NixOS Containers: Difference between revisions

(13 intermediate revisions by 9 users not shown)

Line 1:

~~== Native~~ NixOS containers ==

Setup native [https://wiki.archlinux.org/title/systemd-nspawn systemd-nspawn] containers, which are running NixOS and are configured and managed by NixOS using the <code>containers</code> directive.

~~It is possible to configure native~~ [~~https://wiki.archlinux.org/title/systemd-nspawn systemd-nspawn~~] ~~containers~~, ~~which are running NixOS and are configured and managed by NixOS using the <code>containers</code> directive~~.

See [[Docker]] page for OCI container (Docker, Podman) configuration.

=== Configuration ===

The following example creates a container called ~~<code>nextcloud</code>~~ running ~~the~~ web ~~application [[Nextcloud]]~~. It will start automatically at boot and has its private network subnet.

The following example creates a container called webserver running a httpd web server. It will start automatically at boot and has its private network subnet.

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

Line 16:

};

containers.~~nextcloud~~ = {

containers.webserver = {

autoStart = true;

privateNetwork = true;

Line 23:

hostAddress6 = "fc00::1";

localAddress6 = "fc00::2";

config = { config, pkgs, ... }: {

config = { config, pkgs, lib, ... }: {

services.~~nextcloud~~ = {

services.httpd = {

enable = true;

~~package = pkgs.nextcloud28;~~

adminAddr = "admin@example.org";

~~hostName = "localhost";~~

~~config.adminpassFile~~ = "~~${pkgs~~.~~writeText "adminpass" "test123"}~~"; ~~# DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!~~

};

~~system~~.~~stateVersion~~ = ~~"23.11"~~;

networking = {

firewall.allowedTCPPorts = [ 80 ];

~~networking = {~~

~~firewall = {~~

~~enable = true;~~

~~allowedTCPPorts = [ 80 ];~~

};

# Use systemd-resolved inside the container

# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686

useHostResolvConf = mkForce false;

useHostResolvConf = lib.mkForce false;

};

services.resolved.enable = true;

system.stateVersion = "24.11";

};

Line 99:

Line 94:

Checking the status of the container

# systemctl status container@~~nextcloud~~

# systemctl status container@webserver

</syntaxhighlight>

Login into the container

# nixos-container root-login ~~nextcloud~~

# nixos-container root-login webserver

</syntaxhighlight>

Start or stop a container

# nixos-container start ~~nextcloud~~

# nixos-container start webserver

# nixos-container stop ~~nextcloud~~

# nixos-container stop webserver

</syntaxhighlight>

Destroy a container including its file system

# nixos-container destroy ~~nextcloud~~

# nixos-container destroy webserver

</syntaxhighlight>

Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.

View log for container<syntaxhighlight lang="console">

# journalctl -M webserver

</syntaxhighlight>Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.

== Tips and tricks ==

== ~~Declarative docker containers~~ ==

==== Define and create nixos-container from a Flake file ====

We can define and create a custom container called <code>container</code> from a file stored as <code>flake.nix</code>. In this case we use the unstable branch of the nixpkgs repository as a source.<syntaxhighlight lang="nix">

{

inputs.nixpkgs.url = "nixpkgs/nixos-unstable";

~~Example config:~~

outputs = { self, nixpkgs }: {

{ ~~config~~, ~~pkgs, ...~~ }:

{

nixosConfigurations.container = nixpkgs.lib.nixosSystem {

~~config~~.~~virtualisation~~.~~oci-containers~~.~~containers =~~ {

system = "x86_64-linux";

~~hackagecompare = {~~

modules =

~~image~~ = "~~chrissound/hackagecomparestats~~-~~webserver:latest~~";

[ ({ pkgs, ... }: {

~~ports =~~ [~~"127~~.0.0.1:~~3010:3010"]~~;

boot.isContainer = true;

~~volumes~~ = [

~~"/root/hackagecompare/packageStatistics~~.~~json:/root/hackagecompare/packageStatistics.json"~~

networking.firewall.allowedTCPPorts = [ 80 ];

];

~~cmd~~ = [

services.httpd = {

"~~--base-url~~"

enable = true;

