nixos: Option for disabling individual special fs #18391
Conversation
In some cases, we don't want NixOS to mount certain special file systems. For example, some container systems handle this themselves. This commit adds an option for disabling NixOS management of individual file systems.
|
@rickynils, thanks for your PR! By analyzing the annotation information on this pull request, we identified @abbradar, @edolstra and @oxij to be potential reviewers |
|
Would be nice to also have a lxc test case :) |
|
@domenkozar Yeah. I use libvirt/lxc in my CI setup, so this gets tested implicitly on my end. But it would be nice to have in the official Hydra too. My setup requires nix-daemon to have access to a running libvirtd daemon though, might not be ideal for the official build setup. I haven't looked into setting up LXC without libvirt yet. |
| # systemd-nspawn populates /sys by itself, and remounting it causes all | ||
| # kinds of weird issues (most noticeably, waiting for host disk device | ||
| # nodes). | ||
| "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; }; | ||
| "/sys" = { enabled = !config.boot.isContainer; fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; }; | ||
| }; |
There was a problem hiding this comment.
Won't it work to simply have "/sys" = mkIf (!config.boot.isContainer) { ... } in this case, or is something more complicated needed somewhere else?
There was a problem hiding this comment.
I think so too (optionalAttrs also seems fine) -- otherwise we would need to also support enabled in regular filesystems and I don't think it gives us much benefits.
There was a problem hiding this comment.
@dezgeg @abbradar No, because then we have to encode too much logic in nixpkgs. For example, the libvirt-lxc container sets up /dev/pts itself and the console breaks if NixOS also mounts it. So we'd like to be able to turn /dev/pts off from an external, LXC-specific module.
Why do we need to support enable in regular filesystems? I can't find any place in nixpkgs where we do something like filesystems = config.boot.specialFileSystems. The regular file systems are different, because NixOS doesn't predefine a bunch of mountpoints in that case.
Btw, I started a general discussion of this "unsetting" of options here: http://lists.science.uu.nl/pipermail/nix-dev/2016-September/021663.html .
There was a problem hiding this comment.
Got it, that sounds reasonable then. A nitpick -- options like those are generally named enable (imperative mood).
Oh, and we then want to move "/sys".enabled to container.nix,
Yet another "oh": we need to support this in fileSystems then because coreFileSystemOpts are reused for fileSystems. Should not be too hard, though.
There was a problem hiding this comment.
Ah, yeah it should be enable, I'll change it.
And yes, we should move it to container.nix. Except there is no such file :) I started to try to find the right file to add it to, but got confused about the division between nixos/modules/profiles and nixos/modules/virtualisation. I'll see if I can prepare another PR for cleaning that up a bit, so I can add a proper libvirt-lxc config there too.
OK, I see if I can add it to fileSystems too.
There was a problem hiding this comment.
You have already effectively added it to fileSystems, so you need to add filtering to fileSystems at the top of the file (where it's toposorted) and that should be it.
What about modules/virtualisation/containers.nix?
EDIT: sorry, I'm sleepy and haven't noticed you mentioned it _. I think virtualization/containers.nix is the proper place because that's where container options are defined.
|
What is the status of this PR? It appears that @abbradar suggested a changed that you were going to work on, is that still relevant? |
|
Any updates on this pull request, please? |
|
@mmahut My specific use case for this is not relevant any more, and since it was a long time ago, I can't tell if this is generally useful anymore. Do you have a use case where you need this PR? If not, I think it can be closed. |
|
Thank you, if anyone is interested in this, feel free to re-open this issue. |
Motivation for this change
In some cases, we don't want NixOS to mount certain special
file systems. For example, some container systems handle this
themselves. This commit adds an option for disabling NixOS
management of individual file systems.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)