startup=0
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
# Turning off seccomp filtering improves performance at the expense of security
seccomp=1
# Use macvlan networking to provide an isolated network namespace,
# so docker can manage firewall rules
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
# Be sure to change eno1/br1 to the name of the interface you want to use
# You may want to add additional options here, e.g. bind mounts
systemd_nspawn_user_args=--network-bridge=br1
--resolv-conf=bind-host
--system-call-filter='add_key keyctl bpf'
# Script to run on the HOST before starting the jail
# Load the kernel module and configure the kernel settings required by docker
pre_start_hook=#!/usr/bin/bash
    # Runs on the HOST before the jail is started: loads the kernel module and
    # enables the kernel settings that docker inside the jail depends on.
    set -euo pipefail
    echo 'PRE_START_HOOK'
    # Host-side IP forwarding for the jail's traffic
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # The bridge-nf-call-* sysctls below only exist once br_netfilter is loaded
    modprobe br_netfilter
    # Let iptables / ip6tables see bridged traffic (needed for docker's rules)
    for bridge_sysctl in /proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/bridge/bridge-nf-call-ip6tables; do
        echo 1 > "$bridge_sysctl"
    done
# Only used while creating the jail
distro=debian
release=bookworm
# Install docker inside the jail:
# https://docs.docker.com/engine/install/debian/#install-using-the-repository
# Also installs the NVIDIA Container Toolkit when gpu_passthrough_nvidia=1 during the initial setup
# https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
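initial_setup=#!/usr/bin/bash
    # Runs once inside the jail when it is created: installs docker from
    # Docker's apt repository and, when an NVIDIA GPU is passed through,
    # the NVIDIA Container Toolkit. Any failing step aborts the setup (set -e).
    set -euo pipefail

    apt-get update && apt-get -y install ca-certificates curl
    install -m 0755 -d /etc/apt/keyrings
    # -f makes curl fail on an HTTP error instead of saving the error page as the key
    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
    chmod a+r /etc/apt/keyrings/docker.asc

    # Pin the repository to the key fetched above (signed-by) so apt only trusts
    # packages signed with it
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    tee /etc/apt/sources.list.d/docker.list > /dev/null

    apt-get update
    apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

    # The /usr/bin/nvidia-smi will be present when gpu_passthrough_nvidia=1
    if [ -f /usr/bin/nvidia-smi ]; then
        curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey -o /etc/apt/keyrings/nvidia.asc
        chmod a+r /etc/apt/keyrings/nvidia.asc
        # -f here as well: without it an HTTP error body would be written into the
        # sources list, because curl exits 0 on HTTP errors and pipefail would not trip
        curl -fsSL https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
        sed 's#deb https://#deb [signed-by=/etc/apt/keyrings/nvidia.asc] https://#g' | \
        tee /etc/apt/sources.list.d/nvidia-container-toolkit.list

        apt-get update
        apt-get install -y nvidia-container-toolkit

        # Register the nvidia runtime with docker and reload the daemon config
        nvidia-ctk runtime configure --runtime=docker
        systemctl restart docker
    fi

    # Sanity check: a non-zero exit here fails the setup, so a daemon that did
    # not come up is caught at creation time rather than on first use
    docker info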
|
2024-02-11 17:30:47 +00:00
|
|
|
|
|
|
|
# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed
--property=Type=notify
--property=RestartForceExitStatus=133
--property=SuccessExitStatus=133
--property=Delegate=yes
--property=TasksMax=infinity
--collect
--setenv=SYSTEMD_NSPAWN_LOCK=0
systemd_nspawn_default_args=--keep-unit
--quiet
--boot
--bind-ro=/sys/module
--inaccessible=/sys/module/apparmor