pyrox.dev / nixpkgs
lol
fork atom

nixos/containers: allow containers with long names to create private networks

Launching a container with a private network requires creating a
dedicated networking interface for it; name of that interface is derived
from the container name itself - e.g. a container named `foo` gets
attached to an interface named `ve-foo`.

An interface name can span up to IFNAMSIZ characters, which means that a
container name must contain at most IFNAMSIZ - 3 - 1 = 11 characters;
it's a limit that we validate using a build-time assertion.

This limit has been upgraded with Linux 5.8, as it allows for an
interface to contain a so-called altname, which can be much longer,
while remaining treated as a first-class citizen.

Since altnames have been supported natively by systemd for a while now,
due diligence on our side ends with dropping the name-assertion on newer
kernels.

This commit closes #38509.

systemd/systemd#14467
systemd/systemd#17220
https://lwn.net/Articles/794289/

Patryk Wychowaniec 336ef2de 5f1345a3

options
unified split
Changed files
+46 -4
nixos
modules
virtualisation
nixos-containers.nix
tests
all-tests.nix
containers-names.nix
+8 -4
nixos/modules/virtualisation/nixos-containers.nix 
···

       
271

       
271

       
 

       
    DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;


     

       
272

       
272

       
 

       
  };


     

       
273

       
273

       
 

       



     

       
274

       

       
-

       



     

       
275

       
274

       
 

       
  system = config.nixpkgs.localSystem.system;


     

       

       
275

       
+

       
  kernelVersion = config.boot.kernelPackages.kernel.version;


     

       
276

       
276

       
 

       



     

       
277

       
277

       
 

       
  bindMountOpts = { name, ... }: {


     

       
278

       
278

       
 

       



     
···

       
320

       
320

       
 

       
      };


     

       
321

       
321

       
 

       
    };


     

       
322

       
322

       
 

       
  };


     

       
323

       

       
-

       



     

       
324

       
323

       
 

       



     

       
325

       
324

       
 

       
  mkBindFlag = d:


     

       
326

       
325

       
 

       
               let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";


     
···

       
482

       
481

       
 

       
                          networking.useDHCP = false;


     

       
483

       
482

       
 

       
                          assertions = [


     

       
484

       
483

       
 

       
                            {


     

       
485

       

       
-

       
                              assertion =  config.privateNetwork -> stringLength name < 12;


     

       

       
484

       
+

       
                              assertion =


     

       

       
485

       
+

       
                                (builtins.compareVersions kernelVersion "5.8" <= 0)


     

       

       
486

       
+

       
                                -> config.privateNetwork


     

       

       
487

       
+

       
                                -> stringLength name <= 11;


     

       
486

       
488

       
 

       
                              message = ''


     

       
487

       
489

       
 

       
                                Container name `${name}` is too long: When `privateNetwork` is enabled, container names can


     

       
488

       
490

       
 

       
                                not be longer than 11 characters, because the container's interface name is derived from it.


     

       
489

       

       
-

       
                                This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509


     

       

       
491

       
+

       
                                You should either make the container name shorter or upgrade to a more recent kernel that


     

       

       
492

       
+

       
                                supports interface altnames (i.e. at least Linux 5.8 - please see https://github.com/NixOS/nixpkgs/issues/38509


     

       

       
493

       
+

       
                                for details).


     

       
490

       
494

       
 

       
                              '';


     

       
491

       
495

       
 

       
                            }


     

       
492

       
496

       
 

       
                          ];
+1
nixos/tests/all-tests.nix 
···

       
72

       
72

       
 

       
  containers-imperative = handleTest ./containers-imperative.nix {};


     

       
73

       
73

       
 

       
  containers-ip = handleTest ./containers-ip.nix {};


     

       
74

       
74

       
 

       
  containers-macvlans = handleTest ./containers-macvlans.nix {};


     

       

       
75

       
+

       
  containers-names = handleTest ./containers-names.nix {};


     

       
75

       
76

       
 

       
  containers-physical_interfaces = handleTest ./containers-physical_interfaces.nix {};


     

       
76

       
77

       
 

       
  containers-portforward = handleTest ./containers-portforward.nix {};


     

       
77

       
78

       
 

       
  containers-reloadable = handleTest ./containers-reloadable.nix {};
+37
nixos/tests/containers-names.nix 
···

       

       
1

       
+

       
import ./make-test-python.nix ({ pkgs, lib, ... }: {


     

       

       
2

       
+

       
  name = "containers-names";


     

       

       
3

       
+

       
  meta = {


     

       

       
4

       
+

       
    maintainers = with lib.maintainers; [ patryk27 ];


     

       

       
5

       
+

       
  };


     

       

       
6

       
+

       



     

       

       
7

       
+

       
  machine = { ... }: {


     

       

       
8

       
+

       
    # We're using the newest kernel, so that we can test containers with long names.


     

       

       
9

       
+

       
    # Please see https://github.com/NixOS/nixpkgs/issues/38509 for details.


     

       

       
10

       
+

       
    boot.kernelPackages = pkgs.linuxPackages_latest;


     

       

       
11

       
+

       



     

       

       
12

       
+

       
    containers = let


     

       

       
13

       
+

       
      container = subnet: {


     

       

       
14

       
+

       
        autoStart = true;


     

       

       
15

       
+

       
        privateNetwork = true;


     

       

       
16

       
+

       
        hostAddress = "192.168.${subnet}.1";


     

       

       
17

       
+

       
        localAddress = "192.168.${subnet}.2";


     

       

       
18

       
+

       
        config = { };


     

       

       
19

       
+

       
      };


     

       

       
20

       
+

       



     

       

       
21

       
+

       
     in {


     

       

       
22

       
+

       
      first = container "1";


     

       

       
23

       
+

       
      second = container "2";


     

       

       
24

       
+

       
      really-long-name = container "3";


     

       

       
25

       
+

       
      really-long-long-name-2 = container "4";


     

       

       
26

       
+

       
    };


     

       

       
27

       
+

       
  };


     

       

       
28

       
+

       



     

       

       
29

       
+

       
  testScript = ''


     

       

       
30

       
+

       
    machine.wait_for_unit("default.target")


     

       

       
31

       
+

       



     

       

       
32

       
+

       
    machine.succeed("ip link show | grep ve-first")


     

       

       
33

       
+

       
    machine.succeed("ip link show | grep ve-second")


     

       

       
34

       
+

       
    machine.succeed("ip link show | grep ve-really-lFYWO")


     

       

       
35

       
+

       
    machine.succeed("ip link show | grep ve-really-l3QgY")


     

       

       
36

       
+

       
  '';


     

       

       
37

       
+

       
})