nixos: enrich systemd.nspawn.* options #74316
Conversation
tekeri
force-pushed
the
enrich-systemd-nspawn
branch
from
2bd368e
to
3415eb0
Compare
|
I'm new to NixOS tests, so it takes a while. |
tekeri
force-pushed
the
enrich-systemd-nspawn
branch
from
3415eb0
to
08abb1d
Compare
tekeri
force-pushed
the
enrich-systemd-nspawn
branch
from
f1b0fa3
to
23ab76d
Compare
tekeri
force-pushed
the
enrich-systemd-nspawn
branch
from
23ab76d
to
f425b77
Compare
|
@andir test is ready |
|
Thanks, I'll fix them. |
tekeri
force-pushed
the
enrich-systemd-nspawn
branch
from
f425b77
to
1007deb
Compare
tekeri
force-pushed
the
enrich-systemd-nspawn
branch
from
1007deb
to
4a7819c
Compare
|
@flokli I'm sorry, no. But added it on my todolist for tomorrow 😅 |
|
pushed, while github is down |
Ma27
force-pushed
the
enrich-systemd-nspawn
branch
from
8d61e3d
to
701dec4
Compare
| default = ""; | ||
| description = '' | ||
| Optional mount options. See | ||
| <link xlink:href="url">https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Mount%20Options</link> |
There was a problem hiding this comment.
shouldn't the href attribute contain a URL
There was a problem hiding this comment.
could you tell me how to make a link to the 'Mount options' section in the manual?
| systemd.services."systemd-nspawn@".serviceConfig.ExecStart = [ | ||
| "" # deliberately empty. signals systemd to override the ExecStart | ||
| # Only difference between upstream is that we do not pass the -U flag | ||
| "${config.systemd.package}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i" |
There was a problem hiding this comment.
@flokli do you know if the systemd bug which made this necessary is fixed? Also, I'd prefer to set disableUnprivilegedNspawn to true by default since it's been a valid workaround for us.
| ] | ||
| ); | ||
| default = []; | ||
| example = [ "/tmp" { path = "/var/tmp"; mountOption = ""; } ]; |
There was a problem hiding this comment.
Please use literalExample for examples that contain a list or an attr-path for better formatting in the manual.
| }; | ||
| in | ||
|
|
||
| import ./make-test-python.nix ({ pkgs, ...} : { |
There was a problem hiding this comment.
Do you know why nscd inside the container breaks:
machine # [ 13.949141] systemd-nspawn[786]: [ OK ] Reached target Basic System.
machine # [ 13.953850] systemd-nspawn[786]: Starting Name Service Cache Daemon...
machine # [ 13.960114] systemd-nspawn[786]: Starting resolvconf update...
machine # [ 13.982618] systemd-nspawn[786]: [FAILED] Failed to start Name Service Cache Daemon.
machine # [ 13.984544] systemd-nspawn[786]: See 'systemctl status nscd.service' for details.
machine # [ 13.988963] systemd-nspawn[786]: [ OK ] Reached target Host and Network Name Lookups.
machine # [ 13.992789] systemd-nspawn[786]: [ OK ] Reached target User and Group Name Lookups.
machine # [ 14.002572] systemd-nspawn[786]: Starting Login Service...
machine # [ 14.054966] systemd-nspawn[786]: [FAILED] Failed to start Login Service.
machine # [ 14.057025] systemd-nspawn[786]: See 'systemctl status systemd-logind.service' for details.
machine # [ 14.061889] systemd-nspawn[786]: [ OK ] Stopped Login Service.
machine # [ 14.068607] systemd-nspawn[786]: Starting Login Service...
machine # [ 14.094932] systemd-nspawn[786]: [ OK ] Stopped Name Service Cache Daemon.
machine # [ 14.101640] systemd-nspawn[786]: Starting Name Service Cache Daemon...
machine # [ 14.129406] systemd-nspawn[786]: [FAILED] Failed to start Name Service Cache Daemon.
machine # [ 14.131745] systemd-nspawn[786]: See 'systemctl status nscd.service' for details.
machine # [ 14.154355] systemd-nspawn[786]: [FAILED] Failed to start Login Service.
machine # [ 14.156893] systemd-nspawn[786]: See 'systemctl status systemd-logind.service' for details.
machine # [ 14.163836] systemd-nspawn[786]: [ OK ] Stopped Login Service.
machine # [ 14.178079] systemd-nspawn[786]: Starting Login Service...
machine # [ 14.243987] systemd-nspawn[786]: [ OK ] Stopped Name Service Cache Daemon.
machine # [ 14.249399] systemd-nspawn[786]: Starting Name Service Cache Daemon...
machine # [ 14.258114] systemd-nspawn[786]: [FAILED] Failed to start Login Service.
machine # [ 14.261136] systemd-nspawn[786]: See 'systemctl status systemd-logind.service' for details.
| # assert "Overlay=+/usr::/usr" in conf | ||
|
|
||
| # Checks filesConfig, networkConfig | ||
| assert "ReadOnly=false" in conf |
There was a problem hiding this comment.
