This option allows for TPM to provisionned before the control is handed
over to the qemu VM.
This is useful to add EK certificates.
The socket has been split in two, a server socket as well as the control
socket for compatibility with the tpm2-tss swtpm TCTI.
Because the control socket may now be used for provisioning, the swtpm
does not terminate when a client disconnects, and the stop of the swtpm
daemon is now controlled by a call to `swtpm_ioctl`.
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
https://github.com/NixOS/nixpkgs/pull/347283 changed the default to
exclude non-physical network Kind, but that unfortunately also includes
`veth` which LXC uses for its network interfaces. Re-enable that
functionality so users can use networkd with useDHCP.
`/etc/os-release` of NixOS containers, which are
`/var/lib/nixos-containers/*/etc/os-release` on the host, are usually
symlinks to the absolute path `/etc/static/os-release` but it doesn't
exist in non-NixOS host. Since `startScript` is evaluated by the host
system, both `[ -e "$root/etc/os-release" ]` and
`touch "$root/etc/os-release"` fail, so that the container fails to
start on the second boot (on the first boot, the symlink doesn't exist,
so the command succeeds).
This commit avoids `touch "$root/etc/os-release"` if
`$root/etc/os-release` is a symlink, so imperative NixOS containers are
usable on non-NixOS host.
The script generation is using the *lib.imap* functions in several other places already so this spot using a shell script variable instead seems a bit off.
Moving the previous shell script code to Nix improves upon the Nix code by removing the additional *lib.optionalString* for the variable initialisation making the code more concise.
The shell code is reduced to a one-liner per disk image, making it much easier to determine that this is a templated loop.
Compare the previous:
```bash
idx=0
if ! test -e "empty$idx.qcow2"; then
/nix/store/73n3qwfazqw8zwr1z840jsirjllqpg9v-qemu-host-cpu-only-for-vm-tests-9.0.2/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "20480M"
fi
idx=$((idx + 1))
if ! test -e "empty$idx.qcow2"; then
/nix/store/73n3qwfazqw8zwr1z840jsirjllqpg9v-qemu-host-cpu-only-for-vm-tests-9.0.2/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "20480M"
fi
idx=$((idx + 1))
if ! test -e "empty$idx.qcow2"; then
/nix/store/73n3qwfazqw8zwr1z840jsirjllqpg9v-qemu-host-cpu-only-for-vm-tests-9.0.2/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "20480M"
fi
idx=$((idx + 1))
```
and the new:
```bash
test -e "empty0.qcow2" || /nix/store/73n3qwfazqw8zwr1z840jsirjllqpg9v-qemu-host-cpu-only-for-vm-tests-9.0.2/bin/qemu-img create -f qcow2 "empty0.qcow2" "20480M"
test -e "empty1.qcow2" || /nix/store/73n3qwfazqw8zwr1z840jsirjllqpg9v-qemu-host-cpu-only-for-vm-tests-9.0.2/bin/qemu-img create -f qcow2 "empty1.qcow2" "20480M"
test -e "empty2.qcow2" || /nix/store/73n3qwfazqw8zwr1z840jsirjllqpg9v-qemu-host-cpu-only-for-vm-tests-9.0.2/bin/qemu-img create -f qcow2 "empty2.qcow2" "20480M"
```
While the line becomes slightly longer it also becomes immediately obvious on a visual level which parts are changing for each invocation (i.e. different disk sizes as well as the incremented counter stick out).
Since the "idx" variable is now embedded, this also becomes copy&pastable, and also shows the maximum index readily in the last line, as opposed to having to count the number of if statements otherwise.
None of this is *needed* of course.
Signed-off-by: benaryorg <binary@benary.org>
Xen is a trademark of the Cloud Software Group; we're not packaging
Xen(Server), we're packaging the Xen Project Hypervisor, which is open
source and owned by the Linux Foundation.
This is based on advice from Kelly Choi, the Xen Project Community
Manager, who has assisted us in the branding aspects of pacakaging.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
When `diskImage = null`, the root fs is a tmpfs instead of
`/dev/vda`. Thus, it doesn't have to wait for virtio modules to load
before being mounted. The root fs is a dependency of shared
directories by nature of being their parent directory. Without
depending on `/dev/vda`, these shared directories may attempt to mount
without virtio modules being loaded.
In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way
One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
It thinks we want to expand the `*` regex expressions inside the `sed`
commands. We do not.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
- Cleans up downstream systemd units in favour of using upstream units.