~~"\"/hackagecompare\""~~

adminAddr = "morty@example.org";

};

})

];

};

}

</syntaxhighlight>To create and run that container, enter following commands. In this example the <code>flake.nix</code> file is in the same directory.<syntaxhighlight lang="console">

# nixos-container create flake-test --flake .

host IP is 10.233.4.1, container IP is 10.233.4.2

# nixos-container start flake-test

</syntaxhighlight>

==== Use agenix secrets in container ====

To add <code>agenix</code> secrets to a container bind mount the <code>ssh-host.key</code> and import the <code>agenix.nixosModule</code> and set <code>age.identityPaths</code> [https://discourse.nixos.org/t/secrets-inside-nixos-containers/34403/6 Source]<syntaxhighlight lang="nix">

{ agenix, ... }:

{

containers."withSecret" = {

# pass the private key to the container for agenix to decrypt the secret

bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;

config =

{

config,

lib,

pkgs,

...

}:

{

imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container

age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically when openssh is not setup

# import the secret

age.secrets."secret-name" = {

file = ../secrets/secret.age;

};

}

</syntaxhighlight>

== Troubleshooting ==

=== I have changed the host's channel and some services are no longer functional ===

==== I have changed the host's channel and some services are no longer functional ====

'''Symptoms:'''

* Lost data in PostgreSQL database

Line 157:

Line 197:

* [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html Blog Article - Declarative NixOS Containers]

* [https://discourse.nixos.org/t/extra-container-run-declarative-containers-without-full-system-rebuilds/511 NixOS Discourse - Extra-container: Run declarative containers without full system rebuilds]

* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/~~tools~~/~~virtualization~~/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]

* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ni/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]

* [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/nixos-containers.nix Nixpkgs - nixos-containers.nix]

* [https://nixcademy.com/2023/08/29/nixos-nspawn/ nixos-nspawn]

* [https://github.com/tfc/nspawn-nixos tfc/nspawn-nixos]

* MicroVMs as a more isolated alternative, e.g. with https://github.com/astro/microvm.nix

[[Category:Server]]

[[Category:NixOS]]

[[Category:Container]]

