From 80e263b3890565035c78341d7f937c2cf296f774 Mon Sep 17 00:00:00 2001
From: ryneeverett
Date: Thu, 10 Sep 2020 16:13:07 +0000
Subject: [PATCH 1/4] nixos/lxd: explicitly load kernel modules

This is analogous to #70447 and #76487. These are all needed to attach a container to the default bridge network, without which the final line of the following script fails with the error for each respective kernel module listed below.

```sh
lxc storage create foo dir
lxc launch -s foo ubuntu:trusty bar
lxc network attach lxdbr0 bar
```

veth
----

> Error: Failed to start device 'lxdbr0': Failed to create the veth interfaces vethefbc3cd6 and vetha4abbcbc: Failed to run: ip link add dev vethefbc3cd6 type veth peer name vetha4abbcbc: RTNETLINK answers: Operation not supported

iptable_mangle
--------------

> lvl=eror msg="Failed to bring up network" err="Failed to list ipv4 rules for LXD network lxdbr0 (table mangle)" name=lxdbr0

xt_comment
----------

> lvl=error msg="Failed to bring up network" err="Failed to run: iptables -w -t filter -I INPUT -i lxdbr0 -p udp --dport 67 -j ACCEPT -m comment --comment generated for LXD network lxdbr0: iptables v1.8.4 (legacy): Couldn't load match `comment':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information." name=lxdbr0

xt_MASQUERADE
-------------

> vl=eror msg="Failed to bring up network" err="Failed to run: iptables -w -t nat -I POSTROUTING -s 10.0.107.0/24 ! -d 10.0.107.0/24 -j MASQUERADE -m comment --comment generated for LXD network lxdbr0: iptables v1.8.4 (legacy): Couldn't load target `MASQUERADE':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information." name=lxdbr0

---
 nixos/modules/virtualisation/lxd.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
index 96e8d68ae50..375fc1d256c 100644
--- a/nixos/modules/virtualisation/lxd.nix
+++ b/nixos/modules/virtualisation/lxd.nix
@@ -169,5 +169,8 @@ in {
 "net.ipv6.neigh.default.gc_thresh3" = 8192;
 "kernel.keys.maxkeys" = 2000;
 };
+
+ boot.kernelModules = [ "veth" "xt_comment" "xt_MASQUERADE" ]
+ ++ optionals (!config.networking.nftables.enable) [ "iptable_mangle" ];
 };
 }

From c1b8fdf83b9f7dd9172879334d8fef4ccc4c0f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 6 Dec 2020 09:59:59 +0100
Subject: [PATCH 2/4] lxd: reference nixos tests

---
 pkgs/tools/admin/lxd/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/tools/admin/lxd/default.nix b/pkgs/tools/admin/lxd/default.nix
index 417e01a325d..9ab7d37d767 100644
--- a/pkgs/tools/admin/lxd/default.nix
+++ b/pkgs/tools/admin/lxd/default.nix
@@ -7,6 +7,7 @@
 , bash
 , installShellFiles
 , nftablesSupport ? false
+, nixosTests
 }:
 
 let
@@ -58,6 +59,8 @@ buildGoPackage rec {
 installShellCompletion --bash --name lxd go/src/github.com/lxc/lxd/scripts/bash/lxd-client
 '';
 
+ passthru.tests.lxd = nixosTests.lxd;
+
 nativeBuildInputs = [ installShellFiles pkg-config makeWrapper ];
 buildInputs = [ lxc acl libcap libco-canonical.dev dqlite.dev raft-canonical.dev sqlite-replication udev.dev ];
 

From 243521f52f9e24033e18650adb5e37ae2a1f3025 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 6 Dec 2020 12:50:04 +0100
Subject: [PATCH 3/4] nixos/lxd: fix race condition in test

---
 nixos/tests/lxd.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nixos/tests/lxd.nix b/nixos/tests/lxd.nix
index ab56b75c02e..889ca9598e3 100644
--- a/nixos/tests/lxd.nix
+++ b/nixos/tests/lxd.nix
@@ -96,6 +96,7 @@ in {
 ## limits.cpu ##
 
 machine.succeed("lxc config set test limits.cpu 1")
+ machine.succeed("lxc restart test")
 
 # Since Alpine doesn't have `nproc` pre-installed, we've gotta resort
 # to the primal methods
@@ -105,6 +106,7 @@ in {
 )
 
 machine.succeed("lxc config set test limits.cpu 2")
+ machine.succeed("lxc restart test")
 
 assert (
 "2"
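Review bot: The new `boot.kernelModules` list carries no comment saying why these modules must be loaded eagerly, and the `iptable_mangle` condition keys on `config.networking.nftables.enable` rather than on how LXD itself was built; the package exposes its own `nftablesSupport ? false` flag (visible in the second commit's hunk), so a host with system nftables enabled but an LXD built without nftables support would presumably still issue the legacy `iptables -t mangle` calls quoted in the commit message and find the table module missing. I would add above the list `# needed to create veth pairs and the iptables rules LXD installs for its bridge (lxdbr0); they are not autoloaded by the time LXD needs them` and, if the module can see the package's flag, gate `iptable_mangle` on that as well as on the system setting. The enclosing attribute set starts outside the hunk, so whether this sits under the module's enable condition is not visible here.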
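Review bot: `lxc restart test` after each `lxc config set` removes the race only if the assertion that follows tolerates the container not having finished booting; `lxc restart` presumably returns once the container process is running again, not once the Alpine guest is up, so if the `assert (` blocks below wrap `machine.succeed` rather than `machine.wait_until_succeeds` the test may still be flaky on a loaded builder. The same pair is repeated in all four hunks (-96, -105, -115, -122) with no comment on why a restart is required; I would factor it into a helper, `def set_limit(key, value):` / `    machine.succeed(f"lxc config set test {key} {value}")` / `    machine.succeed("lxc restart test")  # restart so the guest observes the new limit`, and call it from each place. The assertion bodies continue outside the hunk.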
@@ -115,6 +117,7 @@ in {
 ## limits.memory ##
 
 machine.succeed("lxc config set test limits.memory 64MB")
+ machine.succeed("lxc restart test")
 
 assert (
 "MemTotal: 62500 kB"
@@ -122,6 +125,7 @@ in {
 )
 
 machine.succeed("lxc config set test limits.memory 128MB")
+ machine.succeed("lxc restart test")
 
 assert (
 "MemTotal: 125000 kB"

From 161a35b0b8e4a5cb8d5fac3d5083ee9fb82cfbe2 Mon Sep 17 00:00:00 2001
From: ryneeverett
Date: Sun, 14 Feb 2021 01:12:43 -0500
Subject: [PATCH 4/4] nixos/lxd: explicitly load xt_CHECKSUM module

This module is needed to create bridge networks such as the default lxdbr0 created by `lxd init`. Without this module, running `lxc network create lxdbr0` errors with:

> Error: Failed to create network 'lxdbr0': Failed to run: iptables -w -t mangle -I POSTROUTING -o lxdbr0 -p udp --dport 68 -j CHECKSUM --checksum-fill -m comment --comment generated for LXD network lxdbr0: iptables v1.8.5 (legacy): unknown option "--checksum-fill"

---
 nixos/modules/virtualisation/lxd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
index 375fc1d256c..42a1f2f1a30 100644
--- a/nixos/modules/virtualisation/lxd.nix
+++ b/nixos/modules/virtualisation/lxd.nix
@@ -170,7 +170,7 @@ in {
 "kernel.keys.maxkeys" = 2000;
 };
 
- boot.kernelModules = [ "veth" "xt_comment" "xt_MASQUERADE" ]
+ boot.kernelModules = [ "veth" "xt_comment" "xt_CHECKSUM" "xt_MASQUERADE" ]
 ++ optionals (!config.networking.nftables.enable) [ "iptable_mangle" ];
 };
 }
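Review bot: The module list has now grown across two commits with no comment recording what each entry is for or why it is split in two, which is the only thing that tells the next contributor which half a new module belongs in: per the commit message `xt_CHECKSUM` serves the `-j CHECKSUM --checksum-fill` rule LXD installs for DHCP (udp 68) on the bridge, while `iptable_mangle` is a legacy-iptables table module and so stays behind the nftables check. I would add above the list `# veth: container side of the bridge; xt_comment/xt_CHECKSUM/xt_MASQUERADE: matches and targets used by the firewall rules LXD installs for lxdbr0 (rule tags, DHCP checksum fill, egress NAT); iptable_mangle: legacy iptables table module, not needed with nftables`. The enclosing attribute set starts outside the hunk.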