-
-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support declarative container options in imperative setup #18355
Comments
Imperative bind mounts should be possible via I doubt they persist across reboots but have not tested. If you are looking for a declarative way, this works:
|
Came around this problem while trying to deploy containers via NixOPS. I've done some early experiments. Declarative containers are currently quite powerful compared to the imperative approach and that's a pity, since NixOPS' container backend is based on the imperative approach via the tool nixos-container. From researching how containers are actually implemented, I've found that declarative containers take advantage of custom unit files for some settings and they use mode values in the container's configuration file. These values are then used in the startup files of the container. Imperative containers have way less options for configuration. They use a template unit file based on an empty dummy configuration and the container's configuration file is written by nixos-container instead of being built via Nix. By manually tweaking the configuration file of my test containers in /etc/containers/ some of the features from declarative containers can be used. They are just not accessible via nixos-container, still they work. That's because the startup scripts of the containers base most of their decisions on this configuration file. Most of the fragments are defined in this module: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/containers.nix Based on my current understanding I think that there might be a chance to actually adjust the way how containers are configured, so that the deployment options sit inside of the container definition, like you suggest above. In my experiments I've used a different namespace The idea is to move all options of the declarative containers from Currently I am thinking that the container's configuration file (or in the imperative case the base of it) should be build by nix and maybe added as a symlink into the system derivation, so that nixos-container could use it from there and the user could inspect it via the system profile. I am not sure if that's having unwanted side effects though, first time I am touching this area. It would probably also be possible to support adjusted startup scripts based on the same logic which is used for declarative containers. The tricky part would be to tell the template unit file, that we want a specific startup script or snippet to be executed. This might be doable based on a new variable in the container's configuration file, so that the unit template of the host would find the script. I've made an experiment which demonstrates parts of the idea. Would be great to get some feedback if that's a reasonable direction. For simplicity I've put the code into my nixops fork into this branch: https://github.com/johbo/nixops/tree/exp-containers The compare view can be found here: https://github.com/NixOS/nixops/compare/master...johbo:exp-containers?expand=1 The following is an example how I've used it in my small test scenario:
|
Looking forward for Nixos side implementation! Why did you go nixops side? |
I stumbled upon this while trying to learn how to define bind mounts in an imperative container. I tried looking at @johbo's commits, but I'm new to Nix and it's all gibberish to me at this point. I want to mention a concern that @johbo's commits may or may not take into account (if it even should). I noticed that I'm editing settings for my imperative container in Declarative containers, on the other hand, do not have a Perhaps dropping privileges inside the container is sufficient (I still need to determine how this is achieved), or perhaps Nix is so awesome it already handles this, but if configuring bindMounts inside a container is the direction this solution is heading, consider moving the |
Currently it is clearly stated that compromised |
I need this too, because I need to override |
My usecase is finally possible with https://github.com/erikarvstedt/extra-container Next issue should be intergrate |
@danbst Did you inted to close this? It seems like until
is done, this problem continues to exist. (Tentatively reopening) |
yep, I wanted to close this issue. Actually, I think integrating extra-container stuff into nixos-container isn't trivial, maybe better would be to design |
@danbst That all sounds reasonable, but shouldn't we keep the ticket open then, as there is no current general solution? |
@nh2 alright. I wonder if there are drawbacks of using |
Nix is now, with flakes, going towards splitting code up. Merging everything in nixpkgs isn't the way to go anymore. Containers are, in all likelyhood, better as a separate flake. We can go the other way, and take stuff out of nixpkgs. |
Thank you for your contributions.
|
still important to me |
I marked this as stale due to inactivity. → More info |
I wonder what @erikarvstedt has to say on this topic... |
I marked this as stale due to inactivity. → More info |
also interested in this, specially with flakes |
I marked this as stale due to inactivity. → More info |
Still interested, for containers defined inside flakes |
It's worth taking a look at microvm, which is setting up vm options as nixos modules: outputs = { self, nixpkgs, microvm }: {
# Example nixosConfigurations entry
nixosConfigurations.my-microvm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
# Include the microvm module
microvm.nixosModules.microvm
# Add more modules here
{
networking.hostName = "my-microvm";
microvm.hypervisor = "cloud-hypervisor";
}
];
};
}; It should be possible to create a module defining container options, to be put inside the container definition, as microvm is doing |
It is now impossible to set bind mounts for imperative containers. I don't whether it is by design, or there is no interface to do it imperatively yet. I hope for latter. In that case we can have this container config:
Main use case is to improve usability of container deployments in NixOps. Another usecase it to simplify solution for problem in #17365 (if I understood the problem correctly).
The text was updated successfully, but these errors were encountered: