[Fix GCP plugin] Introduce public GCE Bootstrap Image

[tewfik-ghariani]

Background

After reading some docs related to running NixOs on GCE, I've seen that we currently have to bootstrap our own image from an object publicly shared in GS according to this : https://nixos.wiki/wiki/Install_NixOS_on_GCE

And at this time, the nixops-gcp plugin is deemed broken specifically due to this particular 'bootstrap-image' resource

Proposed Solution

However, according to the GCP docs, we can actually just bake some images in a given GCP account, and then make the images public. https://cloud.google.com/compute/docs/images/managing-access-custom-images#share-images-publicly

Even better, we may create image families to allow better flexibility to manage single images. No need to specify the machine name per say but just the family. And under the hood, the maintainer may deprecate old ones and keep the 'latest' up-to-date.

Validation

I started by testing the whole scenario using gcloud commands and it worked like a charm!

Building an image from source

$ gcloud compute images create nixos-18091228a4c4cbb613c-x86-64-linux  \
              --source-uri gs://nixos-cloud-images/nixos-image-18.09.1228.a4c4cbb613c-x86_64-linux.raw.tar.gz \
              --family=nixos-1809

Making the image public

$ gcloud compute images  add-iam-policy-binding nixos-18091228a4c4cbb613c-x86-64-linux \
             --member='allAuthenticatedUsers'                                                                              \
             --role='roles/compute.imageUser' 

And then that image may be used publicly so that all nixops users won't have the need to provision their own 'bootstrap-image' resource for every deployment.

$ gcloud compute instances create test-nixos-18  \
             --image-family=nixos-1809                        \
             --zone=europe-west1-c                             \
             --image-project=predictix-operations

Implementation

Implemented the change described above in this codebase and the gce plugins should be working fine now.

The way it works

• Extract the public image based on family name and project
• Create a volume out of that image [ No need to copy it in every deployment]
• Proceed naturally and use that volume as bootDisk

A summary of what has been achieved overall

• Deprecated the automatic provisioning of gce-image resource.
• Introduced bootstrap images as public image families.
• Added 'publicImageProject' option for blockDeviceMapping and gceDisk to specify the project from which publicly available image families are retrieved from.
• Controlled the exceptions and error messages

Small Additions

• Display GCE volume size in 'nixops-info'
• Remove Uniqueness condition on fileSystemsOption
• Update some GCP documentation links

ToDo

• Update the 'image-family' to point to the 'gce-images.nix' file under nixpkgs

  image-family = import ./gce-images.nix;
  # To be changed to
  # image-family = import <nixpkgs/nixos/modules/virtualisation/gce-images.nix>;

• Prepare the images in the nixOs GCP account : https://github.com/NixOS/nixos-org-configurations/issues/110
• Update the 'project' variable in the 'gce-images.nix'

---

Please let me know what do you think about this. If you have any suggestions or recommendations, feel free to share them. cc @PsyanticY @AmineChikhaoui

cc @rbvermaa Can we consider this as part of https://github.com/NixOS/nixpkgs/issues/6991

[adisbladis]

@AmineChikhaoui Could you check this PR?

[tewfik-ghariani]

Hello again :))

As a result of the meeting with @AmineChikhaoui and based on his remarks, updated the code in a way to make it more intuitive to create root disks or separate disks from a public image.

The usage syntax shall be as simple as the following :

machine = {
  deployment.gce = {
    bootstrapImage = {    
      name = "base-image-bootstrap";
      family = null;
      project = "nixos-org";
    };
  };
}

resources.gceDisks.main-volume = {
  image = {
    name = null;
    family = "super-family";
    project = "another-project";
  };
};

I've completed my work based on the new changes related to types and options per #7

Change log

• Added an example of Machines + GCE Disks.
• Introduced imageOptions and defined it as submodule.

  The imageOptions contains the following :

  • image : either image-resource or the name of an existing image
  • family : the image family to be used
  • project : the parent project containing the image/imageFamily

Note that we have to specify either name or family. Default value = {} Then adjusted the image option to inherit from the imageOptions submodule in

• gceDiskOptions in gce.nix
• gce-disk.nix Finally, updated the bootstrapImage gce option accordingly
• Created a new common retrieve_gce_image method to fetch the GCENodeImage object.
• Removed the publicImageProject attribute
• Upgraded libcloud
• Ignored libcloud mypy annotations

Full list of changes : https://github.com/nix-community/nixops-gce/compare/master...tewfik-ghariani:gcp-plugin

cc @AmineChikhaoui , @adisbladis can you review please? Or do you prefer if I create a new PR?

[tewfik-ghariani]

For some reason, the changes are no longer visible and the commit log has gotten confusing. Maybe it's because the second PR containing the original changes was already merged and this branch was re-based of master

In any case, I will be closing this PR and creating a new one

Cheers :))

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixops-flake-gce/22355/2