Networkd containers

jobset.nix

@@ -0,0 +1,21 @@
+# FIXME remove before merging!
+
+{ nixpkgs }:
+let
+  release = import ./nixos/release.nix {
+    supportedSystems = [ "x86_64-linux" ];
+    inherit nixpkgs;
+  };
+in
+
+{
+  container-tests = {
+    general = release.tests.containers-next.basic;
+    migration = release.tests.containers-next.migration;
+    activation = release.tests.containers-next.config-activation;
+    imperative = release.tests.containers-next.imperative;
+    nat = release.tests.containers-next.nat;
+    daemon-mount = release.tests.containers-next.daemon-mount;
+    wireguard = release.tests.containers-next.wireguard;
+  };
+}

nixos/lib/test-driver/test_driver/machine.py

@@ -483,6 +483,15 @@ def systemctl(self, q: str, user: Optional[str] = None) -> Tuple[int, str]:
             )
         return self.execute(f"systemctl {q}")
 
+    def wait_until_unit_stops(self, unit: str) -> None:
+        def wait_inactive(_: Any) -> bool:
+            info = self.get_unit_info(unit)
+            state = info["ActiveState"]
+            return state == "inactive"
+
+        with self.nested(f"waiting for unit '{unit}' to stop"):
+            retry(wait_inactive)
+
     def require_unit_state(self, unit: str, require_state: str = "active") -> None:
         with self.nested(
             f"checking if unit '{unit}' has reached state '{require_state}'"

nixos/modules/module-list.nix

@@ -1377,6 +1377,8 @@
   ./virtualisation/container-config.nix
   ./virtualisation/containerd.nix
   ./virtualisation/containers.nix
+  ./virtualisation/containers-next
+  ./virtualisation/nixos-containers.nix
   ./virtualisation/cri-o.nix
   ./virtualisation/docker-rootless.nix
   ./virtualisation/docker.nix

nixos/modules/services/misc/nix-daemon.nix

@@ -720,7 +720,7 @@ in
     # systemd.tmpfiles.packages = [ nixPackage ];
 
     # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285
-    systemd.tmpfiles.rules = [
+    systemd.tmpfiles.rules = mkIf (!config.boot.isContainer) [
       "d /nix/var/nix/daemon-socket 0755 root root - -"
     ];
 

nixos/modules/system/activation/switch-to-configuration.pl

@@ -125,14 +125,11 @@
 # virtual console 1 and we restart the "tty1" unit.
 $SIG{PIPE} = "IGNORE";
 
-# Replacement for Net::DBus that calls busctl of the current systemd, parses
-# it's json output and returns the response using only core modules to reduce
-# dependencies on perlPackages in baseSystem
-sub busctl_call_systemd1_mgr {
-    my (@args) = @_;
+sub call_systemd_dbus_api {
+    my ($api_name, @args) = @_;
     my $cmd = [
-        "$cur_systemd/busctl", "--json=short", "call", "org.freedesktop.systemd1",
-        "/org/freedesktop/systemd1", "org.freedesktop.systemd1.Manager",
+        "$cur_systemd/busctl", "--json=short", "call", "org.freedesktop.${api_name}",
+        "/org/freedesktop/${api_name}", "org.freedesktop.${api_name}.Manager",
         @args
     ];
 
@@ -143,6 +140,14 @@ sub busctl_call_systemd1_mgr {
     return $res;
 }
 
+# Replacement for Net::DBus that calls busctl of the current systemd, parses
+# it's json output and returns the response using only core modules to reduce
+# dependencies on perlPackages in baseSystem
+sub busctl_call_systemd1_mgr {
+    my (@args) = @_;
+    return call_systemd_dbus_api("systemd1", @args);
+}
+
 # Asks the currently running systemd instance via dbus which units are active.
 # Returns a hash where the key is the name of each unit and the value a hash
 # of load, state, substate.
@@ -294,11 +299,18 @@ sub record_unit {
 sub unrecord_unit {
     my ($fn, $unit) = @_;
     if ($action ne "dry-activate") {
-        edit_file(sub { s/^$unit\n//msx }, $fn);
+        if (index($unit, "systemd-nspawn@") == -1) {
+            edit_file(sub { s/^$unit\n//msx }, $fn);
+        }
     }
     return;
 }
 
+sub comp_array {
+    my ($a, $b) = @_;
+    return join("\0", @{$a}) eq join("\0", @{$b});
+};
+
 # Compare the contents of two unit files and return whether the unit
 # needs to be restarted or reloaded. If the units differ, the service
 # is restarted unless the only difference is `X-Reload-Triggers` in the
@@ -322,11 +334,6 @@ sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity)
         SourcePath
     );
 
