commit 50bb5d33388e561225b7bdd12f8ee5109cb25b29 · pyrox.dev/nixpkgs

+10 -44

nixos/modules/virtualisation/lxc-container.nix

···

       1
       1
        
       { lib, config, pkgs, ... }:

     

       2
       2
        
       

     

       3
       3
       -
       let

     

       4
       4
       -
         cfg = config.virtualisation.lxc;

     

       5
       5
       -
       in {

     

       3
       3
       +
       {

     

       4
       4
       +
         meta.maintainers = with lib.maintainers; [ adamcstephens ];

     

       5
       5
       +
       

     

       6
       6
        
         imports = [

     

       7
       7
        
           ./lxc-instance-common.nix

     

       8
       8
       -
         ];

     

       9
       8
        
       

     

       10
       10
       -
         options = {

     

       11
       11
       -
           virtualisation.lxc = {

     

       12
       12
       -
             nestedContainer = lib.mkEnableOption (lib.mdDoc ''

     

       13
       13
       -
               Whether this container is configured as a nested container. On LXD containers this is recommended

     

       14
       14
       -
               for all containers and is enabled with `security.nesting = true`.

     

       15
       15
       -
             '');

     

       9
       9
       +
           (lib.mkRemovedOptionModule [ "virtualisation" "lxc" "nestedContainer" ] "")

     

       10
       10
       +
           (lib.mkRemovedOptionModule [ "virtualisation" "lxc" "privilegedContainer" ] "")

     

       11
       11
       +
         ];

     

       16
       12
        
       

     

       17
       17
       -
             privilegedContainer = lib.mkEnableOption (lib.mdDoc ''

     

       18
       18
       -
               Whether this LXC container will be running as a privileged container or not. If set to `true` then

     

       19
       19
       -
               additional configuration will be applied to the `systemd` instance running within the container as

     

       20
       20
       -
               recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).

     

       21
       21
       -
             '');

     

       22
       22
       -
           };

     

       23
       23
       -
         };

     

       13
       13
       +
         options = { };

     

       24
       14
        
       

     

       25
       15
        
         config = {

     

       26
       16
        
           boot.isContainer = true;

     
···

       85
       75
        
             ${pkgs.coreutils}/bin/ln -fs "$1/init" /sbin/init

     

       86
       76
        
           '';

     

       87
       77
        
       

     

       88
       88
       -
           systemd.additionalUpstreamSystemUnits = lib.mkIf cfg.nestedContainer ["systemd-udev-trigger.service"];

     

       78
       78
       +
           # networkd depends on this, but systemd module disables this for containers

     

       79
       79
       +
           systemd.additionalUpstreamSystemUnits = ["systemd-udev-trigger.service"];

     

       89
       80
        
       

     

       90
       90
       -
           # Add the overrides from lxd distrobuilder

     

       91
       91
       -
           # https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630

     

       92
       92
       -
           systemd.packages = [

     

       93
       93
       -
             (pkgs.writeTextFile {

     

       94
       94
       -
               name = "systemd-lxc-service-overrides";

     

       95
       95
       -
               destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";

     

       96
       96
       -
               text = ''

     

       97
       97
       -
                 [Service]

     

       98
       98
       -
                 ProcSubset=all

     

       99
       99
       -
                 ProtectProc=default

     

       100
       100
       -
                 ProtectControlGroups=no

     

       101
       101
       -
                 ProtectKernelTunables=no

     

       102
       102
       -
                 NoNewPrivileges=no

     

       103
       103
       -
                 LoadCredential=

     

       104
       104
       -
               '' + lib.optionalString cfg.privilegedContainer ''

     

       105
       105
       -
                 # Additional settings for privileged containers

     

       106
       106
       -
                 ProtectHome=no

     

       107
       107
       -
                 ProtectSystem=no

     

       108
       108
       -
                 PrivateDevices=no

     

       109
       109
       -
                 PrivateTmp=no

     

       110
       110
       -
                 ProtectKernelLogs=no

     

       111
       111
       -
                 ProtectKernelModules=no

     

