nixpkgs/nixos/modules/services
Eelco Dolstra 9ee30cd9b5 Add support for lightweight NixOS containers
You can now say:

  systemd.containers.foo.config =
    { services.openssh.enable = true;
      services.openssh.ports = [ 2022 ];
      users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
    };

which defines a NixOS instance with the given configuration running
inside a lightweight container.

You can also manage the configuration of the container independently
from the host:

  systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo";

where "path" is a NixOS system profile.  It can be created/updated by
doing:

  $ nix-env --set -p /nix/var/nix/profiles/containers/foo \
      -f '<nixos>' -A system -I nixos-config=foo.nix

The container configuration (foo.nix) should define

  boot.isContainer = true;

to optimise away the building of a kernel and initrd.  This is done
automatically when using the "config" route.

On the host, a lightweight container appears as the service
"container-<name>.service".  The container is like a regular NixOS
(virtual) machine, except that it doesn't have its own kernel.  It has
its own root file system (by default /var/lib/containers/<name>), but
shares the Nix store of the host (as a read-only bind mount).  It also
has access to the network devices of the host.

Currently, if the configuration of the container changes, running
"nixos-rebuild switch" on the host will cause the container to be
rebooted.  In the future we may want to send some message to the
container so that it can activate the new container configuration
without rebooting.

Containers are not perfectly isolated yet.  In particular, the host's
/sys/fs/cgroup is mounted (writable!) in the guest.
2013-11-27 17:14:10 +01:00
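Putting the two routes from the commit message together, as an added example written in the option names this commit introduces (it is not a file from nixpkgs): a host configuration.nix that defines one container inline via "config" and a second one via "path". The container names, the profile path for the second container and the key placeholder are assumptions.

```nix
# Host /etc/nixos/configuration.nix (added example; the option names follow the
# commit message above, but this file is not part of nixpkgs).
{ config, pkgs, ... }:

{
  # Route 1: the container's NixOS configuration lives in the host config.
  # boot.isContainer is set automatically on this route, so no kernel or
  # initrd is built for the guest.
  systemd.containers.foo.config = {
    services.openssh.enable = true;
    # The container has access to the host's network devices, so this sshd
    # listens on the host's interfaces; 2022 avoids clashing with a host
    # sshd on 22.
    services.openssh.ports = [ 2022 ];
    # Root login into the guest with the listed key.  "ssh-dss ..." is a
    # placeholder copied from the commit message, not a key; replace it with
    # a real public key.
    users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
  };

  # Route 2: the container's configuration is managed independently of the
  # host as a NixOS system profile (container name and path are assumptions).
  # Create or update the profile on the host with
  #   nix-env --set -p /nix/var/nix/profiles/containers/bar \
  #       -f '<nixos>' -A system -I nixos-config=bar.nix
  # where bar.nix must itself set `boot.isContainer = true;`, since nothing
  # sets it automatically on this route.
  systemd.containers.bar.path = "/nix/var/nix/profiles/containers/bar";
}
```

After "nixos-rebuild switch" on the host each container shows up as container-<name>.service, so "systemctl status container-foo.service" tells you whether it came up, and a change to either container's configuration reboots that container on the next switch. Both guests get the host's Nix store as a read-only bind mount but, as the commit message notes, the host's /sys/fs/cgroup writable, so root inside a guest can modify the host's cgroup hierarchy; treat the isolation as incomplete.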
Directory            Last commit                                                          Date
amqp
audio                Disable various services when running inside a container             2013-11-26 18:19:45 +01:00
backup
databases            postgresql: Fix the port option                                      2013-11-27 17:09:17 +01:00
games                Strictly check the arguments to mkOption                             2013-10-30 15:35:09 +01:00
hardware             Add support for lightweight NixOS containers                         2013-11-27 17:14:10 +01:00
logging              Disable various services when running inside a container             2013-11-26 18:19:45 +01:00
mail                 Substitute "types.uniq types.string" -> "types.str"                  2013-10-30 14:57:42 +01:00
misc                 When setting $NIX_REMOTE, check whether /nix/var/nix/db is writable  2013-11-27 17:09:17 +01:00
monitoring           Make dd-agent services restart when killed.                          2013-11-22 15:23:45 +01:00
network-filesystems  nixos: capitalize a bunch of service descriptions                    2013-11-09 20:45:50 +01:00
networking           Disable various services when running inside a container             2013-11-26 18:19:45 +01:00
printing             Add lots of missing option types                                     2013-10-30 18:47:43 +01:00
scheduling           fcron: Fix error when cron.mailto is null.                           2013-11-04 11:07:11 +00:00
search               Removed unnecessary mkIf                                             2013-11-05 08:52:23 +01:00
security             Use the "assertions" option instead of mkAssert                      2013-10-30 18:47:44 +01:00
system               Add lots of missing option types                                     2013-10-30 18:47:43 +01:00
torrent              Add some primops to lib                                              2013-11-12 13:48:30 +01:00
ttys                 Add lots of missing option types                                     2013-10-30 18:47:43 +01:00
web-servers          httpd.nix: Support non-root operation                                2013-11-18 18:04:17 +01:00
x11                  xfce: enable tumbler the thumbnail manager (close #1206)             2013-11-16 16:58:08 +01:00