pyrox.dev / nixpkgs
lol
fork atom

containers: Do not wait for udev for network devices

Test that adding physical devices to containers works, find that network setup
then doesn't work because there is no udev in the container to tell systemd
that the device is present.
Fixed by not depending on the device in the container.

Activate the new container test for release

Bonds, bridges and other network devices need the underlying not as
dependency when used inside the container. Because the device is already
there.

But the address configuration needs the aggregated device itself.

Arnold Krille f0492bd5 2e255a2e

options
unified split
Changed files
+101 -12
nixos
modules
tasks
network-interfaces-scripted.nix
network-interfaces.nix
release.nix
tests
containers-physical_interfaces.nix
+25 -8
nixos/modules/tasks/network-interfaces-scripted.nix 
···

       
46

       
 

       
    systemd.services =


     

       
47

       
 

       
      let


     

       
48

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
49

       
 

       
        networkLocalCommands = {


     

       
50

       
 

       
          after = [ "network-setup.service" ];


     

       
51

       
 

       
          bindsTo = [ "network-setup.service" ];


     
···

       
120

       
 

       
            # order before network-setup because the routes that are configured


     

       
121

       
 

       
            # there may need ip addresses configured


     

       
122

       
 

       
            before = [ "network-setup.service" ];


     

       
123

       
-

       
            bindsTo = [ (subsystemDevice i.name) ];


     

       
124

       
-

       
            after = [ (subsystemDevice i.name) "network-pre.target" ];


     

       
125

       
 

       
            serviceConfig.Type = "oneshot";


     

       
126

       
 

       
            serviceConfig.RemainAfterExit = true;


     

       
127

       
 

       
            path = [ pkgs.iproute ];


     
···

       
179

       
 

       



     

       
180

       
 

       
        createBridgeDevice = n: v: nameValuePair "${n}-netdev"


     

       
181

       
 

       
          (let


     

       
182

       
-

       
            deps = map subsystemDevice v.interfaces;


     

       
183

       
 

       
          in


     

       
184

       
 

       
          { description = "Bridge Interface ${n}";


     

       
185

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
220

       
 

       



     

       
221

       
 

       
        createVswitchDevice = n: v: nameValuePair "${n}-netdev"


     

       
222

       
 

       
          (let


     

       
223

       
-

       
            deps = map subsystemDevice v.interfaces;


     

       
224

       
 

       
            ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules;


     

       
225

       
 

       
          in


     

       
226

       
 

       
          { description = "Open vSwitch Interface ${n}";


     
···

       
253

       
 

       



     

       
254

       
 

       
        createBondDevice = n: v: nameValuePair "${n}-netdev"


     

       
255

       
 

       
          (let


     

       
256

       
-

       
            deps = map subsystemDevice v.interfaces;


     

       
257

       
 

       
          in


     

       
258

       
 

       
          { description = "Bond Interface ${n}";


     

       
259

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
291

       
 

       



     

       
292

       
 

       
        createMacvlanDevice = n: v: nameValuePair "${n}-netdev"


     

       
293

       
 

       
          (let


     

       
294

       
-

       
            deps = [ (subsystemDevice v.interface) ];


     

       
295

       
 

       
          in


     

       
296

       
 

       
          { description = "Vlan Interface ${n}";


     

       
297

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
316

       
 

       



     

       
317

       
 

       
        createSitDevice = n: v: nameValuePair "${n}-netdev"


     

       
318

       
 

       
          (let


     

       
319

       
-

       
            deps = optional (v.dev != null) (subsystemDevice v.dev);


     

       
320

       
 

       
          in


     

       
321

       
 

       
          { description = "6-to-4 Tunnel Interface ${n}";


     

       
322

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
344

       
 

       



     

       
345

       
 

       
        createVlanDevice = n: v: nameValuePair "${n}-netdev"


     

       
346

       
 

       
          (let


     

       
347

       
-

       
            deps = [ (subsystemDevice v.interface) ];


     

       
348

       
 

       
          in


     

       
349

       
 

       
          { description = "Vlan Interface ${n}";


     

       
350

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
46

       
 

       
    systemd.services =


     

       
47

       
 

       
      let


     

       
48

       
 

       



     

       
49

       
+

       
        deviceDependency = dev:


     

       
50

       
+

       
          if (config.boot.isContainer == false)


