Skip to content

nixos/xen: refactor dom0 configuration#324911

Merged
emilazy merged 2 commits intoNixOS:masterfrom
SigmaSquadron:xen-module
Sep 18, 2024
Merged

nixos/xen: refactor dom0 configuration#324911
emilazy merged 2 commits intoNixOS:masterfrom
SigmaSquadron:xen-module

Conversation

@SigmaSquadron
Copy link
Contributor

@SigmaSquadron SigmaSquadron commented Jul 5, 2024
edited
Loading

Description of changes

Refactors the Xen module for Domain 0.

  • Cleans up downstream systemd units in favour of using upstream units.
  • Xen 4.18 on Nixpkgs now supports EFI booting, so we have an EFI boot builder here that runs after systemd-boot-builder.py.
  • Add more options for setting up dom0 resource limits.
  • Adds options for the declarative configuration of oxenstored.
  • Disables the automatic bridge configuration, as it was broken.
  • Deprecates legacy boot.

Things done

  • Built on platform(s)
    • x86_64-linux
  • Tested, as applicable:
    • No automated tests for NixOS/xen yet.
  • 24.11 Release Notes
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
      • I added a release note under highlights. Let me know if this is too presumptuous.
  • Fits CONTRIBUTING.md.

Closes #129780, closes #127404.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` labels Jul 5, 2024
@SigmaSquadron SigmaSquadron changed the title Xen module nixos/xen: refactor dom0 configuration Jul 5, 2024
@SigmaSquadron SigmaSquadron mentioned this pull request Jul 5, 2024
Merged
6 tasks
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jul 5, 2024
@SigmaSquadron SigmaSquadron force-pushed the xen-module branch 2 times, most recently from 5983d41 to 2a8bdec Compare July 6, 2024 08:19
JulienMalka
JulienMalka previously requested changes Jul 7, 2024
View reviewed changes
Copy link
Member

@JulienMalka JulienMalka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels very intrusive to the systemd-boot-builder codebase to me, which will create maintenance burden. I've never worked with Xen, could you explain why this is necessary? Is it not possible to do the modification to the xen.cfg file at build time, like on the file passed to extraFiles?

@SigmaSquadron

This comment was marked as outdated.

Sign in to view
@SigmaSquadron SigmaSquadron self-assigned this Jul 8, 2024
@SigmaSquadron SigmaSquadron requested a review from JulienMalka July 8, 2024 14:29
@SigmaSquadron SigmaSquadron force-pushed the xen-module branch 2 times, most recently from 1327508 to b7b29a5 Compare July 10, 2024 19:25
@SigmaSquadron
Copy link
Contributor Author

SigmaSquadron commented Jul 10, 2024

Removed instances of with lib; per review in #324693.

@ofborg ofborg bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 17, 2024
@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 17, 2024
@SigmaSquadron SigmaSquadron removed their assignment Jul 19, 2024
@SigmaSquadron
Copy link
Contributor Author

SigmaSquadron commented Jul 19, 2024
edited
Loading

I had some time, so I added more options to configure oxenstored.conf. The options haven't changed in a decade, so I think it's alright to skip building a new config generator for oxenstored.conf's custom syntax, and just use etc."xen/oxenstored.conf".text.

xl's next, but that's a major undertaking which is best left for a separate PR.

@SigmaSquadron SigmaSquadron requested a review from oxij July 19, 2024 21:14
@SigmaSquadron

This comment was marked as outdated.

Sign in to view
@SigmaSquadron SigmaSquadron force-pushed the xen-module branch 2 times, most recently from 95ecd4e to a03f9f6 Compare July 20, 2024 19:49
@SigmaSquadron
Copy link
Contributor Author

SigmaSquadron commented Sep 17, 2024

I notice that the module has gone through nixfmt; would you be able to reformat it in a separate commit before your substantive changes so that it’s easier to review exactly what changed, or do you think it has been sufficiently rewritten that comparing against the old state doesn’t even make sense?

I formatted the old version in a separate commit as requested. That said, the diff is still really hard to read because many options were moved around and config entries were deduplicated/nested, so I'd recommend looking at the full file instead of just the diff.

CertainLach
CertainLach reviewed Sep 17, 2024
View reviewed changes
@SigmaSquadron
nixos/xen: format with nixfmt-rfc-style
c3fa245 
Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
@SigmaSquadron SigmaSquadron removed the 12.approvals: 1 This PR was reviewed and approved by one person. label Sep 17, 2024
CertainLach
CertainLach reviewed Sep 17, 2024
View reviewed changes
@SigmaSquadron SigmaSquadron added the 12.approvals: 1 This PR was reviewed and approved by one person. label Sep 17, 2024
emilazy
emilazy requested changes Sep 18, 2024
View reviewed changes
Copy link
Member

@emilazy emilazy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks broadly good to me. I don’t know much about Xen, so my review here is mostly human linting and asking about things that stood out to me, but this shouldn’t interfere with setups that don’t use Xen and seems to be better quality code than what it’s replacing, which is good enough for me. A few things I’d like to see changed, but I’m deferring to @CertainLach’s approval as far as Xen matters go.

nixos/modules/virtualisation/xen-dom0.nix Outdated
Copy link
Member

@emilazy emilazy Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the C implementation is legacy and adds complexity to the implementation here, should we only support the OCaml one? Is there anything the OCaml one can’t do that the C one can?

