pyrox.dev / nixpkgs
lol
fork atom

nixos/incus: fix AppArmor issue (#415057)

Adam C. Stephens 9d9e0f91 fed6a2f2

options
unified split
Changed files
+12 -2
nixos
modules
virtualisation
incus.nix
tests
incus
incus-tests.nix
+4 -2
nixos/modules/virtualisation/incus.nix 
···

       
348

       
348

       
 

       



     

       
349

       
349

       
 

       
          profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) {


     

       
350

       
350

       
 

       
            userns,


     

       
351

       

       
-

       
            </var/lib/incus/security/apparmor/cache>


     

       
352

       

       
-

       
            </var/lib/incus/security/apparmor/profiles>


     

       

       
351

       
+

       



     

       

       
352

       
+

       
            include "/var/lib/incus/security/apparmor/cache"


     

       
353

       
353

       
 

       



     

       
354

       
354

       
 

       
            # Site-specific additions and overrides. See local/README for details.


     

       
355

       
355

       
 

       
            include if exists <local/incusd>


     

       
356

       
356

       
 

       
          }


     

       

       
357

       
+

       



     

       

       
358

       
+

       
          include "/var/lib/incus/security/apparmor/profiles"


     

       
357

       
359

       
 

       
        '';


     

       
358

       
360

       
 

       
      };


     

       
359

       
361

       
 

       
      includes."abstractions/base" =
+8
nixos/tests/incus/incus-tests.nix 
···

       
221

       
221

       
 

       
            machine.succeed("incus storage show default")


     

       
222

       
222

       
 

       



     

       
223

       
223

       
 

       
      ''


     

       

       
224

       
+

       
      + lib.optionalString appArmor ''


     

       

       
225

       
+

       
        with subtest("Verify AppArmor service is started without issue"):


     

       

       
226

       
+

       
            # restart AppArmor service since the Incus AppArmor folders are


     

       

       
227

       
+

       
            # created after AA service is started


     

       

       
228

       
+

       
            machine.systemctl("restart apparmor.service")


     

       

       
229

       
+

       
            machine.succeed("systemctl --no-pager -l status apparmor.service")


     

       

       
230

       
+

       
            machine.wait_for_unit("apparmor.service")


     

       

       
231

       
+

       
      ''


     

       
224

       
232

       
 

       
      + lib.optionalString instanceContainer (


     

       
225

       
233

       
 

       
        lib.foldl (


     

       
226

       
234

       
 

       
          acc: variant: