New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/containers: Introduce several tweaks to systemd-nspawn from upstream systemd #48771
Conversation
6f619b7
to
810989a
Compare
seems to fail
|
bbd7b42
to
b047c51
Compare
Test fixed now. Apparently |
b047c51
to
9fe44d8
Compare
…tream systemd * Lets container@.service be activated by machines.target instead of multi-user.target According to the systemd manpages, all containers that are registered by machinectl, should be inside machines.target for easy stopping and starting container units altogether * make sure container@.service and container.slice instances are actually located in machine.slice https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX See original commit: NixOS/systemd@45d383a3b8 * Enable Cgroup delegation for nixos-containers Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers. This is equivalent to enabling all accounting options on the systemd process inside the system container. This means that systemd inside the container is responsible for managing Cgroup resources for unit files that enable accounting options inside. Without this option, units that make use of cgroup features within system containers might misbehave See original commit: NixOS/systemd@a931ad47a8 from the manpage: Turns on delegation of further resource control partitioning to processes of the unit. Units where this is enabled may create and manage their own private subhierarchy of control groups below the control group of the unit itself. For unprivileged services (i.e. those using the User= setting) the unit's control group will be made accessible to the relevant user. When enabled the service manager will refrain from manipulating control groups or moving processes below the unit's control group, so that a clear concept of ownership is established: the control group tree above the unit's control group (i.e. towards the root control group) is owned and managed by the service manager of the host, while the control group tree below the unit's control group is owned and managed by the unit itself. Takes either a boolean argument or a list of control group controller names. If true, delegation is turned on, and all supported controllers are enabled for the unit, making them available to the unit's processes for management. If false, delegation is turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation is turned on, and the specified controllers are enabled for the unit. Note that additional controllers than the ones specified might be made available as well, depending on configuration of the containing slice unit or other units contained in it. Note that assigning the empty string will enable delegation, but reset the list of controllers, all assignments prior to this will have no effect. Defaults to false. Note that controller delegation to less privileged code is only safe on the unified control group hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on the legacy hierarchy, even when requested. The following controller names may be specified: cpu, cpuacct, io, blkio, memory, devices, pids. Not all of these controllers are available on all kernels however, and some are specific to the unified hierarchy while others are specific to the legacy hierarchy. Also note that the kernel might support further controllers, which aren't covered here yet as delegation is either not supported at all for them or not defined cleanly.
9fe44d8
to
9f72791
Compare
CC @Mic92 |
Can you add yourself to ofborg? https://github.com/NixOS/ofborg/pull/223/files |
Done: NixOS/ofborg#256 |
The
That should do the trick. |
Ah yes this is because our activation script needs this information as well. |
@peterhoeg yes I do that now. Thanks! Albeit the other way around. (Multi-user.wants = machines.target). The result being identical in terms of semancis. |
@GrahamcOfBorg test containers-imperative containers-tmpfs |
Success on x86_64-linux (full log) Attempted: tests.containers-imperative, tests.containers-tmpfs Partial log (click to expand)
|
Success on aarch64-linux (full log) Attempted: tests.containers-imperative, tests.containers-tmpfs Partial log (click to expand)
|
@GrahamcOfBorg test containers-bridge containers-extra_veth containers-hosts containers-ipv4 containers-ipv6 containers-macvlans containers-physical_interfaces containers-portforward containers-reloadable containers-restart_networking |
Success on x86_64-linux (full log) Attempted: tests.containers-bridge, tests.containers-extra_veth, tests.containers-hosts, tests.containers-ipv4, tests.containers-ipv6, tests.containers-macvlans, tests.containers-physical_interfaces, tests.containers-restart_networking The following builds were skipped because they don't evaluate on x86_64-linux: tests.containers-portforward, tests.containers-reloadable Partial log (click to expand)
|
Success on aarch64-linux (full log) Attempted: tests.containers-bridge, tests.containers-extra_veth, tests.containers-hosts, tests.containers-ipv4, tests.containers-ipv6, tests.containers-macvlans, tests.containers-physical_interfaces, tests.containers-restart_networking The following builds were skipped because they don't evaluate on aarch64-linux: tests.containers-portforward, tests.containers-reloadable Partial log (click to expand)
|
Tests look good to me. The two tests that didn't 'evaluate' are not in |
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)