From 9bab95bab70d46a19a63a1659f6888b5e669b3ea Mon Sep 17 00:00:00 2001
From: "Janik H."
Date: Sat, 21 Sep 2024 03:30:19 +0200
Subject: [PATCH] fix(builders/netboot): make "normal" evaluation pass
Without this patch running `colmena build` will run into a few assertion errors for machines that have `config.bagel.baremetal.builders.netboot == true` set. This is due to an assertion check in the initrd module making sure there is a mount point for `/`. This can be trivially fixed by just setting the mount point to the real world value, which is a tmpfs with 64GB assigned. We also set `deployment.targetHost` to a domain that will never resolve in the public internet, to make sure nobody applies these machines by hand. It would have been nice to throw a error whenever `colmena apply` gets executed for one of these hosts, but doing so would defeat the purpose of this patch, because the colmena `build` and `apply` argument both evaluate the exact same code paths and thus colmena `build` would error again. The motivation behind this was, so we could run `colmena build` in CI in the future, and to not scare of new contributors with random build failures when they first try to build the machines. The proper solution would be to exclude all the network booted builders from the regular colmena hive that is exposed to the cli, but this is too many yaks to shave for now.
---
services/baremetal-builder/default.nix | 2 +-
services/baremetal-builder/netboot.nix | 13 +++++++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/services/baremetal-builder/default.nix b/services/baremetal-builder/default.nix
index fd9075a..418fa9f 100644
--- a/services/baremetal-builder/default.nix
+++ b/services/baremetal-builder/default.nix
@@ -135,7 +135,7 @@ in { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; } ]; networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; }; - deployment.targetHost = "2a01:584:11::1:${toString cfg.num}"; + deployment.targetHost = lib.mkIf (!cfg.netboot) "2a01:584:11::1:${toString cfg.num}"; deployment.tags = [ "builders" ]; # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568 diff --git a/services/baremetal-builder/netboot.nix b/services/baremetal-builder/netboot.nix index 4f6782d..51b7381 100644 --- a/services/baremetal-builder/netboot.nix +++ b/services/baremetal-builder/netboot.nix @@ -21,13 +21,22 @@ in ''; }; + # machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting + deployment.targetUser = "invalid.example.com"; + # fixes initrd eval warning, and allows `colmena build` to succed + fileSystems."/" = { + device = "none"; + fsType = "tmpfs"; + options = [ "defaults" "size=64G" "mode=755" ]; + }; + system.build = { # Build a kernel and initramfs which will download the IPXE script from hydra using # u-root pxeboot tool and kexec into the final netbooted system. notipxe = import (modulesPath + "/..") { system = "x86_64-linux"; - configuration = + configuration = { pkgs, config, ... }: { @@ -57,7 +66,7 @@ in script = '' ln -sf /dev/console /dev/tty until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done - ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe + ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe ''; }; boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
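Review bot: Withholding `deployment.targetHost` with `lib.mkIf (!cfg.netboot)` does not make a netboot builder undeployable on its own: when targetHost is unset, colmena's documented default is the node's attribute name, so `colmena apply` on one of these nodes would presumably still try to SSH to whatever that name resolves to. If the intent is the never-resolving host the commit message describes, pin it here for the netboot case rather than leaving the default in play, e.g. `deployment.targetHost = if cfg.netboot then "invalid.example.com" else "2a01:584:11::1:${toString cfg.num}";`. A why-comment on the line would also spare the next reader a trip to the commit log: `# netboot builders are re-imaged by rebooting, never deployed over SSH; see netboot.nix`. The enclosing attribute set starts and ends outside the hunk.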
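Review bot: The guard against hand-applying netboot nodes is placed on `deployment.targetUser`, not on `deployment.targetHost` as the commit message states; a domain-like value in the SSH user field only makes authentication fail, while the host colmena connects to is decided elsewhere (with targetHost unset in default.nix it presumably falls back to the node name), so this is a weaker and less obvious barrier than described. If the goal is a connection that can never be established, the host is the field to pin — `deployment.targetHost = "invalid.example.com";` — and the comment above it should name the mechanism rather than just the policy. The two new comments also carry typos, `appliying` → `applying` and `succed` → `succeed`, and the second one says "eval warning" where the commit message describes an assertion failure; `# satisfies the initrd module's assertion that "/" has a mount point (mirrors the real 64G tmpfs root) so colmena build evaluates` would match the actual reason. The enclosing module body starts and ends outside the hunk.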