src/main/nspawn/config.ini

#
# default configuration
#

#
# main program behaviour
#
[main]

# say 'yes' for debugging
# print error stack traces before exit on failure
trace_error = no


#
#  build engine options
#
[build]

# name space in archive/extract store
build_space = a-nspawn-build
build_regex = ^a-nspawn-build(.+)

# say 'yes' for debugging
# preserve archive/extract/runtime folders used for build
preserve_build_dir = no

# shell script invocation for SH(script)
# i.e.: compose command as ['/usr/bin/env', 'sh', '-e', '-c', script]
shell_invoke =
    /usr/bin/env
    sh
    -e
    -c
    {script}

#
# configuration behaviour 
#
[config]

# configuration override file list
path_list = 
    /etc/nspawn/config.ini
    $HOME/.nspawn/config.ini
    $HOME/.config/nspawn/config.ini

#
# logging options
#
[logging]

# https://docs.python.org/3/library/logging.html
level = debug
datefmt = %Y-%m-%d %H:%M:%S
format = %(asctime)s %(levelname)-6s %(message)s

#
# location of program resources
# note: ensure single file system with xattr support
#
[storage]

# base directory for all resources
root = /var/lib/nspawn

# downloaded archive resources
archive = ${storage:root}/archive

# extracted archive resources
extract = ${storage:root}/extract

# live machine resources
runtime = ${storage:root}/runtime

# program working directory
tempdir = ${storage:root}/tempdir

# hatcher image storage
provision = ${storage:tempdir}/provision

#
# proxy settings during build
#
[proxy]

# apply proxy during image pull
use_host_proxy = yes

# apply proxy inside build container
use_machine_proxy = yes

# seconds to wait during proxy validation
socket_timeout = 1.5

# list of proxy configuration sources:
# * "user" - check proxy env var from current user
# * "root" - check proxy env var from sudo root user
# * "config" - check proxy settings from 'proxy_config_text'
# last found "no_proxy" takes place
# first working "proto_proxy" takes place
proxy_check_list =
    user
    root
    config

# default proxy fallback settings
proxy_config_text =
    no_proxy = nspawn-image-server
    http_proxy = http://nspawn-proxy-server:3128
    https_proxy = http://nspawn-proxy-server:3130

#
# network environment discovery
#
[network]

# check internet access timeout, seconds
check_timeout = 1.5

# list of hosts to check internet access
check_host_list =
    http://checkip.amazonaws.com/

#
# container service properties
#
[machine]

# default tempalte
template = machine-default.service

# auto-provision host resources declared in "Bind=..."
# works by adding mkdir/touch to the service unit file
# provision empty folder if path ends with "/"
# provision emtpy file if path does not end with "/"
use_bind_stub = yes  

# overlayfs mount options, comma-separator, no-space
# https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt
# not supported on old ubuntu, ie travis/xenial
#overlayfs_mount_opts = xino=on
overlayfs_mount_opts = 

#
# system commands used by this package
#
[wrapper]

# declare system commands used by this package
required_list =
    env
    sudo
    true
    test
    touch
    getfattr
    setfattr
    cp
    mv
    dd
    xz
    zip
    tar
    pigz
    ip
    curl
    rsync
    nsenter
    systemctl
    machinectl
    systemd-nspawn


[wrapper/sudo]
binary = sudo
option_list =
    -u
    root
    
# attribute name space used by this package
xattr_space = user.nspawn.

# regular expression used to match package attributes
xattr_regex = ^user[.]nspawn[.]

# rsync options
# https://linux.die.net/man/1/rsync
#
# -D                          same as --devices --specials
# -r, --recursive             recurse into directories
# -l, --links                 copy symlinks as symlinks
# -t, --times                 preserve modification times
#
# -X, --xattrs                preserve extended attributes
#
# -A, --acls                  preserve ACLs
# -p, --perms                 preserve permissions
#
# -g, --group                 preserve group
# -o, --owner                 preserve owner

# options for DSL.COPY, DSL.CAST
rsync_base = -Drlt -Ap

# options for DSL.PULL, DSL.PUSH
rsync_full = -Drlt -Ap -go

#
# https://curl.haxx.se/docs/manpage.html
#
[wrapper/curl]
binary = curl
option_list =
    # ignore $HOME/.curlrc   
    --disable
    # enable redirect response 3XX
    --location
    # ignore ssl validation
    --insecure
    # report non-2XX via non-zero rc
    --fail
    # suppress progress or error
    --silent
    # still display non-2XX errors
    --show-error
    # manage connection delays
    --connect-timeout
    5
    # retry on transient errors
    --retry
    3
    --retry-delay
    1
    --retry-max-time
    15 

[wrapper/tar]
binary = tar
option_list = 
    # keep access
    --acls
    # keep attributes
    --xattrs
    # preserve user/group
    --same-owner
    # preserve rwx persmissions
    --same-permissions

# supported image formats
suffix_list =
    .tar.gz
    .tar.xz
    
[wrapper/zip]
binary = zip
option_list = 

[wrapper/unzip]
binary = unzip
option_list = 
    
[wrapper/systemctl]
binary = systemctl
option_list = 
    --no-pager

[wrapper/machinectl]
binary = machinectl
option_list = 
    --no-pager

[wrapper/systemd_nspawn]
binary = systemd-nspawn
option_list = 
    # suppress "press to escape" message
    --quiet
    # do not expose service via machinectl
    --register=no
    # connect process stdin,stdout,stderr
    --console=pipe
    # elevate priveleges during build
    --capability=all
    # use private system log
    --link-journal=no
    
[wrapper/nsenter]
binary = nsenter
option_list = 
    # enter mount namespace
    -m
    # enter UTS namespace (hostname etc)
    -u
    # enter System V IPC namespace
    -i
    # enter network namespace
    -n
    # enter pid namespace
    -p

#
# authentication entry
# image server provided by hatcher
#
[auth/image]
# using username:password
type = basic
# using host name re-mapping
host = nspawn-image-server
# default username
username = default
# default password
password = default

#
# local image server
#
[hatcher/image-server]

# alpine nginx user identity
service_gid = 101
service_uid = 100

# machine container identity
machine_name = nspawn-image-server

# service data store
service_home = /home/${hatcher/image-server:machine_name}
service_log_dir = ${hatcher/image-server:service_home}/log
service_store_dir = ${hatcher/image-server:service_home}/store
service_user_file = ${hatcher/image-server:service_home}/etc/user.conf

#
# amazon aws s3 image syncer
#
[hatcher/image-syncer]

# machine container identity
machine_name = nspawn-image-syncer

# service data store, shared
service_home = /home/${hatcher/image-syncer:machine_name}
service_log_dir = ${hatcher/image-syncer:service_home}/log
service_store_dir = ${hatcher/image-server:service_home}/store

# service aws s3 replication parameters
# see: https://github.com/random-python/file_sync_s3
service_access_key = invalid
service_secret_key = invalid
service_region_name = invalid
service_bucket_name = invalid
service_object_mode = public-read
service_include_list =
    .+[.]gz\Z
    .+[.]zst\Z
    .+[.]html\Z
service_exclude_list =
    .+/invalid/.+
service_use_expire = yes
service_expire_days = 50
service_expire_period = 12:00:00

#
# local image proxy
#
[hatcher/image-proxy]

# alpine squid user identity
service_gid = 31
service_uid = 31

# machine container identity
machine_name = nspawn-proxy-server

# service data store
service_home = /home/${hatcher/image-proxy:machine_name}
service_log_dir = ${hatcher/image-proxy:service_home}/log
service_store_dir = ${hatcher/image-proxy:service_home}/store