commit 7ea9ba60d8d957b0e9c88b717baec75b93b0174c · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2411.section.md

···

       872
       872
        
       

     

       873
       873
        
       - `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.

     

       874
       874
        
       

     

       875
       875
       +
       - `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to `incus` group instead of `incus-admin` for increased security.

     

       876
       876
       +
       

     

       875
       877
        
       ## Detailed Migration Information {#sec-release-24.11-migration}

     

       876
       878
        
       

     

       877
       879
        
       ### `sound` options removal {#sec-release-24.11-migration-sound}

+37 -1

nixos/modules/virtualisation/incus.nix

···

       153
       153
        
       

     

       154
       154
        
               Users in the "incus-admin" group can interact with

     

       155
       155
        
               the daemon (e.g. to start or stop containers) using the

     

       156
       156
       -
               {command}`incus` command line tool, among others

     

       156
       156
       +
               {command}`incus` command line tool, among others.

     

       157
       157
       +
               Users in the "incus" group can also interact with

     

       158
       158
       +
               the daemon, but with lower permissions

     

       159
       159
       +
               (i.e. administrative operations are forbidden).

     

       157
       160
        
             '';

     

       158
       161
        
       

     

       159
       162
        
             package = lib.mkPackageOption pkgs "incus-lts" { };

     
···

       359
       362
        
             };

     

       360
       363
        
           };

     

       361
       364
        
       

     

       365
       365
       +
           systemd.services.incus-user = {

     

       366
       366
       +
             description = "Incus Container and Virtual Machine Management User Daemon";

     

       367
       367
       +
       

     

       368
       368
       +
             inherit environment;

     

       369
       369
       +
       

     

       370
       370
       +
             after = [

     

       371
       371
       +
               "incus.service"

     

       372
       372
       +
               "incus-user.socket"

     

       373
       373
       +
             ];

     

       374
       374
       +
       

     

       375
       375
       +
             requires = [

     

       376
       376
       +
               "incus-user.socket"

     

       377
       377
       +
             ];

     

       378
       378
       +
       

     

       379
       379
       +
             serviceConfig = {

     

       380
       380
       +
               ExecStart = "${cfg.package}/bin/incus-user --group incus";

     

       381
       381
       +
       

     

       382
       382
       +
               Restart = "on-failure";

     

       383
       383
       +
             };

     

       384
       384
       +
           };

     

       385
       385
       +
       

     

       362
       386
        
           systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart {

     

       363
       387
        
             description = "Incus Instances Startup/Shutdown";

     

       364
       388
        
       

     
···

       391
       415
        
             };

     

       392
       416
        
           };

     

       393
       417
        
       

     

       418
       418
       +
           systemd.sockets.incus-user = {

     

       419
       419
       +
             description = "Incus user UNIX socket";

     

       420
       420
       +
             wantedBy = [ "sockets.target" ];

     

       421
       421
       +
       

     

       422
       422
       +
             socketConfig = {

     

       423
       423
       +
               ListenStream = "/var/lib/incus/unix.socket.user";

     

       424
       424
       +
               SocketMode = "0660";

     

       425
       425
       +
               SocketGroup = "incus";

     

       426
       426
       +
             };

     

       427
       427
       +
           };

     

       428
       428
       +
       

     

       394
       429
        
           systemd.services.incus-preseed = lib.mkIf (cfg.preseed != null) {

     

       395
       430
        
             description = "Incus initialization with preseed file";

     

       396
       431
        
       

     
···

       409
       444
        
             };

     

       410
       445
        
           };

     

       411
       446
        
       

     

       447
       447
       +
           users.groups.incus = { };

     

       412
       448
        
           users.groups.incus-admin = { };

     

       413
       449
        
       

     

       414
       450
        
           users.users.root = {

+53 -27

nixos/tests/incus/incusd-options.nix

···

       44
       44
        
                 preseed = {

     

       45
       45
        
                   networks = [

     

       46
       46
        
                     {

     

       47
       47
       -
                       name = "nixostestbr0";

     

       47
       47
       +
                       name = "incusbr0";

     

       48
       48
        
                       type = "bridge";

     

       49
       49
        
                       config = {

     

       50
       50
        
                         "ipv4.address" = "10.0.100.1/24";

     
···

       58
       58
        
                       devices = {

     

       59
       59
        
                         eth0 = {

     

       60
       60
        
                           name = "eth0";

     

       61
       61
       -
                           network = "nixostestbr0";

     

       61
       61
       +
                           network = "incusbr0";

     

       62
       62
        
                           type = "nic";

     

       63
       63
        
                         };

     

       64
       64
        
                         root = {

     

       65
       65
        
                           path = "/";

     

       66
       66
       -
                           pool = "nixostest_pool";

     

       66
       66
       +
                           pool = "default";

     

       67
       67
        
                           size = "35GiB";

     

       68
       68
        
                           type = "disk";

     

       69
       69
        
                         };

     
···

       72
       72
        
                   ];

     

       73
       73
        
                   storage_pools = [

     

       74
       74
        
                     {

     

       75
       75
       -
                       name = "nixostest_pool";

     

       75
       75
       +
                       name = "default";

     

       76
       76
        
                       driver = "dir";

     

       77
       77
        
                     }

     

       78
       78
        
                   ];

     

       79
       79
        
                 };

     

       80
       80
        
               };

     

       81
       81
       +
       

     

       81
       82
        
             };

     

       83
       83
       +
       

     

