We don't need both wget and curl, so let's use only curl (which is
part of a minimal NixOS closure, unlike wget).
Logging to the console is helpful for debugging.
Instances without SSH keys configured will receive a 404 from the
metadata server when attempting to fetch an SSH key. This is not an
actual problem though, and shouldn't result in the service failing.
If the metadata server cannot be reached, the script will fail at an
earlier stage when attempting to get authentication data.
This also removes automatic enablement/mounting of instance store swap
devices and ext3 filesystems. This behaviour is strongly opinionated
and shouldn't be enabled by default.
The unionfs behaviour never took effect anyway, because the AMI
manifest path only exists for instance store-backed AMIs, which have
not been supported by nixpkgs since
84742e2293 (2019).
Previously we did socket-activation but this breaks the autostart
feature since upstream expects libvirtd to be started unconditionally on
boot.
Fixes#171623.
Allow building other than Legacy-BIOS-only Proxmox images.
Default is unchanged.
To build UEFI proxmox image use:
proxmox.qemuConf.bios = "ovmf";
(default is "seabios")
To build image bootable using both "seabios" and "ovmf" use:
partitionTableType = "hybrid";
BIOS can be switched in Proxmox between "seabios" and "ovmf" and VM still boots.
(GRUB2-only, systemd-boot does not boot under "seabios")
To build systemd-boot UEFI image:
proxmox.qemuConf.bios = "ovmf";
boot.loader.systemd-boot.enable = true;
This adds an option to the qemu virtualisation module to isolate the
guest's from the host's and outside networks.
This is particularly useful for development sandboxes for example.
The option is disabled by default to preserve the current behaviour.
Use hostPlatform if both the host and the containers nixpkgs supports
hostPlatform, otherwise fall back to localSystem. This preseves backwards
compatibility.
Without `ìmageFile` set, the service needs to download the image from
the registry. If the network is not up in time, the service tries to
restart rapidly until it fails.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
this mostly means marking options that use markdown already
appropriately and making a few adjustments so they still render
correctly. notable for nftables we have to transform the md links
because the manpage would not render them correctly otherwise.
this renders the same in the manpage and a little more clearly in the
html manual. in the manpage there continues to be no distinction from
regular text, the html manual gets code-type markup (which was probably
the intention for most of these uses anyway).
This does make the out-of-the-box install perhaps a bit worse, since
networking may need to be manually configured. However, it makes it less
frustrating that upon every start of this service, a *removed* autostart
network will be re-added when removed by the user. See
https://github.com/NixOS/nixpkgs/issues/73418 for details.
Behavior from other distros:
- Adds autostart net on install: Fedora
- Does not add autostart net : Debian, Arch
This does not break any existing installs since it does not affect any
autostart network already in-place.
This was enabled by default in 18a7ce76fc
with the reason that it would be "useful regardless of the desktop
environment.", which I'm not arguing against.
The reason why this should not be enabled by default is that there are a
lot of systems that NixOS runs on that are not desktop systems.
Users on such systems most likely do not want or need this feature and
could even consider this an antifeature.
Furthermore, it is surprising to them to find out that they have this
enabled on their systems.
They might be even more surprised to find that they have polkit enabled
by default, which was a default that was flipped in
a813be071c. For some discussion as to why
see https://github.com/NixOS/nixpkgs/pull/156858.
Evidently, this default is not only surprising to users, but also module
developers, as most if not all modules for desktop environments already
explicity set services.udisks2.enable = true; which they don't need to
right now.
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
A warning regarding enabling NixOS containers and
virtualisation.containers at the same time with state versions < 22.05
had been added in commit 3c49151f15. But
this warning had accidentally been defined in the wrong place, and the
warning has therefore not actually been in effect. This commit fixes
that.
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.
the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
This avoids putting a large disk image in the store (and possibly
in a binary cache), while improving runtime performance.
Assuming you're running an SSD, and/or with plenty of cache (?)
it is feasible to preempt the virtualization overhead before
VM start, in single-digit seconds.
For some tests that perform many reads on the store, the improved
performance of EROFS is sufficient that not only the image creation
overhead is compensated for, but is actually faster.
Stats for nixosTests.gitlab:
Baseline without useNixStoreImage: >1000s
Baseline with useNixStoreImage without writableStore = false
ext4 image in store: 277 seconds
+ significant image build time and/or disk space
Disposable erofs image: 249 seconds _including_ image build time
Custom erofs overlay on 9p host store: 391 seconds; presumably
because the overlay still performs too many 9p accesses, or perhaps
some other overhead. This solution had no obvious performance
advantage, while requiring extra options to work, so it was
discarded.
Install Parallel Tools updated for version 17 of Parallels for macOS. This
fixes clipboard sharing, so that copy and paste works between the host
macOS and the guest NixOS VM. Support for guests on M1 Apple Silicon-based
Macs (aarch64-linux) is also added.
Co-authored-by: Paul Smith <paulsmith@gmail.com>
Co-authored-by: Weijia Wang <9713184+wegank@users.noreply.github.com>
Potential use cases for disabling `useDefaultFilesystems` include:
- Testing with uncommon filesystem layouts
- Testing scenarios where swapping occurs
- Testing with LUKS-encrypted disks
Closes#177963
Prior to this patch:
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
Previously, it was held back due to the ENA driver not building on the
current default (5.15). The previous commit bumps the ENA driver, which
allows 5.15 to work.
This has a number of benefits such as that applying service limits will
actually work since there isn't a layer of indirection (the Docker daemon)
between the systemd service and the container runtime.
We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.
The state directory move is not strictly a requirement but is good for
consistency.
Otherwise, starting this daemon fails with the message
```
virtchd[3484224]: Initialization of mandatory cloud-hypervisor state driver skipped
virtchd[3484224]: Driver state initialization failed
```
Fixes#167850
using freeform is the new standard way of using modules and should replace
extraConfig.
In particular, this will allow us to place a condition on mails
* With the upgrade to waydroid to 1.2.0, dependencies that previously
were shipped in the service's path have been moved to the waydroid
package.
* Make sure /var/lib/misc exists when starting waydroid. As required
by dnsmasq
While doing kernel development with the nixos testing infrastructure, it
is useful to quickly compile the kernel on the side and boot it in the testing VM.
This patch allows overriding the kernel through the environment
variable. For example, the following:
$ NIXPKGS_QEMU_KERNEL_testvm=$LINUX_SRC/arch/x86/boot/bzImage $VM/bin/nixos-test-driver
runs testvm testing VM with the fresh kernel compiled in $LINUX_SRC.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