       112
       112
       -
                 ReadWritePaths=

     

       113
       113
       -
               '';

     

       114
       114
       -
             })

     

       115
       115
       -
           ];

     

       81
       81
       +
           systemd.packages = [ pkgs.distrobuilder.generator ];

     

       116
       82
        
       

     

       117
       83
        
           system.activationScripts.installInitScript = lib.mkForce ''

     

       118
       84
        
             ln -fs $systemConfig/init /sbin/init

+28

nixos/tests/incus/container.nix

···

       73
       73
        
               meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip()

     

       74
       74
        
               meminfo_bytes = " ".join(meminfo.split(' ')[-2:])

     

       75
       75
        
               assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'"

     

       76
       76
       +
       

     

       77
       77
       +
           with subtest("lxc-container generator configures plain container"):

     

       78
       78
       +
               machine.execute("incus delete --force container")

     

       79
       79
       +
               machine.succeed("incus launch nixos container")

     

       80
       80
       +
               with machine.nested("Waiting for instance to start and be usable"):

     

       81
       81
       +
                 retry(instance_is_up)

     

       82
       82
       +
       

     

       83
       83
       +
               machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")

     

       84
       84
       +
       

     

       85
       85
       +
           with subtest("lxc-container generator configures nested container"):

     

       86
       86
       +
               machine.execute("incus delete --force container")

     

       87
       87
       +
               machine.succeed("incus launch nixos container --config security.nesting=true")

     

       88
       88
       +
               with machine.nested("Waiting for instance to start and be usable"):

     

       89
       89
       +
                 retry(instance_is_up)

     

       90
       90
       +
       

     

       91
       91
       +
               machine.fail("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")

     

       92
       92
       +
               target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()

     

       93
       93
       +
               assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"

     

       94
       94
       +
       

     

       95
       95
       +
           with subtest("lxc-container generator configures privileged container"):

     

       96
       96
       +
               machine.execute("incus delete --force container")

     

       97
       97
       +
               machine.succeed("incus launch nixos container --config security.privileged=true")

     

       98
       98
       +
               with machine.nested("Waiting for instance to start and be usable"):

     

       99
       99
       +
                 retry(instance_is_up)

     

       100
       100
       +
               # give generator an extra second to run

     

       101
       101
       +
               machine.sleep(1)

     

       102
       102
       +
       

     

       103
       103
       +
               machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")

     

       76
       104
        
         '';

     

       77
       105
        
       })

+16 -23

pkgs/tools/virtualization/distrobuilder/default.nix

···

       8
       8
        
       , gnutar

     

       9
       9
        
       , squashfsTools

     

       10
       10
        
       , debootstrap

     

       11
       11
       -
       , fetchpatch

     

       11
       11
       +
       , callPackage

     

       12
       12
       +
       , nixosTests

     

       12
       13
        
       }:

     

       13
       14
        
       

     

       14
       15
        
       let

     
···

       22
       23
        
       in

     

       23
       24
        
       buildGoModule rec {

     

       24
       25
        
         pname = "distrobuilder";

     

       25
       25
       -
         version = "2.1";

     

       26
       26
       +
         version = "3.0";

     

       26
       27
        
       

     

       27
       27
       -
         vendorHash = "sha256-yRMsf8KfpNmVUX4Rn4ZPLUPFZCT/g78MKAfgbFDPVkE=";

     

       28
       28
       +
         vendorHash = "sha256-pFrEkZnrcx0d3oM1klQrNHH+MiLvO4V1uFQdE0kXUqM=";

     

       28
       29
        
       

     

       29
       30
        
         src = fetchFromGitHub {

     

       30
       31
        
           owner = "lxc";

     

       31
       32
        
           repo = "distrobuilder";

     

       32
       32
       -
           rev = "distrobuilder-${version}";

     

       33
       33
       -
           sha256 = "sha256-t3ECLtb0tvIzTWgjmVQDFza+kcm3abTZZMSGYjvw1qQ=";

     

       33
       33
       +
           rev = "refs/tags/distrobuilder-${version}";

     

