
amazon-image: fetch metadata only in stage-2

This also removes automatic enablement/mounting of instance store swap
devices and ext3 filesystems. This behaviour is strongly opinionated
and shouldn't be enabled by default.

The unionfs behaviour never took effect anyway, because the AMI
manifest path only exists for instance store-backed AMIs, which have
not been supported by nixpkgs since
84742e22934d697e0476fab5a6c8886723ff92ef (2019).

+54 -71
+35 -1
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
··· 30 30 </section> 31 31 <section xml:id="sec-release-23.05-incompatibilities"> 32 32 <title>Backward Incompatibilities</title> 33 - <itemizedlist spacing="compact"> 33 + <itemizedlist> 34 34 <listitem> 35 35 <para> 36 36 <literal>carnix</literal> and <literal>cratesIO</literal> has ··· 40 40 and 41 41 <link xlink:href="https://github.com/kolloch/crate2nix">crate2nix</link> 42 42 instead. 43 + </para> 44 + </listitem> 45 + <listitem> 46 + <para> 47 + The EC2 image module no longer fetches instance metadata in 48 + stage-1. This results in a significantly smaller initramfs, 49 + since network drivers no longer need to be included, and 50 + faster boots, since metadata fetching can happen in parallel 51 + with startup of other services. This breaks services which 52 + rely on metadata being present by the time stage-2 is entered. 53 + Anything which reads EC2 metadata from 54 + <literal>/etc/ec2-metadata</literal> should now have an 55 + <literal>after</literal> dependency on 56 + <literal>fetch-ec2-metadata.service</literal> 57 + </para> 58 + </listitem> 59 + <listitem> 60 + <para> 61 + The EC2 image module previously detected and automatically 62 + mounted ext3-formatted instance store devices and partitions 63 + in stage-1 (initramfs), storing <literal>/tmp</literal> on the 64 + first discovered device. This behaviour, which only catered to 65 + very specific use cases and could not be disabled, has been 66 + removed. Users relying on this should provide their own 67 + implementation, and probably use ext4 and perform the mount in 68 + stage-2. 69 + </para> 70 + </listitem> 71 + <listitem> 72 + <para> 73 + The EC2 image module previously detected and activated 74 + swap-formatted instance store devices and partitions in 75 + stage-1 (initramfs). This behaviour has been removed. Users 76 + relying on this should provide their own implementation. 43 77 </para> 44 78 </listitem> 45 79 </itemizedlist>
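Review bot: This file is generated from rl-2305.section.md (the `from_md` path), so the missing full stop after `<literal>fetch-ec2-metadata.service</literal>` in the first new `<listitem>` should be fixed in the Markdown source and the XML regenerated, not patched by hand here. The switch from `<itemizedlist spacing="compact">` to `<itemizedlist>` looks like generator output caused by the blank lines now separating the items and is fine as long as it came from the generator.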
+7
nixos/doc/manual/release-notes/rl-2305.section.md
··· 22 22 23 23 - `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead. 24 24 25 + - The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. 26 + This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service` 27 + 28 + - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. 29 + 30 + - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. 31 + 25 32 ## Other Notable Changes {#sec-release-23.05-notable-changes} 26 33 27 34 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
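Review bot: The first new bullet ends without a period after `fetch-ec2-metadata.service`, and the advice in it is incomplete: in systemd, `after` is ordering only and does not pull the fetcher into the transaction, so a consumer started outside the boot transaction (for example a `systemctl restart` later on) would not wait for anything. Suggest wording it as "should now have `wants` and `after` dependencies on `fetch-ec2-metadata.service`." so readers add both.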
+11 -70
nixos/modules/virtualisation/amazon-image.nix
··· 10 10 11 11 let 12 12 cfg = config.ec2; 13 - metadataFetcher = import ./ec2-metadata-fetcher.nix { 14 - inherit (pkgs) curl; 15 - targetRoot = "$targetRoot/"; 16 - wgetExtraOptions = "-q"; 17 - }; 18 13 in 19 14 20 15 { ··· 58 53 boot.extraModulePackages = [ 59 54 config.boot.kernelPackages.ena 60 55 ]; 61 - boot.initrd.kernelModules = [ "xen-blkfront" "xen-netfront" ]; 62 - boot.initrd.availableKernelModules = [ "ixgbevf" "ena" "nvme" ]; 56 + boot.initrd.kernelModules = [ "xen-blkfront" ]; 57 + boot.initrd.availableKernelModules = [ "nvme" ]; 63 58 boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; 64 59 65 60 # Prevent the nouveau kernel module from being loaded, as it ··· 78 73 terminal_input console serial 79 74 ''; 80 75 81 - boot.initrd.network.enable = true; 82 - 83 - # Mount all formatted ephemeral disks and activate all swap devices. 84 - # We cannot do this with the ‘fileSystems’ and ‘swapDevices’ options 85 - # because the set of devices is dependent on the instance type 86 - # (e.g. "m1.small" has one ephemeral filesystem and one swap device, 87 - # while "m1.large" has two ephemeral filesystems and no swap 88 - # devices). Also, put /tmp and /var on /disk0, since it has a lot 89 - # more space than the root device. Similarly, "move" /nix to /disk0 90 - # by layering a unionfs-fuse mount on top of it so we have a lot more space for 91 - # Nix operations. 92 - boot.initrd.postMountCommands = 93 - '' 94 - ${metadataFetcher} 95 - 96 - diskNr=0 97 - diskForUnionfs= 98 - for device in /dev/xvd[abcde]*; do 99 - if [ "$device" = /dev/xvda -o "$device" = /dev/xvda1 ]; then continue; fi 100 - fsType=$(blkid -o value -s TYPE "$device" || true) 101 - if [ "$fsType" = swap ]; then 102 - echo "activating swap device $device..." 
103 - swapon "$device" || true 104 - elif [ "$fsType" = ext3 ]; then 105 - mp="/disk$diskNr" 106 - diskNr=$((diskNr + 1)) 107 - if mountFS "$device" "$mp" "" ext3; then 108 - if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi 109 - fi 110 - else 111 - echo "skipping unknown device type $device" 112 - fi 113 - done 114 - 115 - if [ -n "$diskForUnionfs" ]; then 116 - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root 117 - 118 - mkdir -m 1777 -p $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp 119 - mount --bind $targetRoot/$diskForUnionfs/root/tmp $targetRoot/tmp 120 - 121 - if [ "$(cat "$metaDir/ami-manifest-path")" != "(unknown)" ]; then 122 - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/var $targetRoot/var 123 - mount --bind $targetRoot/$diskForUnionfs/root/var $targetRoot/var 124 - 125 - mkdir -p /unionfs-chroot/ro-nix 126 - mount --rbind $targetRoot/nix /unionfs-chroot/ro-nix 127 - 128 - mkdir -m 755 -p $targetRoot/$diskForUnionfs/root/nix 129 - mkdir -p /unionfs-chroot/rw-nix 130 - mount --rbind $targetRoot/$diskForUnionfs/root/nix /unionfs-chroot/rw-nix 131 - 132 - unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-nix=RW:/ro-nix=RO $targetRoot/nix 133 - fi 134 - fi 135 - ''; 136 - 137 - boot.initrd.extraUtilsCommands = 138 - '' 139 - # We need swapon in the initrd. 140 - copy_bin_and_libs ${pkgs.util-linux}/sbin/swapon 141 - ''; 76 + systemd.services.fetch-ec2-metadata = { 77 + wantedBy = [ "multi-user.target" ]; 78 + path = [ pkgs.wget ]; 79 + script = pkgs.callPackage ./ec2-metadata-fetcher.nix { 80 + targetRoot = "/"; 81 + wgetExtraOptions = ""; 82 + }; 83 + serviceConfig.Type = "oneshot"; 84 + }; 142 85 143 86 # Allow root logins only using the SSH key that the user specified 144 87 # at instance creation time. ··· 156 99 157 100 # Always include cryptsetup so that Charon can use it. 
158 101 environment.systemPackages = [ pkgs.cryptsetup ]; 159 - 160 - boot.initrd.supportedFilesystems = [ "unionfs-fuse" ]; 161 102 162 103 # EC2 has its own NTP server provided by the hypervisor 163 104 networking.timeServers = [ "169.254.169.123" ];
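Review bot: `systemd.services.fetch-ec2-metadata` has no ordering against the network: it is only `wantedBy = [ "multi-user.target" ]`, so with `boot.initrd.network.enable` gone (and `ena`/`ixgbevf` no longer in the initrd) it can start before any interface has an address, and the metadata fetch will fail unless the script retries, which nothing in this diff shows. Suggest `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` (or at minimum `after = [ "network.target" ]`). Also add `serviceConfig.RemainAfterExit = true;` so the oneshot stays active after a successful fetch and a later `wants`/`requires` from a consumer does not re-run it. Finally, the old call passed `curl` (`inherit (pkgs) curl`) while the new one puts `pkgs.wget` on `path` and passes `wgetExtraOptions = ""`; ec2-metadata-fetcher.nix is not part of this diff, so please confirm it only needs wget now and that nothing in it still assumes the initrd `$targetRoot/` convention, given `targetRoot = "/"`.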
+1
nixos/modules/virtualisation/ec2-data.nix
··· 18 18 19 19 wantedBy = [ "multi-user.target" "sshd.service" ]; 20 20 before = [ "sshd.service" ]; 21 + after = ["fetch-ec2-metadata.service"]; 21 22 22 23 path = [ pkgs.iproute2 ]; 23 24
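Review bot: `after = ["fetch-ec2-metadata.service"];` only orders the two units; since this service is `wantedBy` `sshd.service` and runs `before` it, restarting sshd after boot starts ec2-data without the fetcher being in the transaction, so the ordering has no effect in that case. Add `wants = [ "fetch-ec2-metadata.service" ];` next to `after`, and match the spacing of the surrounding list literals (`[ "fetch-ec2-metadata.service" ]`).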