From fc764b0a777b53e73c8cf462121b7e4a83a0e704 Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Fri, 13 Dec 2024 15:35:05 +0100 Subject: [PATCH] caa: adjust peer-pod image to immutable /etc --- packages/nixos/azure.nix | 3 ++- packages/nixos/peerpods.nix | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/packages/nixos/azure.nix b/packages/nixos/azure.nix index 6da4f97e4..c5527ded5 100644 --- a/packages/nixos/azure.nix +++ b/packages/nixos/azure.nix @@ -55,7 +55,8 @@ in }; config = lib.mkIf cfg.enable { - boot.kernelPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor pkgs.kernel-podvm-azure); + # TODO(burgerdev): find a recent kernel tailored for Azure. + boot.kernelPackages = pkgs.linuxPackages_latest; boot.initrd = { kernelModules = [ diff --git a/packages/nixos/peerpods.nix b/packages/nixos/peerpods.nix index 116768e51..1bbefce33 100644 --- a/packages/nixos/peerpods.nix +++ b/packages/nixos/peerpods.nix @@ -97,6 +97,20 @@ in ExecStop = "${pkgs.iproute2}/bin/ip netns del %I"; }; }; + # Contrary to bare-metal, a peer pod needs regular network access and DNS. The default setup + # with dhcpcd and resolvconf does not play well with the immutable /etc, so we use the full + # systemd stack instead. + networking.dhcpcd.enable = false; + systemd.network.enable = true; + networking.useNetworkd = true; + services.resolved.enable = true; + + # The /etc/machine-id should be populated by systemd, but the immutable /etc seems to prevent + # that. However, systemd-networkd requires this file to exist, so we add an empty file which + # will then be bind-mounted over by systemd. Let's hope no important services are gated on + # first-boot. + # https://www.man7.org/linux//man-pages/man5/machine-id.5.html#FIRST_BOOT_SEMANTICS + environment.etc."machine-id".text = ""; environment.etc."kata-opa/default-policy.rego".source = pkgs.cloud-api-adaptor.default-policy; };
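Review bot: The replacement `boot.kernelPackages = pkgs.linuxPackages_latest;` in azure.nix turns a fixed, Azure-specific kernel (`kernel-podvm-azure`) into a moving target that changes with every nixpkgs bump, and if this peer-pod image is measured or attested, each bump will silently change the boot reference values. The TODO should record what the tailored kernel provided that the generic package may not — the Azure and confidential-guest drivers the initrd `kernelModules` list below relies on — so the next person can verify them rather than rediscover them; for example, `# TODO(burgerdev): find a recent kernel tailored for Azure; linuxPackages_latest is unpinned (measurements drift on nixpkgs updates) and must be checked to ship the Hyper-V and confidential-guest modules listed in boot.initrd.kernelModules.` The `config` attribute set and the `boot.initrd` block continue outside this hunk.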
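Review bot: With `environment.etc."machine-id".text = "";` the file is empty at every boot, which per the linked man page means systemd generates a fresh random ID and applies first-boot semantics on every boot, not just the first one; the comment's "Let's hope no important services are gated on first-boot" should state this consequence explicitly and name what was checked, e.g. `# Because /etc is immutable the file stays empty, so every boot is a "first boot" (ConditionFirstBoot=yes units run each time) and the machine ID is new per boot; anything keyed on it (journal, networkd's DUID-derived DHCP client ID) is therefore per-boot.` If any of those side effects is not acceptable for a peer pod, that deserves a tracked follow-up rather than a hope. As a minor point of style, `systemd.network.enable = true;` appears to be implied by `networking.useNetworkd = true;` and could be dropped to keep the intent in one line. The enclosing `config` attribute set starts before this hunk.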