yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Files
4d6ab607935f01f9d7a5305a0cb9e59810b9c028
clan-core/lib/test/container-test-driver/nixos-module.nix

55 lines
2.0 KiB
Nix
Raw Blame History

{
pkgs,
lib,
options,
...
}:
{
boot.isContainer = true;
# needed since nixpkgs 7fb2f407c01b017737eafc26b065d7f56434a992 removed the getty unit by default
console.enable = true;
# undo qemu stuff
system.build.initialRamdisk = "";
virtualisation = lib.optionalAttrs (options ? virtualisation.sharedDirectories) {
sharedDirectories = lib.mkForce { };
};
networking.useDHCP = false;
# PAM requires setuid and doesn't work in our containers
services.openssh.settings.UsePAM = false;
# We use networkd to assign static ip addresses
networking.useNetworkd = true;
networking.useHostResolvConf = false;
services.resolved.enable = false;
# Rename the host0 interface to eth1 to match what we expect in VM tests.
system.activationScripts.renameInterface = ''
if ${pkgs.iproute2}/bin/ip link show host0 2>/dev/null; then
${pkgs.iproute2}/bin/ip link set dev host0 name eth1
fi
'';
systemd.services.backdoor.enable = false;
# we don't have permission to set cpu scheduler in our container
systemd.services.nix-daemon.serviceConfig.CPUSchedulingPolicy = lib.mkForce "";
# Disable suid-sgid-wrappers.service as it fails in the nix sandbox
systemd.services.suid-sgid-wrappers.enable = false;
# Disable resolvconf as it can cause issues in containers because it cannot apply posix acl
systemd.services.resolvconf.enable = false;
# Adds `Include /nix/store/...` to `/etc/ssh/ssh_config`[1] which will make
# SSH fail when running inside a container test as SSH checks the permissions
# of the config files it reads which can't be disabled[2] and all the store
# paths inside the build sandbox (and the container by extension) are owned
# by `nobody:nogroup` rather than `root:nixbld`.
# [1]: https://github.com/NixOS/nixpkgs/blob/29335f23bea5e34228349ea739f31ee79e267b88/nixos/modules/programs/ssh.nix#L344-L347
# [2]: https://github.com/openssh/openssh-portable/blob/b5b405fee7f3e79d44e2d2971a4b6b4cc53f112e/readconf.c#L2579-L2587
programs.ssh.systemd-ssh-proxy.enable = false;
}
Reference in New Issue View Git Blame Copy Permalink