Use bcarnes' squashfs label patches instead of the dubious kludge

[nixos-qemu-vm-isolation] / modules / qemu-vm-isolation.nix

diff --git a/modules/qemu-vm-isolation.nix b/modules/qemu-vm-isolation.nix
index bea417449b767c9c8466b39075abb85f70e8bd52..5467f29a366de753f2714a6001762d2ae821999b 100644 (file)
--- a/modules/qemu-vm-isolation.nix
+++ b/modules/qemu-vm-isolation.nix
@@ -16,37 +16,52 @@ let
     hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
 
   nixStoreImages = {
     hostPkgs.closureInfo { rootPaths = config.virtualisation.additionalPaths; };
 
   nixStoreImages = {

-    ext4 = import (modulesPath + "/../lib/make-disk-image.nix") {
-      inherit pkgs config lib;
-      additionalPaths = [ storeContents ];
-      onlyNixStore = true;
-      label = "nix-store";
-      partitionTableType = "none";
-      installBootLoader = false;
-      diskSize = "auto";
-      additionalSpace = "0M";
-      copyChannel = false;
-    };
-    erofs = hostPkgs.runCommand "nix-store-image" { } ''
-      mkdir $out
-      cd ${builtins.storeDir}
-      ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
-        --force-uid=0 \
-        --force-gid=0 \
-        -L nix-store \
-        -U eb176051-bd15-49b7-9e6b-462e0b467019 \
-        -T 0 \
-        --exclude-regex="$(
-          <${storeContents}/store-paths \
-            sed -e 's^.*/^^g' \
-          | cut -c -10 \
-          | ${hostPkgs.python3}/bin/python -c ${
-            escapeShellArg (builtins.readFile
-              (modulesPath + "/virtualisation/includes-to-excludes.py"))
-          } )" \
-        $out/nixos.img \
-        .
-    '';
+    ext4 = "${
+        import (modulesPath + "/../lib/make-disk-image.nix") {
+          inherit pkgs config lib;
+          additionalPaths = [ storeContents ];
+          onlyNixStore = true;
+          label = "nix-store";
+          partitionTableType = "none";
+          installBootLoader = false;
+          diskSize = "auto";
+          additionalSpace = "0M";
+          copyChannel = false;
+        }
+      }/nixos.img";
+    erofs = "${
+        hostPkgs.runCommand "nix-store-image" { } ''
+          mkdir $out
+          ${hostPkgs.gnutar}/bin/tar --create \
+            --absolute-names \
+            --verbatim-files-from \
+            --transform 'flags=rSh;s|/nix/store/||' \
+            --files-from ${storeContents}/store-paths \
+            | ${hostPkgs.erofs-utils}/bin/mkfs.erofs \
+              --force-uid=0 \
+              --force-gid=0 \
+              -L nix-store \
+              -U eb176051-bd15-49b7-9e6b-462e0b467019 \
+              -T 0 \
+              --tar=f \
+              $out/nix-store.img
+        ''
+      }/nix-store.img";
+    squashfs =
+      "${hostPkgs.callPackage (modulesPath + "/../lib/make-squashfs.nix") {
+        squashfsTools = hostPkgs.squashfsTools.overrideAttrs (old: {
+          # We patch in support for squashfs labels because
+          # https://github.com/NixOS/nixpkgs/pull/236656 requires filesystems to have labels and
+          # https://github.com/plougher/squashfs-tools/issues/59 squashfs doesn't support labels
+          patches = (old.patches or []) ++ [ ./squashfs-tools-label.patch ];
+          buildInputs = (old.buildInputs or []) ++ [ hostPkgs.makeWrapper ];
+          postInstall = (old.postInstall or "") + ''
+            wrapProgram "$out/bin/mksquashfs" \
+              --append-flags "-label nix-store"
+          '';
+        });
+        storeContents = config.virtualisation.additionalPaths;
+      }}";

   };
 
 in {
   };
 
 in {


@@ -56,8 +71,10 @@ in {
         What filesystem to use for the guest's Nix store.
 
         erofs is more compact than ext4, but less mature.
         What filesystem to use for the guest's Nix store.
 
         erofs is more compact than ext4, but less mature.

+
+        squashfs is best, but requires patches to set the filesystem label.

       '';
       '';

-      type = lib.types.enum [ "ext4" "erofs" ];
+      type = lib.types.enum [ "ext4" "erofs" "squashfs" ];

       default = "ext4";
     };
   };
       default = "ext4";
     };
   };


@@ -66,6 +83,16 @@ in {
       boot.initrd.kernelModules =
         optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
 
       boot.initrd.kernelModules =
         optional (cfg.nixStoreFilesystemType == "erofs") "erofs";
 

+      nixpkgs.overlays = optional (cfg.nixStoreFilesystemType == "squashfs")
+        (final: prev: {
+          util-linux = prev.util-linux.overrideAttrs (old: {
+            # We patch in support for squashfs labels because
+            # https://github.com/NixOS/nixpkgs/pull/236656 requires filesystems to have labels and
+            # https://github.com/plougher/squashfs-tools/issues/59 squashfs doesn't support labels
+            patches = (old.patches or [ ]) ++ [ ./util-linux-squashfs-label.patch ];
+          });
+        });
+

       fileSystems = mkVMOverride {
         "${storeMountPath}" = {
           fsType = cfg.nixStoreFilesystemType;
       fileSystems = mkVMOverride {
         "${storeMountPath}" = {
           fsType = cfg.nixStoreFilesystemType;


@@ -83,7 +110,7 @@ in {
         sharedDirectories = mkForce { };
 
         qemu.drives = [{
         sharedDirectories = mkForce { };
 
         qemu.drives = [{

-          file = "${config.system.build.nixStoreImage}/nixos.img";
+          file = config.system.build.nixStoreImage;

           driveExtraOpts = {
             format = "raw";
             read-only = "on";
           driveExtraOpts = {
             format = "raw";
             read-only = "on";