@@ Line 1: / Line 1: @@
-== Native NixOS containers ==
+Setup native [https://wiki.archlinux.org/title/systemd-nspawn systemd-nspawn] containers, which are running NixOS and are configured and managed by NixOS using the <code>containers</code> directive.
-It is possible to configure native [https://wiki.archlinux.org/title/systemd-nspawn systemd-nspawn] containers, which are running NixOS and are configured and managed by NixOS using the <code>containers</code> directive.
+See [[Docker]] page for OCI container (Docker, Podman) configuration.
 === Configuration ===
-The following example creates a container called <code>nextcloud</code> running the web application [[Nextcloud]]. It will start automatically at boot and has its private network subnet.
+The following example creates a container called webserver running a httpd web server. It will start automatically at boot and has its private network subnet.
 {{file|/etc/nixos/configuration.nix|nix|<nowiki>
@@ Line 16: / Line 16: @@
 };
-containers.nextcloud = {
+containers.webserver = {
    autoStart = true;
    privateNetwork = true;
@@ Line 23: / Line 23: @@
    hostAddress6 = "fc00::1";
    localAddress6 = "fc00::2";
-   config = { config, pkgs, ... }: {
+   config = { config, pkgs, lib, ... }: {
-     services.nextcloud = {
+     services.httpd = {
        enable = true;
-       package = pkgs.nextcloud28;
+       adminAddr = "admin@example.org";
-      hostName = "localhost";
-      config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
      };
-     system.stateVersion = "23.11";
+     networking = {
+      firewall.allowedTCPPorts = [ 80 ];
-    networking = {
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ 80 ];
-      };
        # Use systemd-resolved inside the container
        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-       useHostResolvConf = mkForce false;
+       useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;
+    system.stateVersion = "24.11";
    };
 };
@@ Line 99: / Line 94: @@
 Checking the status of the container
 <syntaxhighlight lang="console">
-# systemctl status container@nextcloud
+# systemctl status container@webserver
 </syntaxhighlight>
 Login into the container
 <syntaxhighlight lang="console">
-# nixos-container root-login nextcloud
+# nixos-container root-login webserver
 </syntaxhighlight>
 Start or stop a container
 <syntaxhighlight lang="console">
-# nixos-container start nextcloud
+# nixos-container start webserver
-# nixos-container stop nextcloud
+# nixos-container stop webserver
 </syntaxhighlight>
 Destroy a container including its file system
 <syntaxhighlight lang="console">
-# nixos-container destroy nextcloud
+# nixos-container destroy webserver
 </syntaxhighlight>
-Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.
+View log for container<syntaxhighlight lang="console">
+# journalctl -M webserver
+</syntaxhighlight>Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.
+== Tips and tricks ==
-== Declarative docker containers ==
+==== Define and create nixos-container from a Flake file ====
+We can define and create a custom container called <code>container</code> from a file stored as <code>flake.nix</code>. In this case we use the unstable branch of the nixpkgs repository as a source.<syntaxhighlight lang="nix">
+{
+  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
-Example config:
+   outputs = { self, nixpkgs }: {
-   { config, pkgs, ... }:
-  {
+     nixosConfigurations.container = nixpkgs.lib.nixosSystem {
-     config.virtualisation.oci-containers.containers = {
+       system = "x86_64-linux";
-       hackagecompare = {
+      modules =
-        image = "chrissound/hackagecomparestats-webserver:latest";
+         [ ({ pkgs, ... }: {
-         ports = ["127.0.0.1:3010:3010"];
+            boot.isContainer = true;
-        volumes = [
-          "/root/hackagecompare/packageStatistics.json:/root/hackagecompare/packageStatistics.json"
+            networking.firewall.allowedTCPPorts = [ 80 ];
-        ];
-        cmd = [
+            services.httpd = {
-          "--base-url"
+              enable = true;
-           "\"/hackagecompare\""
+              adminAddr = "morty@example.org";
+            };
+           })
          ];
+    };
+  };
+}
+</syntaxhighlight>To create and run that container, enter following commands. In this example the <code>flake.nix</code> file is in the same directory.<syntaxhighlight lang="console">
+# nixos-container create flake-test --flake .
+host IP is 10.233.4.1, container IP is 10.233.4.2
+# nixos-container start flake-test
+</syntaxhighlight>
+==== Use agenix secrets in container ====
+To add <code>agenix</code> secrets to a container bind mount the <code>ssh-host.key</code> and import the <code>agenix.nixosModule</code> and set <code>age.identityPaths</code> [https://discourse.nixos.org/t/secrets-inside-nixos-containers/34403/6 Source]<syntaxhighlight lang="nix">
+{ agenix, ... }:
+{
+  containers."withSecret" = {
+    # pass the private key to the container for agenix to decrypt the secret
+    bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
+    config =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container
+        age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically when openssh is not setup
+        # import the secret
+        age.secrets."secret-name" = {
+          file = ../secrets/secret.age;
+        };
        };
-    };
+  };
-  }
+}
+</syntaxhighlight>
 == Troubleshooting ==
-=== I have changed the host's channel and some services are no longer functional ===
+==== I have changed the host's channel and some services are no longer functional ====
 '''Symptoms:'''
 * Lost data in PostgreSQL database
@@ Line 157: / Line 197: @@
 * [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html Blog Article - Declarative NixOS Containers]
 * [https://discourse.nixos.org/t/extra-container-run-declarative-containers-without-full-system-rebuilds/511 NixOS Discourse - Extra-container: Run declarative containers without full system rebuilds]
-* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/virtualization/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]
+* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ni/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]
 * [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/nixos-containers.nix Nixpkgs - nixos-containers.nix]
 * [https://nixcademy.com/2023/08/29/nixos-nspawn/ nixos-nspawn]
 * [https://github.com/tfc/nspawn-nixos tfc/nspawn-nixos]
+* MicroVMs as a more isolated alternative, e.g. with https://github.com/astro/microvm.nix
 [[Category:Server]]
 [[Category:NixOS]]
+[[Category:Container]]