       82
       84
        
             networking.nftables.enable = true;

     

       85
       85
       +
       

     

       86
       86
       +
             users.users.testuser = {

     

       87
       87
       +
               isNormalUser = true;

     

       88
       88
       +
               shell = pkgs.bashInteractive;

     

       89
       89
       +
               group = "incus";

     

       90
       90
       +
               uid = 1000;

     

       91
       91
       +
             };

     

       83
       92
        
           };

     

       84
       93
        
       

     

       85
       85
       -
           testScript = ''

     

       86
       86
       -
             def instance_is_up(_) -> bool:

     

       87
       87
       -
                 status, _ = machine.execute("incus exec container --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running")

     

       88
       88
       -
                 return status == 0

     

       94
       94
       +
           testScript = # python

     

       95
       95
       +
             ''

     

       96
       96
       +
               def wait_for_instance(name: str, project: str = "default"):

     

       97
       97
       +
                   def instance_is_up(_) -> bool:

     

       98
       98
       +
                       status, _ = machine.execute(f"incus exec {name} --disable-stdin --force-interactive --project {project} -- /run/current-system/sw/bin/systemctl is-system-running")

     

       99
       99
       +
                       return status == 0

     

       89
       100
        
       

     

       90
       90
       -
             machine.wait_for_unit("incus.service")

     

       91
       91
       -
             machine.wait_for_unit("incus-preseed.service")

     

       101
       101
       +
                   with machine.nested(f"Waiting for instance {name} to start and be usable"):

     

       102
       102
       +
                     retry(instance_is_up)

     

       92
       103
        
       

     

       93
       93
       -
             with subtest("Container image can be imported"):

     

       94
       94
       -
                 machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")

     

       104
       104
       +
               machine.wait_for_unit("incus.service")

     

       105
       105
       +
               machine.wait_for_unit("incus-preseed.service")

     

       95
       106
        
       

     

       96
       96
       -
             with subtest("Container can be launched and managed"):

     

       97
       97
       -
                 machine.succeed("incus launch nixos container")

     

       98
       98
       -
                 with machine.nested("Waiting for instance to start and be usable"):

     

       99
       99
       -
                   retry(instance_is_up)

     

       100
       100
       -
                 machine.succeed("echo true | incus exec container /run/current-system/sw/bin/bash -")

     

       107
       107
       +
               with subtest("Container image can be imported"):

     

       108
       108
       +
                   machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")

     

       101
       109
        
       

     

       102
       102
       -
             with subtest("Verify preseed resources created"):

     

       103
       103
       -
                 machine.succeed("incus profile show default")

     

       104
       104
       -
                 machine.succeed("incus network info nixostestbr0")

     

       105
       105
       -
                 machine.succeed("incus storage show nixostest_pool")

     

       110
       110
       +
               with subtest("Container can be launched and managed"):

     

       111
       111
       +
                   machine.succeed("incus launch nixos instance1")

     

       112
       112
       +
                   wait_for_instance("instance1")

     

       113
       113
       +
                   machine.succeed("echo true | incus exec instance1 /run/current-system/sw/bin/bash -")

     

       106
       114
        
       

     

       107
       107
       -
             with subtest("Instance is stopped when softDaemonRestart is disabled and services is stopped"):

     

       108
       108
       -
                 pid = machine.succeed("incus info container | grep 'PID'").split(":")[1].strip()

     

       109
       109
       -
                 machine.succeed(f"ps {pid}")

     

       110
       110
       -
                 machine.succeed("systemctl stop incus")

     

       111
       111
       -
                 machine.fail(f"ps {pid}")

     

       112
       112
       -
           '';

     

       115
       115
       +
               with subtest("Verify preseed resources created"):

     

       116
       116
       +
                   machine.succeed("incus profile show default")

     

       117
       117
       +
                   machine.succeed("incus network info incusbr0")

     

       118
       118
       +
                   machine.succeed("incus storage show default")

     

       119
       119
       +
       

     

       120
       120
       +
               with subtest("Instance is stopped when softDaemonRestart is disabled and services is stopped"):

     

       121
       121
       +
                   pid = machine.succeed("incus info instance1 | grep 'PID'").split(":")[1].strip()

     

       122
       122
       +
                   machine.succeed(f"ps {pid}")

     

       123
       123
       +
                   machine.succeed("systemctl stop incus")

     

       124
       124
       +
                   machine.fail(f"ps {pid}")

     

       125
       125
       +
       

     

       126
       126
       +
               with subtest("incus-user allows restricted access for users"):

     

       127
       127
       +
                   machine.fail("incus project show user-1000")

     

       128
       128
       +
                   machine.succeed("su - testuser bash -c 'incus list'")

     

       129
       129
       +
                   # a project is created dynamically for the user

     

       130
       130
       +
                   machine.succeed("incus project show user-1000")

     

       131
       131
       +
                   # users shouldn't be able to list storage pools

     

       132
       132
       +
                   machine.fail("su - testuser bash -c 'incus storage list'")

     

       133
       133
       +
       

     

       134
       134
       +
               with subtest("incus-user allows users to launch instances"):

     

       135
       135
       +
                   machine.succeed("su - testuser bash -c 'incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos'")

     

       136
       136
       +
                   machine.succeed("su - testuser bash -c 'incus launch nixos instance2'")

     

       137
       137
       +
                   wait_for_instance("instance2", "user-1000")

     

       138
       138
       +
             '';

     

       113
       139
        
         }

     

       114
       140
        
       )