Incus: Difference between revisions
→NixOS Instances: Add flag to actually launch a VM |
mNo edit summary |
||
(6 intermediate revisions by 6 users not shown) | |||
Line 1: | Line 1: | ||
[https://linuxcontainers.org/incus/ {{PAGENAME}}] (<s>[[wikipedia:en:LXC#LXD]]</s>) is a next generation system container and virtual machine manager. It is a community driven alternative to Canonical's [[LXD]], keeping the Apache-2.0 license. | |||
This document aims to provide NixOS specific information related to Incus. For non-NixOS specific documentation, please see the upstream documentation: https://linuxcontainers.org/incus/docs/main/ | This document aims to provide NixOS specific information related to Incus. For non-NixOS specific documentation, please see the upstream documentation: https://linuxcontainers.org/incus/docs/main/ | ||
Line 6: | Line 6: | ||
The service can be enabled and started by adding the service to your NixOS configuration. It must still be initialized. | The service can be enabled and started by adding the service to your NixOS configuration. It must still be initialized. | ||
virtualisation.incus.enable = true; | virtualisation.incus.enable = true; | ||
To provide non-root access to the Incus server, you will want to add your user to the incus-admin group. Don't forget to | networking.nftables.enable = true; | ||
See [[#Networking/Firewall]] for more information on the latter option. | |||
To provide non-root access to the Incus server, you will want to add your user to the incus-admin group. Don't forget to reboot. | |||
users.users.YOUR_USERNAME.extraGroups = ["incus-admin"]; | users.users.YOUR_USERNAME.extraGroups = ["incus-admin"]; | ||
You should now be able to use the incus client to talk to the server.<syntaxhighlight lang="shell-session"> | You should now be able to use the incus client to talk to the server.<syntaxhighlight lang="shell-session"> | ||
Line 72: | Line 75: | ||
== Networking/Firewall == | == Networking/Firewall == | ||
When using Incus on NixOS, nftables is required to ensure broadest compatibility with other services that manage firewall rules | When using Incus on NixOS, nftables is required to ensure broadest compatibility with other services that manage firewall rules. Trying to use iptables will fail eval, and this can be fixed by switching to nftables and for simple firewalls should be a drop-in replacement for iptables.<syntaxhighlight lang="nix"> | ||
networking.nftables.enable = true; | |||
By default the NixOS firewall will block DHCP requests to the Incus network, meaning instances will not get an IPv4 address. | </syntaxhighlight> | ||
By default the NixOS firewall will block DHCP requests to the Incus network, meaning instances will not get an IPv4 address. Ensure you allow 53 for DNS and 67 for DHCPv4 on any Incus bridge network interfaces. This interface name should match the name given during initialization or configured through the incus interfaces.<syntaxhighlight lang="nix"> | |||
networking.firewall.interfaces.incusbr0.allowedTCPPorts = [ | |||
53 | |||
67 | |||
]; | |||
networking.firewall.interfaces.incusbr0.allowedUDPPorts = [ | |||
53 | |||
67 | |||
]; | |||
</syntaxhighlight> | |||
OR, the entire intreface can be trusted. <syntaxhighlight lang="nix"> | |||
networking.firewall.trustedInterfaces = [ "incusbr0" ]; | |||
</syntaxhighlight> | |||
== NixOS Instances == | == NixOS Instances == | ||
Line 116: | Line 131: | ||
CI: https://jenkins.linuxcontainers.org/job/image-nixos/ | CI: https://jenkins.linuxcontainers.org/job/image-nixos/ | ||
== Custom Images == | |||
All the necessary build infrastructure exists in nixpkgs to build custom images. | |||
=== VMs === | |||
All the necessary build infrastructure exists in nixpkgs to build custom images. | |||
Define some NixOS systems.<syntaxhighlight lang="nix"> | Define some NixOS systems.<syntaxhighlight lang="nix"> | ||
Line 149: | Line 168: | ||
</syntaxhighlight>Then you can build the image and associated metadata.<syntaxhighlight lang="shell-session"> | </syntaxhighlight>Then you can build the image and associated metadata.<syntaxhighlight lang="shell-session"> | ||
$ nix build .#nixosConfigurations.vm.config.system.build.qemuImage --print-out-paths | |||
/nix/store/ | /nix/store/znk28bp34bycb3h5k0byb61bwda23q5l-nixos-disk-image | ||