       34
       34
       +
           sha256 = "sha256-JfME9VaqaQnrhnzhSLGUy9uU+tki1hXdnwqBUD/5XH0=";

     

       34
       35
        
           fetchSubmodules = false;

     

       35
       36
        
         };

     

       36
       37
        
       

     

       37
       38
        
         buildInputs = bins;

     

       38
       39
        
       

     

       39
       39
       -
         patches = [

     

       40
       40
       -
           # go.mod update: needed to to include a newer lxd which contains

     

       41
       41
       -
           # https://github.com/canonical/lxd/commit/d83f061a21f509d42b7a334b97403d2a019a7b52

     

       42
       42
       -
           # which is needed to fix the build w/glibc-2.36.

     

       43
       43
       -
           (fetchpatch {

     

       44
       44
       -
             url = "https://github.com/lxc/distrobuilder/commit/5346bcc77dd7f141a36a8da851f016d0b929835e.patch";

     

       45
       45
       -
             sha256 = "sha256-H6cSbY0v/FThx72AvoAvUCs2VCYN/PQ0W4H82mQQ3SI=";

     

       46
       46
       -
           })

     

       47
       47
       -
           # Fixup to keep it building after go.mod update.

     

       48
       48
       -
           (fetchpatch {

     

       49
       49
       -
             url = "https://github.com/lxc/distrobuilder/commit/2c8cbfbf603e7446efce9f30812812336ccf4f2c.patch";

     

       50
       50
       -
             sha256 = "sha256-qqofghcHGosR2qycGb02c8rwErFyRRhsRKdQfyah8Ds=";

     

       51
       51
       -
           })

     

       52
       52
       -
         ];

     

       53
       40
        
       

     

       54
       41
        
         # tests require a local keyserver (mkg20001/nixpkgs branch distrobuilder-with-tests) but gpg is currently broken in tests

     

       55
       42
        
         doCheck = false;

     
···

       63
       50
        
           wrapProgram $out/bin/distrobuilder --prefix PATH ":" ${lib.makeBinPath bins}

     

       64
       51
        
         '';

     

       65
       52
        
       

     

       66
       66
       -
         meta = with lib; {

     

       53
       53
       +
         passthru = {

     

       54
       54
       +
           tests.incus = nixosTests.incus.container;

     

       55
       55
       +
       

     

       56
       56
       +
           generator = callPackage ./generator.nix { inherit src version; };

     

       57
       57
       +
         };

     

       58
       58
       +
       

     

       59
       59
       +
         meta = {

     

       67
       60
        
           description = "System container image builder for LXC and LXD";

     

       68
       61
        
           homepage = "https://github.com/lxc/distrobuilder";

     

       69
       69
       -
           license = licenses.asl20;

     

       70
       70
       -
           maintainers = with maintainers; [ megheaiulian ];

     

       71
       71
       -
           platforms = platforms.linux;

     

       62
       62
       +
           license = lib.licenses.asl20;

     

       63
       63
       +
           maintainers = with lib.maintainers; [ megheaiulian adamcstephens ];

     

       64
       64
       +
           platforms = lib.platforms.linux;

     

       72
       65
        
           mainProgram = "distrobuilder";

     

       73
       66
        
         };

     

       74
       67
        
       }

+19

pkgs/tools/virtualization/distrobuilder/generator.nix

···

       1
       1
       +
       { stdenvNoCC, lib, src, version, makeWrapper, coreutils, findutils, gnugrep, systemd }:

     

       2
       2
       +
       

     

       3
       3
       +
       stdenvNoCC.mkDerivation {

     

       4
       4
       +
         name = "distrobuilder-nixos-generator";

     

       5
       5
       +
       

     

       6
       6
       +
         inherit src version;

     

       7
       7
       +
       

     

       8
       8
       +
         patches = [

     

       9
       9
       +
           ./nixos-generator.patch

     

       10
       10
       +
         ];

     

       11
       11
       +
       

     

       12
       12
       +
         dontBuild = true;

     

       13
       13
       +
         nativeBuildInputs = [ makeWrapper ];

     

       14
       14
       +
       

     

