Google compute image #26214
@zimbatm, thanks for your PR! By analyzing the history of the files in this pull request, we identified @rbvermaa, @8573 and @copumpkin to be potential reviewers.
pushd google_compute_engine | ||
patchPath /bin/systemctl /var/run/current-system/sw/bin/systemctl |
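Review bot: `patchPath /bin/systemctl /var/run/current-system/sw/bin/systemctl` rewrites the reference to a path outside the Nix store, so the package no longer records systemd as a build-time dependency and only works on a NixOS host whose current system profile happens to export systemctl; point it at the store path instead, e.g. `${systemd}/bin/systemctl`, which keeps the substitution hermetic and lets the build fail early if the target does not exist.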
don't understand motivation behind patchPath vs patchShebangs with proper links into store &c.
Probably executables are referenced not just in shebangs. But I would actually also prefer explicit links to nix store.
LGTM except for patchPath stuff
wants = [ "local-fs.target" "network-online.target" "network.target"]; | ||
wantedBy = [ "multi-user.target" ]; | ||
serviceConfig = { | ||
ExecStart = "/run/current-system/sw/bin/true"; |
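Review bot: `ExecStart = "/run/current-system/sw/bin/true"` ties the unit to whatever the running system profile exports instead of to a store path; use `"${coreutils}/bin/true"` so the dependency is part of the closure and the unit is self-contained. Separately, listing `network-online.target` in `wants` only pulls the target in; if the service must not start before the network is up, it also needs `after = [ "network-online.target" ];` (not visible in this excerpt).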
ExecStart = "${coreutils}/bin/true";
@@ -191,56 +191,6 @@ in | |||
}; | |||
}; | |||
|
|||
# TODO: remove this | |||
systemd.services.fetch-ssh-keys = | |||
{ description = "Fetch host keys and authorized_keys for root user"; |
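Review bot: deleting `systemd.services.fetch-ssh-keys` removes the unit that provisions host keys and root's authorized_keys from instance metadata, which existing NixOps deployments rely on, and the `# TODO: remove this` marker gives no migration plan. Keep the unit next to google-accounts-daemon (the two do not conflict) until NixOps has moved to the new account model, and state in the TODO what has to change before it can go.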
How does this work now?
The google-accounts-daemon also scans for the SSH keys, but creates individual accounts per SSH key owner (with passwordless sudo). The root account isn't directly accessible through SSH anymore.
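As an added example (not code from this PR and not compute-image-packages' own parser), here is the kind of check the comment above implies before a metadata SSH key turns into a local account with passwordless sudo: parse the `ssh-keys` metadata value into per-user authorized_keys entries, refuse malformed usernames and reserved names, and drop keys whose expiry has passed. The entry format (`USERNAME:KEY`, optionally followed by a `google-ssh {...}` JSON comment with `expireOn`) is an assumption taken from Google's metadata documentation; the username rule, `REFERENCE_NOW` and `SAMPLE_METADATA` are constructed for the example.

```python
"""Turn a GCE-style ``ssh-keys`` metadata value into per-user authorized_keys.

Added example; not code from the PR or from compute-image-packages.
Assumption: each non-empty line is ``USERNAME:KEY`` where KEY is an OpenSSH
public-key line, and a trailing ``google-ssh {...}`` JSON comment carries an
``expireOn`` timestamp (format as in Google's metadata documentation).
"""
import json
import re
from datetime import datetime, timezone

# Conservative POSIX-style username rule (assumption: stricter than the daemon's own).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Base64 blob as it appears in OpenSSH public-key lines.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
# The thread states root is no longer reachable through these keys; refuse it explicitly.
RESERVED_USERS = {"root"}

# Constructed evaluation time and sample metadata (not taken from a real instance).
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_METADATA = "\n".join([
    "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGx4M0mS5VtQ8K2lDvL0Qw1cE1i0sSdr0+0VZ3r9a9Ja alice@laptop",
    'bob:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 google-ssh {"userName":"bob@example.com","expireOn":"2020-01-01T00:00:00+0000"}',
    'carol:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8 google-ssh {"userName":"carol@example.com","expireOn":"2999-01-01T00:00:00+0000"}',
    "root:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNvbWVib2R5RWxzZXNLZXlCbG9i evil@example",
    "Bad User:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNvbWVib2R5RWxzZXNLZXlCbG9i x",
    "dave:not-a-key AAAA",
    "eve ssh-ed25519 AAAA",  # no ':' separator at all
])


def key_expired(comment, now):
    """True if the key's google-ssh comment carries an expiry that has passed."""
    marker = "google-ssh "
    if not comment.startswith(marker):
        return False
    try:
        expire_on = json.loads(comment[len(marker):])["expireOn"]
        expires = datetime.strptime(expire_on, "%Y-%m-%dT%H:%M:%S%z")
    except (ValueError, KeyError, TypeError):
        return True  # unparsable expiry: fail closed rather than grant access
    return expires <= now


def parse_ssh_keys(metadata, now=None):
    """Return ({username: [authorized_keys lines]}, [rejected raw lines])."""
    now = now or datetime.now(timezone.utc)
    users, rejected = {}, []
    for raw in metadata.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        parts = key.split(None, 2)
        if (not sep or user in RESERVED_USERS
                or not USERNAME_RE.match(user) or len(parts) < 2):
            rejected.append(raw)
            continue
        ktype, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        if ktype not in KEY_TYPES or not B64_RE.match(blob) or key_expired(comment, now):
            rejected.append(raw)
            continue
        users.setdefault(user, []).append(f"{ktype} {blob} {comment}".rstrip())
    return users, rejected


def sudoers_lines(users):
    """Sudoers entries mirroring the per-owner passwordless sudo the thread describes."""
    return [f"{user} ALL=(ALL) NOPASSWD:ALL" for user in sorted(users)]


if __name__ == "__main__":
    accepted, dropped = parse_ssh_keys(SAMPLE_METADATA, REFERENCE_NOW)
    for user, keys in sorted(accepted.items()):
        print(f"{user}: {len(keys)} key(s)")
    for line in dropped:
        print(f"rejected: {line}")
```

Running it accepts alice and carol and rejects the expired, reserved, malformed and separator-less entries; the point is that the username, not the key, decides who gets an account and sudo, so it is the username that needs the strictest validation.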
How does the google compute engine tool behave when you choose not to allow mutableUsers? Is it possible to disable anything related to creating users in the tool? If so, can we implement that depending on the mutableUsers config option?
patches = [ ./0001-allow-nologin-other-paths.patch ]; | ||
patchPhase = '' |
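Review bot: defining `patchPhase` replaces the stdenv default phase, so `patches = [ ./0001-allow-nologin-other-paths.patch ]` is never applied; move this body into `postPatch`, which runs after the default patch phase, so the patch actually takes effect.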
use postPatch, otherwise your patches are ignored because you define a new patchPhase.
Good idea. I could not start the google-accounts-daemon is
There is still work to do on this PR but thanks everyone for your feedback. I will let you know when it's ready for another round of review.
cp -r google_config/udev/*.rules $out/lib/udev/rules.d | ||
''; | ||
propagatedBuildInputs = with pythonPackages; [ boto setuptools ]; |
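Review bot: `propagatedBuildInputs = with pythonPackages; [ boto setuptools ]` pulls boto and its closure into every consumer of this package although, per the upstream README, it is only used to write a boto config pointing at Google Cloud Storage; if that step is not wanted on NixOS images, drop boto or make it an optional input. Also, `cp -r google_config/udev/*.rules $out/lib/udev/rules.d` fails unless the target directory already exists; add `mkdir -p $out/lib/udev/rules.d` before the copy if it is not created earlier in the phase (not visible in this excerpt).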
Curious why this would depend on boto 😮
Apparently just for one thing: setup boto to use the Google Cloud Storage as a backend (GCS has a S3-compatible API) ^_^ https://github.com/GoogleCloudPlatform/compute-image-packages#instance-setup
What do you mean with 'through the metadata startup-script'? I am mostly interested in whether this is backwards compatible with nixops.
Okay, we need to have a bit of a conversation because right now it breaks backward compatibility. Potentially I could leave the fetch-ssh-keys service and provide a migration path for a future nixops release. Do you know how SSH keys are being provisioned with nixops?
Fixed all the things and left the fetch-ssh-keys daemon for nixops back-compat as both can live side-by-side. I don't have a clear idea of what to do with the mutableUsers option yet as this module is not really meant to be designed to be configurable in the first place.
For EC2 at least, we left two options in place, so that the userdata could be used in two different ways for NixOps and for non-NixOps use cases. It would be nice to converge Google and EC2 behavior, so you can also configure Google Compute machines via userdata.
What's the status of this?
@8573 it's missing a corner-case where
Okay; I don't understand GCE enough to help, so I'll wait. Thanks!
This adds a few google-specific services to set up the machine. Accounts are now dynamically created using the google-accounts-daemon, which allows clicking on the "SSH" button in the console and having it work. The NixOS image now supports the userdata startup and shutdown scripts.

Misc:
* add all the google services from https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/google_compute_engine_init/systemd
* add udev rules for disk labels
* synced sysctl rules with https://github.com/GoogleCloudPlatform/compute-image-packages/blob/master/google_config/sysctl/11-gce-network-security.conf
Alright, the account service is now disabled if
I think the solution is reasonable right now. Let me know if you hit any issues.
Motivation for this change
This makes NixOS a first-class citizen on the Google Cloud Platform, allowing to integrate with the dynamic features of the platform.
Things done
* (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
* nix-shell -p nox --run "nox-review wip"
* ./result/bin/