$ nix build .#nixosConfigurations.vm.config.system.build.metadata --print-out-paths | |||
/nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball | /nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball | ||
# nix build .#nixosConfigurations.vm.config.system.build.qemuImage --print-out-paths | </syntaxhighlight>Finally, you can manually import into an Incus storage pool and used to launch instances.<syntaxhighlight lang="bash"> | ||
/nix/store/ | $ incus image import --alias nixos-gen/custom/jellyfin /nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball/tarball/nixos-system-x86_64-linux.tar.xz /nix/store/znk28bp34bycb3h5k0byb61bwda23q5l-nixos-disk-image/nixos.qcow2 | ||
</syntaxhighlight>To build and import the VM in one command, follow the steps below.<syntaxhighlight lang="bash"> | |||
$ incus image import --alias nixos-gen/custom/jellyfin $(nix build .#nixosConfigurations.vm.config.system.build.metadata --print-out-paths)/tarball/nixos-system-x86_64-linux.tar.xz $(nix build .#nixosConfigurations.vm.config.system.build.qemuImage --print-out-paths)/nixos.qcow2 | |||
# Image imported with fingerprint: *** | |||
</syntaxhighlight>You can verify the import with the commands below. <syntaxhighlight lang="bash"> | |||
$ incus image list nixos/custom/vm | |||
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | |||
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE | | |||
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | |||
| nixos/custom/vm | 9d0d6f3df0cc | no | NixOS Uakari 24.05.20240513.a39a12a x86_64-linux | x86_64 | CONTAINER | 170.31MiB | 2024/05/21 09:21 EDT | | |||
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | |||
$ incus launch nixos/custom/vm | |||
Launching the instance | |||
Instance name is: square-heron | |||
$ incus shell square-heron | |||
[root@nixos:~]# which vim | |||
/run/current-system/sw/bin/vim | |||
</syntaxhighlight> | |||
=== Containers === | |||
<syntaxhighlight lang="bash"> | |||
$ nix build .#nixosConfigurations.container.config.system.build.squashfs --print-out-paths | |||
/nix/store/24djf2qlpkyh29va8z6pxrqp8x5z6xyv-nixos-lxc-image-x86_64-linux.img | |||
$ nix build .#nixosConfigurations.container.config.system.build.metadata --print-out-paths | |||
/nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball | /nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball | ||
</syntaxhighlight><syntaxhighlight lang="shell-session"> | |||
</syntaxhighlight> | $ incus image import --alias nixos/custom/container /nix/store/2snjw9y8brfh5gia44jv6bhdhmmdydva-tarball/tarball/nixos-system-x86_64-linux.tar.xz /nix/store/24djf2qlpkyh29va8z6pxrqp8x5z6xyv-nixos-lxc-image-x86_64-linux.img | ||
Image imported with fingerprint: 9d0d6f3df0cccec4da7ce4f69952bd389b6dd655fd9070e498f591aaffbb2cda | Image imported with fingerprint: 9d0d6f3df0cccec4da7ce4f69952bd389b6dd655fd9070e498f591aaffbb2cda | ||
$ incus image list nixos/custom/container | |||
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | +------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | ||
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE | | | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE | | ||
Line 172: | Line 221: | ||
+------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | +------------------------+--------------+--------+--------------------------------------------------+--------------+-----------+-----------+----------------------+ | ||
$ incus launch nixos/custom/container -c security.nesting=true | |||
Launching the instance | Launching the instance | ||
Instance name is: square-heron | Instance name is: square-heron | ||
$ incus shell square-heron | |||
[root@nixos:~] | [root@nixos:~] which vim | ||
/run/current-system/sw/bin/vim | /run/current-system/sw/bin/vim | ||
</syntaxhighlight>Or, the all in one command:<syntaxhighlight lang="bash"> | |||
incus image import --alias nixos/custom/vm $(nix build .#nixosConfigurations.vm.config.system.build.metadata --print-out-paths)/tarball/nixos-system-x86_64-linux.tar.xz $(nix build .#nixosConfigurations.vm.config.system.build.qemuImage --print-out-paths)/nixos.qcow2 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Container]] | [[Category:Container]] | ||
[[Category:Virtualization]] |