Closed romner-set closed 3 months ago
To poke at the underlying issue, could you experiment with virtiofsd flags --no-announce-submounts
, --cache
, --no-readdirplus
, --inode-file-handles
? The last one is already implemented as option microvm.virtiofsd.inodeFileHandles in the host module.
You can build with a local microvm.nix checkout using nix ... --override-input microvm git+file:///...
Apologies for not responding earlier, but I've just tried a few things (--no-announce-submounts --no-readdirplus
, --cache=always
, --inode-file-handles=mandatory
and combinations thereof) and none of those made any discernible difference.
I did however find sops-nix's keepGenerations
option, and setting that to 0 (i.e. stopping sops-nix from ever removing old generations in /run/secrets.d/
) seems to have fixed the issue completely, even though the shares still point to the /run/secrets
symlink. It does cause a minor memory leak of sorts since each nixos-rebuild switch
adds a new (in my case) ~100kB dir into RAM, but it's quite manageable.
I think the problem may be that virtiofsd reads the /run/secrets
symlink and gets pointed to e.g. /run/secrets.d/3
, which is what it then actually shares with the guest, and once sops-nix makes /run/secrets
point to /run/secrets.d/4
and deletes /3
, virtiofsd doesn't re-read the symlink and still tries to share /run/secrets.d/3
.
Thank you for posting a workaround! I've added a blurb to the FAQ in 917b08d. Feel free to open a PR if you think that additional details should be mentioned.
Title. When mounting
sops-nix
secrets in VMs, rebuilding the system config remounts them on the host which makes the mounted dir appear empty on the guest. It wouldn't be an issue if it only happened on manual changes, but auto-updates also trigger this...I don't think it's an inherent issue in microvm.nix, I'm just looking for solutions and I think this is the best place to ask. So far I came up with:
sops-nix
'srestartUnits
optionsops-nix
not remount anything if the secrets aren't changed, not sure how practical this is as it seems to use a generations-like system where each rebuild makes a whole new dir in /run/secrets.d/3 or 4 would likely be the best solutions, though I'm not sure how hard either would be to implement. Any other ideas?