fix(builders/netboot): make "normal" evaluation pass

Without this patch running `colmena build` will run into a few assertion errors for machines that have `config.bagel.baremetal.builders.netboot == true` set. This is due to an assertion check in the initrd module making sure there is a mount point for `/`. This can be trivially fixed by just setting the mount point to the real world value, which is a tmpfs with 64GB assigned. We also set `deployment.targetHost` to a domain that will never resolve in the public internet, to make sure nobody applies these machines by hand. It would have been nice to throw a error whenever `colmena apply` gets executed for one of these hosts, but doing so would defeat the purpose of this patch, because the colmena `build` and `apply` argument both evaluate the exact same code paths and thus colmena `build` would error again. The motivation behind this was, so we could run `colmena build` in CI in the future, and to not scare of new contributors with random build failures when they first try to build the machines. The proper solution would be to exclude all the network booted builders from the regular colmena hive that is exposed to the cli, but this is too many yaks to shave for now.
2024-09-21 03:30:19 +02:00 · 2024-09-21 03:30:19 +02:00 · 464a726664
parent e3b6cb72b4
commit 464a726664
2 changed files with 12 additions and 3 deletions
--- a/services/baremetal-builder/default.nix
+++ b/services/baremetal-builder/default.nix
@ -135,7 +135,7 @@ in
      { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
    ];
    networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
-    deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
+    deployment.targetHost = lib.mkIf (!cfg.netboot) "2a01:584:11::1:${toString cfg.num}";
    deployment.tags = [ "builders" ];

    # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568
--- a/services/baremetal-builder/netboot.nix
+++ b/services/baremetal-builder/netboot.nix
@ -21,13 +21,22 @@ in
      '';
    };

+    # machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting
+    deployment.targetHost = "invalid.example.com";
+    # fixes initrd eval warning, and allows `colmena build` to succed
+    fileSystems."/" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=64G" "mode=755" ];
+    };
+
    system.build = {

      # Build a kernel and initramfs which will download the IPXE script from hydra using
      # u-root pxeboot tool and kexec into the final netbooted system.
      notipxe = import (modulesPath + "/..") {
        system = "x86_64-linux";
-        configuration = 
+        configuration =
          { pkgs, config, ... }:

          {
@ -57,7 +66,7 @@ in
              script = ''
                ln -sf /dev/console /dev/tty
                until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done
-                ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe 
+                ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe
              '';
            };
            boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";