-    my $comp_array = sub {
-      my ($a, $b) = @_;
-      return join("\0", @{$a}) eq join("\0", @{$b});
-    };
-
     # Comparison hash for the sections
     my %section_cmp = map { $_ => 1 } keys(%{$new_unit});
     # Iterate over the sections
@@ -370,7 +377,7 @@ sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity)
             }
             my @new_value = @{$new_unit->{$section_name}{$ini_key}};
             # If the contents are different, the units are different
-            if (not $comp_array->(\@cur_value, \@new_value)) {
+            if (not comp_array(\@cur_value, \@new_value)) {
                 # Check if only the reload triggers changed or one of the ignored keys
                 if ($section_name eq "Unit") {
                     if ($ini_key eq "X-Reload-Triggers") {
@@ -418,6 +425,79 @@ sub compare_units { ## no critic(Subroutines::ProhibitExcessComplexity)
     return $ret;
 }
 
+
+sub compare_nspawn_units {
+    # Intentionally trying to keep this similar to compare_units.
+    my ($cur_unit, $new_unit) = @_;
+
+    # Keys to ignore
+    my %ignored_keys = map { $_ => 1 } qw(
+        Parameters
+        X-ActivationStrategy
+    );
+
+    # Comparison hash for the sections
+    my %section_cmp = map { $_ => 1 } keys(%{$new_unit});
+
+    # Iterate over the sections
+    foreach my $section_name (keys(%{$cur_unit})) {
+        # Missing section in the new unit.
+        if (not exists($section_cmp{$section_name})) {
+            return 1;
+        }
+
+        # Delete the key from the hashmap. Used later to determine
+        # if some sections exist in new unit but not in current unit.
+        delete $section_cmp{$section_name};
+
+        # Comparison hash for the section contents
+        my %ini_cmp = map { $_ => 1 } keys(%{$new_unit->{$section_name}});
+
+        # Iterate over the keys of the section
+        foreach my $ini_key (keys(%{$cur_unit->{$section_name}})) {
+            # Check that the key exists in the new unit, matches in value or is ignored.
+            if (
+                exists($ini_cmp{$ini_key}) and (
+                    defined($ignored_keys{$ini_key})
+                    or comp_array(
+                        \@{$cur_unit->{$section_name}{$ini_key}},
+                        \@{$new_unit->{$section_name}{$ini_key}}
+                    )
+                )
+            ) {
+                # Delete the key from the hashmap. Used later to determine
+                # if some keys exist in new unit but not in current unit,
+                # or they differ.
+                delete $ini_cmp{$ini_key};
+
+            } else {
+                # Key is missing or differs to the new unit.
+                return 1;
+            }
+        }
+
+        # Missing key(s) in the current unit.
+        # If they are not ignorable, a restart is required.
+        foreach my $ini_key (keys(%ini_cmp)) {
+            if (not defined($ignored_keys{$ini_key})) {
+                return 1;
+            }
+        }
+    }
+
+    # Missing section(s) in the current unit.
+    if (%section_cmp) {
+        return 1;
+    }
+    return 0;
+}
+
+sub list_running_nspawn_machines {
+    my $raw = call_systemd_dbus_api("machine1", qw/ListMachines/)->{data}->[0];
+    my %running_machines = map { $_->[0] => 1 } grep { $_->[0] ne ".host" } @{$raw};
+    return %running_machines;
+}
+
 # Called when a unit exists in both the old systemd and the new system and the units
 # differ. This figures out of what units are to be stopped, restarted, reloaded, started, and skipped.
 sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutines::ProhibitExcessComplexity)
@@ -495,6 +575,11 @@ sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutin
                     }
                 }
 
+                # Skip the following logic for systemd-nspawn units
+                if (index($unit, "systemd-nspawn@") ne -1) {
+                    return;
+                }
+
                 # If the unit is not socket-activated, record
                 # that this unit needs to be started below.
                 # We write this to a file to ensure that the
@@ -534,6 +619,62 @@ sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutin
 %units_to_reload = map { $_ => 1 }
     split(/\n/msx, read_file($reload_list_file, err_mode => "quiet") // "");
 
