Loading nixos/modules/virtualisation/incus.nix +33 −0 Original line number Diff line number Diff line Loading @@ -338,7 +338,40 @@ in "lxc-containers".profile = '' include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers ''; "incusd".profile = '' # This profile allows everything and only exists to give the # application a name instead of having the label "unconfined" abi <abi/4.0>, include <tunables/global> profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) { userns, </var/lib/incus/security/apparmor/cache> </var/lib/incus/security/apparmor/profiles> # Site-specific additions and overrides. See local/README for details. include if exists <local/incusd> } ''; }; includes."abstractions/base" = '' # Allow incusd's various AA profiles to load dynamic libraries from Nix store # https://discuss.linuxcontainers.org/t/creating-new-containers-vms-blocked-by-apparmor-on-nixos/21908/6 mr /nix/store/*/lib/*.so*, r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules, r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/, r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/gconv-modules-extra.conf, # Support use of VM instance mrix ${pkgs.qemu_kvm}/bin/*, k ${OVMF2MB.fd}/FV/*.fd, k ${pkgs.OVMFFull.fd}/FV/*.fd, '' + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 '' k ${pkgs.seabios-qemu}/share/seabios/bios.bin, ''; }; systemd.services.incus = { Loading nixos/tests/incus/default.nix +7 −1 Original line number Diff line number Diff line Loading @@ -44,6 +44,12 @@ in zfs = incusTest { inherit lts pkgs system; storageLvm = true; storageZfs = true; }; appArmor = incusTest { inherit lts pkgs system; appArmor = true; allTests = true; }; } nixos/tests/incus/incus-tests.nix +4 −0 Original line number Diff line number Diff line Loading @@ -7,6 +7,7 @@ import ../make-test-python.nix ( allTests ? false, appArmor ? false, featureUser ? allTests, initLegacy ? true, initSystemd ? true, Loading Loading 
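Review bot: The new `includes."abstractions/base"` rules in the incus.nix hunk widen AppArmor policy for the whole host, not just for Incus: `abstractions/base` is pulled in by essentially every profile on the system, so every confined process gains `mr /nix/store/*/lib/*.so*`, `mrix ${pkgs.qemu_kvm}/bin/*` and lock (`k`) access to the OVMF and SeaBIOS firmware files, not only incusd and lxc-containers. The linked discussion explains why the store-wide shared-library rule is needed, but the qemu and firmware rules look Incus-specific and could live in a dedicated abstraction (e.g. `includes."abstractions/incus"`, name chosen here as an example) that the `incusd` and `lxc-containers` profiles include, leaving the base abstraction untouched. If they stay in `abstractions/base`, the comment should say so explicitly, e.g. `# NOTE: abstractions/base is shared by every AppArmor profile on the host; these rules are not scoped to Incus`. The `incusd` profile itself is `flags=(unconfined)` as its own comment states, so these base additions presumably matter for the other (instance) profiles rather than for incusd. This file section is repeated further down the page; the note applies there as well.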
@@ -139,6 +140,9 @@ import ../make-test-python.nix ( networking.hostId = "01234567"; networking.firewall.trustedInterfaces = [ "incusbr0" ]; security.apparmor.enable = appArmor; services.dbus.apparmor = (if appArmor then "enabled" else "disabled"); services.lvm = { boot.thin.enable = storageLvm; dmeventd.enable = storageLvm; Loading Loading
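Review bot: The parentheses around the conditional in `services.dbus.apparmor = (if appArmor then "enabled" else "disabled");` are redundant in Nix; `services.dbus.apparmor = if appArmor then "enabled" else "disabled";` reads the same as the neighbouring assignments. The enclosing module attribute set starts and ends outside the hunk, and the same hunk is repeated further down the page.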
nixos/modules/virtualisation/incus.nix +33 −0 Original line number Diff line number Diff line Loading @@ -338,7 +338,40 @@ in "lxc-containers".profile = '' include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers ''; "incusd".profile = '' # This profile allows everything and only exists to give the # application a name instead of having the label "unconfined" abi <abi/4.0>, include <tunables/global> profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) { userns, </var/lib/incus/security/apparmor/cache> </var/lib/incus/security/apparmor/profiles> # Site-specific additions and overrides. See local/README for details. include if exists <local/incusd> } ''; }; includes."abstractions/base" = '' # Allow incusd's various AA profiles to load dynamic libraries from Nix store # https://discuss.linuxcontainers.org/t/creating-new-containers-vms-blocked-by-apparmor-on-nixos/21908/6 mr /nix/store/*/lib/*.so*, r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules, r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/, r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/gconv-modules-extra.conf, # Support use of VM instance mrix ${pkgs.qemu_kvm}/bin/*, k ${OVMF2MB.fd}/FV/*.fd, k ${pkgs.OVMFFull.fd}/FV/*.fd, '' + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 '' k ${pkgs.seabios-qemu}/share/seabios/bios.bin, ''; }; systemd.services.incus = { Loading
nixos/tests/incus/default.nix +7 −1 Original line number Diff line number Diff line Loading @@ -44,6 +44,12 @@ in zfs = incusTest { inherit lts pkgs system; storageLvm = true; storageZfs = true; }; appArmor = incusTest { inherit lts pkgs system; appArmor = true; allTests = true; }; }
nixos/tests/incus/incus-tests.nix +4 −0 Original line number Diff line number Diff line Loading @@ -7,6 +7,7 @@ import ../make-test-python.nix ( allTests ? false, appArmor ? false, featureUser ? allTests, initLegacy ? true, initSystemd ? true, Loading Loading @@ -139,6 +140,9 @@ import ../make-test-python.nix ( networking.hostId = "01234567"; networking.firewall.trustedInterfaces = [ "incusbr0" ]; security.apparmor.enable = appArmor; services.dbus.apparmor = (if appArmor then "enabled" else "disabled"); services.lvm = { boot.thin.enable = storageLvm; dmeventd.enable = storageLvm; Loading