Also, probably more detail than is necessary, but here’s what we currently are doing: https://arxiv.org/pdf/2005.07252.pdf We have an old version of Singularity and NixOS containers at the moment, with other container types being supported a possibility, but I prefer to use Nix where possible.
In this case, extra-container (and NixOS containers) won’t exactly fit your requirements, because you probably want to use unprivileged containers (not yet supported by NixOS containers) and want to manage the container instances as subprocesses of your web app (and not as systemd services).
But NixOS is certainly a great platform for implementing CCRS.
If you still want to employ NixOS containers, have you considered directly using the container service template (systemctl cat container@)?
Just store a configuration file at /etc/containers/<mycontainer>.conf and run systemctl start container@<mycontainer> to start an instance.
For further inspiration you might also want to look into nixcloud-container which uses unprivileged LXC containers.
Can you explain to me why unprivileged containers aren't possible with NixOS currently? Is it because of the extensional model of the Nix store? E.g. sharing a Nix daemon and input-based model vs. the content-addressed model?
I wish I could have a NixOS container run like so
nixos-container --user start foo
IIRC there was a bug in systemd-nspawn which kept us from using it, but I don’t know the current state on this. As I’m currently drafting a new containers-module (which uses systemd-networkd, see also Implement NixOS container networking with networkd · Issue #69414 · NixOS/nixpkgs · GitHub), I guess I’ll try that out when I have time to.
OK, thanks for the information, I will follow your updates there.