       15
       15
       +
         installPhase = ''

     

       16
       16
       +
           install -D -m 0555 distrobuilder/lxc.generator $out/lib/systemd/system-generators/lxc

     

       17
       17
       +
           wrapProgram $out/lib/systemd/system-generators/lxc --prefix PATH : ${lib.makeBinPath [coreutils findutils gnugrep systemd]}:${systemd}/lib/systemd

     

       18
       18
       +
         '';

     

       19
       19
       +
       }

+113

pkgs/tools/virtualization/distrobuilder/nixos-generator.patch

···

       1
       1
       +
       diff --git a/distrobuilder/lxc.generator b/distrobuilder/lxc.generator

     

       2
       2
       +
       index 0ad81d1..69dbfe7 100644

     

       3
       3
       +
       --- a/distrobuilder/lxc.generator

     

       4
       4
       +
       +++ b/distrobuilder/lxc.generator

     

       5
       5
       +
       @@ -25,16 +25,6 @@ is_incus_vm() {

     

       6
       6
       +
        	[ -e /dev/virtio-ports/org.linuxcontainers.incus ]

     

       7
       7
       +
        }

     

       8
       8
       +
        

     

       9
       9
       +
       -# is_in_path succeeds if the given file exists in on of the paths

     

       10
       10
       +
       -is_in_path() {

     

       11
       11
       +
       -	# Don't use $PATH as that may not include all relevant paths

     

       12
       12
       +
       -	for path in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do

     

       13
       13
       +
       -		[ -e "${path}/$1" ] && return 0

     

       14
       14
       +
       -	done

     

       15
       15
       +
       -

     

       16
       16
       +
       -	return 1

     

       17
       17
       +
       -}

     

       18
       18
       +
       -

     

       19
       19
       +
        ## Fix functions

     

       20
       20
       +
        # fix_ro_paths avoids udevd issues with /sys and /proc being writable

     

       21
       21
       +
        fix_ro_paths() {

     

       22
       22
       +
       @@ -45,35 +35,6 @@ BindReadOnlyPaths=/sys /proc

     

       23
       23
       +
        EOF

     

       24
       24
       +
        }

     

       25
       25
       +
        

     

       26
       26
       +
       -# fix_nm_link_state forces the network interface to a DOWN state ahead of NetworkManager starting up

     

       27
       27
       +
       -fix_nm_link_state() {

     

       28
       28
       +
       -	[ -e "/sys/class/net/$1" ] || return 0

     

       29
       29
       +
       -	ip_path=

     

       30
       30
       +
       -	if [ -f /sbin/ip ]; then

     

       31
       31
       +
       -		ip_path=/sbin/ip

     

       32
       32
       +
       -	elif [ -f /bin/ip ]; then

     

       33
       33
       +
       -		ip_path=/bin/ip

     

       34
       34
       +
       -	else

     

       35
       35
       +
       -		return 0

     

       36
       36
       +
       -	fi

     

       37
       37
       +
       -	cat <<-EOF > /run/systemd/system/network-device-down.service

     

       38
       38
       +
       -[Unit]

     

       39
       39
       +
       -Description=Turn off network device

     

       40
       40
       +
       -Before=NetworkManager.service

     

       41
       41
       +
       -Before=systemd-networkd.service

     

       42
       42
       +
       -[Service]

     

       43
       43
       +
       -# do not turn off if there is a default route to 169.254.0.1, i.e. the device is a routed nic

     

       44
       44
       +
       -ExecCondition=/bin/sh -c '! /usr/bin/grep -qs 00000000.0100FEA9 /proc/net/route'

     

       45
       45
       +
       -ExecStart=-${ip_path} link set $1 down

     

       46
       46
       +
       -Type=oneshot

     

       47
       47
       +
       -RemainAfterExit=true

     

       48
       48
       +
       -[Install]

     

       49
       49
       +
       -WantedBy=default.target

     

       50
       50
       +
       -EOF

     

       51
       51
       +
       -	mkdir -p /run/systemd/system/default.target.wants

     