+# Handle nspawn unit changes
+my @current_nspawn_units = glob("/etc/systemd/nspawn/*.nspawn");
+my @new_nspawn_units = glob("$out/etc/systemd/nspawn/*.nspawn");
+my %current_units_cmp = map { $_ => 1 } @current_nspawn_units;
+my %running_containers = list_running_nspawn_machines();
+foreach my $new_unit_file (@new_nspawn_units) {
+    my $container_name = basename($new_unit_file);
+    $container_name =~ s/\.nspawn//;
+    my $unit_name = "systemd-nspawn\@$container_name.service";
+
+    my $cur_unit_file = $new_unit_file;
+    $cur_unit_file =~ s/^$out//;
+    if (exists($current_units_cmp{$cur_unit_file})) {
+        my %new_unit_info = parse_unit($new_unit_file);
+        my $strategy = $new_unit_info{"Exec"}{"X-ActivationStrategy"}[0] // "dynamic";
+
+        # Skip comparison logic/restart check if ActivationStrategy is "none"
+        next if $strategy eq "none";
+
+        my %cur_unit_info = parse_unit($cur_unit_file);
+        my $changed = compare_nspawn_units(\%cur_unit_info, \%new_unit_info);
+
+=pod Truth table for restarts
+|Strategy|Changed|Reload|Restart|
+|--------|-------|------|-------|
+|Dynamic |0      |Y     |-      |
+|Dynamic |1      |-     |Y      |
+|Restart |0      |-     |-      |
+|Restart |1      |-     |Y      |
+|Reload  |0      |Y     |-      |
+|Reload  |1      |Y     |-      |
+=cut
+        if ($strategy ne "restart" and ($changed == 0 or $strategy eq "reload")) {
+            if (exists($running_containers{$container_name})) {
+                $units_to_reload{$unit_name} = 1;
+            }
+        } elsif ($changed == 1) {
+            $units_to_restart{$unit_name} = 1;
+        }
+    } else {
+        # Start the unit if it didn't exist before
+        $units_to_start{$unit_name} = 1;
+    }
+}
+
+# Stop all now removed nspawn containers
+foreach my $cur_unit_file (@current_nspawn_units) {
+    my %cur_unit_info = parse_unit($cur_unit_file);
+    unless (-f "$out$cur_unit_file" || ($cur_unit_info{"Exec"}{'X-Imperative'}[0] // "0") == "1") {
+        my $container_name = basename($cur_unit_file);
+        $container_name =~ s/\.nspawn//;
+        my $unit_name = "systemd-nspawn\@$container_name.service";
+        $units_to_stop{$unit_name} = 1;
+    }
+}
+
 my $active_cur = get_active_units();
 while (my ($unit, $state) = each(%{$active_cur})) {
     my $base_unit = $unit;
@@ -859,8 +1000,10 @@ sub filter_units {
             # Figure out if we need to start the unit
             my %unit_info = parse_unit("$out/etc/systemd/system/$unit");
             if (!(parse_systemd_bool(\%unit_info, "Unit", "RefuseManualStart", 0) || parse_systemd_bool(\%unit_info, "Unit", "X-OnlyManualStart", 0))) {
-                $units_to_start{$unit} = 1;
-                record_unit($start_list_file, $unit);
+                if (index($unit, "systemd-nspawn@") == -1) {
+                    $units_to_start{$unit} = 1;
+                    record_unit($start_list_file, $unit);
+                }
             }
             # Don't reload the unit, reloading would fail
             delete %units_to_reload{$unit};
@@ -871,8 +1014,27 @@ sub filter_units {
 # Reload units that need it. This includes remounting changed mount
 # units.
 if (scalar(keys(%units_to_reload)) > 0) {
-    print STDERR "reloading the following units: ", join(", ", sort(keys(%units_to_reload))), "\n";
-    system("$new_systemd/bin/systemctl", "reload", "--", sort(keys(%units_to_reload))) == 0 or $res = 4;
+    my @to_reload = sort(keys(%units_to_reload));
+    print STDERR "reloading the following units: ", join(", ", @to_reload), "\n";
+
+    # Reloading containers & dbus.service in the same transaction causes
+    # the system to stall for about 1 minute.
+    my (@services, @containers);
+    foreach my $s (@to_reload) {
+        if (index($s, "systemd-nspawn@") == 0) {
+            push @containers, $s;
+        } else {
+            push @services, $s;
+        }
+    }
+
+    if (scalar(@services) > 0) {
+        system("$new_systemd/bin/systemctl", "reload", "--", @services) == 0 or $res = 4;
+    }
+    if (scalar(@containers) > 0) {
+        system("$new_systemd/bin/systemctl", "reload", "--", @containers) == 0 or $res = 4;
+    }
+
     unlink($reload_list_file);
 }