author | Patryk Wychowaniec <wychowaniec.patryk@gmail.com> | 2021-02-26 17:14:08 +0100 |
---|---|---|
committer | Patryk Wychowaniec <wychowaniec.patryk@gmail.com> | 2021-02-26 17:48:49 +0100 |
commit | 336ef2de99197dd9c07b302685dc9e6282fa5b55 (patch) | |
tree | 37c3eb96823750ef2dd985c3ab8862c2bb5f91cb /nixos/modules/virtualisation/nixos-containers.nix | |
parent | 5f1345a30318cf9559e58576dff8c5d3e4d77a62 (diff) | |
nixos/containers: allow containers with long names to create private networks
Launching a container with a private network requires creating a dedicated networking interface for it; the name of that interface is derived from the container name itself - e.g. a container named `foo` gets attached to an interface named `ve-foo`.

An interface name can span up to IFNAMSIZ characters, which means that a container name must contain at most IFNAMSIZ - 3 - 1 = 11 characters; it's a limit that we validate using a build-time assertion.

This limit has been upgraded with Linux 5.8, as it allows for an interface to contain a so-called altname, which can be much longer, while remaining treated as a first-class citizen.

Since altnames have been supported natively by systemd for a while now, due diligence on our side ends with dropping the name-assertion on newer kernels.

This commit closes #38509.

systemd/systemd#14467
systemd/systemd#17220
https://lwn.net/Articles/794289/
Diffstat (limited to 'nixos/modules/virtualisation/nixos-containers.nix')
-rw-r--r-- | nixos/modules/virtualisation/nixos-containers.nix | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix index f06977f88fc..3754fe6dac6 100644 --- a/nixos/modules/virtualisation/nixos-containers.nix +++ b/nixos/modules/virtualisation/nixos-containers.nix @@ -271,8 +271,8 @@ let DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices; }; - system = config.nixpkgs.localSystem.system; + kernelVersion = config.boot.kernelPackages.kernel.version; bindMountOpts = { name, ... }: { @@ -321,7 +321,6 @@ let }; }; - mkBindFlag = d: let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind="; mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}"; @@ -482,11 +481,16 @@ in networking.useDHCP = false; assertions = [ { - assertion = config.privateNetwork -> stringLength name < 12; + assertion = + (builtins.compareVersions kernelVersion "5.8" <= 0) + -> config.privateNetwork + -> stringLength name <= 11; message = '' Container name `${name}` is too long: When `privateNetwork` is enabled, container names can not be longer than 11 characters, because the container's interface name is derived from it. - This might be fixed in the future. See https://github.com/NixOS/nixpkgs/issues/38509 + You should either make the container name shorter or upgrade to a more recent kernel that + supports interface altnames (i.e. at least Linux 5.8 - please see https://github.com/NixOS/nixpkgs/issues/38509 + for details). ''; } ]; |
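Review bot: the `system = config.nixpkgs.localSystem.system;` binding is dropped in the first hunk (`@@ -271,8 +271,8 @@`), but nothing in the visible context or in the commit message says it was unused; confirm there are no remaining references to `system` elsewhere in nixos-containers.nix, since a dangling reference in a `let` would only surface as an evaluation error when someone builds a container. The replacement `kernelVersion = config.boot.kernelPackages.kernel.version;` reads the host's configured kernel, which is the right source because nspawn containers share the host kernel; a one-line comment at the definition saying it is compared against 5.8 for the altname check would make that intent visible where the value is introduced rather than two hundred lines later.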
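Review bot: the second hunk (`@@ -321,7 +321,6 @@`) only removes a blank line above `mkBindFlag`, which is unrelated to the altname change the commit message describes; either drop this whitespace-only edit from a functional commit or mention it in the message, so that `git blame` on the bind-mount code keeps pointing at the change that actually touched it.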
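Review bot: the new guard `(builtins.compareVersions kernelVersion "5.8" <= 0)` in the third hunk (`@@ -482,11 +481,16 @@`) is also true when the kernel version compares equal to "5.8", so a host on exactly Linux 5.8 still trips the assertion even though the new message tells the user that "at least Linux 5.8" supports altnames; use `< 0` so that 5.8 itself is exempt, or reword the message to say a kernel newer than 5.8. The precedence is correct as written (`<=` binds tighter than `->`, and `->` is right-associative, so the expression reads "old kernel implies (privateNetwork implies short name)"), but a short comment would spare the next reader from re-deriving it. The check gates only on the kernel version; the commit message relies on nixpkgs' systemd already supporting altnames (systemd/systemd#14467, systemd/systemd#17220), and since it is systemd-nspawn rather than the kernel that assigns the altname, that assumption belongs in a comment next to the assertion. Minor: "can not" in the message text should be "cannot".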