nixos: deactivate immutablity for /var/empty in container

2019-09-01 21:34:37 +02:00 · 2019-09-01 21:34:37 +02:00 · db9b5f5525
parent ba37b3c622
commit db9b5f5525
2 changed files with 9 additions and 0 deletions
--- a/nixos/modules/system/activation/activation-script.nix
+++ b/nixos/modules/system/activation/activation-script.nix
@ -184,7 +184,14 @@ in
        find /var/empty -mindepth 1 -delete
        chmod 0555 /var/empty
        chown root:root /var/empty
+
+        ${ # reasons for not setting immutable flag:
+           # 1. flag is not changeable inside a container
+           # 2. systemd-nspawn can not perform chown in case of --private-users-chown
+           #    then the owner is nobody and ssh will not start
+          optionalString (!config.boot.isContainer) ''
        ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+          ''}
      '';

    system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
--- a/nixos/tests/systemd-machinectl.nix
+++ b/nixos/tests/systemd-machinectl.nix
@ -45,6 +45,8 @@ in {
    $machine->succeed("machinectl start ${containerName}");
    $machine->waitUntilSucceeds("systemctl -M ${containerName} is-active default.target");
    $machine->succeed("ping -n -c 1 ${containerName}");
+    $machine->succeed("test `stat ${containerRoot}/var/empty -c %u%g` != 00");
+
    $machine->succeed("machinectl stop ${containerName}");
  '';
 })