nixos: enrich systemd.nspawn.* options

[tekeri]

Motivation for this change

Add a practical systemd-nspawn configuration options.

Possibly resolves #51076 and #40367 .

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

Notify maintainers

cc @c0bw3b @volth @arianvp @Mic92

[andir]

It looks good. Could you make sure we have a test for this feature?

[tekeri]

I'm new to NixOS tests, so it takes a while.

[tekeri]

@andir test is ready

[tekeri]

Thanks, I'll fix them.

[Ma27]

Thanks a lot for your work on this and your patience! I have found a few more notes, but apart from that, the change seems pretty fine. Will test it as soon as I have time to :)

[flokli]

@tekeri this needs another rebase.

@Ma27 did you get a chance to test this in the meantime?

[Ma27]

@flokli I'm sorry, no. But added it on my todolist for tomorrow 😅

[tekeri]

pushed, while github is down

[Ma27]

shouldn't the href attribute contain a URL

[tekeri]

could you tell me how to make a link to the 'Mount options' section in the manual?

[Ma27]

@flokli do you know if the systemd bug which made this necessary is fixed? Also, I'd prefer to set disableUnprivilegedNspawn to true by default since it's been a valid workaround for us.

[Ma27]

Please use literalExample for examples that contain a list or an attr-path for better formatting in the manual.

[Ma27]

Do you know why nscd inside the container breaks:

machine # [   13.949141] systemd-nspawn[786]: [  OK  ] Reached target Basic System.
machine # [   13.953850] systemd-nspawn[786]:          Starting Name Service Cache Daemon...
machine # [   13.960114] systemd-nspawn[786]:          Starting resolvconf update...
machine # [   13.982618] systemd-nspawn[786]: [FAILED] Failed to start Name Service Cache Daemon.
machine # [   13.984544] systemd-nspawn[786]: See 'systemctl status nscd.service' for details.
machine # [   13.988963] systemd-nspawn[786]: [  OK  ] Reached target Host and Network Name Lookups.
machine # [   13.992789] systemd-nspawn[786]: [  OK  ] Reached target User and Group Name Lookups.
machine # [   14.002572] systemd-nspawn[786]:          Starting Login Service...
machine # [   14.054966] systemd-nspawn[786]: [FAILED] Failed to start Login Service.
machine # [   14.057025] systemd-nspawn[786]: See 'systemctl status systemd-logind.service' for details.
machine # [   14.061889] systemd-nspawn[786]: [  OK  ] Stopped Login Service.
machine # [   14.068607] systemd-nspawn[786]:          Starting Login Service...
machine # [   14.094932] systemd-nspawn[786]: [  OK  ] Stopped Name Service Cache Daemon.
machine # [   14.101640] systemd-nspawn[786]:          Starting Name Service Cache Daemon...
machine # [   14.129406] systemd-nspawn[786]: [FAILED] Failed to start Name Service Cache Daemon.
machine # [   14.131745] systemd-nspawn[786]: See 'systemctl status nscd.service' for details.
machine # [   14.154355] systemd-nspawn[786]: [FAILED] Failed to start Login Service.
machine # [   14.156893] systemd-nspawn[786]: See 'systemctl status systemd-logind.service' for details.
machine # [   14.163836] systemd-nspawn[786]: [  OK  ] Stopped Login Service.
machine # [   14.178079] systemd-nspawn[786]:          Starting Login Service...
machine # [   14.243987] systemd-nspawn[786]: [  OK  ] Stopped Name Service Cache Daemon.
machine # [   14.249399] systemd-nspawn[786]:          Starting Name Service Cache Daemon...
machine # [   14.258114] systemd-nspawn[786]: [FAILED] Failed to start Login Service.
machine # [   14.261136] systemd-nspawn[786]: See 'systemctl status systemd-logind.service' for details.

[Ma27]

I don't really think that we need this. As soon as some upstream options change we have to fix this test accordingly. Those kind of assertions don't belong in an integration test IMHO.

[tekeri]

This is actually an unit test to check whether the boolean value is rendered as intended. Also, these lines gives an idea of how the options works.
No problem, however, to remove those assertions.

[Ma27]

Can you please add a more detailed test to make sure that the machine actually works? Some ideas:

• Wait at least for multi-user.target.
• Check if networking is fine.
• Check if bind-mounts and restrictions do work.

[tekeri]

FYI: This changeset is intended to be used with nixops-container backend. NixOS/nixops#1226
I'm internally using it and It works over 1 year with networking and bind-mounts.

[tekeri]

I'll fix the conflict and add tests when I have spare time.

