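# NixOS module running firecracker-containerd on top of a device-mapper thin
# pool whose data/metadata volumes are ZFS zvols. `extraConfig` is rendered to
# /etc/containerd/config.toml and `extraRuntimeConfig` to
# /etc/containerd/firecracker-runtime.json.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.firecracker-containerd;

  # Settings formats: `.generate` renders the file, `.type` gives the module
  # system a type that merges attrsets from several definitions and rejects
  # values the serializer cannot represent.
  tomlFormat = pkgs.formats.toml { };
  jsonFormat = pkgs.formats.json { };
  writeJson = jsonFormat.generate;
  writeToml = tomlFormat.generate;

  # Standalone VM config for `firecracker --no-api`, reusing the kernel and
  # root drive from the runtime config so both stay in sync.
  vmConfigBase = {
    boot-source = {
      inherit (cfg.extraRuntimeConfig) kernel_image_path;
      boot_args = cfg.extraRuntimeConfig.kernel_args;
    };
    drives = [{
      drive_id = "rootfs";
      path_on_host = cfg.extraRuntimeConfig.root_drive;
      is_root_device = true;
      is_read_only = true;
    }];
    machine-config = {
      vcpu_count = 2;
      mem_size_mib = 1024;
      ht_enabled = false;
    };
  };

  # Same VM config plus one tap-backed NIC; see the tap example below.
  vmConfigNet = vmConfigBase // {
    network-interfaces = [{
      iface_id = "eth0";
      guest_mac = "AA:FC:00:00:00:01";
      host_dev_name = "tap0";
    }];
  };

  devmapperDir = "/var/lib/firecracker-containerd/snapshotter/devmapper";
  socket = "/run/firecracker-containerd/containerd.sock";
  # The hostname is part of the pool name so the device-mapper name does not
  # collide with other thin pools on the same kernel.
  poolName = "fc-dev-thinpool-${config.networking.hostName}";

  # `firecracker-ctr` wrapper that always addresses our containerd socket.
  firecracker-ctr = pkgs.runCommandNoCC "firecracker-ctr"
    {
      buildInputs = [ pkgs.makeWrapper ];
    } ''
    makeWrapper ${pkgs.firecracker-ctr}/bin/firecracker-ctr $out/bin/firecracker-ctr \
      --add-flags "--address ${socket}"
  '';
in
{
  options.services.firecracker-containerd = {
    extraConfig = lib.mkOption {
      type = tomlFormat.type;
      default = { };
      description = "Extra configuration options for /etc/containerd/config.toml";
    };
    extraRuntimeConfig = lib.mkOption {
      type = jsonFormat.type;
      default = { };
      description = "Extra configuration options for /etc/containerd/firecracker-runtime.json";
    };
  };

  config = {
    # NOTE(review): /etc/containerd/config.toml is the path the stock
    # containerd looks at; defining the same /etc entry from another module
    # would conflict at evaluation time — confirm nothing else manages it.
    environment.etc."containerd/config.toml".source = writeToml "config.toml" cfg.extraConfig;
    # For testing: firecracker --no-api --config-file /etc/containerd/firecracker-vmconfig.json
    environment.etc."containerd/firecracker-vmconfig.json".source = writeJson "vmconfig.json" vmConfigBase;
    # Example network configuration
    # sudo ip tuntap add tap0 mode tap user $USER
    # sudo ip addr add 172.16.0.1/24 dev tap0
    # sudo ip link set tap0 up
    environment.etc."containerd/firecracker-vmconfig-net.json".source = writeJson "vmconfig-net.json" vmConfigNet;
    environment.etc."containerd/firecracker-runtime.json".source = writeJson "config.json" cfg.extraRuntimeConfig;

    environment.systemPackages = [
      firecracker-ctr
      pkgs.firecracker
    ];

    services.firecracker-containerd.extraConfig = {
      disabled_plugins = [ "cri" ];
      root = "/var/lib/firecracker-containerd/containerd";
      state = "/run/firecracker-containerd";
      grpc.address = socket;
      plugins.devmapper = {
        pool_name = poolName;
        base_image_size = "10GB";
        root_path = devmapperDir;
      };
      debug.level = "debug";
    };

    services.firecracker-containerd.extraRuntimeConfig = {
      firecracker_binary_path = "${pkgs.firecracker}/bin/firecracker";
      kernel_image_path = "${pkgs.firecracker-kernel}/vmlinux";
      kernel_args = "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules ro systemd.journald.forward_to_console systemd.unit=firecracker.target init=/sbin/overlay-init";
      root_drive = pkgs.firecracker-rootfs.override ({
        imageFilesystem = "ext4";
      });
      cpu_template = "";
      log_levels = [ "debug" ];
    };

    systemd.services.firecracker-containerd = {
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): preStart calls `zfs create` on the zroot pool, so the
      # unit also depends on that pool being imported — consider ordering
      # after the ZFS import target as well.
      after = [ "network.target" ];
      path = [
        pkgs.util-linux
        pkgs.firecracker
        pkgs.firecracker-containerd
        pkgs.lvm2
        pkgs.e2fsprogs
        pkgs.pigz
        # for runc
        pkgs.containerd
        pkgs.runc
      ];
      # Creates the backing zvols on first run and (re)loads the thin-pool
      # table into device-mapper before containerd starts.
      preStart = ''
        set -eux -o pipefail
        DATADEV="/dev/zvol/zroot/thinpool-data"
        METADEV="/dev/zvol/zroot/thinpool-metadata"
        # /dev/zvol/* entries are symlinks, hence the -L test.
        if [[ ! -L "$DATADEV" ]]; then
          ${pkgs.zfs}/bin/zfs create -V 100GB zroot/thinpool-data
        fi
        if [[ ! -L "$METADEV" ]]; then
          ${pkgs.zfs}/bin/zfs create -V 2GB zroot/thinpool-metadata
        fi
        SECTORSIZE=512
        DATASIZE="$(blockdev --getsize64 -q "$DATADEV")"
        # Bash arithmetic is 64-bit, so no external calculator is needed.
        LENGTH_SECTORS=$(( DATASIZE / SECTORSIZE ))
        DATA_BLOCK_SIZE=128
        LOW_WATER_MARK=32768
        THINP_TABLE="0 $LENGTH_SECTORS thin-pool $METADEV $DATADEV $DATA_BLOCK_SIZE $LOW_WATER_MARK 1 skip_block_zeroing"
        echo "$THINP_TABLE"
        # `reload` only succeeds when the pool device already exists; it then
        # stages the table without activating it (a changed table would still
        # need `dmsetup resume`). When it fails, the device is created instead.
        # The command is run directly rather than through `$(...)`, which would
        # have executed its (empty) output as the condition.
        if ! dmsetup reload "${poolName}" --table "$THINP_TABLE"; then
          dmsetup create "${poolName}" --table "$THINP_TABLE"
        fi
      '';
      serviceConfig.ExecStart = "${pkgs.firecracker-containerd}/bin/containerd --config /etc/containerd/config.toml";
    };
  };
}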