3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

169 lines
5.7 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.virtualisation.virtualbox.host;
virtualbox = cfg.package.override {
inherit (cfg) enableHardening headless enableWebService;
extensionPack = if cfg.enableExtensionPack then pkgs.virtualboxExtpack else null;
};
kernelModules = config.boot.kernelPackages.virtualbox.override {
inherit virtualbox;
};
in
{
options.virtualisation.virtualbox.host = {
enable = mkEnableOption "VirtualBox" // {
description = ''
Whether to enable VirtualBox.
<note><para>
In order to pass USB devices from the host to the guests, the user
needs to be in the <literal>vboxusers</literal> group.
</para></note>
'';
};
enableExtensionPack = mkEnableOption "VirtualBox extension pack" // {
description = ''
Whether to install the Oracle Extension Pack for VirtualBox.
<important><para>
You must set <literal>nixpkgs.config.allowUnfree = true</literal> in
order to use this. This requires you accept the VirtualBox PUEL.
</para></important>
'';
};
package = mkOption {
type = types.package;
default = pkgs.virtualbox;
defaultText = literalExpression "pkgs.virtualbox";
description = ''
Which VirtualBox package to use.
'';
};
addNetworkInterface = mkOption {
type = types.bool;
default = true;
description = ''
Automatically set up a vboxnet0 host-only network interface.
'';
};
enableHardening = mkOption {
type = types.bool;
default = true;
description = ''
Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
<important><para>
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
</para></important>
'';
};
headless = mkOption {
type = types.bool;
default = false;
description = ''
Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
and when virtual machines are controlled only via SSH.
'';
};
enableWebService = mkOption {
type = types.bool;
default = false;
description = ''
Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.
'';
};
};
config = mkIf cfg.enable (mkMerge [{
warnings = mkIf (config.nixpkgs.config.virtualbox.enableExtensionPack or false)
["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"];
boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
boot.extraModulePackages = [ kernelModules ];
environment.systemPackages = [ virtualbox ];
2017-01-29 07:58:12 +00:00
security.wrappers = let
mkSuid = program: {
source = "${virtualbox}/libexec/virtualbox/${program}";
owner = "root";
group = "vboxusers";
setuid = true;
};
in mkIf cfg.enableHardening
(builtins.listToAttrs (map (x: { name = x; value = mkSuid x; }) [
"VBoxHeadless"
"VBoxNetAdpCtl"
"VBoxNetDHCP"
"VBoxNetNAT"
"VBoxSDL"
"VBoxVolInfo"
virtualbox: 5.2.28 -> 6.0.6 Quite some fixing was needed to get this to work. Changes in VirtualBox and additions: - VirtualBox is no longer officially supported on 32-bit hosts so i686-linux is removed from platforms for VirtualBox and the extension pack. 32-bit additions still work. - There was a refactoring of kernel module makefiles and two resulting bugs affected us which had to be patched. These bugs were reported to the bug tracker (see comments near patches). - The Qt5X11Extras makefile patch broke. Fixed it to apply again, making the libraries logic simpler and more correct (it just uses a different base path instead of always linking to Qt5X11Extras). - Added a patch to remove "test1" and "test2" kernel messages due to forgotten debugging code. - virtualbox-host NixOS module: the VirtualBoxVM executable should be setuid not VirtualBox. This matches how the official installer sets it up. - Additions: replaced a for loop for installing kernel modules with just a "make install", which seems to work without any of the things done in the previous code. - Additions: The package defined buildCommand which resulted in phases not running, including RUNPATH stripping in fixupPhase, and installPhase was defined which was not even run. Fixed this by refactoring using phases. Had to set dontStrip otherwise binaries were broken by stripping. The libdbus path had to be added later in fixupPhase because it is used via dlopen not directly linked. - Additions: Added zlib and libc to patchelf, otherwise runtime library errors result from some binaries. For some reason the missing libc only manifested itself for mount.vboxsf when included in the initrd. Changes in nixos/tests/virtualbox: - Update the simple-gui test to send the right keys to start the VM. With VirtualBox 5 it was enough to just send "return", but with 6 the Tools thing may be selected by default. Send "home" to reliably select Tools, "down" to move to the VM and "return" to start it. - Disable the VirtualBox UART by default because it causes a crash due to a regression in VirtualBox (specific to software virtualization and serial port usage). It can still be enabled using an option but there is an assert that KVM nested virtualization is enabled, which works around the problem (see below). - Add an option to enable nested KVM virtualization, allowing VirtualBox to use hardware virtualization. This works around the UART problem and also allows using 64-bit guests, but requires a kernel module parameter. - Add an option to run 64-bit guests. Tested that the tests pass with that. As mentioned this requires KVM nested virtualization.
2019-05-04 15:18:39 +01:00
"VirtualBoxVM"
]));
users.groups.vboxusers.gid = config.ids.gids.vboxusers;
services.udev.extraRules =
''
KERNEL=="vboxdrv", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
KERNEL=="vboxdrvu", OWNER="root", GROUP="root", MODE="0666", TAG+="systemd"
KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
'';
2017-01-29 04:48:03 +00:00
# Since we lack the right setuid/setcap binaries, set up a host-only network by default.
} (mkIf cfg.addNetworkInterface {
2019-08-13 22:52:01 +01:00
systemd.services.vboxnet0 =
{ description = "VirtualBox vboxnet0 Interface";
requires = [ "dev-vboxnetctl.device" ];
after = [ "dev-vboxnetctl.device" ];
wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
path = [ virtualbox ];
serviceConfig.RemainAfterExit = true;
serviceConfig.Type = "oneshot";
serviceConfig.PrivateTmp = true;
environment.VBOX_USER_HOME = "/tmp";
script =
''
if ! [ -e /sys/class/net/vboxnet0 ]; then
VBoxManage hostonlyif create
cat /tmp/VBoxSVC.log >&2
fi
'';
postStop =
''
VBoxManage hostonlyif remove vboxnet0
'';
};
networking.interfaces.vboxnet0.ipv4.addresses = [{ address = "192.168.56.1"; prefixLength = 24; }];
# Make sure NetworkManager won't assume this interface being up
# means we have internet access.
networking.networkmanager.unmanaged = ["vboxnet0"];
}) (mkIf config.networking.useNetworkd {
systemd.network.networks."40-vboxnet0".extraConfig = ''
[Link]
RequiredForOnline=no
'';
})
]);
}