From 79e66fce1c2b5a7de3e9a0e75b591ca9552a62ef Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 9 Dec 2021 12:10:44 +1000
Subject: nixos/podman: sort files into directories
Makes codeowners, git history, etc. a bit simpler now that podman has expanded beyond the original single file module and test.
---
.github/CODEOWNERS | 4 +-
nixos/modules/module-list.nix | 3 +-
nixos/modules/virtualisation/podman-dnsname.nix | 36 ----
.../podman-network-socket-ghostunnel.nix | 34 ----
.../virtualisation/podman-network-socket.nix | 91 ----------
nixos/modules/virtualisation/podman.nix | 184 ---------------------
nixos/modules/virtualisation/podman/default.nix | 184 +++++++++++++++++++++
nixos/modules/virtualisation/podman/dnsname.nix | 36 ++++
.../podman/network-socket-ghostunnel.nix | 34 ++++
.../virtualisation/podman/network-socket.nix | 95 +++++++++++
nixos/tests/all-tests.nix | 6 +-
nixos/tests/podman-dnsname.nix | 42 -----
nixos/tests/podman-tls-ghostunnel.nix | 150 -----------------
nixos/tests/podman.nix | 144 ----------------
nixos/tests/podman/default.nix | 144 ++++++++++++++++
nixos/tests/podman/dnsname.nix | 42 +++++
nixos/tests/podman/tls-ghostunnel.nix | 150 +++++++++++++++++
17 files changed, 691 insertions(+), 688 deletions(-)
delete mode 100644 nixos/modules/virtualisation/podman-dnsname.nix
delete mode 100644 nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
delete mode 100644 nixos/modules/virtualisation/podman-network-socket.nix
delete mode 100644 nixos/modules/virtualisation/podman.nix
create mode 100644 nixos/modules/virtualisation/podman/default.nix
create mode 100644 nixos/modules/virtualisation/podman/dnsname.nix
create mode 100644 nixos/modules/virtualisation/podman/network-socket-ghostunnel.nix
create mode 100644 nixos/modules/virtualisation/podman/network-socket.nix
delete mode 100644 nixos/tests/podman-dnsname.nix
delete mode 100644 nixos/tests/podman-tls-ghostunnel.nix
delete mode 100644 nixos/tests/podman.nix
create mode 100644 nixos/tests/podman/default.nix
create mode 100644 nixos/tests/podman/dnsname.nix
create mode 100644 nixos/tests/podman/tls-ghostunnel.nix
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 719f61203d2..d85ff2d08a5 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -219,9 +219,9 @@
# Podman, CRI-O modules and related
/nixos/modules/virtualisation/containers.nix @NixOS/podman @zowoq @adisbladis
/nixos/modules/virtualisation/cri-o.nix @NixOS/podman @zowoq @adisbladis
-/nixos/modules/virtualisation/podman.nix @NixOS/podman @zowoq @adisbladis
+/nixos/modules/virtualisation/podman @NixOS/podman @zowoq @adisbladis
/nixos/tests/cri-o.nix @NixOS/podman @zowoq @adisbladis
-/nixos/tests/podman.nix @NixOS/podman @zowoq @adisbladis
+/nixos/tests/podman @NixOS/podman @zowoq @adisbladis
# Docker tools
/pkgs/build-support/docker @roberth @utdemir
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 8cb7c39005c..c83a6923338 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1192,8 +1192,7 @@
./virtualisation/kvmgt.nix
./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix
- ./virtualisation/podman.nix
- ./virtualisation/podman-network-socket-ghostunnel.nix
+ ./virtualisation/podman/default.nix
./virtualisation/qemu-guest-agent.nix
./virtualisation/railcar.nix
./virtualisation/spice-usb-redirection.nix
diff --git a/nixos/modules/virtualisation/podman-dnsname.nix b/nixos/modules/virtualisation/podman-dnsname.nix
deleted file mode 100644
index beef1975507..00000000000
--- a/nixos/modules/virtualisation/podman-dnsname.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (lib)
- mkOption
- mkIf
- types
- ;
-
- cfg = config.virtualisation.podman;
-
-in
-{
- options = {
- virtualisation.podman = {
-
- defaultNetwork.dnsname.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable DNS resolution in the default podman network.
