From 9f6e0f48d31e0b187c7918616da0aa10dc94b724 Mon Sep 17 00:00:00 2001 From: Daniel Bulant Date: Fri, 27 Feb 2026 21:13:49 +0100 Subject: [PATCH] add sysbox --- configuration.nix | 6 +- flake.nix | 14 ++++- modules/sysbox-README.md | 131 +++++++++++++++++++++++++++++++++++++++ modules/sysbox.nix | 106 +++++++++++++++++++++++++++++++ pkgs/sysbox/package.nix | 66 ++++++++++++++++++++ 5 files changed, 321 insertions(+), 2 deletions(-) create mode 100644 modules/sysbox-README.md create mode 100644 modules/sysbox.nix create mode 100644 pkgs/sysbox/package.nix diff --git a/configuration.nix b/configuration.nix index 3dd0603..347287f 100644 --- a/configuration.nix +++ b/configuration.nix @@ -289,6 +289,10 @@ in # enableNvidia = true; }; # hardware.nvidia-container-toolkit.enable = true; + + # Enable sysbox for system containers + virtualisation.sysbox.enable = true; + services.avahi.enable = true; boot = { @@ -467,7 +471,7 @@ in # USB_DENYLIST = "04d9:a0b8"; # }; powerManagement.enable = true; - powerManagement.powertop.enable = true; + #powerManagement.powertop.enable = true; powerManagement.cpuFreqGovernor = "schedutil"; services.thermald.enable = true; diff --git a/flake.nix b/flake.nix index bd99a0c..c20e34d 100644 --- a/flake.nix +++ b/flake.nix @@ -67,6 +67,14 @@ ... }@attrs: { + # Export sysbox package overlay for external use + overlays.default = final: prev: { + sysbox = final.callPackage ./pkgs/sysbox/package.nix { }; + }; + + # Export sysbox NixOS module for external use + nixosModules.sysbox = import ./modules/sysbox.nix; + nixosConfigurations.aura = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = attrs; @@ -74,7 +82,9 @@ { nixpkgs.overlays = [ # dolphin-overlay.overlays.default - (_: prev: { + # Add sysbox overlay + (final: prev: { + sysbox = final.callPackage ./pkgs/sysbox/package.nix { }; tailscale = prev.tailscale.overrideAttrs (old: { checkFlags = builtins.map ( flag: @@ -97,6 +107,8 @@ home-manager.backupFileExtension = "backup"; } ./configuration.nix + # Import sysbox module + ./modules/sysbox.nix nix-index-database.nixosModules.nix-index { programs.nix-index-database.comma.enable = true; } #./powersave.nix diff --git a/modules/sysbox-README.md b/modules/sysbox-README.md new file mode 100644 index 0000000..9cf4e2d --- /dev/null +++ b/modules/sysbox-README.md @@ -0,0 +1,131 @@ +# Sysbox Integration + +This directory contains a NixOS module for [Sysbox](https://github.com/nestybox/sysbox), a next-generation OCI runtime for running system containers. + +## What is Sysbox? + +Sysbox enables running system containers with enhanced security and isolation. It allows you to run Docker, Systemd, Kubernetes, and other system-level software inside containers without privileged mode. + +## Usage in This Configuration + +Sysbox is already enabled for the `aura` system in `configuration.nix:295`: + +```nix +virtualisation.sysbox.enable = true; +``` + +## Testing Sysbox + +After rebuilding your system, you can test sysbox with Docker: + +### 1. Check Services +```bash +systemctl status sysbox-mgr sysbox-fs +``` + +### 2. Verify Docker Integration +```bash +docker info | grep sysbox-runc +``` + +### 3. Run a Test Container +```bash +# Run a simple container with sysbox-runc +docker run --runtime=sysbox-runc --rm -it ubuntu:latest bash +``` + +### 4. Run Docker-in-Docker +```bash +# Run Docker inside Docker using sysbox +docker run --runtime=sysbox-runc --name=docker-in-docker -d nestybox/ubuntu-jammy-docker + +# Execute commands inside +docker exec -it docker-in-docker docker run hello-world +``` + +## External Usage + +Other flakes can use this sysbox module: + +```nix +{ + inputs.your-dotfiles.url = "github:youruser/dotfiles"; + + outputs = { nixpkgs, your-dotfiles, ... }: { + nixosConfigurations.myhost = nixpkgs.lib.nixosSystem { + modules = [ + your-dotfiles.nixosModules.sysbox + { + virtualisation.sysbox.enable = true; + virtualisation.docker.enable = true; # or podman + } + ]; + }; + }; +} +``` + +You can also use just the package overlay: + +```nix +{ + inputs.your-dotfiles.url = "github:youruser/dotfiles"; + + outputs = { nixpkgs, your-dotfiles, ... }: { + nixosConfigurations.myhost = nixpkgs.lib.nixosSystem { + modules = [{ + nixpkgs.overlays = [ your-dotfiles.overlays.default ]; + environment.systemPackages = [ pkgs.sysbox ]; + }]; + }; + }; +} +``` + +## Configuration Options + +The module provides these options: + +- `virtualisation.sysbox.enable` - Enable sysbox (default: false) +- `virtualisation.sysbox.package` - The sysbox package to use (default: pkgs.sysbox) + +## What the Module Does + +When enabled, the module automatically: + +1. **Configures Container Runtimes** + - Registers `sysbox-runc` with Docker (if Docker is enabled) + - Registers `sysbox-runc` with Podman (if Podman is enabled) + +2. **Sets Up Services** + - `sysbox-mgr.service` - Manager service + - `sysbox-fs.service` - Filesystem service + +3. **Applies System Configuration** + - Enables unprivileged user namespaces + - Sets