nixos/lxc-container: split logic into a profile and installation image module #164129
Conversation
I like this a lot. Some minor stuff about where things should go.
    ] ++ templates.files;
  };

  # Allow the user to login as root without password.
this (until bottom) should either go to the profile or (maybe better) into the hydra image only
wait, profile doesn't make much sense here. best would be to just have this in the hydra image. otherwise it's a "surprise feature" for people that build custom images. (none of those configs are strictly required for the image to work)
Hydra image only would mean putting the config here, right? https://github.com/NixOS/nixpkgs/blob/master/nixos/release.nix#L314
Personally I'd say these are good settings to have for an installation image. Also chances are high that people will look into the file when building an install image, at least compared to using the profile. It only does things that are also set in profiles/installation-device.nix, even though that does a lot more not very suited for containers I guess.
Actually this one https://github.com/NixOS/nixpkgs/blob/master/nixos/release.nix#L255-L284
I re-looked at this and now agree that passwordless login shouldn't be part of the image generation logic. I moved it into its own module, nixos/modules/virtualisation/lxc-passwordless-login.nix, and included it in the hydra image.
While working on this PR I repeatedly stumbled over
  };

  # Add the overrides from lxd distrobuilder
  systemd.extraConfig = ''
Done, thanks.
Any idea what the purpose of the empty LoadCredential= is?
An empty directive will delete the directive during override.
Ah ok, I understand.
This block actually isn't serving its purpose. It was already incorrect, but updating it isn't making a difference.
Aug 27 00:33:34 wire1 systemd[1]: /etc/systemd/system.conf:14: Unknown section 'Service'. Ignoring.
These need to be service configs, added to the services. Distrobuilder either adds it to /etc/systemd/system/service.d/lxc.conf or to every .service file in systemd's path: https://github.com/lxc/distrobuilder/blob/f15eec09df7b04f1bede66b0f31354da66748c9a/distrobuilder/main.go#L713-L718
I don't see a way to add it to service.d currently, but am happy to be corrected. The original author actually asked about creating this global service override, but it ended up here incorrectly.
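As an added illustration (not code from this PR, nixpkgs or distrobuilder), a small Python model of the two systemd behaviours discussed above: system.conf only accepts the [Manager] section and ignores a misplaced [Service] section with exactly the warning quoted from the journal, while in a service.d drop-in an empty LoadCredential= resets the list accumulated by earlier files. The sample files, directive names other than LoadCredential, and values are constructed.

```python
# Added example, not code from the PR, nixpkgs or distrobuilder: a toy model of
# systemd's section validation for system.conf and of the "empty assignment
# resets the list" rule for drop-in overrides (see systemd.unit(5)).
# All sample files below are constructed; nothing is read from disk.

# Sections systemd accepts in system.conf; any other section is dropped.
SYSTEM_CONF_SECTIONS = {"Manager"}
# Directives that accumulate across files, so that "Key=" clears them.
LIST_DIRECTIVES = {"LoadCredential", "Environment", "ExecStartPre"}


def parse(text):
    """Parse systemd ini-style text into a list of (section, key, value)."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        entries.append((section, key.strip(), value.strip()))
    return entries


def system_conf_warnings(text):
    """Journal-style warnings for sections that system.conf does not know."""
    return sorted({f"Unknown section '{s}'. Ignoring."
                   for s, _, _ in parse(text) if s not in SYSTEM_CONF_SECTIONS})


def effective_service(unit_text, dropins):
    """Merge a .service unit with its service.d drop-ins, applied in order."""
    cfg = {}
    for text in [unit_text, *dropins]:
        for section, key, value in parse(text):
            if section != "Service":
                continue
            if key in LIST_DIRECTIVES:
                cfg[key] = [] if value == "" else cfg.get(key, []) + [value]
            else:
                cfg[key] = value  # scalar directive: the last assignment wins
    return cfg


# Constructed samples: the misplaced override, a unit, and a proper drop-in.
SYSTEM_CONF = "[Manager]\nDefaultTimeoutStopSec=90s\n\n[Service]\nLoadCredential=\n"
UNIT = "[Service]\nExecStart=/bin/true\nLoadCredential=tls.key:/run/tls.key\n"
LXC_DROPIN = "[Service]\nLoadCredential=\nTimeoutStopSec=30s\n"
```

Running system_conf_warnings on the misplaced override reproduces the journal line, while effective_service shows the credential list only cleared when the same directive lives in a service.d drop-in.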
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/lxd-distrobuilder-support-for-nixos/21375/1
is this still relevant? this would need an update, since the lxc-container module has changed
I'm afraid I lost focus on lxc in the last 6 months, as I migrated to systemd containers (via NixOS containers). So I didn't follow the development of the Nixpkgs lxc infrastructure and couldn't tell if this change is still needed. I'll close for now, as I wouldn't work further on it rn.
I found installing NixOS in an LXC container to be quite cumbersome. I expected there to be a module that I can include in my system config to abstract over the LXC-specific configuration, so I can configure my system like any other machine, as qemu-guest.nix does. But I found only nixos/modules/virtualisation/lxc-container.nix, which seems to also provide configuration for an installation image, e.g. by setting an empty password and configuring sshd. So this also addresses #9884.
Description of changes
I introduced the following structure:
- profiles/lxc-container.nix provides configuration that you always want to have inside an LXC container. This also includes the possibility to generate a tarball from the system config, to easily deploy a container with the same configuration. This is also included in hardware-configuration.nix if nixos-generate-config detects that we are running in an LXC container.
- virtualisation/lxc-image.nix imports profiles/lxc-container.nix and provides additional config for creating the installation images.
- virtualisation/lxc-container.nix is deprecated and points to virtualisation/lxc-image.nix. Could be removed after the next release.
Also I took the liberty to remove the sys-kernel-debug.mount unit in the profile, as my deployment doesn't complete otherwise. But I have no idea what the unit does.
For testing I ran the following NixOS tests: lxd-image, lxd-image-server, lxd-nftable, lxd
Also I built the containerTarball attribute: nix-build -A containerTarball.x86_64-linux nixos/release.nix