containers module: Add tmpfs options (#20557)

Allows one or more directories to be mounted as a read-only file system. This makes it convenient to run volatile containers that do not retain application state.
2016-11-22 02:11:33 +01:00
parent 49d608ac00
commit 35ecef2c6d
3 changed files with 97 additions and 1 deletions
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -129,9 +129,12 @@ let
        --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \
        --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
        --setenv PATH="$PATH" \
-        ${if cfg.additionalCapabilities != null then
+        ${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
          ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
        } \
+        ${if cfg.tmpfs != null && cfg.tmpfs != [] then
+          ''--tmpfs=${concatStringsSep " --tmpfs=" cfg.tmpfs}'' else ""
+        } \
        ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
    '';

@@ -367,6 +370,7 @@ let
      hostAddress6 = null;
      localAddress = null;
      localAddress6 = null;
+      tmpfs = null;
    };

 in
@@ -510,6 +514,18 @@ in
              '';
            };

+            tmpfs = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = [ "/var" ];
+              description = ''
+                Mounts a set of tmpfs file systems into the container.
+                Multiple paths can be specified.
+                Valid items must conform to the --tmpfs argument
+                of systemd-nspawn. See systemd-nspawn(1) for details.
+              '';
+            };
+
          } // networkOptions;

          config = mkMerge