nixos/containers: add unprivileged option #67130
Conversation
Related #28425.
@GrahamcOfBorg test containers-unprivileged
Does machinectl shell propagate error signals? Like, if container reload failed, would that be masked?
@danbst Good point! I guess it doesn't, at least by default:
This looks good. @uvNikita any idea if it would be easy to propagate these return codes?
About return code:
I see, thank you. This looks good.
But doesn't it mean that machinectl is not actually suitable for this use-case? I can fix
@uvNikita if you can do that, it would be better. Going to revert my merge. Please open a new PR and tag me.
@mmahut will do, thanks.
This is the first step for unprivileged nixos containers support. Fixes NixOS#30019. See also NixOS#18825, NixOS#57083, and NixOS#67130.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/nixos-container-limitations/1835/6
Motivation for this change

There are two parts of this commit:
- `nixos-container run` to `machinectl shell` in reload command which fixes nixos-container with user namespace enabled #57083
- `unprivileged` option that adds `-U` to `systemd-nspawn` command

As described in #57083, the first change is necessary since `nixos-container` command fails to enter container namespace when userns is enabled due to missing `-u` argument to nsenter call. Otherwise, to my best knowledge, `machinectl shell` should be a drop-in replacement for `nixos-container run` in this context.

Things done
- (`sandbox` in `nix.conf` on non-NixOS)
- `nix-shell -p nix-review --run "nix-review wip"`
- `./result/bin/`
- (`nix path-info -S` before and after)

Notify maintainers
cc @grahamc @danbst @flokli @arianvp @mmahut
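The question raised in the conversation, whether the command used by `reload` to run inside the container (here `machinectl shell` in place of `nixos-container run`) propagates the inner command's exit status, can be probed before the reload result is trusted. The POSIX sh helpers below are an added example, not code from this PR or from NixOS; the runner prefix (for instance `machinectl shell <name> /bin/sh -c`) is an assumption, and any command prefix that takes a shell command string as its last argument works.

```sh
# Added example, not code from this PR or from NixOS.
# RUNNER is a command prefix that executes a shell command string inside the
# container, e.g. "machinectl shell mycontainer /bin/sh -c" (assumed form).
# The probe sends a command with a known non-zero exit status through it and
# checks whether that status comes back unchanged.

# Returns 0 when RUNNER propagates the inner exit status, 1 when it masks it.
runner_propagates_exit_status() {
  runner=$1
  # 'exit 42' must come back as 42; a runner that always reports success
  # (the concern raised about machinectl shell) yields 0 here instead.
  rc=0
  $runner 'exit 42' >/dev/null 2>&1 || rc=$?
  [ "$rc" -eq 42 ]
}

# Run the reload step through RUNNER, but refuse to report success when the
# runner has been shown to mask failures (exit 2), so a failed reload is never
# silently treated as a successful one.
reload_via_runner() {
  runner=$1
  reload_cmd=$2
  if ! runner_propagates_exit_status "$runner"; then
    echo "runner '$runner' masks exit codes; reload result cannot be trusted" >&2
    return 2
  fi
  # Exit status of the reload command becomes this function's status.
  $runner "$reload_cmd"
}
```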