70 lines
2.3 KiB
Plaintext
70 lines
2.3 KiB
Plaintext
|
startup=0
|
||
|
gpu_passthrough_intel=1
|
||
|
gpu_passthrough_nvidia=0
|
||
|
|
||
|
# Use macvlan networking to provide an isolated network namespace,
|
||
|
# so incus can manage firewall rules
|
||
|
# Alternatively use --network-bridge=br1 instead of --network-macvlan
|
||
|
# Ensure to change eno1/br1 to the interface name you want to use
|
||
|
# You may want to add additional options here, e.g. bind mounts
|
||
|
# TODO: don't use --capability=all but specify only the required capabilities
|
||
|
systemd_nspawn_user_args=--network-macvlan=eno1
|
||
|
--resolv-conf=bind-host
|
||
|
--capability=all
|
||
|
--bind=/dev/fuse
|
||
|
--bind=/dev/kvm
|
||
|
--bind=/dev/vsock
|
||
|
--bind=/dev/vhost-vsock
|
||
|
|
||
|
# Script to run on the HOST before starting the jail
|
||
|
# Load kernel module and config kernel settings required for incus
|
||
|
pre_start_hook=#!/usr/bin/bash
|
||
|
echo 'PRE_START_HOOK'
|
||
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||
|
modprobe br_netfilter
|
||
|
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
|
||
|
echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
|
||
|
modprobe vhost_vsock
|
||
|
|
||
|
# Install incus according to:
|
||
|
# https://github.com/zabbly/incus#installation
|
||
|
# NOTE: this script will run in the host networking namespace and ignores
|
||
|
# all systemd_nspawn_user_args such as bind mounts
|
||
|
initial_setup=#!/usr/bin/bash
|
||
|
mkdir -p /etc/apt/keyrings/
|
||
|
curl -fsSL https://pkgs.zabbly.com/key.asc -o /etc/apt/keyrings/zabbly.asc
|
||
|
sh -c 'cat <<EOF > /etc/apt/sources.list.d/zabbly-incus-stable.sources
|
||
|
Enabled: yes
|
||
|
Types: deb
|
||
|
URIs: https://pkgs.zabbly.com/incus/stable
|
||
|
Suites: $(. /etc/os-release && echo ${VERSION_CODENAME})
|
||
|
Components: main
|
||
|
Architectures: $(dpkg --print-architecture)
|
||
|
Signed-By: /etc/apt/keyrings/zabbly.asc
|
||
|
|
||
|
EOF'
|
||
|
apt-get update
|
||
|
apt-get -y install incus incus-ui-canonical
|
||
|
|
||
|
# You generally will not need to change the options below
|
||
|
systemd_run_default_args=--property=KillMode=mixed
|
||
|
--property=Type=notify
|
||
|
--property=RestartForceExitStatus=133
|
||
|
--property=SuccessExitStatus=133
|
||
|
--property=Delegate=yes
|
||
|
--property=TasksMax=infinity
|
||
|
--collect
|
||
|
--setenv=SYSTEMD_NSPAWN_LOCK=0
|
||
|
# TODO: check if the below 2 are required
|
||
|
# --setenv=SYSTEMD_SECCOMP=0
|
||
|
# --property=DevicePolicy=auto
|
||
|
# TODO: add and use privileged flag?
|
||
|
|
||
|
systemd_nspawn_default_args=--keep-unit
|
||
|
--quiet
|
||
|
--boot
|
||
|
--bind-ro=/sys/module
|
||
|
--inaccessible=/sys/module/apparmor
|
||
|
|
||
|
# Used by jlmkr create
|
||
|
initial_rootfs_image=debian bookworm
|