| Age | Commit message (Collapse) | Author |
|---|
|
This makes ~2.5x speed up of an empty container instantiate, hence reduces
rebuild time of system with many declarative containers.
Note that this doesn't affect production systems much, becaseu those most
likely already include `minimal.nix` profile.
|
|
This reverts commit 66967ec7521d065f605795d64ddbbbd4fcd448c3, reversing
changes made to fb6595eafdb90ef0bc7a31c2bfc9204e4cad11d9.
Fixes #70442; discussion: https://github.com/NixOS/nixpkgs/pull/70027
|
|
nixos/nix-optimise: be smarter about when we run the store optimiser
|
|
Avoid assertion in nixos/modules/system/boot/resolved.nix
if service systemd-resolved is enabled.
|
|
We might be inside a NixOS container on a non-NixOS host, so instead of not
running at all inside a container, check if the nix-daemon socket is writable as
it will tell us if the store is managed from here or outside.
Fixes #63578
|
|
The option is `false` by default since
e349ccc77febd45abbd14be14f7de123ec4a4da2, so we don’t need to mention
it explicitely in these minimal configs.
|
|
Also clear up the misleading comment: This env var isn't
root-specific, it's needed for all users.
|
|
When logging into a container by using
nixos-container root-login
all nix-related commands in the container would fail, as they
tried to modify the nix db and nix store, which are mounted
read-only in the container. We want nixos-container to not
try to modify the nix store at all, but instead delegate
any build commands to the nix daemon of the host operating system.
This already works for non-root users inside a nixos-container,
as it doesn't 'own' the nix-store, and thus defaults
to talking to the daemon socket at /nix/var/nix/daemon-socket/,
which is bind-mounted to the host daemon-socket, causing all nix
commands to be delegated to the host.
However, when we are the root user inside the container, we have the
same uid as the nix store owner, eventhough it's not actually
the same root user (due to user namespaces). Nix gets confused,
and is convinced it's running in single-user mode, and tries
to modify the nix store directly instead.
By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix
to operate in multi-user mode, so that it will talk to the host
daemon instead, which will modify the nix store for the container.
This fixes #40355
|
|
|
|
This barfs:
Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled
|
|
(cherry picked from commit c52a98380673093037a3116025d0aa92cd46a214)
|
|
|
|
Also remove ‘nixos-container set-root-password’, which is kind of
pointless now.
|
|
|
|
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeable
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
|
|
The ability for unprivileged users to mount external media is useful
regardless of the desktop environment. Also, since udisks2 is
activated on-demand, it doesn't add any overhead if you're not using it.
|
|
|
|
|
|
This used to work with systemd-nspawn 203, because it bind-mounted
/etc/resolv.conf (so openresolv couldn't overwrite it). Now it's just
copied, so we need some special handling.
|
|
|
|
|
|
|
|
And remove ‘root-shell’.
|
|
So now "systemctl start container@foo" will only return after the
container has reached multi-user.target.
|