- '';
- };
-
- };
- };
-
- config = {
- virtualisation.containers.containersConf.cniPlugins = mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
- virtualisation.podman.defaultNetwork.extraPlugins =
- lib.optional cfg.defaultNetwork.dnsname.enable {
- type = "dnsname";
- domainName = "dns.podman";
- capabilities.aliases = true;
- };
- };
-}
diff --git a/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix b/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
deleted file mode 100644
index a0e7e433164..00000000000
--- a/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ config, lib, pkg, ... }:
-let
- inherit (lib)
- mkOption
- types
- ;
-
- cfg = config.virtualisation.podman.networkSocket;
-
-in
-{
- options.virtualisation.podman.networkSocket = {
- server = mkOption {
- type = types.enum [ "ghostunnel" ];
- };
- };
-
- config = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
-
- services.ghostunnel = {
- enable = true;
- servers."podman-socket" = {
- inherit (cfg.tls) cert key cacert;
- listen = "${cfg.listenAddress}:${toString cfg.port}";
- target = "unix:/run/podman/podman.sock";
- allowAll = lib.mkDefault true;
- };
- };
- systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
-
- };
-
- meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
-}
diff --git a/nixos/modules/virtualisation/podman-network-socket.nix b/nixos/modules/virtualisation/podman-network-socket.nix
deleted file mode 100644
index 1429164630b..00000000000
--- a/nixos/modules/virtualisation/podman-network-socket.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{ config, lib, pkg, ... }:
-let
- inherit (lib)
- mkOption
- types
- ;
-
- cfg = config.virtualisation.podman.networkSocket;
-
-in
-{
- options.virtualisation.podman.networkSocket = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Make the Podman and Docker compatibility API available over the network
- with TLS client certificate authentication.
-
- This allows Docker clients to connect with the equivalents of the Docker
- CLI -H and --tls* family of options.
-
- For certificate setup, see https://docs.docker.com/engine/security/protect-access/
-
- This option is independent of .
- '';
- };
-
- server = mkOption {
- type = types.enum [];
- description = ''
- Choice of TLS proxy server.
- '';
- example = "ghostunnel";
- };
-
- openFirewall = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to open the port in the firewall.
- '';
- };
-
- tls.cacert = mkOption {
- type = types.path;
- description = ''
- Path to CA certificate to use for client authentication.
- '';
- };
-
- tls.cert = mkOption {
- type = types.path;
- description = ''
- Path to certificate describing the server.
- '';
- };
-
- tls.key = mkOption {
- type = types.path;
- description = ''
- Path to the private key corresponding to the server certificate.
-
- Use a string for this setting. Otherwise it will be copied to the Nix
- store first, where it is readable by any system process.
- '';
- };
-
- port = mkOption {
- type = types.port;
- default = 2376;
- description = ''
- TCP port number for receiving TLS connections.
- '';
- };
- listenAddress = mkOption {
- type = types.str;
- default = "0.0.0.0";
- description = ''
- Interface address for receiving TLS connections.
