Add support for global LXC config files

[fpletz]

This PR adds basic configuration of global LXC configuration parameters through the config files

• /etc/lxc/lxc.conf
• /etc/lxc/default.conf
• /etc/lxc/lxc-usernet

Configuration example:

{
  virtualisation = {
    lxc.enable = true;
    lxc.defaultConfig = ''
      lxc.network.type = veth
      lxc.network.link = virbr0
      lxc.network.flags = up
    '';
  };
}

[aristidb]

It's just a thin wrapper around environment.etc, so I'm not sure if this adds much value?

[7c6f434c]

We need to start somewhere…

[bjornfor]

Anyone successfully running LXC on NixOS?

I followed the instructions on https://linuxcontainers.org/lxc/getting-started/ (and adding users.extraUsers.*.subUidRanges and subGidRanges), but then there are some issues:

$ lxc-start -n my-container
lxc_container: Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/
lxc_container: Read-only file system - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/
lxc_container: failed creating cgroups
lxc_container: failed to spawn 'my-container'
lxc_container: The container failed to start.
lxc_container: Additional information can be obtained by setting the --logfile and --logpriority options.

According to lxc/lxc#369 (comment), the issue is that the cgroup mounts lack the 'clone_children' flag, set to 1. I see that NixOS lacks that flag:

$ mount | grep cgroup
...
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)

Ok, manually working around that:

echo 1 | sudo tee /sys/fs/cgroup/cpuset/cgroup.clone_children

Trying again with "lxc-start" fails with insufficient write permissions on various
sub-directories under /sys/fs/cgroup/. Fixing manually with chmod a+w (hack).

When all permissions are sorted out:

$ lxc-start -n my-container
Failed to open /nix/store/9dc0igigigvjlk0w7yv2gp75mi8mdi4f-lxc-1.0.6/etc/lxc/lxc-usernet: No such file or directory
Quota reached
lxc_container: failed to create the configured network

That lxc store path exists, but not the .../etc/lxc/lxc-usernet path. I guess LXC
should have read /etc/lxc/lxc-usernet instead (which I have configured with proper content).

@fpletz: Did LXC work for you at the time you submitted this PR?

[bjornfor]

@fpletz: Ping.