c957341ef5
I have a nixops network where I deploy containers using the `container` backend which uses `nixos-container` intenrally to deploy several containers to a certain host. During that time I removed and added new containers and while trying to deploy those to a different host I realized that it isn't guaranteed that each container gets the same IP address which is a problem as some parts of the deployment need to know which container is using which IP (i.e. to configure port forwarding on the host). With this change you can specify the container's IP like this (and don't have to use the arbitrarily used 10.233.0.0/16 subnet): ``` $ nixos-container create test --config-file test-container.nix \ --local-address 10.235.1.2 --host-address 10.235.1.1 ```
123 lines
4.5 KiB
XML
123 lines
4.5 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-imperative-containers">
|
||
<title>Imperative Container Management</title>
|
||
|
||
<para>
|
||
We’ll cover imperative container management using
|
||
<command>nixos-container</command> first. Be aware that container management
|
||
is currently only possible as <literal>root</literal>.
|
||
</para>
|
||
|
||
<para>
|
||
You create a container with identifier <literal>foo</literal> as follows:
|
||
<screen>
|
||
# nixos-container create foo
|
||
</screen>
|
||
This creates the container’s root directory in
|
||
<filename>/var/lib/containers/foo</filename> and a small configuration file
|
||
in <filename>/etc/containers/foo.conf</filename>. It also builds the
|
||
container’s initial system configuration and stores it in
|
||
<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You can
|
||
modify the initial configuration of the container on the command line. For
|
||
instance, to create a container that has <command>sshd</command> running,
|
||
with the given public key for <literal>root</literal>:
|
||
<screen>
|
||
# nixos-container create foo --config '
|
||
<xref linkend="opt-services.openssh.enable"/> = true;
|
||
<link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">users.users.root.openssh.authorizedKeys.keys</link> = ["ssh-dss AAAAB3N…"];
|
||
'
|
||
</screen>
|
||
By default the next free address in the <literal>10.233.0.0/16</literal> subnet will be chosen
|
||
as container IP. This behavior can be altered by setting <literal>--host-address</literal> and
|
||
<literal>--local-address</literal>:
|
||
<screen>
|
||
# nixos-container create test --config-file test-container.nix \
|
||
--local-address 10.235.1.2 --host-address 10.235.1.1
|
||
</screen>
|
||
</para>
|
||
|
||
<para>
|
||
Creating a container does not start it. To start the container, run:
|
||
<screen>
|
||
# nixos-container start foo
|
||
</screen>
|
||
This command will return as soon as the container has booted and has reached
|
||
<literal>multi-user.target</literal>. On the host, the container runs within
|
||
a systemd unit called
|
||
<literal>container@<replaceable>container-name</replaceable>.service</literal>.
|
||
Thus, if something went wrong, you can get status info using
|
||
<command>systemctl</command>:
|
||
<screen>
|
||
# systemctl status container@foo
|
||
</screen>
|
||
</para>
|
||
|
||
<para>
|
||
If the container has started successfully, you can log in as root using the
|
||
<command>root-login</command> operation:
|
||
<screen>
|
||
# nixos-container root-login foo
|
||
[root@foo:~]#
|
||
</screen>
|
||
Note that only root on the host can do this (since there is no
|
||
authentication). You can also get a regular login prompt using the
|
||
<command>login</command> operation, which is available to all users on the
|
||
host:
|
||
<screen>
|
||
# nixos-container login foo
|
||
foo login: alice
|
||
Password: ***
|
||
</screen>
|
||
With <command>nixos-container run</command>, you can execute arbitrary
|
||
commands in the container:
|
||
<screen>
|
||
# nixos-container run foo -- uname -a
|
||
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
|
||
</screen>
|
||
</para>
|
||
|
||
<para>
|
||
There are several ways to change the configuration of the container. First,
|
||
on the host, you can edit
|
||
<literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
|
||
and run
|
||
<screen>
|
||
# nixos-container update foo
|
||
</screen>
|
||
This will build and activate the new configuration. You can also specify a
|
||
new configuration on the command line:
|
||
<screen>
|
||
# nixos-container update foo --config '
|
||
<xref linkend="opt-services.httpd.enable"/> = true;
|
||
<xref linkend="opt-services.httpd.adminAddr"/> = "foo@example.org";
|
||
<xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 ];
|
||
'
|
||
|
||
# curl http://$(nixos-container show-ip foo)/
|
||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
|
||
</screen>
|
||
However, note that this will overwrite the container’s
|
||
<filename>/etc/nixos/configuration.nix</filename>.
|
||
</para>
|
||
|
||
<para>
|
||
Alternatively, you can change the configuration from within the container
|
||
itself by running <command>nixos-rebuild switch</command> inside the
|
||
container. Note that the container by default does not have a copy of the
|
||
NixOS channel, so you should run <command>nix-channel --update</command>
|
||
first.
|
||
</para>
|
||
|
||
<para>
|
||
Containers can be stopped and started using <literal>nixos-container
|
||
stop</literal> and <literal>nixos-container start</literal>, respectively, or
|
||
by using <command>systemctl</command> on the container’s service unit. To
|
||
destroy a container, including its file system, do
|
||
<screen>
|
||
# nixos-container destroy foo
|
||
</screen>
|
||
</para>
|
||
</section>
|