From 2b1f21249445991940c9d3ebbc54ce41b1eaf9c0 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 26 Nov 2013 18:17:12 +0100
Subject: [PATCH] Disable various services when running inside a container
---
 nixos/modules/config/sysctl.nix | 5 +++-
 nixos/modules/services/audio/alsa.nix | 1 +
 nixos/modules/services/hardware/acpid.nix | 1 +
 nixos/modules/services/logging/klogd.nix | 2 ++
 nixos/modules/services/misc/nix-daemon.nix | 3 +++
 nixos/modules/services/networking/dhcpcd.nix | 2 ++
 nixos/modules/system/boot/kernel.nix | 5 +++-
 nixos/modules/system/boot/shutdown.nix | 24 +++++++++----------
 nixos/modules/tasks/cpu-freq.nix | 2 ++
 nixos/modules/tasks/network-interfaces.nix | 2 ++
 .../tasks/scsi-link-power-management.nix | 2 ++
 11 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index f987c9c9e944..8f9b31dccff3 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -46,7 +46,10 @@ in
 before = [ "sysinit.target" "shutdown.target" ];
 wantedBy = [ "sysinit.target" "multi-user.target" ];
 restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
- unitConfig.DefaultDependencies = false; # needed to prevent a cycle
+ unitConfig = {
+ DefaultDependencies = false; # needed to prevent a cycle
+ ConditionPathIsReadWrite = "/proc/sys/"; # prevent systemd-sysctl in containers
+ };
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix
index d021b8bd3ba9..c9a2ef4589bd 100644
--- a/nixos/modules/services/audio/alsa.nix
+++ b/nixos/modules/services/audio/alsa.nix
@@ -55,6 +55,7 @@ in
 { description = "Store Sound Card State";
 wantedBy = [ "multi-user.target" ];
 unitConfig.RequiresMountsFor = "/var/lib/alsa";
+ unitConfig.ConditionVirtualization = "!systemd-nspawn";
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
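Review bot: The new `ConditionPathIsReadWrite = "/proc/sys/"` line makes systemd-sysctl skip wherever /proc/sys is not writable, not only inside a container, so a host whose /proc/sys happens to be mounted read-only would boot with none of its sysctl settings applied and no failed unit to point at it. A false condition leaves the unit in a skipped, not failed, state, which is easy to overlook when the missing setting is a hardening knob. The inline comment could say so: `# skipped (not failed) wherever /proc/sys is read-only, e.g. in containers`. The systemd-sysctl unit definition starts before this hunk.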
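Review bot: `ConditionVirtualization = "!systemd-nspawn"` matches exactly one container runtime, so this alsactl store unit still runs under any other container technology even though the commit subject talks about containers in general; the same narrow match is added in acpid.nix, klogd.nix and shutdown.nix. If the intent is to skip in every container, systemd's ConditionVirtualization also accepts the generic value `container`, i.e. `unitConfig.ConditionVirtualization = "!container";`. The commit mixes three different probes (virtualization type here, capability checks and path writability elsewhere), which is reasonable per unit but deserves a one-line comment so a later reader does not unify them by mistake.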
diff --git a/nixos/modules/services/hardware/acpid.nix b/nixos/modules/services/hardware/acpid.nix
index adba6394dcf5..2329f38dfc25 100644
--- a/nixos/modules/services/hardware/acpid.nix
+++ b/nixos/modules/services/hardware/acpid.nix
@@ -110,6 +110,7 @@ in
 exec = "acpid --confdir ${acpiConfDir}";
+ unitConfig.ConditionVirtualization = "!systemd-nspawn";
 unitConfig.ConditionPathExists = [ "/proc/acpi" ];
 };
diff --git a/nixos/modules/services/logging/klogd.nix b/nixos/modules/services/logging/klogd.nix
index d7d0bbf89a54..36b530d0077e 100644
--- a/nixos/modules/services/logging/klogd.nix
+++ b/nixos/modules/services/logging/klogd.nix
@@ -32,6 +32,8 @@ with pkgs.lib;
 path = [ pkgs.sysklogd ];
+ unitConfig.ConditionVirtualization = "!systemd-nspawn";
+ exec = "klogd -c 1 -2 -n " + "-k $(dirname $(readlink -f /run/booted-system/kernel))/System.map";
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 1707828d0db6..1aefe75931b1 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -279,6 +279,7 @@ in
 { description = "Nix Daemon Socket";
 wantedBy = [ "sockets.target" ];
 before = [ "multi-user.target" ];
+ unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/";
 socketConfig.ListenStream = "/nix/var/nix/daemon-socket/socket";
 };
@@ -290,6 +291,8 @@ in
 environment = cfg.envVars // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; };
+ unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/";
+ serviceConfig = {
 ExecStart = "@${nix}/bin/nix-daemon nix-daemon --daemon";
 KillMode = "process";
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index 07b5606eacaa..ea263b3c89de 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
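Review bot: The `ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket/"` condition on the nix-daemon.socket unit is a writability probe standing in for "am I inside a container", and nothing in the patch records why a read-only socket directory means that; the same line is repeated on the service unit in the second hunk, where a later maintainer could easily drop one copy as redundant. What the condition yields when the directory is absent rather than read-only is not established here, so it is worth confirming that the directory exists before sockets.target on a fresh system. A comment on each copy would keep the intent, e.g. `# inside a container the daemon socket dir is expected to be read-only (provided by the host); skip the daemon there` (the host-provided part is an assumption — confirm). Both unit definitions extend beyond their hunks.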
@@ -114,6 +114,8 @@ in
 path = [ dhcpcd pkgs.nettools pkgs.openresolv ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+ serviceConfig = {
 Type = "forking";
 PIDFile = "/run/dhcpcd.pid";
diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix
index 64d4c33c9655..c3c38b186bdd 100644
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -231,7 +231,10 @@ in
 wantedBy = [ "sysinit.target" "multi-user.target" ];
 before = [ "sysinit.target" "shutdown.target" ];
 conflicts = [ "shutdown.target" ];
- unitConfig.DefaultDependencies = "no";
+ unitConfig =
+ { DefaultDependencies = false;
+ ConditionCapability = "CAP_SYS_MODULE";
+ };
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
diff --git a/nixos/modules/system/boot/shutdown.nix b/nixos/modules/system/boot/shutdown.nix
index ad71a2e816e3..44cadcd64a76 100644
--- a/nixos/modules/system/boot/shutdown.nix
+++ b/nixos/modules/system/boot/shutdown.nix
@@ -6,20 +6,20 @@ with pkgs.lib;
 # This unit saves the value of the system clock to the hardware
 # clock on shutdown.
- systemd.units."save-hwclock.service" =
- { wantedBy = [ "shutdown.target" ];
+ systemd.services.save-hwclock =
+ { description = "Save Hardware Clock";
- text =
- ''
- [Unit]
- Description=Save Hardware Clock
- DefaultDependencies=no
- Before=shutdown.target
+ wantedBy = [ "shutdown.target" ];
- [Service]
- Type=oneshot
- ExecStart=${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}
- '';
+ unitConfig = {
+ DefaultDependencies = false;
+ ConditionVirtualization = "!systemd-nspawn";
+ };
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.utillinux}/sbin/hwclock --systohc ${if config.time.hardwareClockInLocalTime then "--localtime" else "--utc"}";
+ };
 };
 boot.kernel.sysctl."kernel.poweroff_cmd" = "${config.systemd.package}/sbin/poweroff";
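Review bot: `ConditionCapability = "CAP_NET_ADMIN"` tests the capability bounding set of the service manager, so in a container that keeps CAP_NET_ADMIN (a privileged one, or one sharing the host's network namespace) dhcpcd still starts and reconfigures whatever interfaces it can see, which may be the host's; the same condition is added to network-interfaces.nix. That is a sound default for an unprivileged container, but it is a proxy for "this network is ours to manage" rather than a direct test, and the assumption should be written down: `# unprivileged containers drop CAP_NET_ADMIN; leave networking to the host there`. The dhcpcd unit definition continues outside this hunk.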
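Review bot: The rewritten save-hwclock unit drops the `Before=shutdown.target` ordering that the removed unit text carried: the new `unitConfig` keeps `DefaultDependencies = false` and adds the condition, but there is no `before`, and with default dependencies off nothing else orders the unit ahead of shutdown.target, so the hwclock write is merely wanted by shutdown.target rather than guaranteed to complete before it. Add `before = [ "shutdown.target" ];` next to `wantedBy` to restore the original behaviour. The rest of the conversion (ExecStart moved into `serviceConfig`, the condition added) reads as a faithful translation.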
diff --git a/nixos/modules/tasks/cpu-freq.nix b/nixos/modules/tasks/cpu-freq.nix
index ce36a8bab096..705ec93a1360 100644
--- a/nixos/modules/tasks/cpu-freq.nix
+++ b/nixos/modules/tasks/cpu-freq.nix
@@ -33,6 +33,8 @@ with pkgs.lib;
 after = [ "systemd-modules-load.service" ];
 wantedBy = [ "multi-user.target" ];
+ unitConfig.ConditionPathIsReadWrite = "/sys/devices/";
+ path = [ pkgs.cpufrequtils ];
 preStart = ''
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index d8522b6abba0..b1ab989f130f 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -270,6 +270,8 @@ in
 before = [ "network.target" ];
 wantedBy = [ "network.target" ];
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+ path = [ pkgs.iproute ];
 serviceConfig.Type = "oneshot";
diff --git a/nixos/modules/tasks/scsi-link-power-management.nix b/nixos/modules/tasks/scsi-link-power-management.nix
index 4927952080f6..071a80865983 100644
--- a/nixos/modules/tasks/scsi-link-power-management.nix
+++ b/nixos/modules/tasks/scsi-link-power-management.nix
@@ -31,6 +31,8 @@ with pkgs.lib;
 task = true;
+ unitConfig.ConditionPathIsReadWrite = "/sys/class/scsi_host";
+ script = ''
 shopt -s nullglob
 for x in /sys/class/scsi_host/host*/link_power_management_policy; do
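Review bot: The new `ConditionPathIsReadWrite = "/sys/devices/"` line carries no explanation, unlike the equivalent condition in sysctl.nix in this same commit, and the same applies to the `/sys/class/scsi_host` condition in scsi-link-power-management.nix. A short comment on each would record the reasoning, e.g. `# /sys is expected to be read-only inside containers; nothing to configure there` (that /sys is read-only in the container setup is an assumption — confirm). The two paths also differ on the trailing slash; picking one form keeps the commit consistent. Both unit definitions extend beyond their hunks.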