virtualisation / container host OS
Clone or download


vpsAdminOS is a small experimental OS for container virtualisation.

Provides environment to run unprivileged LXC containers with nesting and AppArmor.

Based on not-os - small experimental OS for embeded situations.

It is also based on NixOS, but compiles down to a custom kernel, initrd, and a squashfs root while reusing packages and some modules from nixpkgs.



  • Upstream kernel with several patches
  • AppArmor
  • CRIU
  • runit
  • BIRD
  • ZFS
  • osctl/osctld (userspace tools bundled with vpsAdminOS)

Building OS

git clone
cd vpsadminos

# temporarily this needs vpsadminos branch from vpsfreecz/nixpkgs

git clone --branch vpsadminos
export NIX_PATH=`pwd`


# to run under qemu
make qemu

QEMU runner creates two disk images - sda.img and sdb.img which are added as QEMU ATA drives and can be used to create a mirrored ZFS pool which persists across reboots.


# Login via ssh or use qemu terminal with autologin
ssh -p 2222 localhost

# Configure osctld:
osctl pool install tank

# Create a user:
osctl user new --ugid 5000 --map 0:666000:65536 myuser01

# Create a container:
osctl ct new --user myuser01 --distribution alpine --version 3.7 myct01

# Configure container networking:
# Bridged veth
osctl ct netif new bridge --link lxcbr0 myct01 eth0

# Routed veth
osctl ct netif new routed myct01 eth1
osctl ct netif ip add myct01 eth1

# Start the container:
osctl ct start myct01

# Work with containers:
osctl ct ls
osctl ct attach myct01
osctl ct console myct01
osctl ct exec myct01 ip addr

# More information:
man osctl


Converting OpenVZ Legacy containers into vpsAdminOS

vpsAdminOS Converter can be used to convert OpenVZ Legacy containers containers into vpsAdminOS. See the documentation.

Nested LXC/LXD containers

Nested LXC/LXD containers can be enabled per container:

osctl ct set nesting <id>


Docker within containers works with a modified seccomp profile:

osctl ct set seccomp <id> /etc/lxc/config/common.seccomp

Then you can install the latest Docker version within container <id> by following the manual, e.g.

Building specific targets

nix-build -A -o tftpdir
nix-build -A



There is a support for generating iPXE config files, that will check the cryptographic signature over all images, to ensure only authorized files can run on the given hardware. This also rebuilds iPXE to contain keys to be used for signature verification.