     

       
51

       
+

       
          then


     

       
52

       
+

       
            # Trust udev when not in the container


     

       
53

       
+

       
            [ (subsystemDevice dev) ]


     

       
54

       
+

       
          else


     

       
55

       
+

       
            # When in the container, check whether the interface is built from other definitions


     

       
56

       
+

       
            if (hasAttr dev cfg.bridges) ||


     

       
57

       
+

       
               (hasAttr dev cfg.bonds) ||


     

       
58

       
+

       
               (hasAttr dev cfg.macvlans) ||


     

       
59

       
+

       
               (hasAttr dev cfg.sits) ||


     

       
60

       
+

       
               (hasAttr dev cfg.vlans) ||


     

       
61

       
+

       
               (hasAttr dev cfg.vswitches) ||


     

       
62

       
+

       
               (hasAttr dev cfg.wlanInterfaces)


     

       
63

       
+

       
            then [ "${dev}-netdev.service" ]


     

       
64

       
+

       
            else [];


     

       
65

       
+

       



     

       
66

       
 

       
        networkLocalCommands = {


     

       
67

       
 

       
          after = [ "network-setup.service" ];


     

       
68

       
 

       
          bindsTo = [ "network-setup.service" ];


     
···

       
137

       
 

       
            # order before network-setup because the routes that are configured


     

       
138

       
 

       
            # there may need ip addresses configured


     

       
139

       
 

       
            before = [ "network-setup.service" ];


     

       
140

       
+

       
            bindsTo = deviceDependency i.name;


     

       
141

       
+

       
            after = [ "network-pre.target" ] ++ (deviceDependency i.name);


     

       
142

       
 

       
            serviceConfig.Type = "oneshot";


     

       
143

       
 

       
            serviceConfig.RemainAfterExit = true;


     

       
144

       
 

       
            path = [ pkgs.iproute ];


     
···

       
196

       
 

       



     

       
197

       
 

       
        createBridgeDevice = n: v: nameValuePair "${n}-netdev"


     

       
198

       
 

       
          (let


     

       
199

       
+

       
            deps = if config.boot.isContainer then [] else map subsystemDevice v.interfaces;


     

       
200

       
 

       
          in


     

       
201

       
 

       
          { description = "Bridge Interface ${n}";


     

       
202

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
237

       
 

       



     

       
238

       
 

       
        createVswitchDevice = n: v: nameValuePair "${n}-netdev"


     

       
239

       
 

       
          (let


     

       
240

       
+

       
            deps = if config.boot.isContainer then [] else map subsystemDevice v.interfaces;


     

       
241

       
 

       
            ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules;


     

       
242

       
 

       
          in


     

       
243

       
 

       
          { description = "Open vSwitch Interface ${n}";


     
···

       
270

       
 

       



     

       
271

       
 

       
        createBondDevice = n: v: nameValuePair "${n}-netdev"


     

       
272

       
 

       
          (let


     

       
273

       
+

       
            deps = if config.boot.isContainer then [] else map subsystemDevice v.interfaces;


     

       
274

       
 

       
          in


     

       
275

       
 

       
          { description = "Bond Interface ${n}";


     

       
276

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
308

       
 

       



     

       
309

       
 

       
        createMacvlanDevice = n: v: nameValuePair "${n}-netdev"


     

       
310

       
 

       
          (let


     

       
311

       
+

       
            deps = deviceDependency v.interface;


     

       
312

       
 

       
          in


     

       
313

       
 

       
          { description = "Vlan Interface ${n}";


     

       
314

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
333

       
 

       



     

       
334

       
 

       
        createSitDevice = n: v: nameValuePair "${n}-netdev"


     

       
335

       
 

       
          (let


     

       
336

       
+

       
            deps = optional (v.dev != null) (deviceDependency v.dev);


     

       
337

       
 

       
          in


     

       
338

       
 

       
          { description = "6-to-4 Tunnel Interface ${n}";


     

       
339

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];


     
···

       
361

       
 

       



     

       
362

       
 

       
        createVlanDevice = n: v: nameValuePair "${n}-netdev"


     

       
363

       
 

       
          (let


     

       
364

       
+

       
            deps = deviceDependency v.interface;


     

       
365

       
 

       
          in


     

       
366

       
 

