Commit graph

742 commits

Author SHA1 Message Date
Florian Klink
38be383a6f
Merge pull request #53419 from uvNikita/containers/fix-bridge
nixos/containers: add bridge without address specified
2019-01-28 12:39:13 +01:00
Franz Pletz
ca0639837c
Merge pull request #53871 from elseym/fix-container-extraveths
nixos/containers: explicitly set link up on host for extraVeths
2019-01-14 03:59:19 +00:00
Profpatsch
c8c53fcb11 modules/profiles/minimal: sound is disabled by default
The option is `false` by default since
e349ccc77f, so we don’t need to mention
it explicitely in these minimal configs.
2019-01-13 13:47:36 +01:00
elseym
8a8bf886b5
nixos/containers: explicitly set link up on host for extraVeths 2019-01-13 11:27:39 +01:00
Nikita Uvarov
53013ead39
nixos/containers: add bridge without address specified
According to systemd-nspawn(1), --network-bridge implies --network-veth,
and --port option is supported only when private networking is enabled.
Fixes #52417.
2019-01-07 14:21:17 +01:00
Florian Klink
706efadcb6 nixos/modules/virtualisation/google-compute-config.nix: remove google-accounts-daemon
Use googleOsLogin for login instead.
This allows setting users.mutableUsers back to false, and to strip the
security.sudo.extraConfig.

security.sudo.enable is default anyhow, so we can remove that as well.
2018-12-21 17:52:37 +01:00
Florian Klink
0834e98ece
Merge pull request #51393 from arianvp/container-names
nixos/containers: Add assertion for container name length
2018-12-05 01:25:16 +01:00
Jörg Thalheim
958d8e625e
Merge pull request #49392 from uvNikita/nixos/containers/veths
nixos/containers: don't create veths if not configured
2018-12-03 23:44:50 +00:00
Arian van Putten
bf102825ef nixos/containers: Add assertion for container name length
When privateNetwork is enabled, currently the container's interface name
is derived from the container name. However, there's a hard limit
on the size of interface names. To avoid conflicts and other issues,
we set a limit on the container name when privateNetwork is enabled.

Fixes #38509
2018-12-02 15:26:39 +01:00
Erik Arvstedt
c64a9718ce nixos/containers: simplify env var definition
Also clear up the misleading comment: This env var isn't
root-specific, it's needed for all users.
2018-11-26 23:06:56 +01:00
Ding Xiang Fei
88570538b3 google-compute-image: make it a module and the size tuneable (#49854)
* move GCE system configuration to `google-compute-config.nix`
* remove `fetch-ssh-keys` service (disabled in comment)
2018-11-26 14:51:00 +00:00
Ding Xiang Fei
b011049cf6 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-26 12:04:07 +08:00
Craig Younkins
eff461c8ef treewide: systemd timeout arguments to use infinity instead of 0 (#50934)
Fixes https://github.com/NixOS/nixpkgs/issues/49700
2018-11-25 13:33:22 +01:00
Jörg Thalheim
50daffc4b8
nixos/docker-image: add example usage 2018-11-23 15:40:10 +00:00
Rob Vermaas
02b60418b1 Update GCE image for 18.09
(cherry picked from commit e0eb712136aa8cd786955e9109afbbf8ba42555c)
2018-11-16 11:43:42 +01:00
Matthew Bauer
2b604c2836
Merge pull request #49670 from matthewbauer/pkgs-i686-remove
Fix pkgsi686Linux assertion
2018-11-04 12:49:09 -06:00
Sarah Brofeldt
99c052bac4 nixos/google-network-daemon: systemd job type simple instead of oneshot (#49692) 2018-11-03 16:16:17 +01:00
Florian Klink
4d51002216
Merge pull request #49650 from srghma/srghma-patch-1
amazon-image: fix typo in comment
2018-11-03 16:04:47 +01:00
Matthew Bauer
4a8fc5b9aa treewide: remove pkgs_i686
This was getting evaluated eagerly causing assertion failures in
aarch64 systems. We can replace usages of pkgs_i686 with
pkgs.pkgsi686Linux.
2018-11-03 00:56:39 -05:00
lewo
3fb4eb1c43 nixos/dockerPreloader: preload docker images (#49379)
This module permits to preload Docker image in a VM in order to reduce
OIs on file copies. This module has to be only used in testing
environments, when the test requires several Docker images such as in
Kubernetes tests. In this case,
`virtualisation.dockerPreloader.images` can replace the
`services.kubernetes.kubelet.seedDockerImages` options.

The idea is to populate the /var/lib/docker directory by mounting qcow
files (we uses qcow file to avoid permission issues) that contain images.

