From 01973ea5ae3a467d12e18a8c629ca942b82164e4 Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Fri, 13 Dec 2024 15:35:05 +0100 Subject: [PATCH] caa: adjust peer-pod image to immutable /etc --- .../0001-azure-fix-sublevel.patch | 25 ---------- .../by-name/kernel-podvm-azure/package.nix | 47 ------------------- packages/by-name/mkNixosConfig/package.nix | 1 - packages/nixos/azure.nix | 3 +- packages/nixos/peerpods.nix | 13 +++++ 5 files changed, 15 insertions(+), 74 deletions(-) delete mode 100644 packages/by-name/kernel-podvm-azure/0001-azure-fix-sublevel.patch delete mode 100644 packages/by-name/kernel-podvm-azure/package.nix diff --git a/packages/by-name/kernel-podvm-azure/0001-azure-fix-sublevel.patch b/packages/by-name/kernel-podvm-azure/0001-azure-fix-sublevel.patch deleted file mode 100644 index 83087f37a6..0000000000 --- a/packages/by-name/kernel-podvm-azure/0001-azure-fix-sublevel.patch +++ /dev/null @@ -1,25 +0,0 @@ -From d492c78b4db68c39ee38799b8fe0fee5c9ba4e9f Mon Sep 17 00:00:00 2001 -From: Moritz Sanft <58110325+msanft@users.noreply.github.com> -Date: Mon, 15 Apr 2024 16:54:38 +0200 -Subject: [PATCH] fix sublevel - -Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 15958568c..da457313a 100644 ---- a/Makefile -+++ b/Makefile -@@ -1,7 +1,7 @@ - # SPDX-License-Identifier: GPL-2.0 - VERSION = 6 - PATCHLEVEL = 2 --SUBLEVEL = 16 -+SUBLEVEL = 0 - EXTRAVERSION = - NAME = Hurr durr I'ma ninja sloth - --- -2.44.0 diff --git a/packages/by-name/kernel-podvm-azure/package.nix b/packages/by-name/kernel-podvm-azure/package.nix deleted file mode 100644 index 042d8d1ee7..0000000000 --- a/packages/by-name/kernel-podvm-azure/package.nix +++ /dev/null 
@@ -1,47 +0,0 @@
-# Copyright 2024 Edgeless Systems GmbH
-# SPDX-License-Identifier: AGPL-3.0-only
-
-{
- lib,
- fetchurl,
- buildLinux,
- ...
-}:
-
-buildLinux {
- version = "6.2";
- modDirVersion = "6.2.0";
-
- src = fetchurl {
- url = "https://cdn.confidential.cloud/constellation/kernel/6.2.0-100.constellation/linux-6.2.0-1018-azure.tar.gz";
- sha256 = "sha256-5UKJsAoQUg2UHzz7OPdCZdlvr7neBIm/J5avu2YKA0Q=";
- };
-
- kernelPatches = [
- {
- name = "0001-azure-fix-sublevel.patch";
- patch = ./0001-azure-fix-sublevel.patch;
- }
- ];
-
- structuredExtraConfig = with lib.kernel; {
- AMD_MEM_ENCRYPT = lib.mkForce (option yes);
- DRM_AMDGPU = lib.mkForce (option no);
- DRM_AMDGPU_CIK = lib.mkForce (option no);
- DRM_AMDGPU_SI = lib.mkForce (option no);
- DRM_AMDGPU_USERPTR = lib.mkForce (option no);
- DRM_AMD_DC_FP = lib.mkForce (option no);
- DRM_AMD_DC_SI = lib.mkForce (option no);
- HSA_AMD = lib.mkForce (option no);
- DRM_AMD_ACP = lib.mkForce (option no);
- DRM_AMD_DC_DCN = lib.mkForce (option no);
- DRM_AMD_DC_HDCP = lib.mkForce (option no);
- DRM_AMD_SECURE_DISPLAY = lib.mkForce (option no);
- HYPERV_AZURE_BLOB = lib.mkForce (option no);
- INTEL_TDX_GUEST = lib.mkForce (option yes);
- DEFAULT_SECURITY_APPARMOR = lib.mkForce (option no);
- DEFAULT_SECURITY_SELINUX = lib.mkForce (option no);
- };
-
- extraMeta.branch = "6.2";
-}
diff --git a/packages/by-name/mkNixosConfig/package.nix b/packages/by-name/mkNixosConfig/package.nix
index e5b90e109d..a96255bcc6 100644
--- a/packages/by-name/mkNixosConfig/package.nix
+++ b/packages/by-name/mkNixosConfig/package.nix
@@ -39,7 +39,6 @@ lib.makeOverridable (
 inherit (outerPkgs)
 azure-no-agent
 cloud-api-adaptor
- kernel-podvm-azure
 pause-bundle
 nvidia-ctk-oci-hook
 nvidia-ctk-with-config
diff --git a/packages/nixos/azure.nix b/packages/nixos/azure.nix
index 6da4f97e47..c5527ded5d 100644
--- a/packages/nixos/azure.nix
+++ b/packages/nixos/azure.nix
@@ -55,7 +55,8 @@ in }; config = lib.mkIf cfg.enable { - boot.kernelPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor pkgs.kernel-podvm-azure); + # TODO(burgerdev): find a recent kernel tailored for Azure. + boot.kernelPackages = pkgs.linuxPackages_latest; boot.initrd = { kernelModules = [ diff --git a/packages/nixos/peerpods.nix b/packages/nixos/peerpods.nix index 116768e519..e85d7044ec 100644 --- a/packages/nixos/peerpods.nix +++ b/packages/nixos/peerpods.nix @@ -97,6 +97,19 @@ in ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; }; }; + # Contrary to bare-metal, a peer pod needs regular network access and DNS. The default setup + # with dhcpcd and resolvconf does not play well with the immutable /etc, so we use the full + # systemd stack instead. + networking.dhcpcd.enable = false; + systemd.network.enable = true; + networking.useNetworkd = true; + services.resolved.enable = true; + + # The /etc/machine-id should be populated by systemd, but the immutable /etc seems to prevent + # that. We manually fill this file with `uninitialized` to force first-boot behavior. This is + # required by systemd-networkd. + # https://www.man7.org/linux//man-pages/man5/machine-id.5.html#FIRST_BOOT_SEMANTICS + environment.etc."machine-id".text = "uninitialized"; environment.etc."kata-opa/default-policy.rego".source = pkgs.cloud-api-adaptor.default-policy; };
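Review bot: The replacement `boot.kernelPackages = pkgs.linuxPackages_latest;` drops the explicit confidential-computing kernel configuration that the deleted kernel-podvm-azure package forced (`AMD_MEM_ENCRYPT` and `INTEL_TDX_GUEST` set to yes), and nothing in the new code verifies that the generic nixpkgs kernel carries those options. Consider pinning that requirement next to the TODO so a nixpkgs bump cannot silently yield a guest kernel without SEV/TDX guest support, e.g. `system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "AMD_MEM_ENCRYPT") (isYes "INTEL_TDX_GUEST") ];` (assuming `config` is in scope in this module, as the `cfg` reference suggests). Since `linuxPackages_latest` tracks nixpkgs rather than a fixed version, the guest kernel — and presumably any measurement-based reference values derived from the image — now changes with every nixpkgs update; the TODO comment could say so explicitly. The enclosing `config = lib.mkIf cfg.enable {` set continues outside the hunk.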
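Review bot: `environment.etc."machine-id".text = "uninitialized"` turns every boot into a first boot, and because /etc is immutable the ID that systemd generates cannot be written back, so the machine ID is transient and differs on each boot; the comment should state that this is intended rather than only that it is required by systemd-networkd. Anything keyed on the machine ID changes with it — journal entries and, unless `DUIDType=`/`DUIDRawData=` are set in `networkd.conf`, presumably the default DHCP DUID networkd derives from it — and units with `ConditionFirstBoot=yes` run on every boot. Suggested addition to the comment: `# /etc is read-only, so the generated ID is transient and changes on every boot; do not rely on a stable machine identity.` The man-page URL in the last comment line has a doubled slash (`linux//man-pages`). The attribute set these lines belong to begins outside the hunk.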