the-distro/infra
9
0
Fork 5
Code Issues 39 Pull requests 8 Packages Projects 1 Releases Wiki Activity

fix(builders/netboot): make "normal" evaluation pass

Browse source 
Without this patch running `colmena build` will run into a few assertion
errors for machines that have `config.bagel.baremetal.builders.netboot == true`
set. This is due to an assertion check in the initrd module making sure
there is a mount point for `/`. This can be trivially fixed by just
setting the mount point to the real world value, which is a tmpfs with
64GB assigned.

We also set `deployment.targetHost` to a domain that will
never resolve in the public internet, to make sure nobody applies these
machines by hand. It would have been nice to throw a error whenever
`colmena apply` gets executed for one of these hosts, but doing so would
defeat the purpose of this patch, because the colmena `build` and `apply`
argument both evaluate the exact same code paths and thus colmena
`build` would error again.

The motivation behind this was, so we could run `colmena build` in CI
in the future, and to not scare of new contributors with random build
failures when they first try to build the machines.

The proper solution would be to exclude all the network booted builders
from the regular colmena hive that is exposed to the cli, but this is
too many yaks to shave for now.
This commit is contained in:
Janik Haag 2024-09-21 03:30:19 +02:00
parent c86cefe21f
commit cef88ec598
No known key found for this signature in database
2 changed files with 12 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
services/baremetal-builder/default.nix
View file

@ -135,7 +135,7 @@ in
{ address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; } { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
]; ];
networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; }; networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
deployment.targetHost = "2a01:584:11::1:${toString cfg.num}"; deployment.targetHost = lib.mkIf (!cfg.netboot) "2a01:584:11::1:${toString cfg.num}";
deployment.tags = [ "builders" ]; deployment.tags = [ "builders" ];
# Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568 # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568

13
services/baremetal-builder/netboot.nix
View file

@ -21,13 +21,22 @@ in
''; '';
}; };
# machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting
deployment.targetHost = "invalid.example.com";
# fixes initrd eval assertion error, and allows `colmena build` to succeed
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "defaults" "size=64G" "mode=755" ];
};
system.build = { system.build = {
# Build a kernel and initramfs which will download the IPXE script from hydra using # Build a kernel and initramfs which will download the IPXE script from hydra using
# u-root pxeboot tool and kexec into the final netbooted system. # u-root pxeboot tool and kexec into the final netbooted system.
notipxe = import (modulesPath + "/..") { notipxe = import (modulesPath + "/..") {
system = "x86_64-linux"; system = "x86_64-linux";
configuration = configuration =
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
@ -57,7 +66,7 @@ in
script = '' script = ''
ln -sf /dev/console /dev/tty ln -sf /dev/console /dev/tty
until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done
${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe
''; '';
}; };
boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";