Incus: Difference between revisions
drop 24.05 compat |
m Fix minor typo. "intreface" -> "interface" |
| (5 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
[https://linuxcontainers.org/incus/ {{PAGENAME}}] (<s>[[wikipedia:en:LXC#LXD]]</s>) is a next generation system container and virtual machine manager. It is a community driven alternative to Canonical's [[LXD]], keeping the Apache-2.0 license. | |||
This document aims to provide NixOS specific information related to Incus. For non-NixOS specific documentation, please see the upstream documentation: https://linuxcontainers.org/incus/docs/main/ | This document aims to provide NixOS specific information related to Incus. For non-NixOS specific documentation, please see the upstream documentation: https://linuxcontainers.org/incus/docs/main/ | ||
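Review bot: the struck-through `<s>[[wikipedia:en:LXC#LXD]]</s>` in the new intro line reads as an editing leftover rather than information for the reader; since the same sentence already links to [[LXD]], drop the strikethrough or replace it with a plain "(successor to LXD)" parenthetical. Minor: "community driven" should be hyphenated ("community-driven") when used as an adjective.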
| Line 6: | Line 6: | ||
The service can be enabled and started by adding the service to your NixOS configuration. It must still be initialized. | The service can be enabled and started by adding the service to your NixOS configuration. It must still be initialized. | ||
virtualisation.incus.enable = true; | virtualisation.incus.enable = true; | ||
To provide non-root access to the Incus server, you will want to add your user to the incus-admin group. Don't forget to | networking.nftables.enable = true; | ||
See [[#Networking/Firewall]] for more information on the latter option. | |||
To provide non-root access to the Incus server, you will want to add your user to the incus-admin group. Don't forget to reboot. | |||
users.users.YOUR_USERNAME.extraGroups = ["incus-admin"]; | users.users.YOUR_USERNAME.extraGroups = ["incus-admin"]; | ||
You should now be able to use the incus client to talk to the server.<syntaxhighlight lang="shell-session"> | You should now be able to use the incus client to talk to the server.<syntaxhighlight lang="shell-session"> | ||
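Review bot: the new `networking.nftables.enable = true;` line is added beside `virtualisation.incus.enable = true;` with only a pointer to [[#Networking/Firewall]], so a reader following the quick-start does not learn why it is needed; a half-sentence here ("Incus installs its own nftables ruleset, which conflicts with the default iptables firewall") would make the requirement self-explanatory. The `extraGroups = ["incus-admin"]` step also says nothing about what the group grants: members get full control of the Incus daemon, so membership should be handed out as carefully as root access. Lastly, "Don't forget to reboot" is stronger than necessary; group membership takes effect on the next login, so logging out and back in is enough.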
| Line 85: | Line 88: | ||
]; | ]; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
OR, the entire | OR, the entire interface can be trusted. <syntaxhighlight lang="nix"> | ||
networking.firewall.trustedInterfaces = [ "incusbr0" ]; | networking.firewall.trustedInterfaces = [ "incusbr0" ]; | ||
</syntaxhighlight> | |||
Prior to version [https://nixos.org/blog/announcements/2023/nixos-2311/ NixOS 23.11 "Tapir"] the default behavior of the NixOS nftables [[Firewall]] implementation was to flush the full ruleset at any change to the nftables rules. This behavior has since been changed; however, for back-portability, it still persists in configurations with a {{nixos:option|system.stateVersion}} value set prior to <code>"23.11"</code>. This often results in the Incus ruleset table (named "incus") being wiped, resulting in loss of connectivity across VMs and containers. To prevent this from occurring on affected NixOS instances, the new implementation has to be enabled manually.<syntaxhighlight lang="nix"> | |||
networking.nftables.flushRuleset = false; | |||
</syntaxhighlight> | </syntaxhighlight> | ||
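Review bot: the "OR, the entire interface can be trusted" option should state its trade-off: `networking.firewall.trustedInterfaces = [ "incusbr0" ]` exposes every host port to every container and VM on that bridge, whereas the per-port list that precedes it (the `];` at the top of the hunk) only opens what Incus needs, so the list should be presented as the default and the trusted-interface form as the convenient-but-broader alternative. In the new `flushRuleset` paragraph, consider adding one sentence on how to tell which path applies ("check your `system.stateVersion`; if it is below `"23.11"` you need this line") so that readers do not have to infer it from the prose, and put the `<syntaxhighlight>` block on its own line after the paragraph to match the surrounding formatting.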
| Line 116: | Line 122: | ||
Container and VM images are built by Hydra as part of the [https://github.com/NixOS/nixpkgs/blob/master/nixos/release.nix NixOS release]. | Container and VM images are built by Hydra as part of the [https://github.com/NixOS/nixpkgs/blob/master/nixos/release.nix NixOS release]. | ||
https://hydra.nixos.org/job/nixos/trunk-combined/nixos. | https://hydra.nixos.org/job/nixos/trunk-combined/nixos.incusContainerImage.x86_64-linux | ||
https://hydra.nixos.org/job/nixos/trunk-combined/nixos.incusVirtualMachineImage.x86_64-linux | |||
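Review bot: both added Hydra links point at the `trunk-combined` jobset, which tracks unstable; readers on a stable release will want the matching release jobset, whose name differs, so the hunk should say which channel these images correspond to or note that the jobset part of the URL must be substituted for a release. It would also help to state that these are the same `incusContainerImage` / `incusVirtualMachineImage` attributes built by the `release.nix` linked in the line above, so the Hydra pages and a local build are interchangeable.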
| Line 153: | Line 160: | ||
system = "x86_64-linux"; | system = "x86_64-linux"; | ||
modules = [ | modules = [ | ||
"${inputs.nixpkgs}/nixos/modules/virtualisation/ | "${inputs.nixpkgs}/nixos/modules/virtualisation/incus-virtual-machine.nix" | ||
( | ( | ||
{ pkgs, ... }: | { pkgs, ... }: | ||
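Review bot: the module path changes to `${inputs.nixpkgs}/nixos/modules/virtualisation/incus-virtual-machine.nix`, and the edit summary at the top says this drops 24.05 compatibility, but the hunk itself does not record the minimum nixpkgs revision on which that file exists; since the path is resolved against whatever `inputs.nixpkgs` is pinned to, a one-line note stating the required nixpkgs version (or release) would save readers with an older pin from an unexplained "file not found" evaluation error.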
| Line 232: | Line 239: | ||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Container]] | [[Category:Container]] | ||
[[Category:Virtualization]] | |||