Get nixos test containers building in Hydra

[jfly]

The new nixos test container infrastructure requires a few tweaks to our machines:

• https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/development/running-nixos-tests.section.md#system-requirements-sec-running-nixos-tests-requirements
• nixos/doc: note that /dev/net is required for nspawn↔qemu networking nixpkgs#503006

We ran into issues in the past with cgroups: NixOS/nix#13135

We are unsure if it's safe to expose /dev/net in the build sandbox. This is only required for nspawn <-> qemu communication, so we could disable just those tests (nixosTests.nixos-test-driver.containers) while still allow for tests that are purely nspawn containers (such as nixosTests.test-containers-bittorrent).

[jfly]

FYI, @kmein @tfc. Tests that rely upon /dev/net are currently disabled in hydra. I've added this to the infra team's list of topics to discuss this week. Edit: busy meeting this week, we will discuss next time.

[jfly]

Discussed in today's team meeting with @mweinelt. It doesn't sound like exposing /dev/net into the build sandbox is a good idea. That's fine, though, as we don't actually have any interesting tests that do communication between qemu and nspawn containers (we just have a proof of concept test).

Let's make sure we have a warning about this.

Edit: we do have a warning: https://github.com/NixOS/nixpkgs/blob/c86aab74f391d7393f420a0ac7f97e5ba3067cbc/nixos/modules/virtualisation/nspawn-container/run-nspawn/src/run_nspawn/__init__.py#L93-L96, unfortunately, it shows up even for tests that don't use qemu machines.

Edit edit: I'm exploring getting rid of the /dev/net/tun requirement entirely: NixOS/nixpkgs#512268