Commit Graph

40607 Commits

Author SHA1 Message Date
Eelco Dolstra
ba88db3cd3 Add support for imperative container management
The command nixos-container can now create containers.  For instance,
the following creates and starts a container named ‘database’:

  $ nixos-container create database

The configuration of the container is stored in
/var/lib/containers/<name>/etc/nixos/configuration.nix.  After editing
the configuration, you can make the changes take effect by doing

  $ nixos-container update database

The container can also be destroyed:

  $ nixos-container destroy database

Containers are now executed using a template unit,
‘container@.service’, so the unit in this example would be
‘container@database.service’.
2014-03-24 12:19:27 +01:00
Eelco Dolstra
0cca0f477f nixos-container-shell -> nixos-container { login | root-shell } 2014-03-24 12:19:27 +01:00
Eelco Dolstra
2ace7edb81 Rename systemd.containers -> containers
That NixOS containers use systemd-nspawn is just an implementation
detail (which we could change in the future).
2014-03-24 12:19:27 +01:00
Eelco Dolstra
7ee31c7f94 Fix permissions 2014-03-18 18:04:38 +01:00
Eelco Dolstra
5b10ea1f99 Don't run dhcpcd in containers 2014-03-18 11:39:51 +01:00
Eelco Dolstra
11c4c4ae54 Add command ‘nixos-container-shell’ for logging into a container 2014-03-18 11:36:03 +01:00
Eelco Dolstra
7b82d1ee27 Ensure that the container root can always be accessed via /var/lib/containers 2014-03-18 11:04:54 +01:00
Eelco Dolstra
895bcdd1cb Add support for running a container with a private network interface
For example, the following sets up a container named ‘foo’.  The
container will have a single network interface eth0, with IP address
10.231.136.2.  The host will have an interface c-foo with IP address
10.231.136.1.

  systemd.containers.foo =
    { privateNetwork = true;
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
      config =
        { services.openssh.enable = true; };
    };

With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules.  This is secure because it cannot touch the
interfaces of the host.

The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).
2014-03-18 10:49:25 +01:00
Eelco Dolstra
ac215779dd Give containers a writable /nix/var/nix/{profiles,gcroots}
These are stored on the host in
/nix/var/nix/{profiles,gcroots}/per-container/<container-name> to
ensure that container profiles/roots are not garbage-collected.
2014-03-17 15:23:20 +01:00
Eelco Dolstra
ef8e0266a2 Don't reboot a container when its configuration changes
Instead, just run "switch-to-configuration" inside the container.
2014-03-17 15:03:29 +01:00
Eelco Dolstra
511b86d22d Add an option to reload rather than restart changed units 2014-03-17 15:02:53 +01:00
Eelco Dolstra
28b7d67d08 httpd: Don't require keys.target
This has the unintended side-effect of restarting httpd every time we
run switch-to-configuration, even if httpd hasn't changed (because
we're doing a "stop keys.target" now).  So use a "Wants" dependency
instead.
2014-03-17 15:01:10 +01:00
Eelco Dolstra
f9e2af1e8b switch-to-configuration: Don't require /etc/NIXOS
Check /etc/os-release if /etc/NIXOS doesn't exist.
2014-03-17 14:16:10 +01:00
Eelco Dolstra
f13bd41384 switch-to-configuration: Restart sockets.target 2014-03-17 14:10:48 +01:00
Eelco Dolstra
0d506aa712 Provide a simple way to log into containers
On the host, you can run

  $ socat unix:<path-to-container>/var/lib/login.socket -,echo=0,raw

to get a login prompt.  So this allows logging in even if the
container has no SSH access enabled.

You can also do

  $ socat unix:<path-to-container>/var/lib/root-shell.socket -

to get a plain root shell.  (This socket is only accessible by root,
obviously.)  This makes it easy to execute commands in the container,
e.g.