For each image specified in
config.virtualisation.dockerPreloader.images:
1. The image is loaded by Docker in a VM
2. The resulting /var/lib/docker is written to a QCOW file

This set of QCOW files can then be used to populate the
/var/lib/docker:
1. Each QCOW is mounted in the VM
2. Symlink are created from these mount points to /var/lib/docker
3. A /var/lib/docker/image/overlay2/repositories.json file is generated
4. The docker daemon is started.
2018-11-03 01:00:53 +01:00
Jörg Thalheim
553e0d81ee
Merge pull request #48771 from arianvp/container-tweaks
nixos/containers: Introduce several tweaks to systemd-nspawn from upstream systemd
2018-10-31 16:08:16 +00:00
Lizard
a937dbedea nixos/libvirtd: utilize onShutdown option (#49480)
`services.virtualisation.libvirtd.onShutdown` was previously unused.
While suspending a domain on host shutdown is the default, this commit
makes it so domains can be shut down, also.
2018-10-31 00:01:00 +01:00
Alyssa Ross
c6c7d55790
postgresql*: use underscores in version numbers 2018-10-30 14:32:21 +00:00
Nikita Uvarov
6d4b02df3f
nixos/containers: don't create veths if not configured
Previously, setting "privateNetwork = true" without specifying host and
local addresses would create unconfigured interfaces: ve-$INSTANCE on the host
and eth0 inside the container.

These changes is rebased part of the original PR #3021.
2018-10-29 14:02:50 +01:00
Renaud
7ab76cc5e8
nixos/virtualbox-image: increase disk to 50G
100GB breaks cptofs but 50GB is fine and benchmarks shows it takes the same time as building the demo VBox VM with a 10GB disk

+ enabled VM sound output by default
+ set USB controller in USB2.0 mode
+ add manifest file in the OVA as it allows integrity checking on imports
2018-10-28 00:53:54 +02:00
Arian van Putten
9f72791516 nixos/containers: Introduce several tweaks to systemd-nspawn from upstream systemd
* Lets container@.service  be activated by machines.target instead of
  multi-user.target

  According to the systemd manpages, all containers that are registered
  by machinectl, should be inside machines.target for easy stopping
  and starting container units altogether

* make sure container@.service and container.slice instances are
  actually located in machine.slice

  https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX
  See original commit: https://github.com/NixOS/systemd/commit/45d383a3b8

* Enable Cgroup delegation for nixos-containers

  Delegate=yes should be set for container scopes where a systemd instance
  inside the container shall manage the hierarchies below its own cgroup
  and have access to all controllers.

  This is equivalent to enabling all accounting options on the systemd
  process inside the system container.  This means that systemd inside
  the container is responsible for managing Cgroup resources for
  unit files that enable accounting options inside.  Without this
  option, units that make use of cgroup features within system
  containers might misbehave

  See original commit: https://github.com/NixOS/systemd/commit/a931ad47a8

  from the manpage:
    Turns on delegation of further resource control partitioning to
    processes of the unit. Units where this is enabled may create and
    manage their own private subhierarchy of control groups below the
    control group of the unit itself. For unprivileged services (i.e.
    those using the User= setting) the unit's control group will be made
    accessible to the relevant user. When enabled the service manager
    will refrain from manipulating control groups or moving processes
    below the unit's control group, so that a clear concept of ownership
    is established: the control group tree above the unit's control
    group (i.e. towards the root control group) is owned and managed by
    the service manager of the host, while the control group tree below
    the unit's control group is owned and managed by the unit itself.
    Takes either a boolean argument or a list of control group
    controller names. If true, delegation is turned on, and all
    supported controllers are enabled for the unit, making them
    available to the unit's processes for management. If false,
    delegation is turned off entirely (and no additional controllers are
    enabled). If set to a list of controllers, delegation is turned on,
    and the specified controllers are enabled for the unit. Note that
    additional controllers than the ones specified might be made
    available as well, depending on configuration of the containing
    slice unit or other units contained in it. Note that assigning the
    empty string will enable delegation, but reset the list of
    controllers, all assignments prior to this will have no effect.
    Defaults to false.

    Note that controller delegation to less privileged code is only safe
    on the unified control group hierarchy. Accordingly, access to the
    specified controllers will not be granted to unprivileged services
    on the legacy hierarchy, even when requested.

