From 5f1345a30318cf9559e58576dff8c5d3e4d77a62 Mon Sep 17 00:00:00 2001 From: Patryk Wychowaniec Date: Fri, 26 Feb 2021 16:03:49 +0100 Subject: [PATCH 1/2] nixos/containers: styling improvements --- nixos/tests/containers-bridge.nix | 8 +++----- nixos/tests/containers-custom-pkgs.nix | 6 +++--- nixos/tests/containers-ephemeral.nix | 7 ++++--- nixos/tests/containers-extra_veth.nix | 8 +++----- nixos/tests/containers-hosts.nix | 8 +++----- nixos/tests/containers-imperative.nix | 8 +++----- nixos/tests/containers-ip.nix | 8 +++----- nixos/tests/containers-macvlans.nix | 8 +++----- nixos/tests/containers-physical_interfaces.nix | 7 +++---- nixos/tests/containers-portforward.nix | 8 +++----- nixos/tests/containers-reloadable.nix | 7 +++---- nixos/tests/containers-restart_networking.nix | 8 +++----- nixos/tests/containers-tmpfs.nix | 8 +++----- 13 files changed, 40 insertions(+), 59 deletions(-) diff --git a/nixos/tests/containers-bridge.nix b/nixos/tests/containers-bridge.nix index 1208aa8fced7..12fa67c8b015 100644 --- a/nixos/tests/containers-bridge.nix +++ b/nixos/tests/containers-bridge.nix @@ -1,5 +1,3 @@ -# Test for NixOS' container support. - let hostIp = "192.168.0.1"; containerIp = "192.168.0.100/24"; @@ -7,10 +5,10 @@ let containerIp6 = "fc00::2/7"; in -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-bridge"; - meta = with pkgs.lib.maintainers; { - maintainers = [ aristid aszlig eelco kampfschlaefer ]; + meta = { + maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ]; }; machine = diff --git a/nixos/tests/containers-custom-pkgs.nix b/nixos/tests/containers-custom-pkgs.nix index 1412c32bfb5f..c050e49bc29d 100644 --- a/nixos/tests/containers-custom-pkgs.nix +++ b/nixos/tests/containers-custom-pkgs.nix 
@@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, lib, ...} : let +import ./make-test-python.nix ({ pkgs, lib, ... }: let customPkgs = pkgs.appendOverlays [ (self: super: { hello = super.hello.overrideAttrs (old: { @@ -8,8 +8,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : let in { name = "containers-custom-pkgs"; - meta = with lib.maintainers; { - maintainers = [ adisbladis earvstedt ]; + meta = { + maintainers = with lib.maintainers; [ adisbladis earvstedt ]; }; machine = { config, ... }: { diff --git a/nixos/tests/containers-ephemeral.nix b/nixos/tests/containers-ephemeral.nix index 692554ac0ba2..fabf0593f23a 100644 --- a/nixos/tests/containers-ephemeral.nix +++ b/nixos/tests/containers-ephemeral.nix @@ -1,7 +1,8 @@ -# Test for NixOS' container support. - -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-ephemeral"; + meta = { + maintainers = with lib.maintainers; [ patryk27 ]; + }; machine = { pkgs, ... }: { virtualisation.memorySize = 768; diff --git a/nixos/tests/containers-extra_veth.nix b/nixos/tests/containers-extra_veth.nix index 212f3d0f46cb..cbbb25258325 100644 --- a/nixos/tests/containers-extra_veth.nix +++ b/nixos/tests/containers-extra_veth.nix @@ -1,9 +1,7 @@ -# Test for NixOS' container support. - -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-extra_veth"; - meta = with pkgs.lib.maintainers; { - maintainers = [ kampfschlaefer ]; + meta = { + maintainers = with lib.maintainers; [ kampfschlaefer ]; }; machine = diff --git a/nixos/tests/containers-hosts.nix b/nixos/tests/containers-hosts.nix index 65a983c42a78..1f24ed1f3c2c 100644 --- a/nixos/tests/containers-hosts.nix +++ b/nixos/tests/containers-hosts.nix 
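Review bot: The `meta.maintainers` edit in the containers-ephemeral hunk is not a styling change: the file gains a maintainer (`patryk27`), and the containers-tmpfs hunk later in this patch likewise turns an empty `maintainers = [ ]` into `[ patryk27 ]`, while the subject line only says "styling improvements". Either mention the maintainer additions in the commit message or split them into their own commit so the history says who became responsible for these tests.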
@@ -1,9 +1,7 @@ -# Test for NixOS' container support. - -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-hosts"; - meta = with pkgs.lib.maintainers; { - maintainers = [ montag451 ]; + meta = { + maintainers = with lib.maintainers; [ montag451 ]; }; machine = diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 393b4a5135dd..0ff0d3f95452 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -1,9 +1,7 @@ -# Test for NixOS' container support. - -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-imperative"; - meta = with pkgs.lib.maintainers; { - maintainers = [ aristid aszlig eelco kampfschlaefer ]; + meta = { + maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ]; }; machine = diff --git a/nixos/tests/containers-ip.nix b/nixos/tests/containers-ip.nix index 0265ed92d41c..5abea2dbad9f 100644 --- a/nixos/tests/containers-ip.nix +++ b/nixos/tests/containers-ip.nix @@ -1,5 +1,3 @@ -# Test for NixOS' container support. - let webserverFor = hostAddress: localAddress: { inherit hostAddress localAddress; @@ -13,10 +11,10 @@ let }; }; -in import ./make-test-python.nix ({ pkgs, ...} : { +in import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-ipv4-ipv6"; - meta = with pkgs.lib.maintainers; { - maintainers = [ aristid aszlig eelco kampfschlaefer ]; + meta = { + maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ]; }; machine = diff --git a/nixos/tests/containers-macvlans.nix b/nixos/tests/containers-macvlans.nix index 9425252cb886..d0f41be8c125 100644 --- a/nixos/tests/containers-macvlans.nix +++ b/nixos/tests/containers-macvlans.nix 
@@ -1,15 +1,13 @@ -# Test for NixOS' container support. - let # containers IP on VLAN 1 containerIp1 = "192.168.1.253"; containerIp2 = "192.168.1.254"; in -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-macvlans"; - meta = with pkgs.lib.maintainers; { - maintainers = [ montag451 ]; + meta = { + maintainers = with lib.maintainers; [ montag451 ]; }; nodes = { diff --git a/nixos/tests/containers-physical_interfaces.nix b/nixos/tests/containers-physical_interfaces.nix index 0b55c3418edf..57bd0eedcc33 100644 --- a/nixos/tests/containers-physical_interfaces.nix +++ b/nixos/tests/containers-physical_interfaces.nix @@ -1,8 +1,7 @@ - -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-physical_interfaces"; - meta = with pkgs.lib.maintainers; { - maintainers = [ kampfschlaefer ]; + meta = { + maintainers = with lib.maintainers; [ kampfschlaefer ]; }; nodes = { diff --git a/nixos/tests/containers-portforward.nix b/nixos/tests/containers-portforward.nix index d0be3c7d43ec..221a6f50efd1 100644 --- a/nixos/tests/containers-portforward.nix +++ b/nixos/tests/containers-portforward.nix @@ -1,5 +1,3 @@ -# Test for NixOS' container support. - let hostIp = "192.168.0.1"; hostPort = 10080; @@ -7,10 +5,10 @@ let containerPort = 80; in -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-portforward"; - meta = with pkgs.lib.maintainers; { - maintainers = [ aristid aszlig eelco kampfschlaefer ianwookim ]; + meta = { + maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ianwookim ]; }; machine = diff --git a/nixos/tests/containers-reloadable.nix b/nixos/tests/containers-reloadable.nix index 877246917672..876e62c1da9e 100644 --- a/nixos/tests/containers-reloadable.nix +++ b/nixos/tests/containers-reloadable.nix 
@@ -1,7 +1,6 @@ -import ./make-test-python.nix ({ pkgs, lib, ...} : +import ./make-test-python.nix ({ pkgs, lib, ... }: let client_base = { - containers.test1 = { autoStart = true; config = { @@ -16,8 +15,8 @@ let }; in { name = "containers-reloadable"; - meta = with pkgs.lib.maintainers; { - maintainers = [ danbst ]; + meta = { + maintainers = with lib.maintainers; [ danbst ]; }; nodes = { diff --git a/nixos/tests/containers-restart_networking.nix b/nixos/tests/containers-restart_networking.nix index b35552b5b191..e1ad8157b288 100644 --- a/nixos/tests/containers-restart_networking.nix +++ b/nixos/tests/containers-restart_networking.nix @@ -1,5 +1,3 @@ -# Test for NixOS' container support. - let client_base = { networking.firewall.enable = false; @@ -16,11 +14,11 @@ let }; }; }; -in import ./make-test-python.nix ({ pkgs, ...} : +in import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-restart_networking"; - meta = with pkgs.lib.maintainers; { - maintainers = [ kampfschlaefer ]; + meta = { + maintainers = with lib.maintainers; [ kampfschlaefer ]; }; nodes = { diff --git a/nixos/tests/containers-tmpfs.nix b/nixos/tests/containers-tmpfs.nix index 7ebf0d02a240..fd9f9a252ca8 100644 --- a/nixos/tests/containers-tmpfs.nix +++ b/nixos/tests/containers-tmpfs.nix @@ -1,9 +1,7 @@ -# Test for NixOS' container support. - -import ./make-test-python.nix ({ pkgs, ...} : { +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-tmpfs"; - meta = with pkgs.lib.maintainers; { - maintainers = [ ]; + meta = { + maintainers = with lib.maintainers; [ patryk27 ]; }; machine = From 336ef2de99197dd9c07b302685dc9e6282fa5b55 Mon Sep 17 00:00:00 2001 
From: Patryk Wychowaniec
Date: Fri, 26 Feb 2021 17:14:08 +0100
Subject: [PATCH 2/2] nixos/containers: allow containers with long names to create private networks

Launching a container with a private network requires creating a dedicated networking interface for it; name of that interface is derived from the container name itself - e.g. a container named `foo` gets attached to an interface named `ve-foo`. An interface name can span up to IFNAMSIZ characters, which means that a container name must contain at most IFNAMSIZ - 3 - 1 = 11 characters; it's a limit that we validate using a build-time assertion. This limit has been upgraded with Linux 5.8, as it allows for an interface to contain a so-called altname, which can be much longer, while remaining treated as a first-class citizen. Since altnames have been supported natively by systemd for a while now, due diligence on our side ends with dropping the name-assertion on newer kernels. This commit closes #38509. systemd/systemd#14467 systemd/systemd#17220 https://lwn.net/Articles/794289/
---
 .../virtualisation/nixos-containers.nix | 12 ++++--
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/containers-names.nix | 37 +++++++++++++++++++
 3 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 nixos/tests/containers-names.nix
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index f06977f88fc1..3754fe6dac6d 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -271,8 +271,8 @@ let
 DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
 };
- system = config.nixpkgs.localSystem.system;
+ kernelVersion = config.boot.kernelPackages.kernel.version;
 bindMountOpts = { name, ... }: {
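Review bot: `kernelVersion` is bound to the host's `config.boot.kernelPackages.kernel.version`, which is the right source for the assertion further down because nspawn containers run on the host kernel, but the binding carries no comment saying so and nothing near it ties the value to the altname threshold it is later compared against; suggest `# Host kernel version; containers share it, and Linux >= 5.8 lifts the IFNAMSIZ limit on ve-* names via altnames (see #38509).` above the line. The same hunk silently drops `system = config.nixpkgs.localSystem.system;`, which looks like an unrelated dead-binding cleanup — if it is, one line in the commit message would keep it from surprising anyone bisecting later. The enclosing `let` block starts and ends outside the hunk.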
@@ -321,7 +321,6 @@ let
 };
 };
-
 mkBindFlag = d: let
 flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";
 mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}";
@@ -482,11 +481,16 @@ in
 networking.useDHCP = false;
 assertions = [
 {
- assertion = config.privateNetwork -> stringLength name < 12;
+ assertion =
+ (builtins.compareVersions kernelVersion "5.8" <= 0)
+ -> config.privateNetwork
+ -> stringLength name <= 11;
 message = ''
 Container name `${name}` is too long: When `privateNetwork` is enabled, container names can
 not be longer than 11 characters, because the container's interface name is derived from it.
- This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509
+ You should either make the container name shorter or upgrade to a more recent kernel that
+ supports interface altnames (i.e. at least Linux 5.8 - please see https://github.com/NixOS/nixpkgs/issues/38509
+ for details).
 '';
 }
 ];
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index bf094dbe9848..02723f88c315 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -72,6 +72,7 @@ in
 containers-imperative = handleTest ./containers-imperative.nix {};
 containers-ip = handleTest ./containers-ip.nix {};
 containers-macvlans = handleTest ./containers-macvlans.nix {};
+ containers-names = handleTest ./containers-names.nix {};
 containers-physical_interfaces = handleTest ./containers-physical_interfaces.nix {};
 containers-portforward = handleTest ./containers-portforward.nix {};
 containers-reloadable = handleTest ./containers-reloadable.nix {};
diff --git a/nixos/tests/containers-names.nix b/nixos/tests/containers-names.nix
new file mode 100644
index 000000000000..9ad2bfb748a8
--- /dev/null
+++ b/nixos/tests/containers-names.nix
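Review bot: The version guard in the new `assertion` is off by one at the boundary: `builtins.compareVersions kernelVersion "5.8" <= 0` is true when `kernelVersion` is exactly `"5.8"` (nixpkgs typically names an x.y.0 kernel just `x.y`), so a 5.8.0 kernel still gets the 11-character limit even though the message two lines below and the commit description both promise relief on "at least Linux 5.8"; `(builtins.compareVersions kernelVersion "5.8" < 0)` matches what is documented. Dropping the check also only means the long name is accepted on the host side — the kernel ifname becomes a truncated `ve-…` with the full name as an altname, and whether everything a user may key on `ve-${name}` (interface or firewall configuration) resolves the altname is not established in this hunk, so a one-line comment above the assertion stating that names over 11 characters are carried as an altname on a truncated ifname would spare the next reader a trip to #38509. The enclosing `in` block continues outside the hunk.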
@@ -0,0 +1,37 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+ name = "containers-names";
+ meta = {
+ maintainers = with lib.maintainers; [ patryk27 ];
+ };
+
+ machine = { ... }: {
+ # We're using the newest kernel, so that we can test containers with long names.
+ # Please see https://github.com/NixOS/nixpkgs/issues/38509 for details.
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ containers = let
+ container = subnet: {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.${subnet}.1";
+ localAddress = "192.168.${subnet}.2";
+ config = { };
+ };
+
+ in {
+ first = container "1";
+ second = container "2";
+ really-long-name = container "3";
+ really-long-long-name-2 = container "4";
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("default.target")
+
+ machine.succeed("ip link show | grep ve-first")
+ machine.succeed("ip link show | grep ve-second")
+ machine.succeed("ip link show | grep ve-really-lFYWO")
+ machine.succeed("ip link show | grep ve-really-l3QgY")
+ '';
+})
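Review bot: The test only proves that some `ve-*` link exists per container, and for the two long names it does so by grepping hard-coded hash suffixes (`ve-really-lFYWO`, `ve-really-l3QgY`) that systemd derives and could legitimately change without any NixOS regression, which makes the test both brittle and weaker than the behaviour the commit relies on; checking the altname instead, e.g. `machine.succeed("ip link show | grep 'altname ve-really-long-name'")`, would pin the property that actually matters (assuming the iproute2 in the image prints altnames, which the description implies). Nothing here exercises the private network itself, so a `machine.succeed("ping -c1 192.168.3.2")` per container would catch the case where the link appears but the host-side address or route setup still refers to the untruncated name and fails. The unanchored `grep ve-first` also matches any longer name with that prefix; `ip link show dev ve-first` is exact.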