required sysctl values (inotify limits, kernel.keys) + - Creates iptables compatibility layer in /sbin + +4. **Installs Binaries** + - `sysbox-runc` - The OCI runtime + - `sysbox-mgr` - Manager daemon + - `sysbox-fs` - Filesystem daemon + +## Implementation Details + +- **Version**: 0.6.7 +- **License**: Apache 2.0 +- **Platforms**: x86_64-linux, aarch64-linux +- **Package Type**: Pre-built .deb packages (not built from source) + +The implementation is based on [this commit](https://github.com/CyberShadow/nixpkgs/commit/9f14ecca828c47b9696ffe588759779d5d7784a7) with improvements for: +- Module system compatibility (avoiding infinite recursion) +- Sysctl conflict resolution +- Automatic runtime registration + +## Files + +- `pkgs/sysbox/package.nix` - Package definition +- `modules/sysbox.nix` - NixOS module +- Exported as `nixosModules.sysbox` in flake.nix +- Exported as `overlays.default` in flake.nix diff --git a/modules/sysbox.nix b/modules/sysbox.nix new file mode 100644 index 0000000..535542e --- /dev/null +++ b/modules/sysbox.nix @@ -0,0 +1,106 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + cfg = config.virtualisation.sysbox; +in + +{ + options.virtualisation.sysbox = { + enable = lib.mkEnableOption "Sysbox, a next-generation runc for running system containers"; + + package = lib.mkOption { + type = lib.types.package; + description = "The sysbox package to use."; + }; + }; + + config = lib.mkIf cfg.enable { + virtualisation.sysbox.package = lib.mkDefault pkgs.sysbox; + + # Configure Docker to use sysbox-runc runtime + virtualisation.docker.daemon.settings = lib.mkIf config.virtualisation.docker.enable { + runtimes.sysbox-runc = { + path = "${cfg.package}/bin/sysbox-runc"; + }; + }; + + # Configure Podman to use sysbox-runc runtime + virtualisation.containers.containersConf.settings = lib.mkIf config.virtualisation.podman.enable { + engine.runtimes.sysbox-runc = [ + "${cfg.package}/bin/sysbox-runc" + ]; + }; + + systemd.services.sysbox-mgr = { + description = "Sysbox Manager Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + path = with pkgs; [ + rsync + kmod + iptables + ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${cfg.package}/bin/sysbox-mgr"; + Restart = "on-failure"; + RestartSec = "10s"; + User = "root"; + Group = "root"; + }; + + preStart = '' + # Ensure iptables is available in /sbin for sysbox compatibility + mkdir -p /sbin + for cmd in ${pkgs.iptables}/bin/iptables*; do + ln -sf "$cmd" "/sbin/$(basename $cmd)" || true + done + ''; + }; + + systemd.services.sysbox-fs = { + description = "Sysbox FileSystem Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "sysbox-mgr.service" ]; + requires = [ "sysbox-mgr.service" ]; + + path = with pkgs; [ + rsync + kmod + fuse + iptables + ]; + + serviceConfig = { + Type = "notify"; + ExecStart = "${cfg.package}/bin/sysbox-fs"; + Restart = "on-failure"; + RestartSec = "10s"; + User = "root"; + Group = "root"; + }; + }; + + # Enable unprivileged user namespace cloning (required for sysbox) + security.unprivilegedUsernsClone = true; + + # Apply sysctl configuration (sysbox requires higher values than system defaults) + boot.kernel.sysctl = { + "fs.inotify.max_queued_events" = lib.mkOverride 999 1048576; + "fs.inotify.max_user_watches" = lib.mkOverride 999 1048576; + "fs.inotify.max_user_instances" = lib.mkOverride 999 1048576; + "kernel.keys.maxkeys" = lib.mkOverride 999 20000; + "kernel.keys.maxbytes" = lib.mkOverride 999 400000; + }; + + # Make sysbox-runc available in PATH for container runtimes + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/pkgs/sysbox/package.nix b/pkgs/sysbox/package.nix new file mode 100644 index 0000000..d4e77c1 --- /dev/null +++ b/pkgs/sysbox/package.nix @@ -0,0 +1,66 @@ +{ + lib, + stdenv, + fetchurl, + dpkg, + rsync, + fuse, + kmod, +}: + +stdenv.mkDerivation rec { + pname = "sysbox"; + version = "0.6.7"; + + src = fetchurl { + url = "https://github.com/nestybox/sysbox/releases/download/v${version}/sysbox-ce_${version}.linux_${ + { + x86_64-linux = "amd64"; + aarch64-linux = "arm64"; + } + .${stdenv.hostPlatform.system} + }.deb"; + hash = + { + x86_64-linux = "sha256-t6w4nloZWSyt8W4Mow5AkZUWEo9uG3+Z4ctP9kVUFy4="; + aarch64-linux = "sha256-FugBvWoeqk/5bO0hXCvJjvbM7qk1W0qOt6TYOSwj5JE="; + } + .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); + }; + + nativeBuildInputs = [ dpkg ]; + + buildInputs = [ + rsync + fuse + kmod + ]; + + unpackPhase = '' + runHook preUnpack + dpkg-deb -x $src . + runHook postUnpack + ''; + + installPhase = '' + runHook preInstall + + mkdir -p $out + cp -r usr/* $out/ + cp -r lib $out/ + + runHook postInstall + ''; + + meta = with lib; { + description = "Next-generation runc that empowers rootless containers to run workloads such as Systemd, Docker, and Kubernetes"; + homepage = "https://github.com/nestybox/sysbox"; + license = licenses.asl20; + maintainers = with maintainers; [ ]; + platforms = [ + "x86_64-linux" + "aarch64-linux" + ]; + mainProgram = "sysbox-runc"; + }; +}