NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Docker support #1088

Closed zefhemel closed 10 years ago

zefhemel commented 11 years ago

NixOS should have docker support. Because NixOS is cool and so is Docker. Docker requires a 3.8+ kernel and as of 0.7 no longer requires AuFS.

To be clear: this issue is about supporting running and building Docker containers with NixOS as a host, not about running NixOS inside of a Docker container.

chexxor commented 11 years ago

I'm just getting started with Nix, so my knowledge is limited, but I'm also interested in a Nix and Docker combo.

Regarding the Linux 3.8 kernel: per shlevy's comment in this discussion, a NixOS ISO with the "newest" Linux kernel is available on Hydra (http://hydra.nixos.org/jobset/nixos/trunk#tabs-jobs).

First question: We can't use that ISO? Install that NixOS, then install Docker on it. This way, each Docker container uses a sandboxed NixOS.

I am on 32-bit Xubuntu 13.10 currently, so I can't install Docker. Docker requires a 64-bit OS, and Ubuntu 13.10 isn't officially supported yet (not sure if the latter is important).

Second question: How is using NixOS different from using the Nix Docker image (https://index.docker.io/u/zefhemel/nix/)? It uses Bash and Nix, but it should still be a pure build environment. Programs in a Docker container can't reference files outside the container, right?

zefhemel commented 11 years ago

Upgrading the kernel is not an issue, you can configure that in your configuration.nix, the tricky part would be AuFS support, although that may no longer be required in future Docker versions (and be replaced by some copy-on-write LVM thing -- does that make any sense?), and perhaps LXC, although I think that's already in nixpkgs.

As for what I mean with support, I mean I'd like a Docker module to start the Docker daemon (services.docker.enable = true;) and a package to install the docker command line tool. In addition it would be nice to declaratively specify which docker applications to run, but that can be added later. Installing Nix inside of a docker container is a whole different issue and already possible (as I demonstrate in the Docker image you're pointing to).

offlinehacker commented 11 years ago

I think the current priority is getting NixOS running in Linux containers. Libvirt can already nicely and securely (using a 12.4 kernel and user_ns) run Linux containers. I just don't see why I would use Docker. I would rather see better support for OpenStack, which already uses libvirt.

rickynils commented 11 years ago

I second @offlinehacker. If we can run Nixos conveniently in LXC with libvirt, and share the nix store from the host, we basically have docker functionality, but in a more flexible way than docker, since we can use configuration.nix to setup the guest.

offlinehacker commented 11 years ago

It would be interesting to run only small lightweight NixOS containers where only the needed closure would be copied and systemd would be used for process management. I will try to strip down the NixOS build and make it run in LXC once I have time. This could be integrated with Docker and the magic.

It would still be nice to get Docker running on NixOS, but for me, what I said above is the priority.

zefhemel commented 11 years ago

Regarding provisioning Docker images with Nix: http://zef.me/6049/nix-docker

Now the embarrassing thing left is that you can't actually run these containers on NixOS which is what this issue is about :)

offlinehacker commented 11 years ago

I like your article, but not so much the idea with supervisor.

Systemd runs just fine in Linux containers. When I have time (right after I write the new Python generator with @garbas) I will make a virtualization script that builds a Linux container, which will eventually run on Docker.

alexanderkjeldaas commented 11 years ago

What is this bug about? Is it about running NixOS inside a docker container or using NixOS as a host for docker containers? (I'm mostly interested in the latter)

chexxor commented 11 years ago

You are correct, this issue is ambiguous.

The creator of this issue created one answer, which uses only Nix package management. Instead of using Puppet or some other configuration management tool to provision the contents of a Docker container, he uses Nix to provision its contents.

Here's a blog post which introduces his product. http://zef.me/6049/nix-docker

zefhemel commented 11 years ago

The creator of this issue just updated the original description to be less ambiguous.

zefhemel commented 10 years ago

Seems to be implemented: https://github.com/NixOS/nixpkgs/pull/1581

CMCDragonkai commented 10 years ago

@zefhemel Can NixOS be used as the base OS for Docker containers? I see that you created this: https://index.docker.io/u/zefhemel/base-nix/ Are there any advantages/disadvantages? Would love a blog post about using NixOS as a base image in Docker!

chexxor commented 10 years ago

@CMCDragonkai I haven't heard of a successful containerized NixOS instance yet.

I've spent some time working on it a month or two ago, and I got pretty close. I had a TTY in the Docker container, but no commands worked. I think the activation scripts didn't run. I got busy with other stuff, so I haven't tried since.

I was trying to build a fresh image using a similar process used to build the Live CD. Eelco suggested another method: try creating a container using the nixos-container command, then convert that into a Docker image. I tried that, but I couldn't get that command to spawn a working NixOS container, so I gave that one up also.

offlinehacker commented 10 years ago

I'm running NixOS in LXC and in libvirt-lxc, and I will make a Docker image when I have time ;) It's basically LXC with more constraints, nothing special.

wmertens commented 10 years ago

@offlinehacker, if you don't have time, can you share what you have? I'm mostly curious about how to make systemd work, the rest should already be covered by nix-docker...

offlinehacker commented 10 years ago

Can you set which privileges Docker drops when running LXC?

offlinehacker commented 10 years ago

@wmertens look into https://github.com/kiberpipa/nix-rehash/blob/master/container.nix for a reference LXC configuration that works flawlessly with NixOS :)

offlinehacker commented 10 years ago

@wmertens NixOS should run if you do sudo docker run --privileged nixos, but without it, in the current configuration, I doubt it. Also, Docker is too constrained in my opinion anyway and not a solution for real virtualization.

CMCDragonkai commented 10 years ago

@offlinehacker Can you share your opinions on why Docker is not a solution for real virtualization? What are your suggested alternatives?

offlinehacker commented 10 years ago

@CMCDragonkai Docker is used primarily for process virtualization. So you have a bunch of processes and you start them with something like supervisord, or init scripts. While you can theoretically run NixOS inside Docker (because it's using LXC) in privileged mode, it was never designed for such tasks. If you want to distribute your development environment I would advise you to use something like Vagrant; it even has a plugin for LXC and also a NixOS plugin, or https://github.com/kiberpipa/nix-rehash. For deployment use NixOps, or something like https://github.com/kiberpipa/nix-rehash/blob/master/container.nix, which would give you auto-updatable, installable Linux containers (something like Heroku). I would also like someone to explain the Docker philosophy to me, because it seems to me it's hacking stuff that was already hacked (init scripts). On the other hand NixOS is somehow too constrained for me, because everything is deterministic; what I would really need is just some scriptable distributed process manager that would use nixpkgs as the package base. Well, I might write it, thanks for implanting that idea in me (you know, the movie Inception :P)

CMCDragonkai commented 10 years ago

I thought that was disnix.

offlinehacker commented 10 years ago

Well yes, it is Disnix, except that Disnix does not solve all the problems and it's not really useful for me.

CMCDragonkai commented 10 years ago

Well let me know when you decide to start such a project. I'd like to help.

offlinehacker commented 10 years ago

That would be great :) I will first write articles about the problems with current platforms for deployment and development, proposing an alternative. Btw, have you seen Ubuntu Juju? I really like the concept, which seems more mature than Docker. I would like to do something similar, but cross-platform (Linux/OS X/BSD/Windows) on the level of processes/services and not on the level of the operating system.

CMCDragonkai commented 10 years ago

Well, if the current solutions aren't fundamentally different from what you're envisioning, perhaps we can work with or from existing solutions like Disnix. But you'll have to write down what the limitations are first before we can think of different solutions.

alexanderkjeldaas commented 10 years ago

Jumping in with a feature request: What is needed is automatic derivation of AppArmor/SELinux configurations based on container contents.

Make the AppArmor/SELinux configuration for a service into a monoid, so that for a container with multiple services the required security combination can be calculated.
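The monoid idea in the comment above, modelled as an added example (Python; not code from nixpkgs or from any participant in this thread): each service declares its least-privilege needs, profiles combine by set union with the empty profile as identity, and the container's profile is the fold over its services. The sample service profiles and the AppArmor-style rendering are assumptions constructed here; the rendering simplifies real AppArmor syntax.

```python
"""Per-service security profiles as a monoid, folded into a container profile.

Added example, not nixpkgs code. The service profiles below are constructed
samples, and render_apparmor() uses simplified, AppArmor-like syntax only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Least-privilege requirements of one service (or of a whole container)."""
    capabilities: frozenset[str] = frozenset()
    read_paths: frozenset[str] = frozenset()
    write_paths: frozenset[str] = frozenset()
    network: frozenset[str] = frozenset()   # e.g. {"inet stream"}

    def __add__(self, other: Profile) -> Profile:
        # Union on every component: associative, commutative, EMPTY is the identity.
        return Profile(
            self.capabilities | other.capabilities,
            self.read_paths | other.read_paths,
            self.write_paths | other.write_paths,
            self.network | other.network,
        )


EMPTY = Profile()  # identity element of the monoid


def container_profile(services: list[Profile]) -> Profile:
    """Fold the per-service profiles into the profile of the whole container."""
    return sum(services, EMPTY)


def render_apparmor(name: str, p: Profile) -> str:
    """Render an approximate AppArmor-style profile (syntax simplified)."""
    lines = [f"profile {name} flags=(attach_disconnected) {{"]
    lines += [f"  capability {c}," for c in sorted(p.capabilities)]
    lines += [f"  network {n}," for n in sorted(p.network)]
    # A path needed for both read and write is emitted once, with mode rw.
    for path in sorted(p.read_paths | p.write_paths):
        mode = ("r" if path in p.read_paths else "") + ("w" if path in p.write_paths else "")
        lines.append(f"  {path} {mode},")
    lines.append("}")
    return "\n".join(lines)


def grants_beyond(container: Profile, services: list[Profile]) -> set[str]:
    """Audit check: capabilities in the container profile that no service asked for."""
    needed = set().union(*(s.capabilities for s in services))
    return set(container.capabilities) - needed


# Constructed sample services (illustrative, not real nixpkgs service definitions).
WEB = Profile(
    capabilities=frozenset({"net_bind_service"}),
    read_paths=frozenset({"/nix/store/**", "/etc/ssl/certs/**"}),
    write_paths=frozenset({"/var/log/web/**"}),
    network=frozenset({"inet stream"}),
)
DB = Profile(
    capabilities=frozenset({"chown", "setuid", "setgid"}),
    read_paths=frozenset({"/nix/store/**"}),
    write_paths=frozenset({"/var/lib/db/**", "/var/log/db/**"}),
    network=frozenset({"unix stream"}),
)

if __name__ == "__main__":
    combined = container_profile([WEB, DB])
    assert combined == WEB + DB == DB + WEB            # commutative
    assert (WEB + DB) + EMPTY == WEB + (DB + EMPTY)    # associative, identity
    print(render_apparmor("nixos_container", combined))
    print("excess capabilities:", grants_beyond(combined, [WEB, DB]))
```

The audit function is the practical payoff: if a hand-edited container profile grants a capability that none of its services declared, the difference shows up as a reviewable set rather than as a silently over-privileged container.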

CMCDragonkai commented 10 years ago

Feature requests already and we haven't got a repo lol!

domenkozar commented 10 years ago

I guess we need another issue "NixOS running on Docker"?

offlinehacker commented 10 years ago

@iElectric by my observations Docker was never meant for running a whole OS. Its security configuration drops a lot; forget even starting something like Upstart, and forget about systemd. Docker's proposed solution is starting specific init scripts or processes with supervisord. It was made for containerization of processes and not systems. Yes, it has privileged mode, but forget deploying in privileged mode.

domenkozar commented 10 years ago

I don't know much about Docker inner workings, but people are running full containers: http://stackoverflow.com/questions/19332662/start-full-container-in-docker

And there are blog posts about running systemd: http://developerblog.redhat.com/2014/05/05/running-systemd-within-docker-container/

offlinehacker commented 10 years ago

Sure, it runs, as I said, by reference from this article: http://developerblog.redhat.com/2014/05/05/running-systemd-within-docker-container/

"This means for now you have to run systemd within a privileged container since privileged containers do not drop any capabilities." -> you are also insecure ;)

"The Docker Model suggests that it is better to run a single service within a container. If you wanted to build an application that required an Apache service and a MariaDB database, you should generate two different containers."

Ok for development, good luck deploying that.


offlinehacker commented 10 years ago

I think the solution from @zefhemel is still the best (http://zef.me/6049/nix-docker), except that I have to make a pull request for a few patches :)


wmertens commented 10 years ago

The only reason I want to run NixOS in a Docker container is other people.

Docker wraps LXC and provides a semblance of repeatable builds, but NixOS can do the same thing much better. OTOH, everybody knows Docker and feels comfortable running containers.

So given that LXC is everywhere where Docker runs, I would be happy with something that integrates well.

BTW, if I read http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ correctly, the only capability systemd needs is CAP_MKNOD.


CMCDragonkai commented 10 years ago

@wmertens but what about the resource constraints?