Diffstat (limited to 'infra/libkookie/nixpkgs/nixos/modules/virtualisation')
14 files changed, 270 insertions, 37 deletions
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/amazon-image.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
index 20d48add7129..26297a7d0f1f 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/amazon-image.nix
@@ -11,6 +11,7 @@ with lib;
 let
 cfg = config.ec2;
 metadataFetcher = import ./ec2-metadata-fetcher.nix {
+ inherit (pkgs) curl;
 targetRoot = "$targetRoot/";
 wgetExtraOptions = "-q";
 };
@@ -48,7 +49,7 @@ in
 ];
 boot.initrd.kernelModules = [ "xen-blkfront" "xen-netfront" ];
 boot.initrd.availableKernelModules = [ "ixgbevf" "ena" "nvme" ];
- boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0" ];
+ boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0" "random.trust_cpu=on" ];
 # Prevent the nouveau kernel module from being loaded, as it
 # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
@@ -123,7 +124,7 @@ in
 boot.initrd.extraUtilsCommands = ''
 # We need swapon in the initrd.
- copy_bin_and_libs ${pkgs.utillinux}/sbin/swapon
+ copy_bin_and_libs ${pkgs.util-linux}/sbin/swapon
 '';
 # Don't put old configurations in the GRUB menu. The user has no
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/azure-agent.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/azure-agent.nix
index e85482af8392..81413792eda0 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/azure-agent.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/azure-agent.nix
@@ -22,7 +22,7 @@ let
 nettools # for hostname
 procps # for pidof
 shadow # for useradd, usermod
- utillinux # for (u)mount, fdisk, sfdisk, mkswap
+ util-linux # for (u)mount, fdisk, sfdisk, mkswap
 parted
 ];
 pythonPath = [ pythonPackages.pyasn1 ];
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix
index d0efbcc808aa..4498e3a73618 100644
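Review bot: The `random.trust_cpu=on` added to `boot.kernelParams` tells the kernel to treat the CPU's hardware RNG as a trusted seed source, so the CRNG counts as initialised without waiting for other entropy; that is a deliberate trust decision with a security trade-off and the line should carry its reason, e.g. `# random.trust_cpu=on: seed the kernel CRNG from the CPU RNG so early boot does not block waiting for entropy on EC2` (the commit does not state the motivation, so confirm the wording). It stays gated on `cfg.hvm` as before, so non-HVM instances are unaffected. The `inherit (pkgs) curl;` hunk pulls curl into the initrd through the metadata fetcher, which the fetcher's own header comment already justifies.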
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/brightbox-image.nix
@@ -27,7 +27,7 @@ in
 popd
 '';
 diskImageBase = "nixos-image-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.raw";
- buildInputs = [ pkgs.utillinux pkgs.perl ];
+ buildInputs = [ pkgs.util-linux pkgs.perl ];
 exportReferencesGraph = [ "closure" config.system.build.toplevel ];
 }
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/docker.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/docker.nix
index d87ada35a0ae..ec257801b330 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/docker.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/docker.nix
@@ -155,6 +155,9 @@ in
 users.groups.docker.gid = config.ids.gids.docker;
 systemd.packages = [ cfg.package ];
+ # TODO: remove once docker 20.10 is released
+ systemd.enableUnifiedCgroupHierarchy = false;
+
 systemd.services.docker = {
 wantedBy = optional cfg.enableOnBoot "multi-user.target";
 environment = proxy_env;
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
index 24de8cf1afbf..3da63078a214 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-amis.nix
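Review bot: `systemd.enableUnifiedCgroupHierarchy = false;` in the docker.nix hunk is an unconditional assignment, so every configuration that enables docker is switched to the legacy cgroup hierarchy system-wide and can only opt back out with `mkForce`; `systemd.enableUnifiedCgroupHierarchy = mkDefault false;` keeps the workaround while letting a user who runs a docker build with cgroup v2 support keep the unified hierarchy (the hunk's unqualified `optional` suggests lib is already in scope, otherwise `lib.mkDefault`). The TODO would also be more actionable if it named what to verify, e.g. `# TODO: remove once the packaged docker is 20.10 or newer (cgroup v2 support)`.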
@@ -329,5 +329,24 @@ let self = {
 "20.03".ap-east-1.hvm-ebs = "ami-0d18fdd309cdefa86";
 "20.03".sa-east-1.hvm-ebs = "ami-09859378158ae971d";
- latest = self."20.03";
+ # 20.09.1632.a6a3a368dda
+ "20.09".eu-west-1.hvm-ebs = "ami-01a79d5ce435f4db3";
+ "20.09".eu-west-2.hvm-ebs = "ami-0cbe14f32904e6331";
+ "20.09".eu-west-3.hvm-ebs = "ami-07f493412d6213de6";
+ "20.09".eu-central-1.hvm-ebs = "ami-01d4a0c2248cbfe38";
+ "20.09".eu-north-1.hvm-ebs = "ami-0003f54dd99d68e0f";
+ "20.09".us-east-1.hvm-ebs = "ami-068a62d478710462d";
+ "20.09".us-east-2.hvm-ebs = "ami-01ac677ff61399caa";
+ "20.09".us-west-1.hvm-ebs = "ami-04befdb203b4b17f6";
+ "20.09".us-west-2.hvm-ebs = "ami-0fb7bd4a43261c6b2";
+ "20.09".ca-central-1.hvm-ebs = "ami-06d5ee429f153f856";
+ "20.09".ap-southeast-1.hvm-ebs = "ami-0db0304e23c535b2a";
+ "20.09".ap-southeast-2.hvm-ebs = "ami-045983c4db7e36447";
+ "20.09".ap-northeast-1.hvm-ebs = "ami-0beb18d632cf64e5a";
+ "20.09".ap-northeast-2.hvm-ebs = "ami-0dd0316af578862db";
+ "20.09".ap-south-1.hvm-ebs = "ami-008d15ced81c88aed";
+ "20.09".ap-east-1.hvm-ebs = "ami-071f49713f86ea965";
+ "20.09".sa-east-1.hvm-ebs = "ami-05ded1ae35209b5a8";
+
+ latest = self."20.09";
 };
 in self
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-metadata-fetcher.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-metadata-fetcher.nix
index b531787c31a2..dca5c2abd4e0 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-metadata-fetcher.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/ec2-metadata-fetcher.nix
@@ -1,23 +1,77 @@ -{ targetRoot, wgetExtraOptions }: +{ curl, targetRoot, wgetExtraOptions }: +# Note: be very cautious about dependencies, each dependency grows +# the closure of the initrd. Ideally we would not even require curl, +# but there is no reasonable way to send an HTTP PUT request without +# it. Note: do not be fooled: the wget referenced in this script +# is busybox's wget, not the fully featured one with --method support. +# +# Make sure that every package you depend on here is already listed as +# a channel blocker for both the full-sized and small channels. +# Otherwise, we risk breaking user deploys in released channels. +# +# Also note: OpenStack's metadata service for its instances aims to be +# compatible with the EC2 IMDS. Where possible, try to keep the set of +# fetched metadata in sync with ./openstack-metadata-fetcher.nix . '' metaDir=${targetRoot}etc/ec2-metadata mkdir -m 0755 -p "$metaDir" + rm -f "$metaDir/*" - echo "getting EC2 instance metadata..." + get_imds_token() { + # retry-delay of 1 selected to give the system a second to get going, + # but not add a lot to the bootup time + ${curl}/bin/curl \ + -v \ + --retry 3 \ + --retry-delay 1 \ + --fail \ + -X PUT \ + --connect-timeout 1 \ + -H "X-aws-ec2-metadata-token-ttl-seconds: 600" \ + http://169.254.169.254/latest/api/token + } - if ! [ -e "$metaDir/ami-manifest-path" ]; then - wget ${wgetExtraOptions} -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path - fi + preflight_imds_token() { + # retry-delay of 1 selected to give the system a second to get going, + # but not add a lot to the bootup time + ${curl}/bin/curl \ + -v \ + --retry 3 \ + --retry-delay 1 \ + --fail \ + --connect-timeout 1 \ + -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \ + http://169.254.169.254/1.0/meta-data/instance-id + } - if ! 
[ -e "$metaDir/user-data" ]; then - wget ${wgetExtraOptions} -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" - fi + try=1 + while [ $try -le 3 ]; do + echo "(attempt $try/3) getting an EC2 instance metadata service v2 token..." + IMDS_TOKEN=$(get_imds_token) && break + try=$((try + 1)) + sleep 1 + done - if ! [ -e "$metaDir/hostname" ]; then - wget ${wgetExtraOptions} -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname + if [ "x$IMDS_TOKEN" == "x" ]; then + echo "failed to fetch an IMDS2v token." fi - if ! [ -e "$metaDir/public-keys-0-openssh-key" ]; then - wget ${wgetExtraOptions} -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key - fi + try=1 + while [ $try -le 10 ]; do + echo "(attempt $try/10) validating the EC2 instance metadata service v2 token..." + preflight_imds_token && break + try=$((try + 1)) + sleep 1 + done + + echo "getting EC2 instance metadata..." + + wget_imds() { + wget ${wgetExtraOptions} --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@"; + } + + wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path + wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data" + wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname + wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key '' diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix index 8fbb4efd2019..26398afb3cf5 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/nixos-containers.nix 
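Review bot: `preflight_imds_token` runs curl with `-v`, which echoes the request headers — including `X-aws-ec2-metadata-token: $IMDS_TOKEN` — to stderr, so a token that is valid for 600 seconds lands on the boot console and in the journal; `-sS -o /dev/null` in place of `-v` keeps the preflight quiet (the instance-id body is not used anyway), and the `-v` in `get_imds_token` can go for the same reason. `rm -f "$metaDir/*"` quotes the glob, so it only removes a file literally named `*`; the intended cleanup is `rm -f "$metaDir"/*`, and the identical line appears in the new openstack-metadata-fetcher.nix. `wget_imds -O "$metaDir/user-data" … && chmod 600` tightens permissions only after a successful download, so a failed or partial fetch leaves user-data at the default mode inside a 0755 directory; running the fetch under `umask 077` (again in both fetchers) closes that gap. When all three token attempts fail the script prints a message and carries on with an empty header, which presumably is a deliberate IMDSv1 fallback — a comment saying so would stop the next reader from treating it as a missing `exit`.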
@@ -614,17 +614,17 @@ in
 '';
 };
- timeoutStartSec = mkOption {
- type = types.str;
- default = "1min";
- description = ''
- Time for the container to start. In case of a timeout,
- the container processes get killed.
- See <citerefentry><refentrytitle>systemd.time</refentrytitle>
- <manvolnum>7</manvolnum></citerefentry>
- for more information about the format.
- '';
- };
+ timeoutStartSec = mkOption {
+ type = types.str;
+ default = "1min";
+ description = ''
+ Time for the container to start. In case of a timeout,
+ the container processes get killed.
+ See <citerefentry><refentrytitle>systemd.time</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry>
+ for more information about the format.
+ '';
+ };
 bindMounts = mkOption {
 type = with types; attrsOf (submodule bindMountOpts);
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-config.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-config.nix
index c2da5d0d2301..d01e0f23aba1 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-config.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-config.nix
@@ -3,7 +3,7 @@
 with lib;
 let
- metadataFetcher = import ./ec2-metadata-fetcher.nix {
+ metadataFetcher = import ./openstack-metadata-fetcher.nix {
 targetRoot = "/";
 wgetExtraOptions = "--retry-connrefused";
 };
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-metadata-fetcher.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-metadata-fetcher.nix
new file mode 100644
index 000000000000..8c191397cf9a
--- /dev/null
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/openstack-metadata-fetcher.nix
@@ -0,0 +1,21 @@
+{ targetRoot, wgetExtraOptions }:
+
+# OpenStack's metadata service aims to be EC2-compatible. Where
+# possible, try to keep the set of fetched metadata in sync with
+# ./ec2-metadata-fetcher.nix .
+''
+ metaDir=${targetRoot}etc/ec2-metadata
+ mkdir -m 0755 -p "$metaDir"
+ rm -f "$metaDir/*"
+
+ echo "getting instance metadata..."
+
+ wget_imds() {
+ wget ${wgetExtraOptions} "$@"
+ }
+
+ wget_imds -O "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path
+ wget_imds -O "$metaDir/user-data" http://169.254.169.254/1.0/user-data && chmod 600 "$metaDir/user-data"
+ wget_imds -O "$metaDir/hostname" http://169.254.169.254/1.0/meta-data/hostname
+ wget_imds -O "$metaDir/public-keys-0-openssh-key" http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key
+''
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-guest-agent.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-guest-agent.nix
index 665224e35d8c..6a735f451a7e 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-guest-agent.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-guest-agent.nix
@@ -12,6 +12,11 @@ in {
 default = false;
 description = "Whether to enable the qemu guest agent.";
 };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.qemu.ga;
+ description = "The QEMU guest agent package.";
+ };
 };
 config = mkIf cfg.enable (
@@ -25,7 +30,7 @@ in {
 systemd.services.qemu-guest-agent = {
 description = "Run the QEMU Guest Agent";
 serviceConfig = {
- ExecStart = "${pkgs.qemu.ga}/bin/qemu-ga";
+ ExecStart = "${cfg.package}/bin/qemu-ga";
 Restart = "always";
 RestartSec = 0;
 };
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
index 42e43f5ee023..447d1f091c8c 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix
@@ -14,10 +14,11 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
 let
- qemu = config.system.build.qemu or pkgs.qemu_test;
 cfg = config.virtualisation;
+ qemu = cfg.qemu.package;
+
 consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles;
 driveOpts = { ... }: {
@@ -189,7 +190,7 @@ let
 '' else ''
 ''}
 '';
- buildInputs = [ pkgs.utillinux ];
+ buildInputs = [ pkgs.util-linux ];
 QEMU_OPTS = "-nographic -serial stdio -monitor none"
 + lib.optionalString cfg.useEFIBoot (
 " -drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}"
@@ -401,6 +402,14 @@ in
 };
 virtualisation.qemu = {
+ package =
+ mkOption {
+ type = types.package;
+ default = pkgs.qemu;
+ example = "pkgs.qemu_test";
+ description = "QEMU package to use.";
+ };
+
 options = mkOption {
 type = types.listOf types.unspecified;
@@ -735,16 +744,19 @@ in
 (isEnabled "VIRTIO_PCI")
 (isEnabled "VIRTIO_NET")
 (isEnabled "EXT4_FS")
+ (isEnabled "NET_9P_VIRTIO")
+ (isEnabled "9P_FS")
 (isYes "BLK_DEV")
 (isYes "PCI")
- (isYes "EXPERIMENTAL")
 (isYes "NETDEVICES")
 (isYes "NET_CORE")
 (isYes "INET")
 (isYes "NETWORK_FILESYSTEMS")
- ] ++ optional (!cfg.graphics) [
+ ] ++ optionals (!cfg.graphics) [
 (isYes "SERIAL_8250_CONSOLE")
 (isYes "SERIAL_8250")
+ ] ++ optionals (cfg.writableStore) [
+ (isEnabled "OVERLAY_FS")
 ];
 };
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix
new file mode 100644
index 000000000000..263b1ebca086
--- /dev/null
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/vagrant-guest.nix
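Review bot: `example = "pkgs.qemu_test";` in the new `virtualisation.qemu.package` option is a plain string, so the generated manual renders it quoted instead of as a Nix expression; `example = literalExample "pkgs.qemu_test";` is the form the option documentation expects for expressions (lib appears to be in scope unqualified, given `optionals` in the last hunk). Replacing `config.system.build.qemu or pkgs.qemu_test` with `cfg.qemu.package` also moves the default from the test build to the full `pkgs.qemu` and silently ignores any configuration that still sets `system.build.qemu`; if that is intended, the description should say so, e.g. `description = "QEMU package to use. Test setups should set this to pkgs.qemu_test.";`.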
@@ -0,0 +1,58 @@
+# Minimal configuration that vagrant depends on
+
+{ config, pkgs, ... }:
+let
+ # Vagrant uses an insecure shared private key by default, but we
+ # don't use the authorizedKeys attribute under users because it should be
+ # removed on first boot and replaced with a random one. This script sets
+ # the correct permissions and installs the temporary key if no
+ # ~/.ssh/authorized_keys exists.
+ install-vagrant-ssh-key = pkgs.writeScriptBin "install-vagrant-ssh-key" ''
+ #!${pkgs.runtimeShell}
+ if [ ! -e ~/.ssh/authorized_keys ]; then
+ mkdir -m 0700 -p ~/.ssh
+ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> ~/.ssh/authorized_keys
+ chmod 0600 ~/.ssh/authorized_keys
+ fi
+ '';
+in
+{
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Packages used by Vagrant
+ environment.systemPackages = with pkgs; [
+ findutils
+ iputils
+ nettools
+ netcat
+ nfs-utils
+ rsync
+ ];
+
+ users.extraUsers.vagrant = {
+ isNormalUser = true;
+ createHome = true;
+ description = "Vagrant user account";
+ extraGroups = [ "users" "wheel" ];
+ home = "/home/vagrant";
+ password = "vagrant";
+ useDefaultShell = true;
+ uid = 1000;
+ };
+
+ systemd.services.install-vagrant-ssh-key = {
+ description = "Vagrant SSH key install (if needed)";
+ after = [ "fs.target" ];
+ wants = [ "fs.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${install-vagrant-ssh-key}/bin/install-vagrant-ssh-key";
+ User = "vagrant";
+ # So it won't be (needlessly) restarted:
+ RemainAfterExit = true;
+ };
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+}
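Review bot: The new module installs the publicly known Vagrant credentials — `password = "vagrant"`, membership in `wheel` combined with `security.sudo.wheelNeedsPassword = false`, and the well-known insecure public key — and enables sshd with password authentication left at its default, yet the one-line header says nothing about the scope in which that is acceptable; it should read something like `# Minimal configuration that vagrant depends on. It deliberately installs the public Vagrant credentials (user vagrant/vagrant, passwordless sudo, the insecure shared key) and is meant for locally run Vagrant boxes only, not as a base for network-reachable hosts.`. `password`, `uid` and `wheelNeedsPassword` are set with plain `=`, so an importing configuration that wants a different password or uid gets a conflicting-definition error rather than an override; wrapping them in `lib.mkDefault` (with `lib` added to the module arguments) keeps the Vagrant defaults while allowing that. `after = [ "fs.target" ]; wants = [ "fs.target" ];` names a target I cannot find in systemd's standard set; `local-fs.target` looks like the intent, since the unit writes under /home, so this is worth verifying on a booted guest.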
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/vagrant-virtualbox-image.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/vagrant-virtualbox-image.nix
new file mode 100644
index 000000000000..2a921894ab61
--- /dev/null
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/vagrant-virtualbox-image.nix
@@ -0,0 +1,60 @@
+# Vagrant + VirtualBox
+
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./vagrant-guest.nix
+ ./virtualbox-image.nix
+ ];
+
+ virtualbox.params = {
+ audio = "none";
+ audioin = "off";
+ audioout = "off";
+ usb = "off";
+ usbehci = "off";
+ };
+ sound.enable = false;
+ documentation.man.enable = false;
+ documentation.nixos.enable = false;
+
+ users.extraUsers.vagrant.extraGroups = [ "vboxsf" ];
+
+ # generate the box v1 format which is much easier to generate
+ # https://www.vagrantup.com/docs/boxes/format.html
+ system.build.vagrantVirtualbox = pkgs.runCommand
+ "virtualbox-vagrant.box"
+ {}
+ ''
+ mkdir workdir
+ cd workdir
+
+ # 1. create that metadata.json file
+ echo '{"provider":"virtualbox"}' > metadata.json
+
+ # 2. create a default Vagrantfile config
+ cat <<VAGRANTFILE > Vagrantfile
+ Vagrant.configure("2") do |config|
+ config.vm.base_mac = "0800275F0936"
+ end
+ VAGRANTFILE
+
+ # 3. add the exported VM files
+ tar xvf ${config.system.build.virtualBoxOVA}/*.ova
+
+ # 4. move the ovf to the fixed location
+ mv *.ovf box.ovf
+
+ # 5. generate OVF manifest file
+ rm *.mf
+ touch box.mf
+ for fname in *; do
+ checksum=$(sha256sum $fname | cut -d' ' -f 1)
+ echo "SHA256($fname)= $checksum" >> box.mf
+ done
+
+ # 6. compress everything back together
+ tar --owner=0 --group=0 --sort=name --numeric-owner -czf $out .
+ '';
+}
diff --git a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix
index 7b2a66c43489..5ad647769bbd 100644
--- a/infra/libkookie/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix
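Review bot: The manifest loop `for fname in *; do` runs after `touch box.mf`, so it also hashes `box.mf` itself and records a digest of the still-empty manifest, an entry that is wrong by construction; adding `[ "$fname" = box.mf ] && continue` as the first line of the loop body, and quoting `"$fname"` in the `sha256sum` call, avoids that (whether an importer rejects the self-entry I cannot tell from here). `rm *.mf` fails the whole build if the extracted OVA carried no manifest; `rm -f *.mf` makes step 5 robust either way. The final `tar … -czf $out .` pins ownership and ordering but not `--mtime`, so the box archive differs between builds even when its contents do not — presumably acceptable, but a `--mtime` pin would make it reproducible.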
+++ b/infra/libkookie/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix
@@ -201,8 +201,8 @@ in
 ''
 if [ -d /proc/xen ]; then
 ${pkgs.kmod}/bin/modprobe xenfs 2> /dev/null
- ${pkgs.utillinux}/bin/mountpoint -q /proc/xen || \
- ${pkgs.utillinux}/bin/mount -t xenfs none /proc/xen
+ ${pkgs.util-linux}/bin/mountpoint -q /proc/xen || \
+ ${pkgs.util-linux}/bin/mount -t xenfs none /proc/xen
 fi
 '';
|