From bf41254a8add0d7255505afa3ff8068e0baf4127 Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Mon, 19 Dec 2022 12:04:13 +0100
Subject: nixos/qemu-vm: allow use without a disk image
---
 nixos/modules/virtualisation/qemu-vm.nix | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 1b3c0e23f97d..30f3035941a7 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -108,9 +108,9 @@ let
 set -e
- NIX_DISK_IMAGE=$(readlink -f "''${NIX_DISK_IMAGE:-${config.virtualisation.diskImage}}")
+ NIX_DISK_IMAGE=$(readlink -f "''${NIX_DISK_IMAGE:-${toString config.virtualisation.diskImage}}") || test -z "$NIX_DISK_IMAGE"
- if ! test -e "$NIX_DISK_IMAGE"; then
+ if test -n "$NIX_DISK_IMAGE" && ! test -e "$NIX_DISK_IMAGE"; then
 ${qemu}/bin/qemu-img create -f qcow2 "$NIX_DISK_IMAGE" \
 ${toString config.virtualisation.diskSize}M
 fi
@@ -346,7 +346,7 @@ in
 virtualisation.diskImage = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
 default = "./${config.system.name}.qcow2";
 defaultText = literalExpression ''"./''${config.system.name}.qcow2"'';
 description =
@@ -354,6 +354,9 @@ in
 Path to the disk image containing the root filesystem.
 The image will be created on startup if it does not exist.
+
+ If null, a tmpfs will be used as the root filesystem and
+ the VM's state will not be persistent.
 '';
 };
@@ -975,12 +978,12 @@ in
 ];
 virtualisation.qemu.drives = mkMerge [
- [{
+ (mkIf (cfg.diskImage != null) [{
 name = "root";
 file = ''"$NIX_DISK_IMAGE"'';
 driveExtraOpts.cache = "writeback";
 driveExtraOpts.werror = "report";
- }]
+ }])
 (mkIf cfg.useNixStoreImage [{
 name = "nix-store";
 file = ''"$TMPDIR"/store.img'';
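Review bot: In the new `NIX_DISK_IMAGE=$(readlink -f ...) || test -z "$NIX_DISK_IMAGE"` line of the startVM hunk, a failed readlink (for example a configured image path whose parent directory does not exist) leaves the variable empty, and the following `test -n` guard then silently boots the VM with a non-persistent tmpfs root instead of reporting the bad path. The "no disk image" case and the "unresolvable path" case are indistinguishable after this line. Resolving the path only when a non-empty value is configured keeps the `set -e` failure for a genuinely broken path while still allowing `diskImage = null`. The startVM script continues outside the hunk.
```nix
      NIX_DISK_IMAGE="''${NIX_DISK_IMAGE:-${toString config.virtualisation.diskImage}}"
      if test -n "$NIX_DISK_IMAGE"; then
        # set -e aborts here if a configured path cannot be resolved
        NIX_DISK_IMAGE=$(readlink -f "$NIX_DISK_IMAGE")
      fi
      # … unchanged: qemu-img create when the image does not yet exist …
```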
@@ -1031,6 +1034,10 @@ in
 "/".fsType = "ext4";
 "/".autoFormat = true;
 } //
+ optionalAttrs (cfg.diskImage == null) {
+ "/".device = "tmpfs";
+ "/".fsType = "tmpfs";
+ } //
 optionalAttrs config.boot.tmpOnTmpfs {
 "/tmp" = {
 device = "tmpfs";
--
cgit 1.4.1
From 246d09fea28c85de7a2f6223fad6927429c3697b Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Tue, 20 Dec 2022 20:35:40 +0100
Subject: qemu-vm: use nixos module patterns for filesystems
---
 nixos/modules/virtualisation/qemu-vm.nix | 49 ++++++++++++++------------------
 1 file changed, 22 insertions(+), 27 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index 30f3035941a7..f594e7ee9c5d 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -1006,20 +1006,21 @@ in
 }) cfg.emptyDiskImages)
 ];
+ fileSystems = mkVMOverride cfg.fileSystems;
+
 # Mount the host filesystem via 9P, and bind-mount the Nix store
 # of the host into our own filesystem. We use mkVMOverride to
 # allow this module to be applied to "normal" NixOS system
 # configuration, where the regular value for the `fileSystems'
 # attribute should be disregarded for the purpose of building a VM
 # test image (since those filesystems don't exist in the VM).
- fileSystems =
- let
+ virtualisation.fileSystems = let
 mkSharedDir = tag: share: {
 name = if tag == "nix-store" && cfg.writableStore
- then "/nix/.ro-store"
- else share.target;
+ then "/nix/.ro-store"
+ else share.target;
 value.device = tag;
 value.fsType = "9p";
 value.neededForBoot = true;
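Review bot: The added `fileSystems = mkVMOverride cfg.fileSystems;` is placed above the six-line comment that explains why mkVMOverride is used, so that comment now reads as documentation for `virtualisation.fileSystems`, which no longer uses mkVMOverride at all; move the comment above the new line, or split it so only the 9P/shared-directory sentence stays with `virtualisation.fileSystems`. It also looks like user definitions of `virtualisation.fileSystems` now merge with these module defaults at equal priority instead of being replaced by the old `//`, so a conflicting `device`/`fsType` on the same mount point would become an evaluation error rather than a silent override; if that is intended it deserves a sentence in the commit message. The `virtualisation.fileSystems` definition continues outside the hunk.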
@@ -1027,48 +1028,42 @@ in
 [ "trans=virtio" "version=9p2000.L" "msize=${toString cfg.msize}" ]
 ++ lib.optional (tag == "nix-store") "cache=loose";
 };
- in
- mkVMOverride (cfg.fileSystems //
- optionalAttrs cfg.useDefaultFilesystems {
- "/".device = cfg.bootDevice;
- "/".fsType = "ext4";
- "/".autoFormat = true;
- } //
- optionalAttrs (cfg.diskImage == null) {
- "/".device = "tmpfs";
- "/".fsType = "tmpfs";
- } //
- optionalAttrs config.boot.tmpOnTmpfs {
- "/tmp" = {
+ in lib.mkMerge [
+ (lib.mapAttrs' mkSharedDir cfg.sharedDirectories)
+ {
+ "/" = lib.mkIf cfg.useDefaultFilesystems (if cfg.diskImage == null then {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ } else {
+ device = cfg.bootDevice;
+ fsType = "ext4";
+ autoFormat = true;
+ });
+ "/tmp" = lib.mkIf config.boot.tmpOnTmpfs {
 device = "tmpfs";
 fsType = "tmpfs";
 neededForBoot = true;
 # Sync with systemd's tmp.mount;
 options = [ "mode=1777" "strictatime" "nosuid" "nodev" "size=${toString config.boot.tmpOnTmpfsSize}" ];
 };
- } //
- optionalAttrs cfg.useNixStoreImage {
- "/nix/${if cfg.writableStore then ".ro-store" else "store"}" = {
+ "/nix/${if cfg.writableStore then ".ro-store" else "store"}" = lib.mkIf cfg.useNixStoreImage {
 device = "${lookupDriveDeviceName "nix-store" cfg.qemu.drives}";
 neededForBoot = true;
 options = [ "ro" ];
 };
- } //
- optionalAttrs (cfg.writableStore && cfg.writableStoreUseTmpfs) {
- "/nix/.rw-store" = {
+ "/nix/.rw-store" = lib.mkIf (cfg.writableStore && cfg.writableStoreUseTmpfs) {
 fsType = "tmpfs";
 options = [ "mode=0755" ];
 neededForBoot = true;
 };
- } //
- optionalAttrs cfg.useBootLoader { # see note [Disk layout with `useBootLoader`]
- "/boot" = {
+ "/boot" = lib.mkIf cfg.useBootLoader {
 device = "${lookupDriveDeviceName "boot" cfg.qemu.drives}2"; # 2 for e.g. `vdb2`, as created in `bootDisk`
 fsType = "vfat";
 noCheck = true; # fsck fails on a r/o filesystem
 };
- } // lib.mapAttrs' mkSharedDir cfg.sharedDirectories);
+ }
+ ];
 boot.initrd.systemd = lib.mkIf (config.boot.initrd.systemd.enable && cfg.writableStore) {
 mounts = [{
--
cgit 1.4.1
From 18f85de76dac7d3a86767be3aea313a1add5ec67 Mon Sep 17 00:00:00 2001
From: K900
Date: Sat, 4 Mar 2023 10:50:13 +0300
Subject: nixos/firewall: assert that the kernel supports conntrack helper auto-loading
---
 nixos/doc/manual/release-notes/rl-2305.section.md | 2 ++
 nixos/modules/services/networking/firewall.nix | 4 ++++
 2 files changed, 6 insertions(+)
(limited to 'nixos')
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 6fcab17df5ee..dad97b42d3bb 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -142,6 +142,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
+- conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.
+
 ## Other Notable Changes {#sec-release-23.05-notable-changes}
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 4e332d489e4d..ac02a93836b8 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
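Review bot: The cross-reference comment "see note [Disk layout with `useBootLoader`]" that sat on the removed `optionalAttrs cfg.useBootLoader {` line is not carried over to the new `"/boot" = lib.mkIf cfg.useBootLoader {` entry, so nothing in the rewritten block points a reader to the explanation of why /boot is the second partition of the boot drive. Re-add it on the new line, e.g. `"/boot" = lib.mkIf cfg.useBootLoader { # see note [Disk layout with useBootLoader]`. The same applies to the earlier hunk in this commit only insofar as the mkVMOverride comment there is now detached from the line it describes. The enclosing `let ... in` of `virtualisation.fileSystems` starts outside the hunk.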
@@ -269,6 +269,10 @@ in
 assertion = cfg.filterForward -> config.networking.nftables.enable;
 message = "filterForward only works with the nftables based firewall";
 }
+ {
+ assertion = cfg.autoLoadConntrackHelpers -> lib.versionOlder config.boot.kernelPackages.kernel.version "6";
+ message = "conntrack helper autoloading has been removed from kernel 6.0 and newer";
+ }
 ];
 networking.firewall.trustedInterfaces = [ "lo" ];
--
cgit 1.4.1
From 84f3520c8ff96b0eb10b9d511e630c5bace07c29 Mon Sep 17 00:00:00 2001
From: K900
Date: Sat, 4 Mar 2023 10:50:38 +0300
Subject: nixos/tests/nat: remove conntrack helpers test
Removed upstream
---
 nixos/tests/all-tests.nix | 2 --
 nixos/tests/nat.nix | 15 +++------------
 2 files changed, 3 insertions(+), 14 deletions(-)
(limited to 'nixos')
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 785a5621f57e..28ea9272ffb7 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -433,10 +433,8 @@ in {
 nagios = handleTest ./nagios.nix {};
 nar-serve = handleTest ./nar-serve.nix {};
 nat.firewall = handleTest ./nat.nix { withFirewall = true; };
- nat.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; };
 nat.standalone = handleTest ./nat.nix { withFirewall = false; };
 nat.nftables.firewall = handleTest ./nat.nix { withFirewall = true; nftables = true; };
- nat.nftables.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; nftables = true; };
 nat.nftables.standalone = handleTest ./nat.nix { withFirewall = false; nftables = true; };
 nats = handleTest ./nats.nix {};
 navidrome = handleTest ./navidrome.nix {};
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 912a04deae8b..0b617cea7774 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
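Review bot: The new assertion message does not name the option the user has to change, so the evaluation failure is harder to act on than it needs to be; something like `message = "networking.firewall.autoLoadConntrackHelpers: conntrack helper autoloading has been removed from kernel 6.0 and newer; assign helpers explicitly";` points straight at the fix described in the release note. The `lib.versionOlder ... "6"` condition itself is fine for a 6.0 cut-off, since "6.0" is not older than "6" and every 5.x release is. The enclosing `assertions` list starts outside the hunk.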
@@ -3,7 +3,7 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
-import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, nftables ? false, ... }:
+import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ... }:
 let
 unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat");
@@ -16,16 +16,11 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ?
 networking.nat.internalIPs = [ "192.168.1.0/24" ];
 networking.nat.externalInterface = "eth1";
 }
- (lib.optionalAttrs withConntrackHelpers {
- networking.firewall.connectionTrackingModules = [ "ftp" ];
- networking.firewall.autoLoadConntrackHelpers = true;
- })
 ];
 in
 {
 name = "nat" + (lib.optionalString nftables "Nftables")
- + (if withFirewall then "WithFirewall" else "Standalone")
- + (lib.optionalString withConntrackHelpers "withConntrackHelpers");
+ + (if withFirewall then "WithFirewall" else "Standalone");
 meta = with pkgs.lib.maintainers; {
 maintainers = [ eelco rob ];
 };
@@ -39,10 +34,6 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ?
 (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address;
 networking.nftables.enable = nftables;
 }
- (lib.optionalAttrs withConntrackHelpers {
- networking.firewall.connectionTrackingModules = [ "ftp" ];
- networking.firewall.autoLoadConntrackHelpers = true;
- })
 ];
 router =
@@ -95,7 +86,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ?
 client.succeed("curl -v ftp://server/foo.txt >&2")
 # Test whether active FTP works.
- client.${if withConntrackHelpers then "succeed" else "fail"}("curl -v -P - ftp://server/foo.txt >&2")
+ client.fail("curl -v -P - ftp://server/foo.txt >&2")
 # Test ICMP.
 client.succeed("ping -c 1 router >&2")
--
cgit 1.4.1
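Review bot: In the last hunk the comment `# Test whether active FTP works.` now sits above an unconditional `client.fail(...)`, so it states the opposite of what the line asserts: the test checks that active FTP through the NAT does not work when no conntrack helper is assigned. Reword it so a later reader does not "fix" the assertion back to succeed, e.g. `# Active FTP is expected to fail: no conntrack helper is assigned for it.` The testScript body continues outside the hunk.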
From 52006da65b2d65d8d576975b2ee8e52c46f68a09 Mon Sep 17 00:00:00 2001
From: Vladimír Čunát
Date: Sat, 4 Mar 2023 09:28:09 +0100
Subject: nixos/release-*: finish dropping the conntrack tests
This was forgotten in commit 84f3520c8ff96b.
---
 nixos/release-combined.nix | 1 -
 nixos/release-small.nix | 1 -
 2 files changed, 2 deletions(-)
(limited to 'nixos')
diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index 9652be5d85b4..125086294d41 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -100,7 +100,6 @@ in rec {
 (onFullSupported "nixos.tests.login")
 (onFullSupported "nixos.tests.misc")
 (onFullSupported "nixos.tests.mutableUsers")
- (onFullSupported "nixos.tests.nat.firewall-conntrack")
 (onFullSupported "nixos.tests.nat.firewall")
 (onFullSupported "nixos.tests.nat.standalone")
 (onFullSupported "nixos.tests.networking.scripted.bond")
diff --git a/nixos/release-small.nix b/nixos/release-small.nix
index 05ff9ca2499f..7be300bbcf3b 100644
--- a/nixos/release-small.nix
+++ b/nixos/release-small.nix
@@ -118,7 +118,6 @@ in rec {
 "nixos.tests.ipv6"
 "nixos.tests.login"
 "nixos.tests.misc"
- "nixos.tests.nat.firewall-conntrack"
 "nixos.tests.nat.firewall"
 "nixos.tests.nat.standalone"
 "nixos.tests.nfs3.simple"
--
cgit 1.4.1