[bqv]

Interest

[hmenke]

I haven't reviewed this PR in detail but I'm strongly in favor of a refactor of systemd.nspawn. Right now it's barely usable. I had to add some boilerplate which is nowhere to be found in the documentation to make the container boot at all.

{
  # Boilerplate
  systemd.targets.machines.enable = true;
  systemd.services."systemd-nspawn@archlinux" = {
    enable = true;
    wantedBy = [ "machines.target" ];
  };

  # Actual container
  systemd.nspawn."archlinux" = {
    enable = true; # does this even do anything?
    execConfig = {
      Boot = true;
    };
  };
}

But even with these options, the container still refuses to shut down properly on reboot and I'm stuck at the dreaded

[    **] A stop job is running for systemd-n…@archlinux.service (7s / 1min 30s)

In the journal it leaves

Dec 30 19:21:48 nixos systemd[1]: Stopping [email protected]...
Dec 30 19:21:48 nixos systemd-nspawn[499]: archlinux login: Trying to halt container. Send SIGTERM again to trigger immed>
Dec 30 19:21:48 nixos systemd-nspawn[499]: systemd 245.5-2-arch running in system mode. (+PAM +AUDIT -SELINUX -IMA -APPAR>
Dec 30 19:21:48 nixos systemd-nspawn[499]: Detected virtualization systemd-nspawn.
Dec 30 19:21:48 nixos systemd-nspawn[499]: Detected architecture x86-64.
Dec 30 19:23:18 nixos systemd[1]: [email protected]: State 'stop-sigterm' timed out. Killing.

[arianvp]

Im pretty sure the machines.target is enabled by default... I agree that [email protected] should have a wantedBy=machines.target by default though if that isn't the case. To align it with upstream.

…

On Wed, 30 Dec 2020, 20:33 Henri Menke, ***@***.***> wrote: I haven't reviewed this PR in detail but I'm strongly in favor of a refactor of systemd.nspawn. Right now it's barely usable. I had to add some boilerplate which is nowhere to be found in the documentation to make the container boot at all. { # Boilerplate systemd.targets.machines.enable = true; ***@***.***" = { enable = true; wantedBy = [ "machines.target" ]; }; # Actual container systemd.nspawn."archlinux" = { enable = true; # does this even do anything? execConfig = { Boot = true; }; }; } But even with these options, the container still refuses to shut down properly on reboot and I'm stuck at the dreaded [ **] A stop job is running for ***@***.*** (7s / 1min 30s) In the journal it leaves Dec 30 19:21:48 nixos systemd[1]: Stopping ***@***.*** Dec 30 19:21:48 nixos systemd-nspawn[499]: archlinux login: Trying to halt container. Send SIGTERM again to trigger immed> Dec 30 19:21:48 nixos systemd-nspawn[499]: systemd 245.5-2-arch running in system mode. (+PAM +AUDIT -SELINUX -IMA -APPAR> Dec 30 19:21:48 nixos systemd-nspawn[499]: Detected virtualization systemd-nspawn. Dec 30 19:21:48 nixos systemd-nspawn[499]: Detected architecture x86-64. Dec 30 19:23:18 nixos systemd[1]: ***@***.***: State 'stop-sigterm' timed out. Killing. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#74316 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEZNI6XEG7JM2R6NNYB6I3SXN6BDANCNFSM4JSEIS6Q> .

[arianvp]

Let me rephrase:

I think having systemd.nspawn.<name>.enable imply systemd.services.'systemd-nspawn@<name>'.enable makes sense. We should add that.

the explicit wantedBy is needed because NixOS doesn't handle the upstream [Install] sections in unit files

So we should also add that.

That you needed

 systemd.targets.machines.enable = true;

surprises me though. enable = true is the default for all systemd units.

[hmenke]

@arianvp Indeed, I just checked again and systemd.targets.machines.enable = true; is not necessary. However, there is another problem with the systemd integration of NixOS. By specifying

{
  systemd.services."systemd-nspawn@archlinux".enable = true;
}

NixOS does not instantiate the [email protected] unit but instead creates a completely new unit named [email protected] which of course doesn't inherit anything from the uninstantiated unit. So this way of enabling the container is clearly wrong. To see this better, simply compare and contrast the output of systemctl cat [email protected] with systemctl cat [email protected] (or have a look at https://github.com/systemd/systemd/blob/master/units/systemd-nspawn%40.service.in). This is quite problematic because now essential options for the proper working of the container are missing.

I've opened a new issue for that: #108054

[tekeri]

@hmenke I think systemd-nspawn@$machine.service is necessary for integration with machinectl start $machine.
That is currently implemented as a call of systemctl start systemd-nspawn@$machine.service and no way to override the behavior.

[stale]

I marked this as stale due to inactivity. → More info