389de87aed
Added extra option to enable unprivileged containers. This includes a patch to remove the hard-coded path to `lxc-user-nic` and a new security wrapper to set SUID on `lxc-user-nic`.
# LXC Configuration
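{ config, lib, pkgs, ... }:

let
  cfg = config.virtualisation.lxc;
in

{
  meta = {
    maintainers = lib.teams.lxc.members;
  };

  options.virtualisation.lxc = {
    enable =
      lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          This enables Linux Containers (LXC), which provides tools
          for creating and managing system or application containers
          on Linux.
        '';
      };

    unprivilegedContainers =
      lib.mkOption {
        type = lib.types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable support for unprivileged users to launch containers.

          Enabling this creates the `lxc-user` group, installs the
          `lxc-user-nic` helper from {option}`virtualisation.lxc.package`
          as a setuid-root security wrapper that only root and members of
          `lxc-user` may execute, and starts the `lxc-net` bridge service.
          Users who should be able to launch unprivileged containers must be
          added to the `lxc-user` group; which users may attach network
          interfaces, and how many, is governed by
          {option}`virtualisation.lxc.usernetConfig`. This module does not
          allocate subordinate uid/gid ranges for those users.
        '';
      };

    systemConfig =
      lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = ''
          This is the system-wide LXC config. See
          {manpage}`lxc.system.conf(5)`.
        '';
      };

    package = lib.mkPackageOption pkgs "lxc" { };

    defaultConfig =
      lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = ''
          Default config (default.conf) for new containers, i.e. for
          network config. See {manpage}`lxc.container.conf(5)`.
        '';
      };

    usernetConfig =
      lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = ''
          This is the config file for managing unprivileged user network
          administration access in LXC. See {manpage}`lxc-usernet(5)`.
        '';
      };

    bridgeConfig =
      lib.mkOption {
        type = lib.types.lines;
        default = "";
        description = ''
          This is the config file for overriding the lxc-net bridge default settings.
        '';
      };
  };

  ###### implementation

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    environment.etc."lxc/lxc.conf".text = cfg.systemConfig;
    environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;
    environment.etc."lxc/default.conf".text = cfg.defaultConfig;
    environment.etc."lxc/lxc-net".text = cfg.bridgeConfig;
    environment.pathsToLink = [ "/share/lxc" ];
    systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

    security.apparmor.packages = [ cfg.package ];
    security.apparmor.policies = {
      "bin.lxc-start".profile = ''
        include ${cfg.package}/etc/apparmor.d/usr.bin.lxc-start
      '';
      "lxc-containers".profile = ''
        include ${cfg.package}/etc/apparmor.d/lxc-containers
      '';
    };

    # The `lxc-user` group exists only to gate access to the setuid helper
    # below, so it is created only when unprivileged containers are enabled.
    users.groups = lib.mkIf cfg.unprivilegedContainers { lxc-user = {}; };

    # `lxc-user-nic` needs setuid root to attach container interfaces to the
    # bridge on behalf of unprivileged users.  The wrapper is deliberately not
    # world-executable: only root and members of `lxc-user` may run it, which
    # keeps the setuid surface limited to users explicitly granted container
    # access.  The binary is taken from `cfg.package` rather than `pkgs.lxc`
    # so that an overridden package (e.g. one carrying the patch the commit
    # message mentions) is the one that becomes setuid, not the default build.
    security.wrappers = lib.mkIf cfg.unprivilegedContainers {
      lxcUserNet = {
        source = "${cfg.package}/libexec/lxc/lxc-user-nic";
        setuid = true;
        owner = "root";
        group = "lxc-user";
        program = "lxc-user-nic";
        permissions = "u+rx,g+x,o-rx";
      };
    };

    # The lxc-net unit ships with the LXC package; enable it so unprivileged
    # containers have a bridge to attach to.  Same package as above, so the
    # unit and the helper always come from the same build.
    systemd.packages = lib.mkIf cfg.unprivilegedContainers [ cfg.package ];
    systemd.services = lib.mkIf cfg.unprivilegedContainers {
      lxc-net = {
        enable = true;
        wantedBy = [ "multi-user.target" ];
        path = [ pkgs.iproute2 pkgs.iptables pkgs.getent pkgs.dnsmasq ];
      };
    };
  };
}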