From: Scott Worley Date: Sun, 21 Nov 2021 01:38:13 +0000 (-0800) Subject: Note that useNixStoreImage exists now X-Git-Url: http://git.scottworley.com/nixos-qemu-vm-isolation/commitdiff_plain/0fb3685a199d2804993f5b414cf4cca1be35e66a Note that useNixStoreImage exists now I'm disappointed that it doesn't work. :( When it's fixed, it can replace this module.
---
diff --git a/README b/README
index f0be89d..c0aea31 100644
--- a/README
+++ b/README
@@ -2,3 +2,6 @@ Isolate NixOS QEMU VMs from each other and from the host by using a squashfs for the VM's /nix/store that contains only the VM's dependencies (like the installer has) rather than a virtio mount of the host's entire /nix/store.
+
+**Update:** `virtualisation.useNixStoreImage` exists now! But it doesn't
+work! :( See the note in `checks/mount-grep.nix`
diff --git a/checks/mount-grep.nix b/checks/mount-grep.nix
index 5be45d7..99084ea 100644
--- a/checks/mount-grep.nix
+++ b/checks/mount-grep.nix
@@ -1,20 +1,31 @@
-{ pkgs, ... }: {
+{ lib, pkgs, ... }: {
 name = "qemu-private-store-mount-grep";
 nodes = {
 shared = _: { };
 private = _: { imports = [ ../modules/qemu-vm-isolation.nix ]; };
+ useNixStoreImage = {
+ virtualisation = {
+ sharedDirectories = lib.mkForce { };
+ useNixStoreImage = true;
+ };
+ };
 };
 testScript = ''
 start_all()
 shared.wait_for_unit("multi-user.target")
 private.wait_for_unit("multi-user.target")
+ useNixStoreImage.wait_for_unit("multi-user.target")
 shared.succeed("[[ $(mount | grep -c virt) -gt 0 ]]")
 private.succeed("[[ $(mount | grep -c virt) -eq 0 ]]")
+ useNixStoreImage.succeed("[[ $(mount | grep -c virt) -eq 0 ]]")
 shared.succeed("[[ -e ${pkgs.pv} ]]")
 private.fail("[[ -e ${pkgs.pv} ]]")
+
+ # useNixStoreImage isn't ready until this works:
+ # useNixStoreImage.fail("[[ -e ${pkgs.pv} ]]")
 '';
 }
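Review bot: The isolation assertion for the new `useNixStoreImage` node is left commented out (`# useNixStoreImage.fail("[[ -e ${pkgs.pv} ]]")`), so that node is only checked by the `mount | grep -c virt` count and the test passes without ever establishing that the host's store contents are hidden from it. Rather than a disabled check, pin the currently observed behaviour so the suite breaks loudly the moment upstream fixes it: `useNixStoreImage.succeed("[[ -e ${pkgs.pv} ]]")  # known leak; flip to fail() once useNixStoreImage hides the host store`. That failing run is exactly the signal the README says you are waiting for (that this module can be retired), and it no longer depends on someone remembering to re-enable a line. The `sharedDirectories = lib.mkForce { };` line would also benefit from a short comment stating why the node's default shares are removed, presumably so that the only path to the host store is the store image itself — otherwise a reader may take it for a misconfiguration rather than part of the isolation being tested.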