rkt: run api service and make socket activatable #40534

peterhoeg · 2018-05-15T01:32:20Z

Motivation for this change

The rkt-metadata service is socket activatable so there is no point running it eagerly. Also, it was just called "rkt" in the past which isn't really descriptive as it isn't needed for running regular containers but is a metadata service.

We also now run the API service.

Cc: @Mic92 and @coretemp who have shown interest in the socket activation stuff

Things done

Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
Built on platform(s)
- NixOS
- macOS
- other Linux distributions
Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
Tested execution of all binary files (usually in ./result/bin/)
Fits CONTRIBUTING.md.

GrahamcOfBorg · 2018-05-15T01:42:45Z

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: rkt

Partial log (click to expand)


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.

GrahamcOfBorg · 2018-05-15T01:43:05Z

Success on x86_64-linux (full log)

Attempted: rkt

Partial log (click to expand)

these paths will be fetched (53.60 MiB download, 64.60 MiB unpacked):
  /nix/store/grpmiddag0npm1r0dhyi0a7i4rkljpgw-rkt-1.30.0
copying path '/nix/store/grpmiddag0npm1r0dhyi0a7i4rkljpgw-rkt-1.30.0' from 'https://cache.nixos.org'...
/nix/store/grpmiddag0npm1r0dhyi0a7i4rkljpgw-rkt-1.30.0

Mic92 · 2018-05-15T08:56:21Z

nixos/modules/virtualisation/rkt.nix

      };
    };

+    systemd.tmpfiles.rules = [


Can you explain why all these files are needed?

Upstream wants it

Which services creates this usually?

I should have been clearer - sorry. In order to be able to actually interact with rkt without being root/using sudo, you need to be a member of the rkt group.

Without this PR:

peter@dolores:~ $ rkt list list: failed to get pod handles: mkdir /var/lib/rkt/pods: permission denied

With it:

peter@dolores:~ $ rkt list UUID APP IMAGE NAME STATE CREATED STARTED NETWORKS

Could we maybe use the upstream file? environment.etc."tmpfiles.d/rkt.conf".source = "${rkt}/lib/tmpfiles.d/rkt.conf";?

Hmm, it is not installed by default. Adding the following to postInstall should do it.

mkdir -p $out/lib/tmpfiles.d install -Dm644 dist/init/systemd/tmpfiles.d/rkt.conf $out/lib/tmpfiles.d/rkt.conf

Taken from https://github.com/rkt/rkt/blob/601d9887c5f3659c0e5f72ce1f839787c55fd1f3/scripts/install-rkt.sh#L57

Services should probably be installed the same way. And systemd.packages should probably recognize tmpfiles.d (#40594).

As I understand it, files in tmpfiles.d are not automatically loaded on NixOS. We need to add them to systemd.tmpfiles.rules.

From

nixpkgs/nixos/modules/system/boot/systemd.nix

Lines 773 to 781 in 8a93595

"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";

"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";

"tmpfiles.d/nixos.conf".text = ''

# This file is created automatically and should not be modified.

# Please change the option ‘systemd.tmpfiles.rules’ instead.

${concatStringsSep "\n" cfg.tmpfiles.rules}

'';

, it seems like they are.

Files that are simply part of the package distribution aren't added - so we need to add it to /etc/tmpfiles.d like it's done here or alternatively builtins.readFile. In any case, there is no need to re-invent the wheel so I will adjust this to use the file distributes with upstream. We could it it similarly for the units.

mmahut · 2019-08-03T14:41:24Z

What is the status of this pull request?

peterhoeg · 2019-08-05T04:10:36Z

rkt is for all intents and purposes dead, so we might as well close this.

rkt: run api service and make socket activatable

5d710f3

GrahamcOfBorg added 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0 labels May 15, 2018

Mic92 reviewed May 15, 2018

View reviewed changes

peterhoeg closed this Aug 5, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rkt: run api service and make socket activatable #40534

rkt: run api service and make socket activatable #40534

peterhoeg commented May 15, 2018

GrahamcOfBorg commented May 15, 2018

GrahamcOfBorg commented May 15, 2018

Mic92 May 15, 2018

peterhoeg May 15, 2018

Mic92 May 15, 2018

peterhoeg May 16, 2018

jtojnar May 16, 2018

jtojnar May 16, 2018

jtojnar May 16, 2018

peterhoeg May 16, 2018

jtojnar May 16, 2018

peterhoeg May 16, 2018

mmahut commented Aug 3, 2019

peterhoeg commented Aug 5, 2019

	"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
	"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";

	"tmpfiles.d/nixos.conf".text = ''
	# This file is created automatically and should not be modified.
	# Please change the option ‘systemd.tmpfiles.rules’ instead.

	${concatStringsSep "\n" cfg.tmpfiles.rules}
	'';

rkt: run api service and make socket activatable #40534

rkt: run api service and make socket activatable #40534

Conversation

peterhoeg commented May 15, 2018

Motivation for this change

Things done

GrahamcOfBorg commented May 15, 2018

GrahamcOfBorg commented May 15, 2018

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

mmahut commented Aug 3, 2019

peterhoeg commented Aug 5, 2019