Merge pull request #67232 from ck3d/container-useHostResolvConf

machinectl compliant NixOS installation

nixos/doc/manual/installation/installing-nspawn-container.xml

@@ -0,0 +1,37 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         version="5.0"
+         xml:id="sec-installing-nspawn-container">
+ <title>Installing into a nspawn container</title>
+
+ <para>
+  For installing a NixOS into a systemd nspawn container the NixOS installation tools are needed.
+  If you run another distribution than NixOS on your host,
+  please follow <xref linkend="sec-installing-from-other-distro"/> steps 1, 2, and 3.
+ </para>
+
+ <para>
+  Create a NixOS configuration file <filename>/var/lib/machines/my-container/etc/nixos/configuration.nix</filename>.
+  It is important that the container root file system is under <filename>/var/lib/machines</filename>.
+  This is the standard location where <command>machinectl</command> will look for containers.
+  If you choose place the root into another location you need to start the container directly with <command>systemd-nspawn</command>.
+  The file needs to have at least following options enabled:
+<programlisting>
+<xref linkend="opt-boot.isContainer"/> = true;
+<xref linkend="opt-boot.loader.initScript.enable"/> = true;
+</programlisting>
+  If your host uses <command>systemd-networkd</command> to configure the network,
+  you can also enable <xref linkend="opt-networking.useNetworkd"/> to use networkd default network configuration for your host and container.
+ </para>
+
+ <para>
+  Install the container by running following command:
+   <screen>nixos-install --root /var/lib/machines/my-container \
+     --no-channel-copy --no-root-passwd --no-bootloader</screen>
+ </para>
+
+ <para>
+  Start the container by running following command:
+  <screen>machinectl start my-container</screen>
+ </para>
+
+</section>

nixos/doc/manual/installation/installing.xml

@@ -563,5 +563,8 @@ Retype new UNIX password: ***</screen>
   <xi:include href="installing-from-other-distro.xml" />
 
   <xi:include href="installing-behind-a-proxy.xml" />
+
+  <xi:include href="installing-nspawn-container.xml" />
+
  </section>
 </chapter>

nixos/modules/installer/tools/nixos-install.sh

@@ -132,8 +132,9 @@ if [[ -z $noBootLoader ]]; then
     echo "installing the boot loader..."
     # Grub needs an mtab.
     ln -sfn /proc/mounts $mountPoint/etc/mtab
-    NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
+    export NIXOS_INSTALL_BOOTLOADER=1
 fi
+nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot
 
 # Ask the user to set a root password, but only if the passwd command
 # exists (i.e. when mutable user accounts are enabled).

nixos/modules/system/activation/activation-script.nix

@@ -184,7 +184,14 @@ in
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
         chown root:root /var/empty
+
+        ${ # reasons for not setting immutable flag:
+           # 1. flag is not changeable inside a container
+           # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+           #    then the owner is nobody and ssh will not start
+          optionalString (!config.boot.isContainer) ''
         ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+          ''}
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null

nixos/modules/virtualisation/container-config.nix

@@ -10,7 +10,7 @@ with lib;
     services.udisks2.enable = mkDefault false;
     powerManagement.enable = mkDefault false;
 
-    networking.useHostResolvConf = mkDefault true;
+    networking.useHostResolvConf = mkDefault (!config.services.resolved.enable);
 
     # Containers should be light-weight, so start sshd on demand.
     services.openssh.startWhenNeeded = mkDefault true;

nixos/tests/all-tests.nix

@@ -262,6 +262,7 @@ in
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
+  systemd-machinectl = handleTest ./systemd-machinectl.nix {};
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
   systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};

nixos/tests/systemd-machinectl.nix

@@ -0,0 +1,52 @@
+import ./make-test.nix (let
+
+  container = { ... }: {
+    boot.isContainer = true;
+
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # systemd-nspawn expects /sbin/init
+    boot.loader.initScript.enable = true;
+
+    imports = [ ../modules/profiles/minimal.nix ];
+  };
+
+  containerSystem = (import ../lib/eval-config.nix {
+    modules = [ container ];
+  }).config.system.build.toplevel;
+
+  containerName = "container";
+  containerRoot = "/var/lib/machines/${containerName}";
+
+in {
+  name = "systemd-machinectl";
+
+  machine = { lib, ... }: {
+    # use networkd to obtain systemd network setup
+    networking.useNetworkd = true;
+
+    # open DHCP server on interface to container
+    networking.firewall.trustedInterfaces = [ "ve-+" ];
+
+    # do not try to access cache.nixos.org
+    nix.binaryCaches = lib.mkForce [];
+
+    virtualisation.pathsInNixDB = [ containerSystem ];
+  };
+
+  testScript = ''
+    startAll;
+
+    $machine->waitForUnit("default.target");
+    $machine->succeed("mkdir -p ${containerRoot}");
+    $machine->succeed("nixos-install --root ${containerRoot} --system ${containerSystem} --no-channel-copy --no-root-passwd --no-bootloader");
+
+    $machine->succeed("machinectl start ${containerName}");
+    $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
+    $machine->succeed("ping -n -c 1 ${containerName}");
+    $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
+    $machine->succeed("machinectl stop ${containerName}");
+  '';
+})