NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Use `systemd-run` for `nixos-container run` again #83432

Open Ma27 opened 4 years ago

Ma27 commented 4 years ago

Describe the bug

In #83392 I had to revert 7cb100b6833e020d4a4b25c3766cfde507e763e6 which used systemd-run for nixos-container run as a first step towards unprivileged containers.

The problem is that when deploying a nixos-container, e.g. using the container backend from nixops, the backend runs nixos-container run -- [...] switch-to-configuration on the container's host, which reloads systemd. This makes the systemd-run call hang because of the reload, so the deployment never finishes and the new configuration is never activated.

See also https://github.com/NixOS/nixpkgs/pull/67332#issuecomment-604145869

cc @worldofpeace @arianvp @uvNikita

arianvp commented 4 years ago

I think systemd-run might be the wrong command here, to be honest! Stupid oversight on my side. systemd-run starts a new transient unit inside the container, which probably gets confused as it gets reloaded (sounds like a systemd bug too to me? not sure). We should be running machinectl shell <container-name> switch-to-configuration; that will probably just work.

arianvp commented 4 years ago

Also from the systemd-run docs on systemd-run --pty:

> Note that machinectl(1)'s shell command is usually a better alternative for requesting a new, interactive login session on the local host or a local container.

Ma27 commented 4 years ago

Thanks for sharing those insights! Interestingly this breaks the config-activation when using the container-backend in nixops, but works fine when activating a new configuration for a .nspawn-unit as demonstrated in #84608.

Since this issue reproducibly fixes the config-activation for nixops, we may want to think of a solution for 20.09 that covers use-cases for this as far as possible. I'm currently working on improved nspawn-containers for the sake of improved networkd-integration (#69414), so when we have a draft to discuss, we can decide how to proceed with nixos-containers IMHO :)

uvNikita commented 4 years ago

Note that, as far as I know, machinectl shell does not propagate the return code of the executed command. This means that the error will be hidden if the container fails to switch the configuration. I'm not sure if this is something we want.

Other than that, machinectl shell works fine in my custom nixos containers module.
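The exit-status problem described in the comment above matters for deployments: if the runner always exits 0, a failed switch-to-configuration inside the container looks like a successful deploy. Below is an added example, not code from this issue, from nixos-container or from nixops, of a small POSIX sh wrapper that recovers the inner command's real status regardless of what the runner reports. It assumes a runner that accepts one shell-script argument, such as `machinectl shell <name> /bin/sh -c` (the container name and the choice of /bin/sh are assumptions for illustration); `sh -c` serves as a stand-in runner when trying it locally. The marker token and the 255 fallback status are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the nixpkgs issue, nixos-container or nixops):
# run COMMAND inside a container through RUNNER and return COMMAND's own
# exit status even if RUNNER always exits 0, as uvNikita reports for
# machinectl shell. The inner shell appends a marker line carrying $? to its
# output; the wrapper strips that line and returns the recorded status, so a
# failed switch-to-configuration cannot be mistaken for a successful deploy.
#
# Usage: run_propagating RUNNER COMMAND
#   RUNNER  - command string that takes one argument, a shell script body,
#             e.g. "machinectl shell webserver /bin/sh -c" (assumed name) or
#             "sh -c" for local testing
#   COMMAND - shell script body to execute inside the container

MARKER="__NIXOS_CONTAINER_RC__"   # constructed token, unlikely in real output

run_propagating() {
    runner=$1
    cmd=$2
    # Run COMMAND in a subshell so that an "exit N" inside it cannot skip the
    # marker, then print the marker plus the subshell's status on its own line.
    # $runner is deliberately unquoted so the string splits into words, and
    # \$? is left for the inner shell to expand. tr strips CRs from a pty.
    out=$($runner "( $cmd ); printf '\n%s%s\n' $MARKER \$?" | tr -d '\r')
    # The last marker line wins (a pty may echo the script text back).
    rc=$(printf '%s\n' "$out" | sed -n "s/^${MARKER}\([0-9][0-9]*\)$/\1/p" | tail -n 1)
    # No marker means the runner never executed our script at all: report
    # that as a distinct failure rather than as success.
    [ -n "$rc" ] || rc=255
    # Pass the command's own output through, minus the marker line.
    printf '%s\n' "$out" | grep -v "^${MARKER}" || true
    return "$rc"
}
```

A caller such as a deployment script then checks `run_propagating "machinectl shell mycontainer /bin/sh -c" "switch-to-configuration switch"` like any other command and aborts on a non-zero status; the 255 case distinguishes "the container shell never ran" from "the activation itself failed".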

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

kirelagin commented 3 years ago

Is there anything that can be done here to keep this work moving?

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

uvNikita commented 3 years ago

I think the most recent effort related to this is happening here: https://github.com/NixOS/nixpkgs/issues/69414#issuecomment-775174806

stale[bot] commented 2 years ago

I marked this as stale due to inactivity.