       52
       52
       +
       -	ln -sf /run/systemd/system/network-device-down.service /run/systemd/system/default.target.wants/network-device-down.service

     

       53
       53
       +
       -}

     

       54
       54
       +
       -

     

       55
       55
       +
        # fix_systemd_override_unit generates a unit specific override

     

       56
       56
       +
        fix_systemd_override_unit() {

     

       57
       57
       +
        	dropin_dir="/run/systemd/${1}.d"

     

       58
       58
       +
       @@ -112,16 +73,7 @@ fix_systemd_mask() {

     

       59
       59
       +
        # fix_systemd_udev_trigger overrides the systemd-udev-trigger.service to match the latest version

     

       60
       60
       +
        # of the file which uses "ExecStart=-" instead of "ExecStart=".

     

       61
       61
       +
        fix_systemd_udev_trigger() {

     

       62
       62
       +
       -	cmd=

     

       63
       63
       +
       -	if [ -f /usr/bin/udevadm ]; then

     

       64
       64
       +
       -		cmd=/usr/bin/udevadm

     

       65
       65
       +
       -	elif [ -f /sbin/udevadm ]; then

     

       66
       66
       +
       -		cmd=/sbin/udevadm

     

       67
       67
       +
       -	elif [ -f /bin/udevadm ]; then

     

       68
       68
       +
       -		cmd=/bin/udevadm

     

       69
       69
       +
       -	else

     

       70
       70
       +
       -		return 0

     

       71
       71
       +
       -	fi

     

       72
       72
       +
       +	cmd=udevadm

     

       73
       73
       +
        

     

       74
       74
       +
        	mkdir -p /run/systemd/system/systemd-udev-trigger.service.d

     

       75
       75
       +
        	cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf

     

       76
       76
       +
       @@ -145,24 +97,12 @@ EOF

     

       77
       77
       +
        }

     

       78
       78
       +
        

     

       79
       79
       +
        ## Main logic

     

       80
       80
       +
       -# Nothing to do in Incus VM but deployed in case it is later converted to a container

     

       81
       81
       +
       -is_incus_vm || is_lxd_vm && exit 0

     

       82
       82
       +
        

     

       83
       83
       +
        # Exit immediately if not an Incus/LXC container

     

       84
       84
       +
        is_lxc_container || exit 0

     

       85
       85
       +
        

     

       86
       86
       +
       -# Check for NetworkManager

     

       87
       87
       +
       -nm_exists=0

     

       88
       88
       +
       -

     

       89
       89
       +
       -is_in_path NetworkManager && nm_exists=1

     

       90
       90
       +
       -

     

       91
       91
       +
        # Determine systemd version

     

       92
       92
       +
       -for path in /usr/lib/systemd/systemd /lib/systemd/systemd; do

     

       93
       93
       +
       -	[ -x "${path}" ] || continue

     

       94
       94
       +
       -

     

       95
       95
       +
       -	systemd_version="$("${path}" --version | head -n1 | cut -d' ' -f2)"

     

       96
       96
       +
       -	break

     

       97
       97
       +
       -done

     

       98
       98
       +
       +systemd_version="$(systemd --version | head -n1 | cut -d' ' -f2)"

     

       99
       99
       +
        

     

       100
       100
       +
        # Determine distro name and release

     

       101
       101
       +
        ID=""

     

       102
       102
       +
       @@ -222,11 +162,6 @@ ACTION=="add|change|move", ENV{ID_NET_DRIVER}=="veth", ENV{INTERFACE}=="eth[0-9]

     

       103
       103
       +
        EOF

     

       104
       104
       +
        fi

     

       105
       105
       +
        

     

       106
       106
       +
       -# Workarounds for NetworkManager in containers

     

       107
       107
       +
       -if [ "${nm_exists}" -eq 1 ]; then

     

       108
       108
       +
       -	fix_nm_link_state eth0

     

       109
       109
       +
       -fi

     

       110
       110
       +
       -

     

       111
       111
       +
        # Allow masking units created by the lxc system-generator.

     

       112
       112
       +
        for d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system; do

     

       113
       113
       +
        	if ! [ -d "${d}" ]; then