       
          { description = "Vlan Interface ${n}";


     

       
367

       
 

       
            wantedBy = [ "network-setup.service" (subsystemDevice n) ];
+9 -4
nixos/modules/tasks/network-interfaces.nix 
···

       
310

       
 

       
        generate a random 32-bit ID using the following commands:


     

       
311

       
 

       



     

       
312

       
 

       
        <literal>cksum /etc/machine-id | while read c rest; do printf "%x" $c; done</literal>


     

       
313

       
-

       
        


     

       
314

       
 

       
        (this derives it from the machine-id that systemd generates) or


     

       
315

       
-

       
        


     

       
316

       
 

       
        <literal>head -c4 /dev/urandom | od -A none -t x4</literal>


     

       
317

       
 

       
      '';


     

       
318

       
 

       
    };


     
···

       
972

       
 

       
        '';


     

       
973

       
 

       
      };


     

       
974

       
 

       
    } // (listToAttrs (flip map interfaces (i:


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
975

       
 

       
      nameValuePair "network-link-${i.name}"


     

       
976

       
 

       
      { description = "Link configuration of ${i.name}";


     

       
977

       
 

       
        wantedBy = [ "network-interfaces.target" ];


     

       
978

       
 

       
        before = [ "network-interfaces.target" ];


     

       
979

       
-

       
        bindsTo = [ (subsystemDevice i.name) ];


     

       
980

       
-

       
        after = [ (subsystemDevice i.name) "network-pre.target" ];


     

       
981

       
 

       
        path = [ pkgs.iproute ];


     

       
982

       
 

       
        serviceConfig = {


     

       
983

       
 

       
          Type = "oneshot";


     
···

       
310

       
 

       
        generate a random 32-bit ID using the following commands:


     

       
311

       
 

       



     

       
312

       
 

       
        <literal>cksum /etc/machine-id | while read c rest; do printf "%x" $c; done</literal>


     

       
313

       
+

       



     

       
314

       
 

       
        (this derives it from the machine-id that systemd generates) or


     

       
315

       
+

       



     

       
316

       
 

       
        <literal>head -c4 /dev/urandom | od -A none -t x4</literal>


     

       
317

       
 

       
      '';


     

       
318

       
 

       
    };


     
···

       
972

       
 

       
        '';


     

       
973

       
 

       
      };


     

       
974

       
 

       
    } // (listToAttrs (flip map interfaces (i:


     

       
975

       
+

       
      let


     

       
976

       
+

       
        deviceDependency = if config.boot.isContainer


     

       
977

       
+

       
          then []


     

       
978

       
+

       
          else [ (subsystemDevice i.name) ];


     

       
979

       
+

       
      in


     

       
980

       
 

       
      nameValuePair "network-link-${i.name}"


     

       
981

       
 

       
      { description = "Link configuration of ${i.name}";


     

       
982

       
 

       
        wantedBy = [ "network-interfaces.target" ];


     

       
983

       
 

       
        before = [ "network-interfaces.target" ];


     

       
984

       
+

       
        bindsTo = deviceDependency;


     

       
985

       
+

       
        after = [ "network-pre.target" ] ++ deviceDependency;


     

       
986

       
 

       
        path = [ pkgs.iproute ];


     

       
987

       
 

       
        serviceConfig = {


     

       
988

       
 

       
          Type = "oneshot";
+1
nixos/release.nix 
···

       
227

       
 

       
  tests.containers-bridge = callTest tests/containers-bridge.nix {};


     

       
228

       
 

       
  tests.containers-imperative = callTest tests/containers-imperative.nix {};


     

       
229

       
 

       
  tests.containers-extra_veth = callTest tests/containers-extra_veth.nix {};


     

       

       

       
     

       
230

       
 

       
  tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });


     

       
231

       
 

       
  tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; };


     

       
232

       
 

       
  tests.ecryptfs = callTest tests/ecryptfs.nix {};


     
···

       
227

       
 

       
  tests.containers-bridge = callTest tests/containers-bridge.nix {};


     

       
228

       
 

       
  tests.containers-imperative = callTest tests/containers-imperative.nix {};


     

       
229

       
 

       
  tests.containers-extra_veth = callTest tests/containers-extra_veth.nix {};


     

       
230

       
+

       
  tests.containers-physical_interfaces = callTest tests/containers-physical_interfaces.nix {};


