This repository was archived by the owner on Apr 12, 2021. It is now read-only.
Comparing changes

base repository: NixOS/nixpkgs-channels
base: 21293d2576ac
head repository: NixOS/nixpkgs-channels
compare: 1ada6fcde10a
  • 7 commits
  • 5 files changed
  • 3 contributors

Commits on Oct 8, 2018

  1. 41cc5c4
  2. openssh: fix tunnel forwarding (upstream patch)

    Close #48031, fixes #48016.  I didn't use the PR commit
    because I think it's better to fetch the patch.
    
    (cherry picked from commit c2e6ca5)
    vcunat committed Oct 8, 2018 (3ab942e)
  3. 3cee341
  4. debian vm tools: use snapshot.debian.org

    snapshot.debian.org actually keeps track of all of the updates as they
    come in rather than doing arbitrary (?) snapshots.
    
    (cherry picked from commit 9cc18fa)
    lheckemann authored and Mic92 committed Oct 8, 2018 (d0b24be)
  5. nixos-container: Force container to talk to host nix-daemon

    When logging into a container by using
      nixos-container root-login
    all nix-related commands in the container would fail, as they
    tried to modify the nix db and nix store, which are mounted
    read-only in the container.  We want nixos-container to not
    try to modify the nix store at all, but instead delegate
    any build commands to the nix daemon of the host operating system.
    
    This already works for non-root users inside a nixos-container,
    as it doesn't 'own' the nix-store, and thus defaults
    to talking to the daemon socket at /nix/var/nix/daemon-socket/,
    which is bind-mounted to the host daemon-socket, causing all nix
    commands to be delegated to the host.
    
    However, when we are the root user inside the container, we have the
    same uid as the nix store owner, even though it's not actually
    the same root user (due to user namespaces). Nix gets confused,
    and is convinced it's running in single-user mode, and tries
    to modify the nix store directly instead.
    
    By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix
    to operate in multi-user mode, so that it will talk to the host
    daemon instead, which will modify the nix store for the container.
    
    This fixes #40355
    
    (cherry picked from commit 3624bb5)
    arianvp authored and samueldr committed Oct 8, 2018 (76c1cd3)
  6. Revert "Revert "Revert "doc: Update section about imperative containers"""

    
    nixos-container can now execute nix commands again inside the container
    
    This reverts commit 9622cd3.
    
    (cherry picked from commit bb31835)
    arianvp authored and samueldr committed Oct 8, 2018 (cf9b801)
  7. nixos/containers: Add regression test for #40355

    (cherry picked from commit 0668906)
    arianvp authored and samueldr committed Oct 8, 2018 (1ada6fc)
18 changes: 9 additions & 9 deletions nixos/doc/manual/administration/imperative-containers.xml
@@ -73,7 +73,8 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</para>

<para>
To change the configuration of the container, you can edit
There are several ways to change the configuration of the container. First,
on the host, you can edit
<literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
and run
<screen>
@@ -86,7 +87,8 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
<xref linkend="opt-services.httpd.enable"/> = true;
<xref linkend="opt-services.httpd.adminAddr"/> = "foo@example.org";
<xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 ];
'
'

# curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>
@@ -95,13 +97,11 @@ Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</para>

<para>
Note that in previous versions of NixOS (17.09 and earlier) one could also
use all nix-related commands (like <command>nixos-rebuild switch</command>)
from inside the container. However, since the release of Nix 2.0 this is not
supported anymore. Supporting Nix commands inside the container might be
possible again in future versions. See
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/40355">the github
issue</link> for tracking progress on this issue.
Alternatively, you can change the configuration from within the container
itself by running <command>nixos-rebuild switch</command> inside the
container. Note that the container by default does not have a copy of the
NixOS channel, so you should run <command>nix-channel --update</command>
first.
</para>

<para>
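Review bot: the replacement paragraph should say why `nixos-rebuild switch` now works inside the container, namely that Nix commands run as container root are delegated to the host's nix-daemon over the bind-mounted daemon socket (the mechanism described in commit 76c1cd3). That is what an administrator needs to know before handing out root-login to a container, and it is lost once the old "not supported since Nix 2.0" note is removed together with its link to issue #40355; keep the link so readers can find the history.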
7 changes: 7 additions & 0 deletions nixos/modules/virtualisation/container-config.nix
@@ -22,6 +22,13 @@ with lib;
# Not supported in systemd-nspawn containers.
security.audit.enable = false;

# Make sure that root user in container will talk to host nix-daemon
environment.etc."profile".text = ''
export NIX_REMOTE=daemon
'';



};

}
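Review bot: `environment.etc."profile".text` sets the entire contents of /etc/profile to a single export rather than adding to the file, so anything else meant to live there is gone, and a profile file is only read by login shells, so non-login shells and services inside the container never see the variable. Setting `environment.variables.NIX_REMOTE = "daemon";` instead goes through the session environment that NixOS sources from the shells it configures, not only from login shells. The three trailing blank lines added before `};` should also be dropped.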
3 changes: 3 additions & 0 deletions nixos/tests/containers-imperative.nix
@@ -86,6 +86,9 @@ import ./make-test.nix ({ pkgs, ...} : {
# Execute commands via the root shell.
$machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
# Execute a nix command via the root shell. (regression test for #40355)
$machine->succeed("nixos-container run $id1 -- nix-instantiate -E 'derivation { name = \"empty\"; builder = \"false\"; system = \"false\"; }'");
# Stop and start (regression test for #4989)
$machine->succeed("nixos-container stop $id1");
$machine->succeed("nixos-container start $id1");
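Review bot: the new assertion only proves that `nixos-container run` reaches a working Nix, while the commit message for 76c1cd3 describes the failure for `nixos-container root-login`; if `run` does not go through a login shell that reads /etc/profile, the test could pass for the wrong reason. Add a direct check that the variable is actually set, for example `$machine->succeed("nixos-container run $id1 -- sh -lc 'echo \$NIX_REMOTE'") =~ /daemon/ or die;`. The `system = \"false\"` attribute also looks like a copy of `builder`; nix-instantiate accepts it, but `builtins.currentSystem` would make the intent clearer.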
8 changes: 4 additions & 4 deletions pkgs/build-support/vm/default.nix
@@ -990,8 +990,8 @@ rec {
name = "debian-9.4-stretch-i386";
fullName = "Debian 9.4 Stretch (i386)";
packagesList = fetchurl {
url = mirror://debian/dists/stretch/main/binary-i386/Packages.xz;
sha256 = "05z5ccg4ysbrgallhai53sh83i0364w7a3fdq84dpv1li059jf10";
url = http://snapshot.debian.org/archive/debian/20180912T154744Z/dists/stretch/main/binary-i386/Packages.xz;
sha256 = "0flvn8zn7vk04p10ndf3aq0mdr8k2ic01g51aq4lsllkv8lmwzyh";
};
urlPrefix = mirror://debian;
packages = commonDebianPackages;
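Review bot: the Packages.xz index is now pinned to the 20180912T154744Z snapshot, but `urlPrefix = mirror://debian;` in the trailing context is unchanged, so the .deb files that index lists are still fetched from the live mirror, which drops superseded package versions as updates arrive; the index and the packages will drift apart and builds will fail on missing files, which is the same breakage the commit message sets out to avoid. Pin urlPrefix to the same snapshot path (http://snapshot.debian.org/archive/debian/20180912T154744Z) so the index and the packages come from one consistent archive state.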
@@ -1001,8 +1001,8 @@ rec {
name = "debian-9.4-stretch-amd64";
fullName = "Debian 9.4 Stretch (amd64)";
packagesList = fetchurl {
url = mirror://debian/dists/stretch/main/binary-amd64/Packages.xz;
sha256 = "19j0c54b1b9lbk9fv2c2aswdh0s2c3klf97zrlmsz4hs8wm9jylq";
url = http://snapshot.debian.org/archive/debian/20180912T154744Z/dists/stretch/main/binary-amd64/Packages.xz;
sha256 = "11vnn9bba2jabixvabfbw9zparl326c88xn99di7pbr5xsnl15jm";
};
urlPrefix = mirror://debian;
packages = commonDebianPackages;
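Review bot: the same urlPrefix concern as for the i386 entry applies here, and both new URLs use plain http. The sha256 on the fetchurl protects the integrity of the index, so this is not a hole, but snapshot.debian.org serves the same paths over https, and using it removes the plaintext fetch at no cost.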
7 changes: 7 additions & 0 deletions pkgs/tools/networking/openssh/default.nix
@@ -37,6 +37,13 @@ stdenv.mkDerivation rec {

patches =
[
# Remove on update!
(fetchpatch {
name = "fix-tunnel-forwarding.diff";
url = "https://github.com/openssh/openssh-portable/commit/cfb1d9bc767.diff";
sha256 = "1mszj7f1kj6bazr7asbi1bi4238lfpilpp98f6c1dn3py4fbsdg8";
})

./locale_archive.patch
./fix-host-key-algorithms-plus.patch
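Review bot: the `# Remove on update!` marker should say what the patch fixes and where it comes from, e.g. `# Remove on update: upstream fix for tunnel forwarding (#48016, openssh-portable cfb1d9bc767)`, otherwise the next updater has to dig through history to decide whether it is still needed. Using the full upstream commit hash in the fetchpatch URL rather than the abbreviated cfb1d9bc767 keeps the reference unambiguous if the prefix ever collides; the sha256 already pins the content, so this is about traceability, not integrity.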