The minimum reproduction for the problem I'm trying to solve is that
the following NixOS test with a trivial NixOS container:
```
{ inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/24.05";
flake-utils.url = "github:numtide/flake-utils/v1.0.0";
};
outputs = { flake-utils, nixpkgs, self, ... }:
flake-utils.lib.eachDefaultSystem (system: {
checks.default = nixpkgs.legacyPackages."${system}".nixosTest {
name = "test";
nodes.machine.containers.tutorial.config = { };
testScript = "";
};
});
}
```
… fails with the following error message:
```
error: Neither nodes.machine.nixpkgs.hostPlatform nor the legacy option nodes.machine.nixpkgs.system has been set.
You can set nodes.machine.nixpkgs.hostPlatform in hardware-configuration.nix by re-running
a recent version of nixos-generate-config.
The option nodes.machine.nixpkgs.system is still fully supported for NixOS 22.05 interoperability,
but will be deprecated in the future, so we recommend to set nodes.machine.nixpkgs.hostPlatform.
```
The root of the problem appears to be that in
`nixos/modules/virtualisation/nixos-containers.nix` there is support
for deriving the guest's `nixpkgs.hostPlatform` or
`nixpkgs.localSystem` from the corresponding host's values, but this
doesn't work if the host sets `nixpkgs.pkgs` instead of one of those
values. In fact, this is what happens when using `pkgs.nixosTest`
(which sets `nixpkgs.pkgs` in
`pkgs/build-support/testers/default.nix`).
The solution I went with was to forward the `nixpkgs.pkgs` setting from
the host to the guest, but only if it is defined (matching the same
treatment as `nixpkgs.hostPlatform` and `nixpkgs.localSystem`.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This commit makes auto-restarting declarative containers optional.
This is useful when you don't want changes to your config to automatically
restart the container and thus stop any applications running inside it.
Calling `eval-config.nix` without a `system` from a Nix flake fails with
`error: attribute 'currentSystem' missing` since #230523. Setting
`system = null` removes the use of `currentSystem` and instead uses the
value from the `nixpkgs` module.
Use hostPlatform if both the host and the containers nixpkgs supports
hostPlatform, otherwise fall back to localSystem. This preseves backwards
compatibility.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
A warning regarding enabling NixOS containers and
virtualisation.containers at the same time with state versions < 22.05
had been added in commit 3c49151f15. But
this warning had accidentally been defined in the wrong place, and the
warning has therefore not actually been in effect. This commit fixes
that.
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
Prior to this patch:
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
We need to move NixOS containers somewhere else so these don't clash
with Podman, Skopeo & other container software in the libpod &
cri-o/cri-u/libcontainer ecosystems.
The state directory move is not strictly a requirement but is good for
consistency.
Changed the startup timeout from 15 seconds to one minute as 15 seconds is really low.
Also it's currently not possible to change it without editing your system configuration.
systemd-nspawn can react to SIGTERM and send a shutdown signal to the container
init process. use that instead of going through dbus and machined to request
nspawn sending the signal, since during host shutdown machined or dbus may have
gone away by the point a container unit is stopped.
to solve the issue that a container that is still starting cannot be stopped
cleanly we must also handle this signal in containerInit/stage-2.
Related to #85746 which addresses documentation issue,
digging deeper for a reason why this was disabled
was simply because it wasn't working which is not the case anymore.
Launching a container with a private network requires creating a
dedicated networking interface for it; name of that interface is derived
from the container name itself - e.g. a container named `foo` gets
attached to an interface named `ve-foo`.
An interface name can span up to IFNAMSIZ characters, which means that a
container name must contain at most IFNAMSIZ - 3 - 1 = 11 characters;
it's a limit that we validate using a build-time assertion.
This limit has been upgraded with Linux 5.8, as it allows for an
interface to contain a so-called altname, which can be much longer,
while remaining treated as a first-class citizen.
Since altnames have been supported natively by systemd for a while now,
due diligence on our side ends with dropping the name-assertion on newer
kernels.
This commit closes#38509.
systemd/systemd#14467systemd/systemd#17220https://lwn.net/Articles/794289/