     

       
231

       
 

       
  tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });


     

       
232

       
 

       
  tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; };


     

       
233

       
 

       
  tests.ecryptfs = callTest tests/ecryptfs.nix {};
+66
nixos/tests/containers-physical_interfaces.nix 
···

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
1

       
+

       



     

       
2

       
+

       
import ./make-test.nix ({ pkgs, ...} : {


     

       
3

       
+

       
  name = "containers-physical_interfaces";


     

       
4

       
+

       
  meta = with pkgs.stdenv.lib.maintainers; {


     

       
5

       
+

       
    maintainers = [ kampfschlaefer ];


     

       
6

       
+

       
  };


     

       
7

       
+

       



     

       
8

       
+

       
  nodes = {


     

       
9

       
+

       
    server = { config, pkgs, ... }:


     

       
10

       
+

       
      {


     

       
11

       
+

       
        virtualisation.memorySize = 256;


     

       
12

       
+

       
        virtualisation.vlans = [ 1 ];


     

       
13

       
+

       



     

       
14

       
+

       
        containers.server = {


     

       
15

       
+

       
          privateNetwork = true;


     

       
16

       
+

       
          interfaces = [ "eth1" ];


     

       
17

       
+

       



     

       
18

       
+

       
          config = {


     

       
19

       
+

       
            networking.interfaces.eth1 = {


     

       
20

       
+

       
              ip4 = [ { address = "10.10.0.1"; prefixLength = 24; } ];


     

       
21

       
+

       
            };


     

       
22

       
+

       
            networking.firewall.enable = false;


     

       
23

       
+

       
          };


     

       
24

       
+

       
        };


     

       
25

       
+

       
      };


     

       
26

       
+

       
    client = { config, pkgs, ... }: {


     

       
27

       
+

       
      virtualisation.memorySize = 256;


     

       
28

       
+

       
      virtualisation.vlans = [ 1 ];


     

       
29

       
+

       



     

       
30

       
+

       
      containers.client = {


     

       
31

       
+

       
        privateNetwork = true;


     

       
32

       
+

       
        interfaces = [ "eth1" ];


     

       
33

       
+

       



     

       
34

       
+

       
        config = {


     

       
35

       
+

       
          networking.bridges.br0.interfaces = [ "eth1" ];


     

       
36

       
+

       
          networking.interfaces.br0 = {


     

       
37

       
+

       
            ip4 = [ { address = "10.10.0.2"; prefixLength = 24; } ];


     

       
38

       
+

       
          };


     

       
39

       
+

       
          networking.firewall.enable = false;


     

       
40

       
+

       
        };


     

       
41

       
+

       
      };


     

       
42

       
+

       
    };


     

       
43

       
+

       
  };


     

       
44

       
+

       



     

       
45

       
+

       
  testScript = ''


     

       
46

       
+

       
    startAll;


     

       
47

       
+

       



     

       
48

       
+

       
    $server->waitForUnit("default.target");


     

       
49

       
+

       
    $server->execute("ip link >&2");


     

       
50

       
+

       



     

       
51

       
+

       
    $server->succeed("ip link show dev eth1 >&2");


     

       
52

       
+

       



     

       
53

       
+

       
    $server->succeed("nixos-container start server");


     

       
54

       
+

       
    $server->waitForUnit("container\@server");


     

       
55

       
+

       
    $server->succeed("systemctl -M server list-dependencies network-addresses-eth1.service >&2");


     

       
56

       
+

       



     

       
57

       
+

       
    $server->succeed("nixos-container run server -- ip a show dev eth1 >&2");


     

       
58

       
+

       



     

       
59

       
+

       
    $client->waitForUnit("default.target");


     

       
60

       
+

       
    $client->succeed("nixos-container start client");


     

       
61

       
+

       
    $client->waitForUnit("container\@client");


     

       
62

       
+

       
    $client->succeed("systemctl -M client list-dependencies network-addresses-br0.service >&2");


     

       
63

       
+

       
    $client->succeed("systemctl -M client status -n 30 -l network-addresses-br0.service");


     

       
64

       
+

       
    $client->succeed("nixos-container run client -- ping -w 10 -c 1 -n 10.10.0.1");


     

       
65

       
+

       
  '';


     

       
66

       
+

       
})