Introduce micro-activate (RIIR activate script + tiny bit of tmpfiles)
Instead of interpreting all that shell and running actual tmpfiles, use a tiny stage before systemd that mounts a tmpfs at /run (preventing systemd from doing the same), populates it with NixOS symlinks and preserved resolv.conf, and mounts the immutable /etc overlay before passing control over to systemd.
This commit is contained in:
Val Packett
parent
3d2f6c4732
commit
0bd986f97f
5 changed files with 151 additions and 40 deletions
27
munix
27
munix
|
|
@ -180,38 +180,31 @@ BWRAP_ARGS+=(
|
|||
bwrap --unshare-all --share-net \
|
||||
--uid $MICROVM_UID --gid $MICROVM_GID \
|
||||
--tmpfs / \
|
||||
--dir /run --dir /var --symlink /run /var/run --dir /tmp --dir /mnt \
|
||||
--dir /run --dir /var --symlink /run /var/run --dir /tmp --dir /mnt --dir /bin --dir /usr/bin \
|
||||
--proc /proc --ro-bind /sys /sys \
|
||||
--dev /dev --dir /dev/input --dev-bind /dev/kvm /dev/kvm \
|
||||
--ro-bind "$MUVM_PATH" /run/munix/muvm \
|
||||
--ro-bind "$PASST_PATH" /run/munix/passt \
|
||||
--ro-bind "$SCRIPT_PATH/micro-activate" /opt/bin/micro-activate \
|
||||
--ro-bind "$MUVM_PATH/muvm-guest" /opt/bin/muvm-remote \
|
||||
--ro-bind "$MUVM_PATH/muvm-guest" /opt/bin/muvm-configure-network \
|
||||
--ro-bind "$MUVM_PATH/muvm-guest" /opt/bin/muvm-pwbridge \
|
||||
--symlink "$MICROVM_CLOSURE/etc/systemd" /etc/systemd \
|
||||
--symlink "$MICROVM_CLOSURE/etc" /etc \
|
||||
--symlink "$MICROVM_CLOSURE/sw/bin/sh" /bin/sh \
|
||||
--symlink "$MICROVM_CLOSURE/sw/bin/env" /usr/bin/env \
|
||||
--symlink "$MICROVM_CLOSURE" /run/current-system \
|
||||
--ro-bind /nix/store /nix/store \
|
||||
--ro-bind /run/systemd/resolve /run/systemd/resolve \
|
||||
--file 11 /etc/passwd \
|
||||
--file 12 /etc/group \
|
||||
--file 13 /etc/resolv.conf \
|
||||
--file 12 /run/machine-id \
|
||||
--file 13 /run/resolv.conf \
|
||||
--dir "$XDG_RUNTIME_DIR" \
|
||||
--setenv PATH "/run/munix/muvm:/run/munix/passt:$MICROVM_CLOSURE/sw/bin" \
|
||||
"${BWRAP_ARGS[@]}" \
|
||||
muvm \
|
||||
--custom-init-cmdline "$MICROVM_CLOSURE/sw/sbin/init --log-target=console systemd.set_credential=sidebus.port:50000" \
|
||||
--custom-init-cmdline "/opt/bin/micro-activate $MICROVM_CLOSURE/sw/sbin/init --log-target=console systemd.set_credential=sidebus.port:50000" \
|
||||
"${MUVM_ARGS[@]}" \
|
||||
-e container=munix \
|
||||
-e MICROVM_CLOSURE="$MICROVM_CLOSURE" \
|
||||
-e MICROVM_UID="$MICROVM_UID" -e MICROVM_GID="$MICROVM_GID" \
|
||||
-i -t "${MICROVM_COMMAND[@]}" \
|
||||
11< <(cat <<EOF
|
||||
munix:x:$MICROVM_UID:$MICROVM_GID:Hypervisor:/:/run/current-system/sw/bin/nologin
|
||||
nobody:x:65534:65534:Unprivileged account:/var/empty:/run/current-system/sw/bin/nologin
|
||||
EOF
|
||||
) \
|
||||
12< <(cat <<EOF
|
||||
munix:x:$MICROVM_GID:
|
||||
nogroup:x:65534:
|
||||
EOF
|
||||
) \
|
||||
12< /etc/machine-id \
|
||||
13< /etc/resolv.conf
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue