Defining a package that isn't the default results in podman-compat linking to a different version of podman (always the default one). This PR changes the behavior so that the given alternative package is used for the dockerCompat option as well. This could technically break things for people who rely on this quirk, albeit the previous behavior is probably not what one would expect.
Co-authored-by: Winter <winter@winter.cafe>
Warnings and descriptions for `virtualisation.docker.enableNvidia` and
`virtualisation.podman.enableNvidia` point erroneously to set
`virtualisation.containers.cdi.dynamic.nvidia.enable`. This NixOS
option has been deprecated and the recommended NixOS option is
`hardware.nvidia-container-toolkit.enable`.
Summary of this change:
- Simplify code.
- Stop a disk image from being cached in the binary cache.
- Make erofs Nix Store image build in an acceptable time outside of
testing environments (like `darwin.builder`).
- Do not regress on performance for tests that use many store paths in
their Nix store image.
- Slightly longer startup time for tests where not many store paths are
included in the image (these probably shouldn't use `useNixStoreImage`
anyways).
- Slightly longer startup time when inputs of VM do not change because
the Nix store image is not cached anymore.
Remove the `storeImage` built with make-disk-image.nix. This produced a
separate derivation which is then cached in the binary cache. These
types of images should be avoided because they gunk up the cache as they
change frequently. Now all Nix store images, whether read-only or
writable are based on the erofs image previously only used for read-only
images.
Additionally, simplify the way the erofs image is built by copying the
paths to include to a separate directory and build the erofs image from
there.
Before this change, the list of Nix store paths to include in the Nix
store image was converted to a complex regex that *excludes* all other
paths from a potentially large Nix store.
This previous approach suffers from two issues:
1. The regex is complex and, as admitted in the source code of the
includes-to-excludes.py script, most likely contains at least one
error. This means that it's unlikely that anyone will touch this
piece of software again.
2. When the Nix store image is built from a large Nix store (like when
you build the VM script to run outside of any testing context) this
regex becomes painfully slow. There is at least one prominent
use-case where this matters: `darwin.builder`.
Benchmarking impressions:
- Building Nix store via make-disk-image.nix takes ~25s
- Building Nix store as an erofs image takes ~4s
- Running nixosTests.qemu-vm-writable-store-image takes ~10s when
building the erofs image with the regex vs ~14s when building by
copying to a temporary directory.
- nixosTests.gitlab which had the biggest gains from the initial erofs
change takes the same time as before.
- On a host with ~140k paths in /nix/store, building the erofs image
with the regex takes 410s as opposed to 6s when copying to a temporary
directory.
When `services.resolved` is enabled, then `resolve [!UNAVAIL=return]`
is added to `system.nssDatabases.hosts` with priority 501,
which prevents lower-priority NSS modules from running
unless systemd-resolved is not available.
Quoting from `man nss-resolve`:
> To activate the NSS module, add "resolve [!UNAVAIL=return]" to the line
> starting with "hosts:" in /etc/nsswitch.conf. Specifically, it is
> recommended to place "resolve" early in /etc/nsswitch.conf's "hosts:"
> line. It should be before the "files" entry, since systemd-resolved
> supports /etc/hosts internally, but with caching. To the contrary, it
> should be after "mymachines", to give hostnames given to local VMs and
> containers precedence over names received over DNS. Finally, we
> recommend placing "dns" somewhere after "resolve", to fall back to
> nss-dns if systemd-resolved.service is not available.
Note that the man page (just) recommends "early" and means with this
"before the 'files' and 'dns' entries". It does not insist on being
first or excluding other modules.
For this reason, libvirt NSS modules should run before the `resolve`
module. They should come right next to `mymachines` because both are
conceptually very similar -- they resolve local VMs/containers.
Since the data source of the libvirt NSS modules are local
plain text files (see source code of the libvirt NSS module),
no performance impact is expected form this raise of priorities.
Other NSS modules in NixOS also explicitly set their priority, which is
why this change increases consistency.
Fixes#322022
The recent move to strip out DSS support from the openssh package
means that older key formats cause the key-printing command to
fail. Rather than causing the entire unit to fail, we should instead
skip those keys - while still letting the error through to the
console - and continue to print other keys the loop may find.
diskSize defaults to the previous hard-coded 8192:
no change for existing users.
Users can set diskSize when building images which require
larger disk space; thus avoiding the error:
ERROR: cptofs failed. diskSize might be too small for closure.
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
Co-authored-by: superherointj <5861043+superherointj@users.noreply.github.com>
- rename hardware.opengl to hardware.graphics
- remove hardware.opengl.driSupport, which does nothing
- remove hardware.opengl.setLdLibraryPath, which should never be done
- rename hardware.opengl.driSupport32Bit to hardware.graphics.enable32Bit
- lost of small docs / formatting cleanups