  $ echo reboot | socat unix:<path-to-container>/var/lib/root-shell.socket -
2014-03-17 14:10:47 +01:00
Eelco Dolstra
1b6c01721d Revert "nixos-manual: show manual on tty8 by default"
This reverts commit b792394119.
Starting the manual on tty8 was intended as a convenience during
installation, not as a general purpose thing.  In fact, given that w3m
runs as root, this is highly insecure!
2014-03-17 12:45:57 +01:00
Eelco Dolstra
14af15dbff Explicitly require Nix 1.6
People using Nix < 1.6 previously got an unhelpful "infinite
recursion" error.
2014-03-17 11:33:36 +01:00
Eelco Dolstra
c0f3f6e396 linux: Update to 3.4.83 2014-03-17 11:25:48 +01:00
Eelco Dolstra
ea1cd70128 geoip: Convert to mkDerivation
Also, drop unused zlib dependency and add some meta attributes.
2014-03-17 11:23:59 +01:00
Mathijs Kwik
779a959982 add haskell-lzma-enumerator 2014-03-17 07:30:26 +01:00
Domen Kozar
11874b9e3b add Planetary Annihilation: next-generation RTS that takes the genre to a planetary scale 2014-03-16 23:31:08 +01:00
mornfall
fe995cdedc Merge pull request #1775 from thoughtpolice/duo_unix
Duo Security module and uid/gid support for /etc files
2014-03-16 23:06:01 +01:00
mornfall
ec353692ad Merge pull request #1849 from thoughtpolice/criu
criu: version 1.2
2014-03-16 22:58:54 +01:00
mornfall
2891925265 Merge pull request #1973 from thoughtpolice/nmap
nmap: add myself to maintainers, add homepage/description
2014-03-16 22:55:34 +01:00
Austin Seipp
4c04474c27 nmap: add myself to maintainers, add homepage/description
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 16:53:08 -05:00
Vladimír Čunát
9363303922 pfstools: update from 1.8.3 to 1.8.5 2014-03-16 17:46:39 +01:00
Vladimír Čunát
3caa572a8e xfce4-task-manager: minor update 1.0.0 -> .1 2014-03-16 17:46:16 +01:00
Vladimír Čunát
607678341d xfce.tumbler: minor update 0.1.29 -> .30 2014-03-16 17:46:16 +01:00
Vladimír Čunát
ab05fa29eb xfce.gigolo: minor update 0.4.1 -> .2
It no longer uses Waf.
2014-03-16 17:46:15 +01:00
Vladimír Čunát
76822ea4d5 libav: minor updates of both branches 2014-03-16 17:45:48 +01:00
Vladimír Čunát
8de867c958 qt_gstreamer: update from 0.10.2 to 0.10.3 2014-03-16 17:45:07 +01:00
Vladimír Čunát
d4da7e5e4f man-pages-posix: update 2003a -> 2013-a 2014-03-16 17:39:50 +01:00
Domen Kožar
08eaf76667 Merge pull request #1971 from matejc/deluge_curses
deluge: add curses module for deluge-console
2014-03-16 16:15:48 +01:00
Matej Cotman
af16343504 deluge: add curses module for deluge-console 2014-03-16 16:01:42 +01:00
Ricardo M. Correia
a16e1e2133 chromium: Update stable and beta channels
stable: 33.0.1750.149 -> 33.0.1750.152
beta:   34.0.1847.45  -> 34.0.1847.60
2014-03-16 13:26:01 +01:00
Austin Seipp
47b35d5e80 criu: version 1.2
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:16:34 -05:00
Austin Seipp
29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00
Cillian de Róiste
b57ee8c331 nixpkgs-lint: add the platforms meta attr for most of my packages 2014-03-16 12:08:26 +01:00
Domen Kozar
37c42c16a4 networkmanagerapplet: fix crash while connecting to protected wifis 2014-03-16 11:49:13 +01:00
Cillian de Róiste
1661501465 ardour: make ardour3 the default and remove ardour 2, it doesn't build 2014-03-16 11:32:56 +01:00
Bjørn Forsman
2ce7902059 gpsd: fix build in chroot
Fixes this when building with nix.useChroot = true in configuration.nix:

  sh: ./test_maidenhead.py: /usr/bin/env: bad interpreter: No such file or directory
  scons: *** [maidenhead-locator-regress] Error 126
  scons: building terminated because of errors.
2014-03-16 00:05:58 +01:00
Vladimír Čunát
7ca8bd6d4f Merge pull request #1965 from ambrop72/ktorrent-4.3.1
KTorrent: update to 4.3.1.
2014-03-15 23:13:50 +01:00
ambrop7@gmail.com
24f4957d50 KTorrent: Fix URLs. 2014-03-15 21:31:58 +01:00
Shea Levy
3c8f5c2471 Merge branch 'fasd' of https://github.com/ellis/nixpkgs
Create package for 'fasd'
2014-03-15 15:52:41 -04:00
Ellis Whitehead
44b6766f5d Create package for 'fasd' 2014-03-15 20:33:10 +01:00
ambrop7@gmail.com
732760bb50 Update KTorrent to 4.3.1. 2014-03-15 20:22:03 +01:00
Shea Levy
6cc0cc7ff6 Merge branch 'postgresql-user' of git://github.com/ocharles/nixpkgs
postgresql module: Use the default superuser username
2014-03-15 13:29:52 -04:00
Shea Levy
3c4be425db Merge branch 'master.rpm' of git://github.com/wkennington/nixpkgs
rpm: Upgrade from 4.7.2 -> 4.11.2
2014-03-15 13:25:43 -04:00
Shea Levy
dddb4f45e9 Merge branch 'pr-wqy' of git://github.com/PkmX/nixpkgs
Bump wqy-zenhei font to the latest version and add wqy-microhei
2014-03-15 13:22:31 -04:00
Shea Levy
80ed0ff85f Merge branch 'ocaml-oasis' of git://github.com/maggesi/nixpkgs
Ocaml oasis
2014-03-15 13:14:14 -04:00