nixos-containers: add networkNamespace option #359352

Merged Dec 22, 2024 (2 commits)

@felbinger (Member) commented Nov 26, 2024

This PR implements the network namespace option for the systemd-nspawn module (nixos-containers).


@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: nixos-container Imperative and declarative systemd-nspawn containers labels Nov 26, 2024
@felbinger felbinger force-pushed the nixos-containers-netns branch 7 times, most recently from d52d621 to a0c5593 Compare November 27, 2024 07:42
@felbinger felbinger marked this pull request as ready for review November 27, 2024 07:43
@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Dec 1, 2024
@nixos-discourse commented:

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/4980

@SuperSandro2000 (Member) commented:

@ofborg test containers-restart_networking

@felbinger (Member, Author) commented Dec 22, 2024

Test is broken on master too, I'm trying to fix it...
Just for reference:

nix -L build -f . nixosTests.containers-restart_networking
...
client # [    8.786183] dhcpcd[693]: eth0: soliciting an IPv6 router
client # [    8.786751] dhcpcd[693]: eth0: Router Advertisement from fe80::2
client # [    8.787293] dhcpcd[693]: eth0: adding address fec0::5054:ff:fe12:3456/64
client # [    8.787881] dhcpcd[693]: eth0: adding route to fec0::/64
client # [    8.788399] dhcpcd[693]: eth0: adding default route via fe80::2
client # [   13.370374] dhcpcd[693]: eth0: leased 10.0.2.15 for 86400 seconds
client # [   13.371095] dhcpcd[693]: eth0: adding route to 10.0.2.0/24
client # [   13.371620] dhcpcd[693]: eth0: adding default route via 10.0.2.2
client # [   13.442624] systemd[1]: Started DHCP Client.
client # [   13.443777] systemd[1]: Reached target Multi-User System.
client # [   13.444794] systemd[1]: Startup finished in 2.051s (kernel) + 11.392s (userspace) = 13.444s.
(finished: waiting for unit default.target, in 14.29 seconds)
subtest: Initial configuration connectivity check
client: must succeed: ping 192.168.1.122 -c 1 -n >&2
client # PING 192.168.1.122 (192.168.1.122) 56(84) bytes of data.
client # From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
client # 
client # --- 192.168.1.122 ping statistics ---
client # 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
client # 
client: output: 
Test "Initial configuration connectivity check" failed with error: "command `ping 192.168.1.122 -c 1 -n >&2` failed (exit code 1)"
cleanup
kill machine (pid 11)
qemu-system-x86_64: terminating on signal 15 from pid 8 (/nix/store/zv1kaq7f1q20x62kbjv6pfjygw5jmwl6-python3-3.12.7/bin/python3.12)
kill vlan (pid 9)
(finished: cleanup, in 0.01 seconds)

The network config uses the same IP on two different interfaces:

 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
     link/ether 52:54:00:12:01:01 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 scope global eth1
        valid_lft forever preferred_lft forever
     inet6 2001:db8:1::1/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::5054:ff:fe12:101/64 scope link proto kernel_ll
        valid_lft forever preferred_lft forever
 4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether 2e:ff:a9:48:10:18 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 scope global br0
        valid_lft forever preferred_lft forever
     inet6 fe80::9004:bfff:fe6e:2214/64 scope link proto kernel_ll
        valid_lft forever preferred_lft forever

So I don't think that networking.bridges.br0.interfaces = [ "eth1" ]; works as expected...
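
The duplicate-address condition reported in the comment above can be checked mechanically from `ip addr` output. This is an added example, not part of the original comment or of the nixpkgs code; the function name and the trimmed sample input are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, trimmed from the `ip addr` output quoted in the comment.
SAMPLE = """\
 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
     link/ether 52:54:00:12:01:01 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 scope global eth1
     inet6 2001:db8:1::1/64 scope global
     inet6 fe80::5054:ff:fe12:101/64 scope link proto kernel_ll
 4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
     link/ether 2e:ff:a9:48:10:18 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 scope global br0
     inet6 fe80::9004:bfff:fe6e:2214/64 scope link proto kernel_ll
"""

# "3: eth1: <FLAGS>" or "5: veth0@if4: <FLAGS>" starts a new interface stanza.
IFACE_RE = re.compile(r"^\s*\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<")
# "inet 192.168.1.1/24 ..." or "inet6 fe80::1/64 ..." inside a stanza.
ADDR_RE = re.compile(r"^\s+inet6?\s+(\S+)")


def duplicate_addresses(ip_addr_output):
    """Return {address/prefix: [interfaces]} for addresses on more than one interface."""
    owners = defaultdict(list)
    iface = None
    for line in ip_addr_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if not m or iface is None:
            continue
        addr = ipaddress.ip_interface(m.group(1))
        if addr.ip.is_link_local:
            continue  # link-local addresses are scoped per link; repeats are normal
        if iface not in owners[str(addr)]:
            owners[str(addr)].append(iface)
    return {a: ifs for a, ifs in owners.items() if len(ifs) > 1}


if __name__ == "__main__":
    for addr, ifaces in duplicate_addresses(SAMPLE).items():
        print(f"{addr} is configured on: {', '.join(ifaces)}")
```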

@felbinger felbinger force-pushed the nixos-containers-netns branch from 88e50dc to fce9607 Compare December 22, 2024 23:15
@felbinger felbinger force-pushed the nixos-containers-netns branch from fce9607 to 5e4c8f1 Compare December 22, 2024 23:18
@felbinger (Member, Author) commented Dec 22, 2024

@ofborg test containers-restart_networking

@SuperSandro2000 SuperSandro2000 merged commit 31413db into NixOS:master Dec 22, 2024
26 of 29 checks passed