>> > - I tried adding `--shared-dir /tmp/ff:ff:type=9p` to share a host
>> >   directory. Then `mount -t 9p -o trans=virtio,version=9p2000.L ff /tmp`
>> >   in the VM seemed to work, but `ls /tmp` crashed the VM.
>>
>> Yeah, this is a known issue. I have a patch[1] for it but didn't add it
>> to the package since I mostly have been working with my own source
>> builds of crosvm.
>>
>> [1]: https://spectrum-os.org/git/crosvm/commit/?id=1e318da5b57c12f67bed3b528100dbe4ec287ac5
>
> Ah, I didn't realise it was using seccomp too. I'm not sure how to
> compile specific versions of crosvm. I tried with:
>
>   srcs = lib.genAttrs [
>     "src/third_party/adhd"
>     "src/aosp/external/minijail"
>   ] getSrc // { "src/platform/crosvm" = /home/.../crosvm; };
>
> and blanked out the hash as it requested, but then:
>
>   error: failed to sync
>
>   Caused by:
>     failed to load pkg lockfile
>
>   Caused by:
>     failed to resolve patches for `https://github.com/rust-lang/crates.io-index`
>
>   Caused by:
>     failed to load source for dependency `libvda`
>
>   Caused by:
>     Unable to update /build/src/platform2/arc/vm/libvda/rust
>
>   Caused by:
>     failed to read `/build/src/platform2/arc/vm/libvda/rust/Cargo.toml`
>
> Looks like this happens since 57df6a0ab23c3b2ba233b9aa5886ecf47ba3f91f
> (added a dependency?). Commit 460406d10bbfaa890d56d616b4610813da63a312
> just before that gets further, but:
>
>   error: the lock file /build/src/platform/crosvm/Cargo.lock needs to be
>   updated but --frozen was passed to prevent this
>
> How do you build it?
>
> (sorry for these basic Nix/Rust questions)
>
> However, I could get 9p to work by running the previous version with
> --seccomp-log-failures. With that, I can read and write files from the
> console, but I can't chown things and so can't write from the terminal
> window, which is running as a user. I guess it needs uidmap set, but
> I'm not sure how to make that work.

Yeah, crosvm isn't a very nice program to build or package. :( I tried
to get the libvda stuff working some time in the past, but it was very
complicated. I think you might be able to disable it with

  cargoBuildFlags = [ "--no-default-features" ];

but my knowledge here is a few months out of date. I can have a look in
more detail once I get back from my break. :)

>> Yeah, crosvm needs to be CAP_NET_ADMIN for that (which is difficult to
>> do with Nix). You can make a TAP device yourself with iproute2 and use
>> --tap-fd to tell crosvm to use it, or you can use the mktuntap program I
>> wrote (with a privilege drop after running mktuntap), like this:
>>
>>   sudo mktuntap -pvB 3 \
>>     sudo -u $USER -C 4 result/bin/spectrum-vm -- --tap-fd 3
>
> OK, I tried like this:
>
>   exec sudo "$mktuntap" -pvB 3 \
>     sudo -u "$USER" -C 4 \
>     "$crosvm" run \
>       -p init=/sbin/init \
>       -p "spectrumcmd=$(printf %s "$command" | base64 -w0)" \
>       --tap-fd 3 \
>       --seccomp-log-failures \
>       --root "$rootfs" \
>       --host_ip 10.0.0.1 \
>       --netmask 255.0.0.0 \
>       --mac c0:ff:ee:c0:ff:ee \
>       -m 4096 \
>       "$@" \
>       "$kernel"
>
> I got "sudo: you are not permitted to use the -C option", which I
> fixed by editing the sudoers file. Then it fails with:
>
>   [ERROR:src/main.rs:1351] The architecture failed to build the vm:
>   error creating devices: failed to set up virtio networking: failed to
>   open tap device: failed to create tap interface: Operation not
>   permitted (os error 1)
>
> Strace shows:
>
>   openat(AT_FDCWD, "/dev/net/tun", O_RDWR|O_NONBLOCK|O_CLOEXEC) = 31
>   ioctl(31, TUNSETIFF, 0x7ffee7ede238) = -1 EPERM (Operation not permitted)
>
> Maybe it's just because my crosvm is too old?

This is because if you specify --host_ip, --netmask, or --mac, crosvm
will try to create its own TAP device. If you omit all those arguments I
think it should work.

>> Hope that's all clear -- please ask more questions if you have them,
>> although if it's anything particularly in the weeds I might wait until
>> I'm back from my break to answer. :)
>
> I have many questions :-) But don't feel pressured to answer them; I
> need to figure out how to make this all work myself anyway, and it's
> just a bonus if you've already done the work for me...

Well, my ultimate goal is to provide a distribution so that people don't
need to figure this stuff out for themselves, but we are a little while
away from that. ;)
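The pattern the thread describes (open the TAP device while still privileged, pin the descriptor to a known number, drop to the unprivileged user, then exec crosvm with --tap-fd and without --host_ip/--netmask/--mac) is shown below as an added example. It is not the mktuntap program from the thread nor crosvm's own code; the program name `tapexec`, its argument layout, and the assumption that the interface has already been given an address and brought up with iproute2 by the administrator are all this example's own. The TUNSETIFF failure with EPERM seen in the strace above is exactly what `open_tap` returns when the caller lacks CAP_NET_ADMIN.

```c
/* tapexec.c (added example, not mktuntap): open a TAP interface as root,
 * place its fd at a fixed number, drop privileges, exec a command.
 *
 *   sudo ./tapexec tap0 1000 100 3 crosvm run --tap-fd 3 ...
 *
 * Assumption: "tap0" was created/configured beforehand, e.g.
 *   ip tuntap add dev tap0 mode tap && ip addr add 10.0.0.1/8 dev tap0 && ip link set tap0 up
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <linux/if_tun.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Fill in the ifreq for a TAP device without packet-info headers.
 * Returns -1 if the name does not fit (IFNAMSIZ includes the NUL). */
int tap_ifreq(const char *name, struct ifreq *ifr)
{
    memset(ifr, 0, sizeof *ifr);
    if (strlen(name) >= IFNAMSIZ)
        return -1;
    ifr->ifr_flags = IFF_TAP | IFF_NO_PI;
    strncpy(ifr->ifr_name, name, IFNAMSIZ - 1);
    return 0;
}

/* Open /dev/net/tun and attach to the named TAP interface.
 * TUNSETIFF needs CAP_NET_ADMIN unless the interface already exists,
 * is persistent and is owned by the calling uid; this is the ioctl that
 * fails with EPERM in the strace from the thread. Returns fd or -1. */
int open_tap(const char *name)
{
    struct ifreq ifr;
    if (tap_ifreq(name, &ifr) < 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Move fd to target and make sure it survives exec (no FD_CLOEXEC);
 * the original descriptor is closed. Returns 0 on success. */
int place_fd(int fd, int target)
{
    if (fd == target) {
        int fl = fcntl(fd, F_GETFD);
        return fl < 0 ? -1 : fcntl(fd, F_SETFD, fl & ~FD_CLOEXEC);
    }
    if (dup2(fd, target) < 0)   /* dup2 leaves FD_CLOEXEC clear on target */
        return -1;
    close(fd);
    return 0;
}

/* Drop root: supplementary groups first, then gid, then uid, and verify
 * that root cannot be regained. Refuses to "drop" to uid/gid 0. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (setgroups(0, NULL) < 0) return -1;
    if (setresgid(gid, gid, gid) < 0) return -1;
    if (setresuid(uid, uid, uid) < 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 6) {
        fprintf(stderr, "usage: %s ifname uid gid fdnum cmd [args...]\n", argv[0]);
        return 2;
    }
    int fd = open_tap(argv[1]);
    if (fd < 0) { perror("TUNSETIFF"); return 1; }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    int target = atoi(argv[4]);
    if (place_fd(fd, target) < 0) { perror("place_fd"); return 1; }
    if (drop_privs(uid, gid) < 0) { perror("drop_privs"); return 1; }
    execvp(argv[5], argv + 5);
    perror("execvp");
    return 1;
}
```

The exec'd crosvm must be given only --tap-fd for networking: as the reply above explains, any of --host_ip, --netmask or --mac makes crosvm open /dev/net/tun itself, which the now-unprivileged process cannot do.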