startup=0 gpu_passthrough_intel=0 gpu_passthrough_nvidia=0 # Turning off seccomp filtering improves performance at the expense of security seccomp=1 # Use bridge networking to provide an isolated network namespace, # so docker can manage firewall rules # Alternatively use --network-macvlan=eno1 instead of --network-bridge # Ensure to change eno1/br1 to the interface name you want to use # You may want to add additional options here, e.g. bind mounts systemd_nspawn_user_args=--network-bridge=br1 --resolv-conf=bind-host --system-call-filter='add_key keyctl bpf' # Script to run on the HOST before starting the jail # Load kernel module and config kernel settings required for docker pre_start_hook=#!/usr/bin/bash set -euo pipefail echo 'PRE_START_HOOK' echo 1 > /proc/sys/net/ipv4/ip_forward modprobe br_netfilter echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables # Only used while creating the jail distro=debian release=bookworm # Install docker inside the jail: # https://docs.docker.com/engine/install/debian/#install-using-the-repository # Will also install the NVIDIA Container Toolkit if gpu_passthrough_nvidia=1 during initial setup # https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html initial_setup=#!/usr/bin/bash set -euo pipefail apt-get update && apt-get -y install ca-certificates curl install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc chmod a+r /etc/apt/keyrings/docker.asc echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ tee /etc/apt/sources.list.d/docker.list > /dev/null apt-get update apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin # The /usr/bin/nvidia-smi will be present when gpu_passthrough_nvidia=1 if [ -f /usr/bin/nvidia-smi ]; then curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey -o /etc/apt/keyrings/nvidia.asc chmod a+r /etc/apt/keyrings/nvidia.asc curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \ sed 's#deb https://#deb [signed-by=/etc/apt/keyrings/nvidia.asc] https://#g' | \ tee /etc/apt/sources.list.d/nvidia-container-toolkit.list apt-get update apt-get install -y nvidia-container-toolkit nvidia-ctk runtime configure --runtime=docker systemctl restart docker fi docker info # You generally will not need to change the options below systemd_run_default_args=--property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --collect --setenv=SYSTEMD_NSPAWN_LOCK=0 systemd_nspawn_default_args=--keep-unit --quiet --boot --bind-ro=/sys/module --inaccessible=/sys/module/apparmor