I don't really think that we need this. As soon as some upstream options change we have to fix this test accordingly. Those kind of assertions don't belong in an integration test IMHO.
There was a problem hiding this comment.
This is actually an unit test to check whether the boolean value is rendered as intended. Also, these lines gives an idea of how the options works.
No problem, however, to remove those assertions.
| "touch /var/lib/machines/test-container/etc/os-release", | ||
| "machinectl start test-container", | ||
| "machinectl terminate test-container", | ||
| ) |
There was a problem hiding this comment.
Can you please add a more detailed test to make sure that the machine actually works? Some ideas:
- Wait at least for
multi-user.target. - Check if networking is fine.
- Check if bind-mounts and restrictions do work.
There was a problem hiding this comment.
FYI: This changeset is intended to be used with nixops-container backend. NixOS/nixops#1226
I'm internally using it and It works over 1 year with networking and bind-mounts.
|
I'll fix the conflict and add tests when I have spare time. |
|
Interest |
|
I haven't reviewed this PR in detail but I'm strongly in favor of a refactor of {
# Boilerplate
systemd.targets.machines.enable = true;
systemd.services."systemd-nspawn@archlinux" = {
enable = true;
wantedBy = [ "machines.target" ];
};
# Actual container
systemd.nspawn."archlinux" = {
enable = true; # does this even do anything?
execConfig = {
Boot = true;
};
};
}But even with these options, the container still refuses to shut down properly on reboot and I'm stuck at the dreaded In the journal it leaves |
|
Im pretty sure the machines.target is enabled by default...
I agree that Systemd-nspawn@.service should have a wantedBy=machines.target
by default though if that isn't the case. To align it with upstream.
…On Wed, 30 Dec 2020, 20:33 Henri Menke, ***@***.***> wrote:
I haven't reviewed this PR in detail but I'm strongly in favor of a
refactor of systemd.nspawn. Right now it's barely usable. I had to add
some boilerplate which is nowhere to be found in the documentation to make
the container boot at all.
{
# Boilerplate
systemd.targets.machines.enable = true;
***@***.***" = {
enable = true;
wantedBy = [ "machines.target" ];
};
# Actual container
systemd.nspawn."archlinux" = {
enable = true; # does this even do anything?
execConfig = {
Boot = true;
};
};
}
But even with these options, the container still refuses to shut down
properly on reboot and I'm stuck at the dreaded
[ **] A stop job is running for ***@***.*** (7s / 1min 30s)
In the journal it leaves
Dec 30 19:21:48 nixos systemd[1]: Stopping ***@***.***
Dec 30 19:21:48 nixos systemd-nspawn[499]: archlinux login: Trying to halt container. Send SIGTERM again to trigger immed>
Dec 30 19:21:48 nixos systemd-nspawn[499]: systemd 245.5-2-arch running in system mode. (+PAM +AUDIT -SELINUX -IMA -APPAR>
Dec 30 19:21:48 nixos systemd-nspawn[499]: Detected virtualization systemd-nspawn.
Dec 30 19:21:48 nixos systemd-nspawn[499]: Detected architecture x86-64.
Dec 30 19:23:18 nixos systemd[1]: ***@***.***: State 'stop-sigterm' timed out. Killing.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#74316 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEZNI6XEG7JM2R6NNYB6I3SXN6BDANCNFSM4JSEIS6Q>
.
|
|
Let me rephrase: I think having the explicit So we should also add that. That you needed surprises me though. |
|
@arianvp Indeed, I just checked again and {
systemd.services."systemd-nspawn@archlinux".enable = true;
}NixOS does not instantiate the I've opened a new issue for that: #108054 |
|
@hmenke I think |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
stale
bot
removed
the
2.status: stale
wegank
added
the
2.status: stale
Motivation for this change
Add a practical systemd-nspawn configuration options.
Possibly resolves #51076 and #40367 .
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @c0bw3b @volth @arianvp @Mic92