nixos/containers: add unprivileged option #67130

Merged
merged 1 commit into from Aug 23, 2019

Conversation

uvNikita
Contributor

Motivation for this change

There are two parts of this commit:

As described in #57083, the first change is necessary since the nixos-container command fails to enter the container namespace when userns is enabled, due to a missing -u argument to the nsenter call. Otherwise, to the best of my knowledge, machinectl shell should be a drop-in replacement for nixos-container run in this context.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @grahamc @danbst @flokli @arianvp @mmahut

@uvNikita
Contributor Author

Related #28425.

@mmahut
Member

mmahut commented Aug 20, 2019

@GrahamcOfBorg test containers-unprivileged

@danbst
Contributor

danbst commented Aug 21, 2019

Does machinectl shell propagate error signals? Like, if a container reload failed, would that be masked?

@uvNikita
Contributor Author

@danbst Good point! I guess it doesn't, at least by default:

# machinectl shell container /run/current-system/sw/bin/false
Connected to machine container. Press ^] three times within 1s to exit session.

Connection to machine container terminated.
# echo $?
0
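
The session above shows the wrapper returning 0 even though the inner command failed; in a container update that would hide a failed reload and leave an operator believing a new configuration is active when it is not. The following is an added example, not part of this PR discussion and not nixpkgs or systemd code, showing the generic way to recover a child's exit status through a wrapper that discards it: run the real command via an inner `sh`, have it record `$?` to a status file, and read that file after the wrapper returns. `lossy_shell` is a constructed stand-in that mimics the observed behaviour; it is not `machinectl`, and for a real container the status file path would have to be visible on both sides (an assumption this example does not address).

```shell
#!/bin/sh
# Added example (not from the PR or nixpkgs): recovering a command's exit
# status through a wrapper that always returns 0, as observed above for
# `machinectl shell`.

# Constructed stand-in for a status-masking wrapper. It is NOT machinectl:
# it runs the command line it is given and reports success regardless.
lossy_shell() {
    "$@" || true
    return 0
}

# Run a command through the lossy wrapper and return the command's real
# exit status. The inner sh writes its own $? to a status file whose path
# is passed as $0 of the inner shell (a side channel the wrapper does not
# touch); the file is read back after the wrapper returns.
run_with_status() {
    status_file=$(mktemp) || return 1
    lossy_shell sh -c '"$@"; echo "$?" > "$0"' "$status_file" "$@"
    inner_rc=$(cat "$status_file" 2>/dev/null) || inner_rc=
    rm -f "$status_file"
    # No status recorded means the command never ran far enough to report;
    # treat that as a failure rather than as success.
    [ -n "$inner_rc" ] || inner_rc=255
    return "$inner_rc"
}

# Show the difference for a command that is known to fail.
demo() {
    rc=0; lossy_shell false || rc=$?
    echo "lossy wrapper alone:  exit $rc"    # 0: the failure is masked
    rc=0; run_with_status false || rc=$?
    echo "with status recovery: exit $rc"    # 1: the failure is visible
}

demo
```

`run_with_status` preserves the full 0-255 range (a `sh -c 'exit 7'` comes back as 7), which is what a caller such as an update script needs in order to abort instead of continuing past a failed reload.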

@mmahut mmahut self-assigned this Aug 21, 2019
@mmahut
Member

mmahut commented Aug 22, 2019

This looks good. @uvNikita any idea if it would be easy to propagate these return codes?

@danbst
Contributor

danbst commented Aug 23, 2019

About the return code: machinectl shell was once introduced and then got reverted (cb49c14#diff-de8d44b6decd56e2faadb52ff18e2eba). See #21044.

@mmahut
Member

mmahut commented Aug 23, 2019

I see, thank you. This looks good.

@mmahut mmahut merged commit 27acea7 into NixOS:master Aug 23, 2019
@uvNikita
Contributor Author

But doesn't it mean that machinectl is not actually suitable for this use case? I can fix nixos-container run instead.

@mmahut
Member

mmahut commented Aug 23, 2019

@uvNikita if you can do that, it would be better. Going to revert my merge. Please open a new PR and tag me.

@uvNikita
Contributor Author

@mmahut will do, thanks.

uvNikita added a commit to uvNikita/nixpkgs that referenced this pull request Aug 23, 2019
This is the first step for unprivileged nixos containers support.
Fixes NixOS#30019. See also NixOS#18825, NixOS#57083, and NixOS#67130.
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-container-limitations/1835/6

Successfully merging this pull request may close these issues.

nixos-container with user namespace enabled
4 participants