From 708e1eb8ba6403e9ff03586204b74c9b293b9810 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Thu, 3 Jun 2021 21:56:17 -0400 Subject: nixos/anbox: mark anbox0 as unmanaged with NetworkManager --- nixos/modules/virtualisation/anbox.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix index c7e9e23c4c92..0473742c8550 100644 --- a/nixos/modules/virtualisation/anbox.nix +++ b/nixos/modules/virtualisation/anbox.nix @@ -87,6 +87,9 @@ in internalInterfaces = [ "anbox0" ]; }; + # Ensures NetworkManager doesn't touch anbox0 + networking.networkmanager.unmanaged = [ "anbox0" ]; + systemd.services.anbox-container-manager = let anboxloc = "/var/lib/anbox"; in { -- cgit 1.4.1 From cdc51c811a492b8b7e20e2c579cb51a57d6dc922 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Thu, 3 Jun 2021 21:59:08 -0400 Subject: nixos/anbox: handle new kernel configurations --- nixos/modules/virtualisation/anbox.nix | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix index 0473742c8550..6323a3b72c53 100644 --- a/nixos/modules/virtualisation/anbox.nix +++ b/nixos/modules/virtualisation/anbox.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.virtualisation.anbox; - kernelPackages = config.boot.kernelPackages; + addrOpts = v: addr: pref: name: { address = mkOption { default = addr; 
@@ -67,16 +67,19 @@ in config = mkIf cfg.enable { assertions = singleton { - assertion = versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.18"; - message = "Anbox needs user namespace support to work properly"; + assertion = with config.boot.kernelPackages; kernelAtLeast "5.5" && kernelOlder "5.18"; + message = "Anbox needs a kernel with binder and ashmem support"; }; environment.systemPackages = with pkgs; [ anbox ]; - services.udev.extraRules = '' - KERNEL=="ashmem", NAME="%k", MODE="0666" - KERNEL=="binder*", NAME="%k", MODE="0666" - ''; + systemd.mounts = singleton { + requiredBy = [ "anbox-container-manager.service" ]; + description = "Anbox Binder File System"; + what = "binder"; + where = "/dev/binderfs"; + type = "binder"; + }; virtualisation.lxc.enable = true; networking.bridges.anbox0.interfaces = []; -- cgit 1.4.1 From 7fa154f3ee4d93236bb844b97ca0dac32559dc37 Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Fri, 4 Jun 2021 17:34:33 -0400 Subject: nixos/anbox: allow applying changes to the image --- nixos/modules/virtualisation/anbox.nix | 36 +++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix index 6323a3b72c53..dd4a49413f7c 100644 --- a/nixos/modules/virtualisation/anbox.nix +++ b/nixos/modules/virtualisation/anbox.nix 
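Review bot: The new `systemd.mounts` entry for /dev/binderfs is only required by anbox-container-manager.service, not ordered before it; `requiredBy` produces a Requires= dependency, and systemd does not order units on requirement dependencies, so the service can be started while binderfs is still being mounted unless the implicit Before=local-fs.target that local mount units receive happens to cover the case. Adding `before = [ "anbox-container-manager.service" ];` to the mount attribute set makes the ordering explicit and independent of default dependencies. The hunk also drops the 0666 udev rules for ashmem and binder, which is a welcome tightening of device access, but the new assertion message still names ashmem: if the container still opens /dev/ashmem, confirm the kernel's default node permissions are enough or state in a comment why no rule is needed. The `config = mkIf cfg.enable` attribute set continues outside the hunk.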
@@ -25,6 +25,28 @@ let }; }; + finalImage = if cfg.imageModifications == "" then cfg.image else ( pkgs.callPackage ( + { runCommandNoCC, squashfsTools }: + + runCommandNoCC "${cfg.image.name}-modified.img" { + nativeBuildInputs = [ + squashfsTools + ]; + } '' + echo "-> Extracting Anbox root image..." + unsquashfs -dest rootfs ${cfg.image} + + echo "-> Modifying Anbox root image..." + ( + cd rootfs + ${cfg.imageModifications} + ) + + echo "-> Packing modified Anbox root image..." + mksquashfs rootfs $out -comp xz -no-xattrs -all-root + '' + ) { }); + in { @@ -42,6 +64,18 @@ in ''; }; + imageModifications = mkOption { + default = ""; + type = types.lines; + description = lib.mdDoc '' + Commands to edit the image filesystem. + + This can be used to e.g. bundle a privileged F-Droid. + + Commands are ran with PWD being at the root of the filesystem. + ''; + }; + extraInit = mkOption { type = types.lines; default = ""; @@ -127,7 +161,7 @@ in ExecStart = '' ${pkgs.anbox}/bin/anbox container-manager \ --data-path=${anboxloc} \ - --android-image=${cfg.image} \ + --android-image=${finalImage} \ --container-network-address=${cfg.ipv4.container.address} \ --container-network-gateway=${cfg.ipv4.gateway.address} \ --container-network-dns-servers=${cfg.ipv4.dns} \ -- cgit 1.4.1 From 7425d9254ddbce7a8764a7e1cf8a6f2d30b812a9 Mon Sep 17 00:00:00 2001 
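Review bot: The `finalImage` round-trip is not faithful to `cfg.image`: `mksquashfs ... -no-xattrs -all-root` makes every file root-owned and strips extended attributes, so enabling any `imageModifications` changes ownership and xattrs across the whole image, not just the files the user edits. That is unavoidable for an unprivileged builder (unsquashfs cannot restore ownership or security xattrs as nixbld), but it should be stated, e.g. above the binding: `# Rebuilt by an unprivileged builder: the modified image is root-owned with xattrs stripped` and in the `imageModifications` description in the next hunk, where `Commands are ran with PWD being at the root of the filesystem.` should also read `Commands are run`. It is worth adding there that the commands execute inside the Nix build sandbox as the builder user, so they only affect the image contents, and that any change to the option text produces a new image derivation. The `let` block continues outside the hunk.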
From: Samuel Dionne-Riel Date: Sat, 5 Jun 2021 15:53:31 -0400 Subject: nixos/anbox: use `--daemon` to squash warning As noted in https://github.com/NixOS/nixpkgs/pull/102341 this is not actually running as a forked process. It only tells the process that it is running "as a daemon, so shut the warning up". See `daemon_` here - https://github.com/anbox/anbox/blob/9de4e87cdd05135e1c71e6eadb68bf82719cebdf/src/anbox/cmds/container_manager.cpp#L38-L79 It is **strictly** used to hide that message. Co-authored-by: Matt Votava --- nixos/modules/virtualisation/anbox.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nixos/modules/virtualisation') diff --git a/nixos/modules/virtualisation/anbox.nix b/nixos/modules/virtualisation/anbox.nix index dd4a49413f7c..523d9a9576ef 100644 --- a/nixos/modules/virtualisation/anbox.nix +++ b/nixos/modules/virtualisation/anbox.nix @@ -166,7 +166,8 @@ in --container-network-gateway=${cfg.ipv4.gateway.address} \ --container-network-dns-servers=${cfg.ipv4.dns} \ --use-rootfs-overlay \ - --privileged + --privileged \ + --daemon ''; }; }; -- cgit 1.4.1
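Review bot: The reason for `--daemon` lives only in the commit message; nothing in the unit tells the next maintainer that the flag does not fork and must not be paired with a forking service type. Put a comment immediately above the `ExecStart = ''` assignment, which starts outside this hunk, such as `# --daemon only suppresses anbox's warning; the process does not fork (see PR #102341)` — it cannot go inside the `''` string because a `#` line would break the backslash continuation of the command. The `--privileged` flag on the preceding line is unchanged by this commit and still deserves its own justification comment, since it is the most security-relevant argument in the command.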