    The following controller names may be specified: cpu, cpuacct, io,
    blkio, memory, devices, pids. Not all of these controllers are
    available on all kernels however, and some are specific to the
    unified hierarchy while others are specific to the legacy hierarchy.
    Also note that the kernel might support further controllers, which
    aren't covered here yet as delegation is either not supported at all
    for them or not defined cleanly.
2018-10-22 22:36:08 +02:00
Jörg Thalheim
e37892744f
Merge pull request #48640 from gnidorah/kvmgt
kvmgt module: add restart on failure
2018-10-19 10:45:04 +01:00
gnidorah
a6603fd8a8 kvmgt module: add service restart on failure 2018-10-18 22:35:32 +03:00
Silvan Mosberger
8319ec35b2
Merge pull request #47975 from aneeshusa/make-container-journals-available-from-host
containers: Make systemd journals available from the host
2018-10-17 02:56:05 +02:00
Eelco Dolstra
0bdd0d8e04
amazon-image.nix: Disable udisks
This reduces the system closure by 89 MiB.
2018-10-15 21:54:28 +02:00
Eelco Dolstra
47dfe25e1b
ec2-amis.nix: Add 18.09 images 2018-10-15 21:43:16 +02:00
Aneesh Agrawal
d85317c7b2 nixos/containers: Make systemd journals available from the host
This is set by default if using the upstream systemd-nspawn@ units.
2018-10-14 14:40:08 -07:00
volth
0d44d639f6 nixos/qemu-guest-agent: pkgs.{kvm -> qemu} (#48293)
there is no top-level pkgs.kvm
2018-10-13 00:41:46 +02:00
Silvan Mosberger
c881a04a5d
Merge pull request #47902 from pvgoran/correct-mkEnableOption-uses
nixos: correct improper uses of mkEnableOption, clarify service descr…
2018-10-11 21:31:32 +02:00
Renaud
d3b79965df
Revert "Increase Virtualbox disk image size" (#48151) 2018-10-10 12:53:48 +02:00
Samuel Dionne-Riel
7fb45271b2
Merge pull request #47917 from arianvp/fix-imperative-containers
Fix imperative containers
2018-10-08 16:55:38 -04:00
Matthew Bauer
751dc01977
Merge pull request #46649 from brainrape/patch-1
Increase Virtualbox disk image size
2018-10-05 22:42:06 -05:00
Arian van Putten
3624bb5362 nixos-container: Force container to talk to host nix-daemon
When logging into a container by using
  nixos-container root-login
all nix-related commands in the container would fail, as they
tried to modify the nix db and nix store, which are mounted
read-only in the container.  We want nixos-container to not
try to modify the nix store at all, but instead delegate
any build commands to the nix daemon of the host operating system.

This already works for non-root users inside a nixos-container,
as it doesn't 'own' the nix-store, and thus defaults
to talking to the daemon socket at /nix/var/nix/daemon-socket/,
which is bind-mounted to the host daemon-socket, causing all nix
commands to be delegated to the host.

However, when we are the root user inside the container, we have the
same uid as the nix store owner, eventhough it's not actually
the same root user (due to user namespaces). Nix gets confused,
and is convinced it's running in single-user mode, and tries
to modify the nix store directly instead.

By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix
to operate in multi-user mode, so that it will talk to the host
daemon instead, which will modify the nix store for the container.

This fixes #40355
2018-10-05 18:36:47 +02:00
Pavel Goran
858b263bf0 nixos: correct improper uses of mkEnableOption, clarify service descriptions
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".

This commit corrects this, and adds short descriptions of services
to affected service definitions.
2018-10-05 13:14:45 +07:00
Peter Hoeg
6e3e136f77 nixos on hyperv: hot-add CPU 2018-09-28 22:28:26 +08:00
Peter Hoeg
3a76bc7a79 nixos on hyperv: load modules and set video mode 2018-09-28 22:28:17 +08:00
zimbatm
9fb79868ab google-compute-engine: 20180510 -> 20180905
The list of corresponding NixOS services are also updated
2018-09-26 11:48:16 +02:00
Sarah Brofeldt
ded8f28c3a Revert "virtualization/qemu-vm: fix and improve virtio/scsi switching"
This reverts commit f777d2b719.
cc #34409
This breaks evaluation of the tested job:
attribute 'diskInterface' missing, at /nix/store/5k9kk52bv6zsvsyyvpxhm8xmwyn2yjvx-source/pkgs/build-support/vm/default.nix:316:24
2018-09-25 11:10:10 +02:00
Stefan Junker
f777d2b719 virtualization/qemu-vm: fix and improve virtio/scsi switching 2018-09-22 23:29:19 +02:00
Márton Boros
f96dde6fd7
Increase Virtualbox disk image size
10G is not enough for a desktop installation, and resizing a Virtualbox disk image is a pain. 
Let's increase the default disk size to 100G. It does not require more storage space, since the empty bits are left out.
2018-09-13 23:15:41 +02:00
John Ericson
2c2f1e37d4 reewide: Purge all uses stdenv.system and top-level system
It is deprecated and will be removed after 18.09.
2018-08-30 17:20:32 -04:00
Sarah Brofeldt
78fb4bd644 nixos/qemu-vm: Don't explicitly mknod /dev/vda*
And don't need to source the uevent files anymore either since $MAJOR
or $MINOR aren't used elsewhere.

[dezgeg: The reason these are no longer needed is that 0d27df280f
switched /tmp to a devtmpfs which automatically creates such device
nodes]
2018-08-16 14:19:41 +03:00
(cdep)illabout
e04e92d38b
Merge remote-tracking branch 'origin/master' into vbox-extpack 2018-08-16 00:40:09 +09:00
zimbatm
1e65420eb3
virtualbox module: allow to pass the package (#44907) 2018-08-11 19:40:00 +01:00
(cdep)illabout
56ad359d93
virtualization: update the virtualbox-host module to use the extension pack if enabled. 2018-08-11 02:48:29 +09:00