Copy link
Contributor Author

@SigmaSquadron SigmaSquadron Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't, unfortunately. oxenstored does not support untrusted device domains, which is the main reason why Qubes OS (#341215) doesn't use it.

nixos/modules/virtualisation/xen-dom0.nix Outdated
Comment on lines 622 to 633
Copy link
Member

@emilazy emilazy Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these sufficiently bad configurations that we want them to be assertions, rather than warnings? (I’m perfectly fine with ruling out footguns like this; just want to check.)

Copy link
Contributor Author

@SigmaSquadron SigmaSquadron Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The quota stuff should certainly be kept, otherwise users might unknowingly open themselves to a known security vulnerability. The tracing stuff is more of a footgun, but could be replaced with a lib.warn with no issues. I don't see why someone would want to debug Xen without logs though.

@SigmaSquadron @CertainLach
nixos/xen: refactor dom0 configuration
9e5f77a 
- Cleans up downstream systemd units in favour of using upstream units.
- Xen 4.18 on Nixpkgs now supports EFI booting, so we have an EFI boot
  builder here that runs after systemd-boot-builder.py.
- Add more options for setting up dom0 resource limits.
- Adds options for the declarative configuration of oxenstored.
- Disables the automatic bridge configuration, as it was broken.
- Drops legacy BIOS boot
- Adds an EFI boot entry builder script.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
Co-authored-by: Yaroslav Bolyukin <iam@lach.pw>
@SigmaSquadron
Copy link
Contributor Author

SigmaSquadron commented Sep 18, 2024

Changes addressed, except for the removal of the footgun assertions.

emilazy
emilazy approved these changes Sep 18, 2024
View reviewed changes
Copy link
Member

@emilazy emilazy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! Any further improvements can be handled in future PRs. Thanks for all the work you’ve put into this.

@ofborg test simple

(just to make sure that NixOS eval is okay)

@SigmaSquadron SigmaSquadron added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Sep 18, 2024
@SigmaSquadron
Copy link
Contributor Author

SigmaSquadron commented Sep 18, 2024

The simple test has passed!

@emilazy emilazy merged commit 5320e21 into NixOS:master Sep 18, 2024
@SigmaSquadron SigmaSquadron deleted the xen-module branch September 18, 2024 22:23
@SigmaSquadron
Copy link
Contributor Author

SigmaSquadron commented Sep 18, 2024

A sincere thank you to everyone who has helped in this Xen endeavour!

@CertainLach, @hehongbo, @digitalrayne, @radhus and @matdibu, I've sent everyone who has been involved in these Xen PRs an email which may be of interest to you. Let me know what you think!

(If you haven't received it, then I did a terrible job finding your address. Please do tell me if that's the case.)

@hehongbo hehongbo mentioned this pull request Sep 21, 2024
Closed
@SigmaSquadron SigmaSquadron added the 6.topic: xen-project Issues and PRs related to the Xen Project Hypervisor. label Sep 25, 2024
CertainLach added a commit to CertainLach/lanzaboote that referenced this pull request Nov 11, 2024
@CertainLach
feat: parse bootspec xen extension
347536a 
As defined in NixOS/nixpkgs#324911
CertainLach added a commit to CertainLach/lanzaboote that referenced this pull request Jan 17, 2025
@CertainLach
feat: parse bootspec xen extension
b7d572f 
As defined in NixOS/nixpkgs#324911
CertainLach added a commit to CertainLach/lanzaboote that referenced this pull request Jan 17, 2025
@CertainLach
feat: parse bootspec xen extension
a9bbde1 
As defined in NixOS/nixpkgs#324911
CertainLach added a commit to CertainLach/lanzaboote that referenced this pull request Feb 5, 2025
@CertainLach
feat: parse bootspec xen extension
5512b16 
As defined in NixOS/nixpkgs#324911
@SigmaSquadron SigmaSquadron mentioned this pull request Aug 9, 2025
Closed
CertainLach added a commit to CertainLach/lanzaboote that referenced this pull request Jan 7, 2026
@CertainLach
feat: parse bootspec xen extension
626501d 
As defined in NixOS/nixpkgs#324911
CertainLach added a commit to CertainLach/lanzaboote that referenced this pull request Jan 7, 2026
@CertainLach
feat: parse bootspec xen extension
a884665 
As defined in NixOS/nixpkgs#324911
andre4ik3 pushed a commit to andre4ik3/lanzaboote that referenced this pull request Mar 1, 2026
@CertainLach @andre4ik3
feat: parse bootspec xen extension
fd2ee26 
As defined in NixOS/nixpkgs#324911
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@emilazy emilazy emilazy approved these changes

@JulienMalka JulienMalka JulienMalka left review comments

+4 more reviewers

@hehongbo hehongbo hehongbo left review comments

@radhus radhus radhus left review comments

@Kreyren Kreyren Kreyren requested changes

@CertainLach CertainLach CertainLach approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: xen-project Issues and PRs related to the Xen Project Hypervisor. 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 2 This PR was reviewed and approved by two persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Xen doesn't work Xen does not build on EFI systems, deprecated checks being performed

10 participants

@SigmaSquadron @Kreyren @emilazy @digitalrane @JulienMalka @hehongbo @CertainLach @nixos-discourse @radhus @wegank