!VhzbGHamdfMiGxpXyg:robins.wtf

NixOS LXC

33 Members
lxc, lxd, incus discussions related to NixOS14 Servers

Load older messages


SenderMessageTime
10 Mar 2024
@mkg20001:mkg20001.iomkg20001https://github.com/NixOS/nixpkgs/pull/29480219:50:36
@cmspam:matrix.orgcmspamRedacted or Malformed Event20:06:39
@cmspam:matrix.orgcmspamRedacted or Malformed Event20:11:26
@cmspam:matrix.orgcmspamI figured it out. Here is the pull request for the new test.20:36:35
@cmspam:matrix.orgcmspamhttps://github.com/NixOS/nixpkgs/pull/29481920:36:36
@adam:robins.wtfadamcstephens
In reply to @cmspam:matrix.org
https://github.com/NixOS/nixpkgs/pull/294819
I was expecting you to add that to your other PR. :)
21:34:42
@cmspam:matrix.orgcmspam adamcstephens 🐝: Yes, it would have made much more sense to put it there :D
The code review you put requesting changes to requires, the changes have been fulfilled. Have I submitted that correctly and it's back to you, or I need to do something further to indicate it's implemented in github?
22:17:34
@adam:robins.wtfadamcstephens
In reply to @cmspam:matrix.org
adamcstephens 🐝: Yes, it would have made much more sense to put it there :D
The code review you put requesting changes to requires, the changes have been fulfilled. Have I submitted that correctly and it's back to you, or I need to do something further to indicate it's implemented in github?
Yeah it’s back to me. I’ll take a look, probably this evening, and get back to you 
22:44:39
14 Mar 2024
@mjolnir:nixos.orgNixOS Moderation Botchanged room power levels.18:44:26
18 Mar 2024
@mkg20001:mkg20001.iomkg20001 Should we add networking.firewall.trustedInterfaces = [ "incusbr*" ]; as part of the default incus configuration? Or is there a better solution? 13:45:05
@mkg20001:mkg20001.iomkg20001people are running into this quite often: https://discuss.linuxcontainers.org/t/incus-on-nixos-with-tailscale-on-the-side-no-internet-access-for-the-containers/19385/213:45:43
@adam:robins.wtfadamcstephensunfortunately they could name the bridge whatever they want13:48:08
@adam:robins.wtfadamcstephens incusbr0 is a convention (following on lxdbr0) but you could just as easily name the network/bridge myfavbr0 13:48:49
@adam:robins.wtfadamcstephensi'm hoping to start building out a wiki page once Wiki 2 is official13:50:47
@adam:robins.wtfadamcstephensmaybe this advice could live there?13:50:55
@adam:robins.wtfadamcstephens * i'm hoping to start building out a wiki page once Wiki 2 is live13:51:08
@mkg20001:mkg20001.iomkg20001wiki 2?13:51:38
@adam:robins.wtfadamcstephenshttps://discourse.nixos.org/t/official-nixos-wiki/3871513:52:00
@adam:robins.wtfadamcstephensor whatever we want to call it :)13:52:15
@mkg20001:mkg20001.iomkg20001i'm thinking if there is a good way to make incus work by default13:53:23
@mkg20001:mkg20001.iomkg20001I've seen your paste aswell with the nftables rules, but I feel like the real fix is just adding a hook to lxd that it adds the trusted interface dynamically, as otherwise we end up trying to allow everything lxd wants, while lxd may or may not require something extra depending on it's settings... we could use named sets to achive the trusted interface change dynamically and temporarly13:53:50
@mkg20001:mkg20001.iomkg20001https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets_specifications13:54:28
@mkg20001:mkg20001.iomkg20001This. Also tables can be flushed in such a way that all sets remain with their values.13:54:53
@mkg20001:mkg20001.iomkg20001this would not only be useful for incus, but also for virsh, etc.13:55:43
@mkg20001:mkg20001.iomkg20001s/lxd/incus/13:56:14
@adam:robins.wtfadamcstephens

since we're enforcing nftables now, we could also do something like

    networking.nftables = {
      enable = true;
      tables.allow-forward = {
        family = "inet";
        content = ''
          chain forward {
            type filter hook forward priority 0;
            accept
          }
        '';
      };
    };
13:56:27
@adam:robins.wtfadamcstephensthough i guess that doesn't help for dnsmasq13:57:16
@mkg20001:mkg20001.iomkg20001that allows all forward traffic. for all interfaces. now i need to go and deny by default any forwards from interfaces that aren't part of incus.13:57:58
@mkg20001:mkg20001.iomkg20001 * that allows all forward traffic. for all interfaces. now i need to go and deny by default any forward traffic from interfaces that aren't part of incus.13:58:04
@mkg20001:mkg20001.iomkg20001if i have, say, a vpn or something else on that server13:58:21

Show newer messages


Back to Room ListRoom Version: 10