From d0b60f93984cde15be81276dc25dcfc808bba9ce Mon Sep 17 00:00:00 2001
From: Bruno Bigras
Date: Fri, 15 Nov 2024 12:26:57 -0500
Subject: [PATCH 1/3] incus: 6.6.0 -> 6.7.0

---
 pkgs/by-name/in/incus/package.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/by-name/in/incus/package.nix b/pkgs/by-name/in/incus/package.nix
index 5819ee61744f..b42bc2379873 100644
--- a/pkgs/by-name/in/incus/package.nix
+++ b/pkgs/by-name/in/incus/package.nix
@@ -1,6 +1,6 @@
 import ./generic.nix {
- hash = "sha256-hjBJGtIBYwgPpnWb1337RP1jU9rQNLQ3yp1AnwBH13o=";
- version = "6.6.0";
- vendorHash = "sha256-Cpbgn2WHMVKtPrAzuNnXkS1rYvzLwde6oTcKTKW3XHs=";
+ hash = "sha256-k7DHJRbhUJwamEOW8B7wdCWQyYEUtsIHwuHh20lpLmA=";
+ version = "6.7.0";
+ vendorHash = "sha256-u12zYcKiHNUH1kWpkMIyixtK9t+G4N2QerzOGsujjFQ=";
 patches = [ ];
 }

From 0e12722d4b512441ba92f6ec90c4c55cc85f7f57 Mon Sep 17 00:00:00 2001
From: Adam Stephens
Date: Sat, 23 Nov 2024 16:28:31 -0500
Subject: [PATCH 2/3] incus: fix tpm support

---
 nixos/tests/incus/virtual-machine.nix | 6 +-
 pkgs/by-name/in/incus/1377-reverse.patch | 77 ++++++++++++++++++++++++
 pkgs/by-name/in/incus/generic.nix | 2 +-
 pkgs/by-name/in/incus/package.nix | 2 +-
 4 files changed, 81 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/by-name/in/incus/1377-reverse.patch

diff --git a/nixos/tests/incus/virtual-machine.nix b/nixos/tests/incus/virtual-machine.nix
index f5ac4c8eee1f..4e9103818011 100644
--- a/nixos/tests/incus/virtual-machine.nix
+++ b/nixos/tests/incus/virtual-machine.nix
@@ -30,9 +30,6 @@ in
 memorySize = 1024;
 diskSize = 4096;
 
- # Provide a TPM to test vTPM support for guests
- tpm.enable = true;
-
 incus = {
 enable = true;
 package = incus;
@@ -41,7 +38,8 @@ in
 networking.nftables.enable = true;
 };
 
- testScript = ''
+ testScript = # python
+ ''
 def instance_is_up(_) -> bool:
 status, _ = machine.execute("incus exec ${instance-name} --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running")
 return status == 0
diff --git a/pkgs/by-name/in/incus/1377-reverse.patch b/pkgs/by-name/in/incus/1377-reverse.patch
new file mode 100644
index 000000000000..860b8693271c
--- /dev/null
+++ b/pkgs/by-name/in/incus/1377-reverse.patch
@@ -0,0 +1,77 @@
+--- b/internal/server/device/tpm.go
++++ a/internal/server/device/tpm.go
+@@ -202,13 +202,11 @@
+ },
+ }
+ 
++ proc, err := subprocess.NewProcess("swtpm", []string{"socket", "--tpm2", "--tpmstate", fmt.Sprintf("dir=%s", tpmDevPath), "--ctrl", fmt.Sprintf("type=unixio,path=%s", socketPath)}, "", "")
+- proc, err := subprocess.NewProcess("swtpm", []string{"socket", "--tpm2", "--tpmstate", fmt.Sprintf("dir=%s", tpmDevPath), "--ctrl", fmt.Sprintf("type=unixio,path=swtpm-%s.sock", d.name)}, "", "")
+ if err != nil {
+ return nil, err
+ }
+ 
+- proc.Cwd = tpmDevPath
+-
+ // Start the TPM emulator.
+ err = proc.Start(context.Background())
+ if err != nil {
+--- b/internal/server/instance/drivers/driver_qemu.go
++++ a/internal/server/instance/drivers/driver_qemu.go
+@@ -3668,7 +3668,7 @@
+ 
+ // Add TPM device.
+ if len(runConf.TPMDevice) > 0 {
++ err = d.addTPMDeviceConfig(&cfg, runConf.TPMDevice)
+- err = d.addTPMDeviceConfig(&cfg, runConf.TPMDevice, fdFiles)
+ if err != nil {
+ return "", nil, err
+ }
+@@ -4852,7 +4852,7 @@
+ return monHook, nil
+ }
+ 
++func (d *qemu) addTPMDeviceConfig(cfg *[]cfgSection, tpmConfig []deviceConfig.RunConfigItem) error {
+-func (d *qemu) addTPMDeviceConfig(cfg *[]cfgSection, tpmConfig []deviceConfig.RunConfigItem, fdFiles *[]*os.File) error {
+ var devName, socketPath string
+ 
+ for _, tpmItem := range tpmConfig {
+@@ -4863,16 +4863,9 @@
+ }
+ }
+ 
+- fd, err := unix.Open(socketPath, unix.O_PATH, 0)
+- if err != nil {
+- return err
+- }
+-
+- tpmFD := d.addFileDescriptor(fdFiles, os.NewFile(uintptr(fd), socketPath))
+-
+ tpmOpts := qemuTPMOpts{
+ devName: devName,
++ path: socketPath,
+- path: fmt.Sprintf("/proc/self/fd/%d", tpmFD),
+ }
+ *cfg = append(*cfg, qemuTPM(&tpmOpts)...)
+ 
+--- b/shared/subprocess/proc.go
++++ a/shared/subprocess/proc.go
+@@ -27,7 +27,6 @@
+ Name string `yaml:"name"`
+ Args []string `yaml:"args,flow"`
+ Apparmor string `yaml:"apparmor"`
+- Cwd string `yaml:"cwd"`
+ PID int64 `yaml:"pid"`
+ Stdin io.ReadCloser `yaml:"-"`
+ Stdout io.WriteCloser `yaml:"-"`
+@@ -154,11 +153,6 @@
+ cmd.Stderr = p.Stderr
+ cmd.Stdin = p.Stdin
+ cmd.SysProcAttr = p.SysProcAttr
+-
+- if p.Cwd != "" {
+- cmd.Dir = p.Cwd
+- }
+-
+ if cmd.SysProcAttr == nil {
+ cmd.SysProcAttr = &syscall.SysProcAttr{}
+ }
diff --git a/pkgs/by-name/in/incus/generic.nix b/pkgs/by-name/in/incus/generic.nix
index 4216710c0280..7e2483f1b2d2 100644
--- a/pkgs/by-name/in/incus/generic.nix
+++ b/pkgs/by-name/in/incus/generic.nix
@@ -1,7 +1,7 @@
 {
 hash,
 lts ? false,
- patches,
+ patches ? [ ],
 updateScriptArgs ? "",
 vendorHash,
 version,
diff --git a/pkgs/by-name/in/incus/package.nix b/pkgs/by-name/in/incus/package.nix
index b42bc2379873..65985513e517 100644
--- a/pkgs/by-name/in/incus/package.nix
+++ b/pkgs/by-name/in/incus/package.nix
@@ -2,5 +2,5 @@ import ./generic.nix {
 hash = "sha256-k7DHJRbhUJwamEOW8B7wdCWQyYEUtsIHwuHh20lpLmA=";
 version = "6.7.0";
 vendorHash = "sha256-u12zYcKiHNUH1kWpkMIyixtK9t+G4N2QerzOGsujjFQ=";
- patches = [ ];
+ patches = [ ./1377-reverse.patch ];
 }

From ed24c80ef65159238e23b223fbcc6b54ba410075 Mon Sep 17 00:00:00 2001
From: Adam Stephens
Date: Sat, 23 Nov 2024 16:37:31 -0500
Subject: [PATCH 3/3] incus: add tpm to container test

---
 nixos/tests/incus/container.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/nixos/tests/incus/container.nix b/nixos/tests/incus/container.nix
index 2329721d9504..ffccf6a43ff0 100644
--- a/nixos/tests/incus/container.nix
+++ b/nixos/tests/incus/container.nix
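Review bot: The new file 1377-reverse.patch carries no header stating what it reverts or why, so the next updater cannot tell when it can be dropped; the commit subject says only "fix tpm support" and the number 1377 is known only from the filename. A `.patch` file accepts free text before the first `---`, so add a short preamble along the lines of `Reverts upstream change 1377 (swtpm control socket handed to QEMU as an O_PATH fd via /proc/self/fd, swtpm started with Cwd set to the device directory) and restores passing the absolute socket path. Drop once <UPSTREAM_FIX_LINK> is in the packaged release.` The difference is worth recording because it changes what QEMU is trusted with: on the patched side the driver passes `path: socketPath` and QEMU resolves the filesystem path itself at start, whereas 6.7.0 handed it a descriptor the daemon had already opened, so the reason that approach fails in this environment belongs in the file rather than in a reviewer's memory. The package.nix hunk in this commit that adds `patches = [ ./1377-reverse.patch ];` would benefit from the same one-line pointer, and the first hunk of the commit, which drops `tpm.enable = true` from the VM test, likewise leaves no note of why a host TPM is no longer needed there.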
@@ -36,7 +36,8 @@ in
 networking.nftables.enable = true;
 };
 
- testScript = ''
+ testScript = # python
+ ''
 def instance_is_up(_) -> bool:
 status, _ = machine.execute("incus exec container --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running")
 return status == 0
@@ -94,6 +95,13 @@ in
 meminfo_bytes = " ".join(meminfo.split(' ')[-2:])
 assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'"
 
+ with subtest("virtual tpm can be configured"):
+ machine.succeed("incus config device add container vtpm tpm path=/dev/tpm0 pathrm=/dev/tpmrm0")
+ machine.succeed("incus exec container -- test -e /dev/tpm0")
+ machine.succeed("incus exec container -- test -e /dev/tpmrm0")
+ machine.succeed("incus config device remove container vtpm")
+ machine.fail("incus exec container -- test -e /dev/tpm0")
+
 with subtest("lxc-generator"):
 with subtest("lxc-container generator configures plain container"):
 # reuse the existing container to save some time
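Review bot: The teardown check in the new `virtual tpm can be configured` subtest is asymmetric: after `incus config device remove container vtpm` only `/dev/tpm0` is asserted gone, while `/dev/tpmrm0` was asserted present on add but is never checked for removal. Add `machine.fail("incus exec container -- test -e /dev/tpmrm0")` after the existing `machine.fail(...)` so a resource-manager node left behind by device removal fails the test instead of silently remaining exposed to the container. Note that `test -e` only proves the nodes exist inside the container, not that the TPM answers; if usability is in scope, a further command against the device would be needed, but that is a separate decision from the removal check. The enclosing `testScript` string begins outside this hunk.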