From 4aef2212eea0da66843328da839487744537356d Mon Sep 17 00:00:00 2001
From: Marek Mahut
Date: Fri, 23 Aug 2019 08:24:06 +0200
Subject: [PATCH] Revert "nixos/containers: add unprivileged option"
---
 nixos/modules/virtualisation/containers.nix | 16 +-----
 nixos/tests/all-tests.nix | 1 -
 nixos/tests/containers-unprivileged.nix | 56 ---------------------
 3 files changed, 2 insertions(+), 71 deletions(-)
 delete mode 100644 nixos/tests/containers-unprivileged.nix
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 97325847bd1a..b65374c92577 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -139,7 +139,6 @@ let
 --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
 ${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
- ${optionalString (cfg.unprivileged) "-U"} \
 --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
 --setenv HOST_BRIDGE="$HOST_BRIDGE" \
 --setenv HOST_ADDRESS="$HOST_ADDRESS" \
@@ -239,8 +238,8 @@ let
 ExecReload = pkgs.writeScript "reload-container"
 ''
 #! ${pkgs.runtimeShell} -e
- ${pkgs.systemd}/bin/machinectl shell "$INSTANCE" \
- ''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test
+ ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
+ bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
 '';
 
 SyslogIdentifier = "container %i";
@@ -424,7 +423,6 @@ let
 extraVeths = {};
 additionalCapabilities = [];
 ephemeral = false;
- unprivileged = false;
 allowedDevices = [];
 hostAddress = null;
 hostAddress6 = null;
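Review bot: In the @@ -239 hunk the reinstated ExecReload puts the expansion of `''${SYSTEM_PATH:-...}` inside a double-quoted `bash --login -c "..."` string, so the value is expanded once by the host script and then parsed a second time by the container's bash — a SYSTEM_PATH containing whitespace or shell metacharacters would be word-split, globbed or executed there, whereas the removed `machinectl shell` form handed it over as a single argument. SYSTEM_PATH is presumably loaded from the container's environment file, which is not in this hunk, so the practical exposure depends on who can write that file; passing it as a positional parameter removes the re-parse regardless: `bash --login -c 'exec "$1/bin/switch-to-configuration" test' bash "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}"`. `--login` also sources the container's profile scripts before the switch, a difference from the removed form that the hunk does not explain; a one-line why-comment above the `nixos-container run` line, stating why it is preferred over `machinectl shell`, would help the next maintainer. The attribute set enclosing ExecReload starts and ends outside the hunk.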
@@ -518,16 +516,6 @@ in
 '';
 };
 
- unprivileged = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Run container in unprivileged mode using private users feature of systemd-nspawn.
- This option is eqvivalent of adding -U parameter to systemd-nspawn command.
- See systemd-nspawn(1) man page for more information.
- '';
- };
-
 ephemeral = mkOption {
 type = types.bool;
 default = false;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 3ac3d683b535..b6930cc3a706 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -48,7 +48,6 @@ in
 colord = handleTest ./colord.nix {};
 containers-bridge = handleTest ./containers-bridge.nix {};
 containers-ephemeral = handleTest ./containers-ephemeral.nix {};
- containers-unprivileged = handleTest ./containers-unprivileged.nix {};
 containers-extra_veth = handleTest ./containers-extra_veth.nix {};
 containers-hosts = handleTest ./containers-hosts.nix {};
 containers-imperative = handleTest ./containers-imperative.nix {};
diff --git a/nixos/tests/containers-unprivileged.nix b/nixos/tests/containers-unprivileged.nix
deleted file mode 100644
index 2db6b7e4f022..000000000000
--- a/nixos/tests/containers-unprivileged.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-# Test for NixOS' container support.
-
-import ./make-test.nix ({ pkgs, ...} : {
- name = "containers-unprivileged";
-
- machine = { pkgs, ... }: {
- virtualisation.memorySize = 768;
- virtualisation.writableStore = true;
-
- containers.webserver = {
- unprivileged = true;
- privateNetwork = true;
- hostAddress = "10.231.136.1";
- localAddress = "10.231.136.2";
- config = {
- services.nginx = {
- enable = true;
- virtualHosts.localhost = {
- root = (pkgs.runCommand "localhost" {} ''
- mkdir "$out"
- echo hello world > "$out/index.html"
- '');
- };
- };
- networking.firewall.allowedTCPPorts = [ 80 ];
- };
- };
- };
-
- testScript = ''
- $machine->succeed("nixos-container list") =~ /webserver/ or die;
-
- # Start the webserver container.
- $machine->succeed("nixos-container start webserver");
-
- my $ip = $machine->succeed("nixos-container show-ip webserver");
- chomp $ip;
- $machine->succeed("ping -n -c1 $ip");
-
- # Check that container root folder is owned by a new private user
- $machine->succeed('test $(stat -c "%U" /var/lib/containers/webserver) == "vu-webserver-0"');
-
- # Check that webserver is working before reload
- $machine->succeed("curl --fail http://$ip/ > /dev/null");
-
- # Reload container
- $machine->succeed('systemctl reload container@webserver');
-
- # Check that webserver is working after reload
- $machine->succeed("curl --fail http://$ip/ > /dev/null");
-
- # Stop the container.
- $machine->succeed("nixos-container stop webserver");
- $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
- '';
-})