Incus: Difference between revisions

added install, initialize, network/firewall. cleaned up image and instance info.
show more restrictive firewall config
(3 intermediate revisions by 2 users not shown)
Incus is a next generation system container and virtual machine manager. It is a community-driven alternative to Canonical's LXD, started by people who originally worked on LXD and keeping the Apache-2.0 license.


This document aims to provide NixOS specific information related to Incus. For non-NixOS specific documentation, please see the upstream documentation: https://linuxcontainers.org/incus/docs/main/
NixOS has an option for providing a preseed to Incus, as documented in the initialize link above. This is a declarative initialization, with the caveat that a preseed only adds and updates resources: removing an entry from the preseed does not remove the resource it created from Incus. Here is an example that is similar to the Minimal initialization option.<syntaxhighlight lang="nix">
virtualisation.incus.preseed = {
  networks = [
    {
      config = {
</syntaxhighlight>


== Networking/Firewall ==
From NixOS 24.05 the Incus module requires nftables as the firewall backend, so that the rules Incus manages coexist with other services that manage firewall rules. Enabling Incus while the iptables-based firewall is active fails at evaluation time; the fix is to switch to nftables, which for simple firewall configurations is a drop-in replacement for iptables.<syntaxhighlight lang="nix">
networking.nftables.enable = true;
</syntaxhighlight>
By default the NixOS firewall drops the DHCP and DNS requests that instances send to the host on the Incus bridge, so instances get no IPv4 address and no name resolution. Allow UDP 67 (DHCPv4) and port 53 (DNS, served by Incus's dnsmasq on the bridge address; UDP, plus TCP for answers that do not fit a UDP response) on every Incus bridge interface. DHCP is UDP only, so TCP 67 does not need to be opened. The interface name must match the bridge name chosen during initialization or later configured through the incus command line.<syntaxhighlight lang="nix">
networking.firewall.interfaces.incusbr0.allowedTCPPorts = [
  53
];
networking.firewall.interfaces.incusbr0.allowedUDPPorts = [
  53
  67
];
</syntaxhighlight>
Alternatively, the entire interface can be marked as trusted. This accepts every packet from the instances to the host, not just DHCP and DNS, so prefer the per-port rules above unless the instances are themselves trusted.<syntaxhighlight lang="nix">
networking.firewall.trustedInterfaces = [ "incusbr0" ];
</syntaxhighlight>
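The following complete NixOS module is an added example; it is not code from this wiki page or from the Incus project. It combines the declarative preseed described in the initialization section with the restrictive per-port firewall rules above, so that the bridge name used by the preseed and by the firewall rules is the same. The 10.0.100.1/24 subnet, the pool name and the profile layout are assumptions, chosen to mirror the Minimal initialization option.

```nix
# configuration.nix fragment: Incus with a declarative preseed and a
# least-privilege host firewall for the bridge. Added example, not from the
# NixOS wiki or the Incus project; subnet, pool and profile names are assumed.
{ ... }:
{
  virtualisation.incus.enable = true;

  # The Incus module requires the nftables backend (NixOS 24.05 and later);
  # with the iptables backend, evaluation fails.
  networking.nftables.enable = true;

  # Instances reach the host over the bridge for exactly two services,
  # both served by Incus's dnsmasq on 10.0.100.1: DHCPv4 (UDP 67) and
  # DNS (UDP 53, TCP 53 for answers too large for UDP). DHCP never uses TCP.
  networking.firewall.interfaces.incusbr0 = {
    allowedUDPPorts = [ 53 67 ];
    allowedTCPPorts = [ 53 ];
  };

  # Declarative equivalent of "incus admin init --minimal": one NAT'd bridge,
  # one directory-backed pool and a default profile wiring both into instances.
  # The preseed is applied additively; deleting an entry here does not delete
  # the corresponding resource from Incus.
  virtualisation.incus.preseed = {
    networks = [
      {
        name = "incusbr0";                    # must match the firewall interface above
        type = "bridge";
        config = {
          "ipv4.address" = "10.0.100.1/24";   # assumed; pick a free subnet
          "ipv4.nat" = "true";
          "ipv6.address" = "none";            # no IPv6, so no DHCPv6/RA traffic to allow
        };
      }
    ];
    storage_pools = [
      {
        name = "default";
        driver = "dir";
        config = { };
      }
    ];
    profiles = [
      {
        name = "default";
        devices = {
          eth0 = {
            type = "nic";
            name = "eth0";
            network = "incusbr0";
          };
          root = {
            type = "disk";
            path = "/";
            pool = "default";
          };
        };
      }
    ];
  };
}
```

If the bridge is given an IPv6 address instead of none, instances also talk to the host via router advertisements and DHCPv6 (UDP 547), which the per-port rules above do not allow. For NixOS guests that will run nix builds, a second profile carrying "security.nesting" = "true" in its config keeps that relaxation limited to the instances that need it instead of passing -c on every launch.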
 
== NixOS Instances ==
To launch a new NixOS container use the following command. The NixOS images need security.nesting=true so that nix can build inside the container (its build sandbox creates user and mount namespaces). Nesting relaxes the container's confinement, since it permits mounting filesystems and running further containers inside, so set it only on instances that need it.

<pre>
incus launch images:nixos/unstable nixos -c security.nesting=true
</pre>

A NixOS virtual machine is launched with the following. Secure Boot is disabled because the NixOS image boots a bootloader that is not signed by a key in the VM's default UEFI keystore; with it disabled, the firmware does not verify the guest's boot chain. Both commands name the instance nixos, so use a different name if the container from the previous command still exists.

<pre>
incus launch --vm images:nixos/unstable nixos -c security.secureboot=false
</pre>


== NixOS Images ==


https://hydra.nixos.org/job/nixos/trunk-combined/nixos.lxdVirtualMachineImage.x86_64-linux



=== Custom Images ===
All the necessary build infrastructure exists in nixpkgs to build custom images. First define the NixOS systems, one per image type, inside the outputs of a flake that declares an inputs.nixpkgs input; the lxc-container and lxd-virtual-machine modules from nixpkgs produce the image formats for containers and virtual machines respectively.<syntaxhighlight lang="nix">
nixosConfigurations = {
  container = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    modules = [
      "${inputs.nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
      (
        { pkgs, ... }:
        {
          environment.systemPackages = [ pkgs.vim ];
        }
      )
    ];
  };
  vm = inputs.nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    modules = [
      "${inputs.nixpkgs}/nixos/modules/virtualisation/lxd-virtual-machine.nix"
      (
        { pkgs, ... }:
        {
          environment.systemPackages = [ pkgs.vim ];
        }
      )
    ];
  };
};
</syntaxhighlight>Then you can build the image and associated metadata.<syntaxhighlight lang="shell-session">
# nix build .#nixosConfigurations.container.config.system.build.squashfs --print-out-paths
/nix/store/24djf2qlpkyh29va8z6pxrqp8x5z6xyv-nixos-lxc-image-x86_64-linux.img
# nix build .#nixosConfigurations.container.config.system.build.metadata --print-out-paths
/nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball
# nix build .#nixosConfigurations.vm.config.system.build.qemuImage --print-out-paths
/nix/store/znk28bp34bycb3h5k0byb61bwda23q5l-nixos-disk-image
# nix build .#nixosConfigurations.vm.config.system.build.metadata --print-out-paths
/nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball
</syntaxhighlight>Finally, the image can be imported into an Incus storage pool (the metadata tarball and the rootfs image are passed as two files) and used to launch instances.<syntaxhighlight lang="shell-session">
# incus image import --alias nixos/custom/container /nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball/tarball/nixos-system-x86_64-linux.tar.xz /nix/store/24djf2qlpkyh29va8z6pxrqp8x5z6xyv-nixos-lxc-image-x86_64-linux.img
Image imported with fingerprint: 9d0d6f3df0cccec4da7ce4f69952bd389b6dd655fd9070e498f591aaffbb2cda

# incus image list nixos/custom/container
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+
|         ALIAS          | FINGERPRINT  | PUBLIC |                   DESCRIPTION                    | ARCHITECTURE |   TYPE    |   SIZE    |     UPLOAD DATE      |
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+
| nixos/custom/container | 9d0d6f3df0cc | no     | NixOS Uakari 24.05.20240513.a39a12a x86_64-linux | x86_64       | CONTAINER | 170.31MiB | 2024/05/21 09:21 EDT |
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+

# incus launch nixos/custom/container -c security.nesting=true
Launching the instance
Instance name is: square-heron

# incus shell square-heron

[root@nixos:~]# which vim
/run/current-system/sw/bin/vim
</syntaxhighlight>
[[Category:Server]]
[[Category:Container]]