I have the following nspawn container block:
containers.test = {
autoStart = true;
privateNetwork = true;
config = { config, pkgs, ... }: {
system.stateVersion = "23.11";
fileSystems."/mnt/cgroup_net_cls" = {
device = "net_cls";
fsType = "cgroup";
options = [ "net_cls" ];
};
};
};
On my desktop running NixOS, the container boots successfully, and the net_cls cgroup gets mounted correctly to /mnt/cgroup_net_cls. However, I have two other machines running NixOS that I deploy to using colmena. For both of those machines, the container boot fails because the mount fails:
[root@test:~]# systemctl status mnt-cgroup_net_cls.mountnet_cls.mount
WARNING: terminal is not fully functional
Press RETURN to continue
× mnt-cgroup_net_cls.mount - /mnt/cgroup_net_cls
Loaded: loaded (/etc/fstab; generated)
Active: failed (Result: exit-code) since Sun 2024-01-28 10:52:51 PST; 1h 40min ago
Where: /mnt/cgroup_net_cls
What: net_cls
Docs: man:fstab(5)
man:systemd-fstab-generator(8)
CPU: 1ms
Jan 28 10:52:51 test systemd[1]: Mounting /mnt/cgroup_net_cls...
Jan 28 10:52:51 test mount[139]: mount: /mnt/cgroup_net_cls: permission denied.
Jan 28 10:52:51 test mount[139]: dmesg(1) may have more information after failed mount system call.
Jan 28 10:52:51 test systemd[1]: mnt-cgroup_net_cls.mount: Mount process exited, code=exited, status=32/n/a
Jan 28 10:52:51 test systemd[1]: mnt-cgroup_net_cls.mount: Failed with result 'exit-code'.
Jan 28 10:52:51 test systemd[1]: Failed to mount /mnt/cgroup_net_cls.
As far as I can tell, the host configuration is identical across all three machines. If I sudo nixos-container root-login test on either failing machine and run mount /mnt/cgroup_net_cls, that succeeds. It’s just the systemd unit that fails to mount it. I’m at my wit’s end about why the systemd unit fails. dmesg | grep mount did not have anything about net_cls.
If it matters, the reason I’m trying to mount net_cls via cgroup v1 is for mullvad, which specifically seems to need cgroup and not cgroup2.