
lima-bin: init binary derivation at 0.14.2 #209171

Merged
merged 4 commits into from
Jan 27, 2023

Conversation

@tricktron (Member) commented Jan 5, 2023

Description of changes

Adds lima binary derivation.

Why?

Lima added support for Apple's Virtualization.framework aka vz in 0.14.0 which needs the apple sdk 13 to build it from source. In nixpkgs, we are currently on sdk 11 and I tried to make it work with sdk11 but failed. See #206285 (comment).

Instead, it makes more sense to provide the lima binary, which this pr does.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • [ ] Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@tricktron tricktron mentioned this pull request Jan 5, 2023
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Jan 5, 2023
@roblabla (Contributor) commented Jan 5, 2023

Should colima be updated to depend on lima-bin? It currently pulls lima, which doesn't support vz.

@tricktron (Member, Author)

@roblabla Yes, that is my plan.

@dhess (Contributor) commented Jan 5, 2023

Should colima be updated to depend on lima-bin? It currently pulls lima, which doesn't support vz.

Probably only on aarch64-darwin and x86_64-darwin, though. There's no reason for Linux users to prefer the binary version of lima.

@tricktron (Member, Author)

Probably only on aarch64-darwin and x86_64-darwin, though. There's no reason for Linux users to prefer the binary version of lima.

Good point. So should I then only provide darwin as binaries?

@jbgosselin (Contributor)

I think we can provide all available platforms as binaries. If users want to use them on linux they could override.

@tricktron (Member, Author)

@dennajort @roblabla @dhess
The pr is now ready for review.

@roblabla (Contributor) commented Jan 9, 2023

lima is complaining to not have the vz entitlements:

{"level":"fatal","msg":"Error Domain=VZErrorDomain Code=2 Description=\"Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement.\" UserInfo={\n    NSLocalizedFailure = \"Invalid virtual machine configuration.\";\n    NSLocalizedFailureReason = \"The process doesn\\U2019t have the \\U201ccom.apple.security.virtualization\\U201d entitlement.\";\n}","time":"2023-01-09T15:56:52+01:00"}

@dhess (Contributor) commented Jan 9, 2023

Are you using it via colima? If so, you need to replace the lima derivation that colima is using, as well.

I've ginned something up here in our overlay, and it works with vz in colima, which I've verified by creating --vmtype vz containers with colima 0.5.2:

https://github.com/hackworthltd/hacknix/blob/7bfc5c68c04f81f7cdef608eda668e1ed55832c1/nix/overlays/200-lima.nix

@tricktron (Member, Author)

lima is complaining to not have the vz entitlements:

{"level":"fatal","msg":"Error Domain=VZErrorDomain Code=2 Description=\"Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement.\" UserInfo={\n    NSLocalizedFailure = \"Invalid virtual machine configuration.\";\n    NSLocalizedFailureReason = \"The process doesn\\U2019t have the \\U201ccom.apple.security.virtualization\\U201d entitlement.\";\n}","time":"2023-01-09T15:56:52+01:00"}

@roblabla What command did you run?

@roblabla (Contributor) commented Jan 9, 2023

@roblabla What command did you run?

limactl start colima

I think I've found the source of the problem. If I add dontStrip = true; to the derivation, it works. I suppose strip is removing the entitlements from the binary.

@tricktron (Member, Author)

@roblabla I cannot reproduce this. Works on my machine:

result/bin/limactl start colima
INFO[0000] Using the existing instance "colima"
INFO[0000] [hostagent] Starting QEMU (hint: to watch the boot progress, see "/Users/tricktron/.lima/colima/serial.log")
INFO[0000] SSH Local Port: 61892
INFO[0000] [hostagent] Waiting for the essential requirement 1 of 5: "ssh"
INFO[0010] [hostagent] Waiting for the essential requirement 1 of 5: "ssh"
INFO[0020] [hostagent] Waiting for the essential requirement 1 of 5: "ssh"
INFO[0020] [hostagent] The essential requirement 1 of 5 is satisfied
INFO[0020] [hostagent] Waiting for the essential requirement 2 of 5: "user session is ready for ssh"
INFO[0020] [hostagent] The essential requirement 2 of 5 is satisfied
INFO[0020] [hostagent] Waiting for the essential requirement 3 of 5: "sshfs binary to be installed"
INFO[0020] [hostagent] The essential requirement 3 of 5 is satisfied
INFO[0020] [hostagent] Waiting for the essential requirement 4 of 5: "/etc/fuse.conf (/etc/fuse3.conf) to contain \"user_allow_other\""
INFO[0020] [hostagent] The essential requirement 4 of 5 is satisfied
INFO[0020] [hostagent] Waiting for the essential requirement 5 of 5: "the guest agent to be running"
INFO[0020] [hostagent] The essential requirement 5 of 5 is satisfied
INFO[0020] [hostagent] Mounting "/Users/tricktron" on "/Users/tricktron"
INFO[0020] [hostagent] Mounting "/tmp/colima" on "/tmp/colima"
INFO[0020] [hostagent] Waiting for the final requirement 1 of 1: "boot scripts must have finished"
INFO[0020] [hostagent] Forwarding "/var/run/docker.sock" (guest) to "/Users/tricktron/.colima/default/docker.sock" (host)
INFO[0020] [hostagent] Forwarding "/var/run/docker.sock" (guest) to "/Users/tricktron/.colima/docker.sock" (host)
INFO[0020] [hostagent] Forwarding "/run/lima-guestagent.sock" (guest) to "/Users/tricktron/.lima/colima/ga.sock" (host)
INFO[0021] [hostagent] The final requirement 1 of 1 is satisfied
INFO[0021] READY. Run `limactl shell colima` to open the shell.

@roblabla (Contributor) commented Jan 9, 2023

So I checked the .limactl-wrapped binary, and indeed, I can see that there are no entitlements embedded in the binary:

$ codesign -d --entitlements :- result-nostrip/bin/.limactl-wrapped
Executable=/nix/store/xhi9zmhwqjsjghb9dafajd2igx39rk4p-lima-0.14.2/bin/.limactl-wrapped
Warning: Specifying ':' in the path is deprecated and will not work in a future release
$ codesign -d --entitlements :- result/bin/.limactl-wrapped
Executable=/nix/store/ridj9qx1y39i9m34dzgr0wxp1zws7qgk-lima-0.14.2/bin/.limactl-wrapped
Warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>com.apple.security.virtualization</key><true/></dict></plist>

The former was generated using nix build .#lima-bin, while the latter was generated similarly, but adding dontStrip = true to the derivation. Both were done on the tip of this PR (d5e7c6c6bed9db97323a90361646d1d28a85bff2).

I'm running this on a macos13 installation. Not sure what I can do to find what's different between our environments.
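A check for exactly this failure mode, added here as an example (it is not code from the PR, from nixpkgs or from lima): it parses the plist that `codesign -d --entitlements :-` prints, as in the two runs above, and reports which of the entitlements the unstripped .limactl-wrapped carries are missing from a binary, so a post-build test can catch a strip that threw the signature away. The sample outputs are constructed to mirror the stripped and unstripped runs, the store path is a placeholder, and the `check_binary` helper (macOS only) is an assumed name.

```python
import plistlib
import subprocess

# Entitlements present in the unstripped .limactl-wrapped (from the codesign output above).
REQUIRED = {
    "com.apple.security.virtualization",  # the one a vz-based VM fails without
    "com.apple.security.network.client",
    "com.apple.security.network.server",
}

def parse_entitlements(output: bytes) -> dict:
    """Parse the plist printed by `codesign -d --entitlements :- <bin>`.
    codesign also emits Executable=/Warning lines, so locate the XML start;
    a stripped binary prints no plist at all, which is returned as {}."""
    start = output.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(output[start:])

def missing_entitlements(output: bytes, required=frozenset(REQUIRED)) -> set:
    """Return the required entitlement keys that are absent or not <true/>."""
    ents = parse_entitlements(output)
    return {key for key in required if ents.get(key) is not True}

def check_binary(path: str) -> set:
    """Hypothetical helper, macOS only: run codesign on a real binary
    (e.g. result/bin/.limactl-wrapped) and report missing entitlements."""
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True, check=False)
    return missing_entitlements(proc.stdout + proc.stderr)

# Constructed samples mirroring the two runs above (store path is a placeholder).
HEADER = (b"Executable=/nix/store/PLACEHOLDER-lima-0.14.2/bin/.limactl-wrapped\n"
          b"Warning: Specifying ':' in the path is deprecated and will not work in a future release\n")
STRIPPED = HEADER  # strip removed the signature, so no plist follows
UNSTRIPPED = HEADER + (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    b'<plist version="1.0"><dict>'
    b'<key>com.apple.security.network.client</key><true/>'
    b'<key>com.apple.security.network.server</key><true/>'
    b'<key>com.apple.security.virtualization</key><true/>'
    b'</dict></plist>'
)

if __name__ == "__main__":
    import sys
    missing = check_binary(sys.argv[1]) if len(sys.argv) > 1 else missing_entitlements(STRIPPED)
    print("missing entitlements:", sorted(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run it with a binary path on macOS to check a real build; without arguments it evaluates the constructed stripped sample and exits non-zero.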

@roblabla (Contributor) commented Jan 9, 2023

@tricktron your VM is running qemu

INFO[0000] [hostagent] Starting QEMU (hint: to watch the boot progress, see "/Users/tricktron/.lima/colima/serial.log")

That works on my end too. But I'm trying to get a VZ VM to run, which requires the entitlement. You have to set vmType: vz in the configuration YAML (~/.lima/default/default.yaml)

@roblabla (Contributor) commented Jan 9, 2023

for an easier reproducer: limactl start --name vz template://experimental/vz should create a vz-based VM, and fail:

$ limactl start --name vz template://experimental/vz
? Creating an instance "vz" Proceed with the current configuration
INFO[0001] Attempting to download the image from "https://cloud-images.ubuntu.com/releases/22.04/release/ubuntu-22.04-server-cloudimg-arm64.img"  digest=
613.88 MiB / 613.88 MiB [----------------------------------] 100.00% 51.60 MiB/s
INFO[0013] Downloaded the image from "https://cloud-images.ubuntu.com/releases/22.04/release/ubuntu-22.04-server-cloudimg-arm64.img"
INFO[0016] Attempting to download the nerdctl archive from "https://github.com/containerd/nerdctl/releases/download/v1.1.0/nerdctl-full-1.1.0-linux-arm64.tar.gz"  digest="sha256:3b613a1be5a24460c44bb93a3609b790ada94e06efd1a86467d45bec7da8b449"
190.14 MiB / 190.14 MiB [----------------------------------] 100.00% 15.34 MiB/s
INFO[0029] Downloaded the nerdctl archive from "https://github.com/containerd/nerdctl/releases/download/v1.1.0/nerdctl-full-1.1.0-linux-arm64.tar.gz"
INFO[0030] [hostagent] Starting VZ (hint: to watch the boot progress, see "/Users/roblabla/.lima/vz/serial.log")
INFO[0030] [hostagent] Setting up Rosetta share
FATA[0031] exiting, status={Running:false Degraded:false Exiting:true Errors:[] SSHLocalPort:0} (hint: see "/Users/roblabla/.lima/vz/ha.stderr.log")

And here's the ha.stderr.log:

$ cat ~/.lima/vz/ha.stderr.log
{"level":"debug","msg":"Creating iso file /Users/roblabla/.lima/vz/cidata.iso","time":"2023-01-09T16:30:21+01:00"}
{"level":"debug","msg":"Using /var/folders/p7/cywn8zl53tn4_97kfys4lxc00000gn/T/diskfs_iso2028567672 as workspace","time":"2023-01-09T16:30:21+01:00"}
{"level":"debug","msg":"OpenSSH version 9.1.1 detected","time":"2023-01-09T16:30:21+01:00"}
{"level":"debug","msg":"AES accelerator seems available, prioritizing [email protected] and [email protected]","time":"2023-01-09T16:30:21+01:00"}
{"level":"info","msg":"Starting VZ (hint: to watch the boot progress, see \"/Users/roblabla/.lima/vz/serial.log\")","time":"2023-01-09T16:30:21+01:00"}
{"level":"debug","msg":"Start tcp server listening on: 127.0.0.1:49858","time":"2023-01-09T16:30:21+01:00"}
{"level":"debug","msg":"Start udp server listening on: 127.0.0.1:49693","time":"2023-01-09T16:30:21+01:00"}
{"level":"info","msg":"Setting up Rosetta share","time":"2023-01-09T16:30:21+01:00"}
{"level":"fatal","msg":"Error Domain=VZErrorDomain Code=2 Description=\"Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement.\" UserInfo={\n    NSLocalizedFailure = \"Invalid virtual machine configuration.\";\n    NSLocalizedFailureReason = \"The process doesn\\U2019t have the \\U201ccom.apple.security.virtualization\\U201d entitlement.\";\n}","time":"2023-01-09T16:30:21+01:00"}

@tricktron (Member, Author)

@roblabla Great catch. I could reproduce it and disabled the stripping to fix it.

Thank you for the precise testing!

@tricktron (Member, Author)

Maybe we should only disable stripping on darwin because the entitlements are only in the darwin binaries?

@jbgosselin (Contributor)

@tricktron (Member, Author)

This is what I added on my PR for the non binary version of lima https://github.com/NixOS/nixpkgs/pull/206285/files#diff-adecdcf421866f9b6153fa6fa3608ee1e62ef5a5518ff91ef7fecf4a8908ce23R37

Great stuff. Thanks for the hint!

@jbgosselin (Contributor)

@tricktron you have merge conflicts (maybe due to my changes on lima that are now merged).

@tricktron (Member, Author)

@dennajort Thanks for the heads-up. I resolved the merge conflict.

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/815

@SuperSandro2000 SuperSandro2000 merged commit 379895e into NixOS:master Jan 27, 2023
@pecigonzalo

Awesome! We should update Colima to reference this version as well.

@tricktron (Member, Author)

@pecigonzalo

Awesome! We should update Colima to reference this version as well.

Here you go: #212980.

xanderio pushed a commit to xanderio/nixpkgs that referenced this pull request Feb 13, 2023