nixos-modules/microvm/options: add microvm.volumes readOnly option

astro · astro · commit 3374f725bc87 · 2024-12-05T19:34:03.000+01:00
diff --git a/lib/runners/alioth.nix b/lib/runners/alioth.nix
@@ -29,14 +29,19 @@ in {
         "--blk" (lib.escapeShellArg "path=${storeDisk},readonly=true")
       ]
       ++
-      builtins.concatMap ({ image, serial, direct, ... }:
+      builtins.concatMap ({ image, serial, direct, readOnly, ... }:
         lib.warnIf (serial != null) ''
           Volume serial is not supported for alioth
         ''
         lib.warnIf direct ''
           Volume direct IO is not supported for alioth
         ''
-        [ "--blk" (lib.escapeShellArg image) ]
+          [
+            "--blk"
+            (lib.escapeShellArg "path=${image},readOnly=${
+              lib.boolToString readOnly
+            }")
+          ]
       ) volumes
       ++
       builtins.concatMap ({ proto, socket, tag, ... }:
diff --git a/lib/runners/cloud-hypervisor.nix b/lib/runners/cloud-hypervisor.nix
@@ -163,13 +163,17 @@ in {
           readonly = "on";
         } // mqOps))
         ++
-        map ({ image, serial, direct, ... }:
+        map ({ image, serial, direct, readOnly, ... }:
           opsMapped (
             {
               path = toString image;
               direct =
-                if direct == null then null
-                else if direct then "on"
+                if direct
+                then "on"
+                else "off";
+              readonly =
+                if readOnly
+                then "on"
                 else "off";
             } //
             lib.optionalAttrs (serial != null) {
diff --git a/lib/runners/crosvm.nix b/lib/runners/crosvm.nix
@@ -92,10 +92,12 @@ in {
         "-s" socket
       ]
       ++
-      builtins.concatMap ({ image, direct, serial, ... }:
+      builtins.concatMap ({ image, direct, serial, readOnly, ... }:
         [ "--block"
           "${image},o_direct=${
-            if direct then "true" else "false"
+            lib.boolToString direct
+          },ro=${
+            lib.boolToString readOnly
           }${
             lib.optionalString (serial != null) ",id=${serial}"
           }"
diff --git a/lib/runners/firecracker.nix b/lib/runners/firecracker.nix
@@ -37,7 +37,7 @@ let
       is_root_device = false;
       is_read_only = true;
       io_engine = "Async";
-    } ] ++ map ({ image, serial, direct, ... }:
+    } ] ++ map ({ image, serial, direct, readOnly, ... }:
       lib.warnIf (serial != null) ''
         Volume serial is not supported for firecracker
       ''
@@ -47,7 +47,7 @@ let
         drive_id = image;
         path_on_host = image;
         is_root_device = false;
-        is_read_only = false;
+        is_read_only = readOnly;
         io_engine = "Async";
       }) volumes;
     network-interfaces = map ({ type, id, mac, ... }:
diff --git a/lib/runners/kvmtool.nix b/lib/runners/kvmtool.nix
@@ -38,13 +38,15 @@ in {
       ++
       lib.optionals (balloonMem > 0) [ "--balloon" ]
       ++
-      builtins.concatMap ({ image, serial, direct, ... }:
+      builtins.concatMap ({ image, serial, direct, readOnly, ... }:
         lib.warnIf (serial != null) ''
           Volume serial is not supported for kvmtool
         ''
         [ "-d"
           (lib.escapeShellArg "image${
             lib.optionalString direct ",direct"
+          }${
+            lib.optionalString readOnly ",ro"
           }")
         ]
       ) volumes
diff --git a/lib/runners/qemu.nix b/lib/runners/qemu.nix
@@ -208,11 +208,11 @@ lib.warnIf (mem == 2048) ''
     lib.optionals (user != null) [ "-user" user ] ++
     lib.optionals (socket != null) [ "-qmp" "unix:${socket},server,nowait" ] ++
     lib.optionals (balloonMem > 0) [ "-device" "virtio-balloon" ] ++
-    builtins.concatMap ({ image, letter, serial, direct, ... }:
+    builtins.concatMap ({ image, letter, serial, direct, readOnly, ... }:
       [ "-drive"
         "id=vd${letter},format=raw,file=${image},if=none,aio=io_uring,discard=unmap${
           lib.optionalString (direct != null) ",cache=none"
-        }"
+        },read-only=${if readOnly then "on" else "off"}"
         "-device"
         "virtio-blk-${devType},drive=vd${letter}${
           lib.optionalString (serial != null) ",serial=${serial}"
diff --git a/lib/runners/stratovirt.nix b/lib/runners/stratovirt.nix
@@ -92,14 +92,16 @@ in {
       "-device" "virtio-blk-${devType 2},drive=store,id=blk_store"
     ] ++
     lib.optionals (socket != null) [ "-qmp" "unix:${socket},server,nowait" ] ++
-    builtins.concatMap ({ index, image, letter, serial, direct, ... }: [
+    builtins.concatMap ({ index, image, letter, serial, direct, readOnly, ... }: [
       "-drive"
       "id=vd${
         letter
       },format=raw,if=none,aio=io_uring,file=${
         image
       },direct=${
         if direct then "on" else "off"
+      },readonly=${
+        if readOnly then "on" else "off"
       }"
       "-device"
       "virtio-blk-${
diff --git a/nixos-modules/microvm/options.nix b/nixos-modules/microvm/options.nix
@@ -194,6 +194,11 @@ in
             default = false;
             description = "Whether to set O_DIRECT on the disk.";
           };
+          readOnly = mkOption {
+            type = bool;
+            default = false;
+            description = "Turn off write access";
+          };
           label = mkOption {
             type = nullOr str;
             default = null;
