27 May 2024 |
hexa | huh, so why CRIU | 13:46:13 |
hexa | or is that stateful migration with ZFS? 😄 | 13:46:35 |
hexa | * or is that a stateful migration with ZFS? 😄 | 13:46:39 |
hexa | where it tries to freeze the VM | 13:46:47 |
adamcstephens | yeah that's a stateful migration | 13:47:00 |
adamcstephens | a stateless migration works, so maybe we're missing something | 13:52:51 |
hexa | does your kernel have CRIU? | 13:56:20 |
hexa | $ zgrep -i CHECKPOINT_RESTORE /proc/config.gz
CONFIG_CHECKPOINT_RESTORE=y
| 13:57:55 |
hexa | kernel 5.9 added CAP_CHECKPOINT_RESTORE | 13:58:05 |
adamcstephens | yeah i'm using the nixos 6.6 lts | 13:58:22 |
hexa | yeah, just if you have set a capab boundingset | 13:58:41 |
adamcstephens | ❯ /nix/store/d5f5grj684mp1xl6h7llgr2cklpdg2z4-criu-3.19/bin/criu check
CRIU needs to have the CAP_SYS_ADMIN or the CAP_CHECKPOINT_RESTORE capability:
setcap cap_checkpoint_restore+eip /nix/store/d5f5grj684mp1xl6h7llgr2cklpdg2z4-criu-3.19/bin/criu
~ adam@blank
❯ sudo /nix/store/d5f5grj684mp1xl6h7llgr2cklpdg2z4-criu-3.19/bin/criu check
Looks good.
~ adam@blank
❯ sudo systemd-analyze security incus | rg sys_admin
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges
| 14:01:31 |
hexa | and the "or" is not misleading? | 14:13:23 |
adamcstephens | incus runs as root with admin capability. is that not sufficient? | 14:23:59 |
hexa | the message implies that | 14:31:50 |
hexa | just want to rule out we're missing anything obvious due to that sentence being dogshit | 14:32:10 |
adamcstephens | yeah, agreed. i figured the sudo exec showed it should work | 15:27:18 |
adamcstephens | now you have me doubting it :) | 15:27:27 |
hexa | sudo is unconstrained root access | 15:29:08 |
hexa | if your incus systemd units don't have hardening (CapabilityBoundingSet in this case), then all is well | 15:29:41 |
adamcstephens | they don't | 15:38:27 |
28 May 2024 |
hexa | # incus launch images:nixos/unstable nixos -c security.secureboot=false
Launching nixos
Error: Failed instance creation: Failed creating instance record: Unknown configuration key: security.secureboot
| 11:54:50 |
hexa | on 6.0.0 🤔 | 11:54:57 |
hexa | missing --vm flag in wiki example, fixed | 11:57:20 |
adamcstephens | thanks for fixing | 13:06:45 |
hexa | online migration with zfs is working fine | 14:11:58 |
hexa | loving the remote cli access to the cluster | 14:12:09 |
hexa | a bit annoying that it is stuck with a single node | 14:14:54 |
hexa | [image attachment: image.png] | 14:25:02 |
hexa | the capitalization is off | 14:25:12 |