node, the agent process" => "Munin Node"
 * "Planet Venus, an awesome ‘river of news’ feed reader" => "Planet Venus Feed Reader"
2013-11-09 20:45:50 +01:00
Eelco Dolstra
4ba7dfde5b Don't set an initial null root password for Amazon / VirtualBox images
A null password allows logging into local PAM services such as "login"
(agetty) and KDM.  That's not actually a security problem for EC2
machines, since they do not have "local" logins; for VirtualBox
machines, if you local access, you can do anything anyway.  But it's
better to be on the safe side and disable password-based logins for
root.
2013-11-01 15:04:21 +01:00
Eelco Dolstra
c1159edc65 Remove remaining references to Upstart 2013-10-31 13:26:06 +01:00
Eelco Dolstra
972d9974c6 Decrease verbosity of VirtualBox image generation 2013-10-29 21:15:11 +01:00
Eelco Dolstra
473a870a64 nixos-rebuild build-vm: Ignore the user's LUKS devices 2013-10-29 13:31:01 +01:00
Eelco Dolstra
adc1b38b85 Add a priority level for overrides in VM tests
Now that overriding fileSystems in qemu-vm.nix works again, it's
important that the VM tests that add additional file systems use the
same override priority.  Instead of using the same magic constant
everywhere, they can now use mkVMOverride.

http://hydra.nixos.org/build/6695561
2013-10-29 13:14:30 +01:00
Eelco Dolstra
259f7a93b1 Rename environment.nix -> nix.package 2013-10-28 22:45:57 +01:00
Jaka Hudoklin
ad3a0dd8fb nixos/libvirtd: fix remote ssh managment by adding netcat-openbsd in system packages
Virsh/virt-manager uses ssh to connect to master, there it expects openbsd netcat(which
has support for unix sockets) to be avalible, to make a tunnel.

Close #1087.
2013-10-24 11:01:43 +03:00
Eelco Dolstra
5f14933c33 Don't enable acpid for VirtualBox guests
It's no longer needed for ACPI shutdown, since logind handles this
now.
2013-10-17 14:41:58 +02:00
Eelco Dolstra
6dafee8d67 Fix runInMachine
It requires a writable /nix/store to store the build result.  Also,
wait until we've reached multi-user.target before doing the build, and
do a sync at the end to ensure all data to $out is properly written.

http://hydra.nixos.org/build/6496716
2013-10-16 11:37:38 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00