From 2b97d363cab83fb39e3e913b841f0bb68ee934ff Mon Sep 17 00:00:00 2001
From: Adam Stephens
Date: Thu, 22 Feb 2024 00:03:43 -0500
Subject: [PATCH 1/2] nixos/lxc/generator: remove sysctl error handling
---
 .../distrobuilder/nixos-generator.patch | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/pkgs/tools/virtualization/distrobuilder/nixos-generator.patch b/pkgs/tools/virtualization/distrobuilder/nixos-generator.patch
index 6194f33e1918..3c0d726e610d 100644
--- a/pkgs/tools/virtualization/distrobuilder/nixos-generator.patch
+++ b/pkgs/tools/virtualization/distrobuilder/nixos-generator.patch
@@ -1,5 +1,5 @@
 diff --git a/distrobuilder/lxc.generator b/distrobuilder/lxc.generator
-index 0ad81d1..69dbfe7 100644
+index 0ad81d1..21ddb39 100644
 --- a/distrobuilder/lxc.generator
 +++ b/distrobuilder/lxc.generator
 @@ -25,16 +25,6 @@ is_incus_vm() {
@@ -73,9 +73,22 @@ index 0ad81d1..69dbfe7 100644
 mkdir -p /run/systemd/system/systemd-udev-trigger.service.d
 cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf
-@@ -145,24 +97,12 @@ EOF
+@@ -132,37 +84,13 @@ ExecStart=-${cmd} trigger --type=devices --action=add
+ EOF
 }
+-# fix_systemd_sysctl overrides the systemd-sysctl.service to use "ExecStart=-" instead of "ExecStart=".
+-fix_systemd_sysctl() {
+- cmd=/usr/lib/systemd/systemd-sysctl
+- ! [ -e "${cmd}" ] && cmd=/lib/systemd/systemd-sysctl
+- mkdir -p /run/systemd/system/systemd-sysctl.service.d
+- cat <<-EOF > /run/systemd/system/systemd-sysctl.service.d/zzz-lxc-override.conf
+-[Service]
+-ExecStart=
+-ExecStart=-${cmd}
+-EOF
+-}
+-
 ## Main logic
 -# Nothing to do in Incus VM but deployed in case it is later converted to a container
 -is_incus_vm || is_lxd_vm && exit 0
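Review bot: Removing the `ExecStart=-${cmd}` override (the `+-` lines that drop `fix_systemd_sysctl`, with the matching call removed in the `@@ -99,7 +112,15 @@` hunk) means a non-zero exit from systemd-sysctl now leaves `systemd-sysctl.service` failed inside the container instead of being ignored, so a setting that could not be applied becomes visible rather than silently skipped. The flip side is that a container whose NixOS configuration sets a key that is not writable in its namespace would now surface as a failed unit, unless the systemd version in use already downgrades such write errors in containers, which is not visible from this patch. The commit description should state that this fail-loud behaviour is intended and point affected configurations at the per-key `-` prefix of sysctl.d, which ignores failures for that key alone instead of for the whole unit. The enclosing shell script continues outside the hunk, so the new inner hunk header line numbers cannot be checked here.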
@@ -99,7 +112,15 @@ index 0ad81d1..69dbfe7 100644
 # Determine distro name and release
 ID=""
-@@ -222,11 +162,6 @@ ACTION=="add|change|move", ENV{ID_NET_DRIVER}=="veth", ENV{INTERFACE}=="eth[0-9]
+@@ -192,7 +120,6 @@ fi
+ 
+ # Ignore failures on some units.
+ fix_systemd_udev_trigger
+-fix_systemd_sysctl
+ 
+ # Mask some units.
+ fix_systemd_mask dev-hugepages.mount
+@@ -222,11 +149,6 @@ ACTION=="add|change|move", ENV{ID_NET_DRIVER}=="veth", ENV{INTERFACE}=="eth[0-9]
 EOF
 fi
From 5f1b65f75fd893933bcea6f74598f6990bebb115 Mon Sep 17 00:00:00 2001
From: Adam Stephens
Date: Thu, 22 Feb 2024 20:23:54 -0500
Subject: [PATCH 2/2] nixos/tests/incus: ensure sysctl rules apply successfully to lxc containers
---
 nixos/tests/incus/container.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/nixos/tests/incus/container.nix b/nixos/tests/incus/container.nix
index 0f42d16f133d..eb00429e53fe 100644
--- a/nixos/tests/incus/container.nix
+++ b/nixos/tests/incus/container.nix
@@ -5,6 +5,8 @@ let
 configuration = {
 # Building documentation makes the test unnecessarily take a longer time:
 documentation.enable = lib.mkForce false;
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
 } // extra;
 };
@@ -40,6 +42,12 @@ in
 with machine.nested("Waiting for instance to start and be usable"):
 retry(instance_is_up)
+
+ def check_sysctl(instance):
+ with subtest("systemd sysctl settings are applied"):
+ machine.succeed(f"incus exec {instance} -- systemctl status systemd-sysctl")
+ sysctl = machine.succeed(f"incus exec {instance} -- sysctl net.ipv4.ip_forward").strip().split(" ")[-1]
+ assert "1" == sysctl, f"systemd-sysctl configuration not correctly applied, {sysctl} != 1"
+
 machine.wait_for_unit("incus.service")
 # no preseed should mean no service
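Review bot: `check_sysctl` recovers the value with `.strip().split(" ")[-1]`, which ties the test to sysctl's `key = value` print format; `sysctl -n` prints only the value, so `sysctl = machine.succeed(f"incus exec {instance} -- sysctl -n net.ipv4.ip_forward").strip()` is shorter and less brittle. The preceding `systemctl status systemd-sysctl` call is a reasonable unit check, but it dumps a journal tail into the test log on every call; `systemctl is-active systemd-sysctl` expresses the intent (unit reached active state rather than failed) with the same zero-on-active exit status. The helper has no docstring; a one-liner such as `"""Assert systemd-sysctl did not fail in the instance and that net.ipv4.ip_forward, set via boot.kernel.sysctl in the test configuration, reads back as 1."""` would tie it to the setting added in the `@@ -5,6 +5,8 @@` hunk. Note the value check alone cannot tell a setting applied by systemd-sysctl from one the namespace already had for another reason, which is why the unit-state check should stay. The surrounding test script continues outside the hunk.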
@@ -83,6 +91,7 @@ in
 with subtest("lxc-container generator configures plain container"):
 # reuse the existing container to save some time
 machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
+ check_sysctl("container")
 with subtest("lxc-container generator configures nested container"):
 machine.execute("incus delete --force container")
@@ -94,6 +103,8 @@ in
 target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()
 assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"
+ check_sysctl("container")
+
 with subtest("lxc-container generator configures privileged container"):
 machine.execute("incus delete --force container")
 machine.succeed("incus launch nixos container --config security.privileged=true")
@@ -101,5 +112,7 @@ in
 retry(instance_is_up)
 machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
+
+ check_sysctl("container")
 '';
 })