Setting security.nesting "true" using a profile at instance creation

Greetings,

If I want to install nix-os shell into an ubuntu:focal container, I have to set security.nesting "true" to allow the install script to work (https://github.com/NixOS/nix/issues/2649).

I have tried using this profile to set up. Everything seems to work except setting security.nesting from the launch profile.

config:
  nvidia.driver.capabilities: compute, utility
  nvidia.runtime: "true"
  security.nesting: "true"
  user.user-data: |
    #cloud-config
    package_upgrade: true
    locale: en_AU.UTF-8
    timezone: Australia/Sydney
    ssh_authorized_keys:
       - ssh-rsa <...>
description: nix-shell profile
devices:
  gpu:
    type: gpu
name: nix-profile
used_by:
- /1.0/instances/j1

I can set lxc config set $c1 security.nesting true successfully from the command line. It is never set true from the launch profile.

% lxc launch ubuntu:focal --profile default --profile nix-profile j1

Help appreciated - thanks…

What’s the lxc config show --expanded j1 output?

Does lxc config get --expanded get you the right value?

Basically lxc config show and lxc config get without --expanded only show the local config of an instance, not the part of the config which was inherited from a profile.
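The local versus expanded distinction described above, as an added example that is not part of the original thread: a small audit that reports, per instance, whether security.nesting is effectively enabled and whether it comes from the instance's own config or from a profile. It assumes the instance objects carry the `config`, `expanded_config` and `profiles` fields as returned by `lxc list --format json`; the sample data and the helper names are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `lxc list --format json` output (not real data).
# "config" is the instance-local config; "expanded_config" is the result after
# the instance's profiles have been applied.
SAMPLE = """[
 {"name": "j1", "profiles": ["default", "nix-profile"],
  "config": {},
  "expanded_config": {"security.nesting": "true", "nvidia.runtime": "true"}},
 {"name": "c1", "profiles": ["default"],
  "config": {"security.nesting": "true"},
  "expanded_config": {"security.nesting": "true"}},
 {"name": "web", "profiles": ["default"],
  "config": {}, "expanded_config": {}}
]"""

def is_true(value):
    """LXD treats these strings (case-insensitive) as boolean true."""
    return str(value).lower() in ("true", "1", "yes", "on")

def audit_key(instances, key="security.nesting"):
    """Report the effective value of `key` per instance and where it comes from."""
    report = []
    for inst in instances:
        local = inst.get("config") or {}
        expanded = inst.get("expanded_config") or {}
        if key in local:
            source = "local"        # set with `lxc config set`; overrides profiles
        elif key in expanded:
            source = "profile"      # inherited; invisible without --expanded
        else:
            source = "unset"
        report.append({"name": inst["name"], "enabled": is_true(expanded.get(key, "")),
                       "source": source, "profiles": inst.get("profiles", [])})
    return report

def inherited_only(report):
    """Instances where the key is enabled but absent from the local config."""
    return [r["name"] for r in report if r["enabled"] and r["source"] == "profile"]

if __name__ == "__main__":
    # Pipe real data in with: lxc list --format json | python3 this_script.py
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for row in audit_key(json.loads(raw)):
        print(f'{row["name"]:<6} nesting={row["enabled"]!s:<5} source={row["source"]:<7} '
              f'profiles={",".join(row["profiles"])}')
```

Instances listed by `inherited_only` are the ones where a plain `lxc config get` shows nothing even though nesting is active.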

Hi Stephane,
Yes I do get the expected value when I use the --expanded option.
The nix install works fine in new instances created with my profile.
Thanks very much!

Now to struggle with nix configuration :)

–PG

% lxc config get j2 security.nesting --expanded
true