Merge pull request #290570 from adamcstephens/lxc/sysctl

nixos/lxc/generator: remove sysctl error handling

nixos/tests/incus/container.nix

@@ -5,6 +5,8 @@ let
     configuration = {
       # Building documentation makes the test unnecessarily take a longer time:
       documentation.enable = lib.mkForce false;
+
+      boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
     } // extra;
   };
 
@@ -40,6 +42,12 @@ in
         with machine.nested("Waiting for instance to start and be usable"):
           retry(instance_is_up)
 
+    def check_sysctl(instance):
+        with subtest("systemd sysctl settings are applied"):
+            machine.succeed(f"incus exec {instance} -- systemctl status systemd-sysctl")
+            sysctl = machine.succeed(f"incus exec {instance} -- sysctl net.ipv4.ip_forward").strip().split(" ")[-1]
+            assert "1" == sysctl, f"systemd-sysctl configuration not correctly applied, {sysctl} != 1"
+
     machine.wait_for_unit("incus.service")
 
     # no preseed should mean no service
@@ -83,6 +91,7 @@ in
     with subtest("lxc-container generator configures plain container"):
         # reuse the existing container to save some time
         machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
+        check_sysctl("container")
 
     with subtest("lxc-container generator configures nested container"):
         machine.execute("incus delete --force container")
@@ -94,6 +103,8 @@ in
         target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()
         assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"
 
+        check_sysctl("container")
+
     with subtest("lxc-container generator configures privileged container"):
         machine.execute("incus delete --force container")
         machine.succeed("incus launch nixos container --config security.privileged=true")
@@ -101,5 +112,7 @@ in
           retry(instance_is_up)
 
         machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
+
+        check_sysctl("container")
   '';
 })

pkgs/tools/virtualization/distrobuilder/nixos-generator.patch

@@ -1,5 +1,5 @@
 diff --git a/distrobuilder/lxc.generator b/distrobuilder/lxc.generator
-index 0ad81d1..69dbfe7 100644
+index 0ad81d1..21ddb39 100644
 --- a/distrobuilder/lxc.generator
 +++ b/distrobuilder/lxc.generator
 @@ -25,16 +25,6 @@ is_incus_vm() {
@@ -73,9 +73,22 @@ index 0ad81d1..69dbfe7 100644
  
  	mkdir -p /run/systemd/system/systemd-udev-trigger.service.d
  	cat <<-EOF > /run/systemd/system/systemd-udev-trigger.service.d/zzz-lxc-override.conf
-@@ -145,24 +97,12 @@ EOF
+@@ -132,37 +84,13 @@ ExecStart=-${cmd} trigger --type=devices --action=add
+ EOF
  }
  
+-# fix_systemd_sysctl overrides the systemd-sysctl.service to use "ExecStart=-" instead of "ExecStart=".
+-fix_systemd_sysctl() {
+-	cmd=/usr/lib/systemd/systemd-sysctl
+-	! [ -e "${cmd}" ] && cmd=/lib/systemd/systemd-sysctl
+-	mkdir -p /run/systemd/system/systemd-sysctl.service.d
+-	cat <<-EOF > /run/systemd/system/systemd-sysctl.service.d/zzz-lxc-override.conf
+-[Service]
+-ExecStart=
+-ExecStart=-${cmd}
+-EOF
+-}
+-
  ## Main logic
 -# Nothing to do in Incus VM but deployed in case it is later converted to a container
 -is_incus_vm || is_lxd_vm && exit 0
@@ -99,7 +112,15 @@ index 0ad81d1..69dbfe7 100644
  
  # Determine distro name and release
  ID=""
-@@ -222,11 +162,6 @@ ACTION=="add|change|move", ENV{ID_NET_DRIVER}=="veth", ENV{INTERFACE}=="eth[0-9]
+@@ -192,7 +120,6 @@ fi
+ 
+ # Ignore failures on some units.
+ fix_systemd_udev_trigger
+-fix_systemd_sysctl
+ 
+ # Mask some units.
+ fix_systemd_mask dev-hugepages.mount
+@@ -222,11 +149,6 @@ ACTION=="add|change|move", ENV{ID_NET_DRIVER}=="veth", ENV{INTERFACE}=="eth[0-9]
  EOF
  fi