- Xen 4.18 on Nixpkgs now supports EFI booting, so we have an EFI boot
builder here that runs after systemd-boot-builder.py.
- Add more options for setting up dom0 resource limits.
- Adds options for the declarative configuration of oxenstored.
- Disables the automatic bridge configuration, as it was broken.
- Drops legacy BIOS boot
- Adds an EFI boot entry builder script.
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
Co-authored-by: Yaroslav Bolyukin <iam@lach.pw>
It is surprising that software which was installed by the user at AMI
generation time isn't available to a script run over user data by
default.
When authoring user data to execute at startup, users will now have
more predictable access to baked-in software instead of an extremely
bare-minimum set currently there.
noXLibs is an advanced option for advanced users which know how to recognize and debug build failures which might be caused by the added overlays.
The minimal profile should be minimal but also save to use for many people and not cause build failures in packages it really shouldn't.
Because `virtualisation.diskSize = null` does result in a broken vm runner,
see https://github.com/NixOS/nixpkgs/issues/292901.
diskSize was declared to be nullable when it first got types in a
tree-wide commit:
30f0faac22
But it seemingly never actually supported it, as "${cfg.diskSize}M" is
passed to qemu-img create, which doesn't allow an empty size parameter.
closes: https://github.com/NixOS/nixpkgs/issues/292901
This list of microsoft-hosted, pre-built azure-images might have been
useful, but it hasn't seen any updates since NixOS 16.0.9, eight years
ago. As there is also no in-tree usage, and the results of a quick
GitHub search yielded no out-tree usage which was *not* either about
the same age or looked like vendored copies of this list, this seems
safe to drop to me.
Added extra option to enable unprivileged containers. This includes a
patch to remove the hard-coded path to `lxc-user-nic` and a new security
wrapper to set SUID to `lxc-user-nic`.
This adds a new `imageStream` option that can be used in conjunction
with `pkgs.dockerTools.streamLayeredImage` so that the image archive
never needs to be materialized in the `/nix/store`. This greatly
improves the disk utilization for systems that use container images
built using Nix because they only need to store image layers instead of
the full image. Additionally, when deploying the new system and only
new layers need to be built/copied.
The mkfs.erofs utility has a lot of output by default that slows down
running tests. We don't need to capture any of the output from
mkfs.erofs, so we can suppress it.
The minimum reproduction for the problem I'm trying to solve is that
the following NixOS test with a trivial NixOS container:
```
{ inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/24.05";
flake-utils.url = "github:numtide/flake-utils/v1.0.0";
};
outputs = { flake-utils, nixpkgs, self, ... }:
flake-utils.lib.eachDefaultSystem (system: {
checks.default = nixpkgs.legacyPackages."${system}".nixosTest {
name = "test";
nodes.machine.containers.tutorial.config = { };
testScript = "";
};
});
}
```
… fails with the following error message:
```
error: Neither nodes.machine.nixpkgs.hostPlatform nor the legacy option nodes.machine.nixpkgs.system has been set.
You can set nodes.machine.nixpkgs.hostPlatform in hardware-configuration.nix by re-running
a recent version of nixos-generate-config.
The option nodes.machine.nixpkgs.system is still fully supported for NixOS 22.05 interoperability,
but will be deprecated in the future, so we recommend to set nodes.machine.nixpkgs.hostPlatform.
```
The root of the problem appears to be that in
`nixos/modules/virtualisation/nixos-containers.nix` there is support
for deriving the guest's `nixpkgs.hostPlatform` or
`nixpkgs.localSystem` from the corresponding host's values, but this
doesn't work if the host sets `nixpkgs.pkgs` instead of one of those
values. In fact, this is what happens when using `pkgs.nixosTest`
(which sets `nixpkgs.pkgs` in
`pkgs/build-support/testers/default.nix`).
The solution I went with was to forward the `nixpkgs.pkgs` setting from
the host to the guest, but only if it is defined (matching the same
treatment as `nixpkgs.hostPlatform` and `nixpkgs.localSystem`.
Although CDI should be used in order to not require container runtime
wrappers anymore, fix the nvidia-container-runtime integration with
Docker for cases when Docker < 25.
Defining a package that isn't the default results in podman-compat linking to a different version of podman (always the default one). This PR changes the behavior so that the given alternative package is used for the dockerCompat option as well. This could technically break things for people who rely on this quirk, albeit the previous behavior is probably not what one would expect.
Co-authored-by: Winter <winter@winter.cafe>