- '';
- };
- };
-
- config = {
- networking.firewall.allowedTCPPorts =
- lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
- };
-
- meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
-}
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
deleted file mode 100644
index 385475c84a1..00000000000
--- a/nixos/modules/virtualisation/podman.nix
+++ /dev/null
@@ -1,184 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- cfg = config.virtualisation.podman;
- toml = pkgs.formats.toml { };
- json = pkgs.formats.json { };
-
- inherit (lib) mkOption types;
-
- podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; });
-
- # Provides a fake "docker" binary mapping to podman
- dockerCompat = pkgs.runCommand "${podmanPackage.pname}-docker-compat-${podmanPackage.version}" {
- outputs = [ "out" "man" ];
- inherit (podmanPackage) meta;
- } ''
- mkdir -p $out/bin
- ln -s ${podmanPackage}/bin/podman $out/bin/docker
-
- mkdir -p $man/share/man/man1
- for f in ${podmanPackage.man}/share/man/man1/*; do
- basename=$(basename $f | sed s/podman/docker/g)
- ln -s $f $man/share/man/man1/$basename
- done
- '';
-
- net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
- nativeBuildInputs = [ pkgs.jq ];
- extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
- jqScript = ''
- . + { "plugins": (.plugins + $extraPlugins) }
- '';
- } ''
- jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
- --argjson extraPlugins "$extraPlugins" \
- "$jqScript" \
- >$out
- '';
-
-in
-{
- imports = [
- ./podman-dnsname.nix
- ./podman-network-socket.nix
- (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
- ];
-
- meta = {
- maintainers = lib.teams.podman.members;
- };
-
- options.virtualisation.podman = {
-
- enable =
- mkOption {
- type = types.bool;
- default = false;
- description = ''
- This option enables Podman, a daemonless container engine for
- developing, managing, and running OCI Containers on your Linux System.
-
- It is a drop-in replacement for the docker command.
- '';
- };
-
- dockerSocket.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Make the Podman socket available in place of the Docker socket, so
- Docker tools can find the Podman socket.
-
- Podman implements the Docker API.
-
- Users must be in the podman group in order to connect. As
- with Docker, members of this group can gain root access.
- '';
- };
-
- dockerCompat = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Create an alias mapping docker to podman.
- '';
- };
-
- enableNvidia = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable use of NVidia GPUs from within podman containers.
- '';
- };
-
- extraPackages = mkOption {
- type = with types; listOf package;
- default = [ ];
- example = lib.literalExpression ''
- [
- pkgs.gvisor
- ]
- '';
- description = ''
- Extra packages to be installed in the Podman wrapper.
- '';
- };
-
- package = lib.mkOption {
- type = types.package;
- default = podmanPackage;
- internal = true;
- description = ''
- The final Podman package (including extra packages).
- '';
- };
-
- defaultNetwork.extraPlugins = lib.mkOption {
- type = types.listOf json.type;
- default = [];
- description = ''
- Extra CNI plugin configurations to add to podman's default network.
- '';
- };
-
- };
-
- config = lib.mkIf cfg.enable (lib.mkMerge [
- {
- environment.systemPackages = [ cfg.package ]
- ++ lib.optional cfg.dockerCompat dockerCompat;
-
- environment.etc."cni/net.d/87-podman-bridge.conflist".source = net-conflist;
-
- virtualisation.containers = {
- enable = true; # Enable common /etc/containers configuration
- containersConf.settings = lib.optionalAttrs cfg.enableNvidia {
- engine = {
- conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ];
- runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ];
- };
- };
- };
-
- systemd.packages = [ cfg.package ];
-
- systemd.services.podman.serviceConfig = {
- ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
- };
-
- systemd.sockets.podman.wantedBy = [ "sockets.target" ];
- systemd.sockets.podman.socketConfig.SocketGroup = "podman";
-
- systemd.tmpfiles.packages = [
- # The /run/podman rule interferes with our podman group, so we remove
- # it and let the systemd socket logic take care of it.
- (pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
- mkdir -p $out/lib/tmpfiles.d/
- grep -v 'D! /run/podman 0700 root root' \
- <$package/lib/tmpfiles.d/podman.conf \
- >$out/lib/tmpfiles.d/podman.conf
- '') ];
-
- systemd.tmpfiles.rules =
- lib.optionals cfg.dockerSocket.enable [
- "L! /run/docker.sock - - - - /run/podman/podman.sock"
- ];
-
- users.groups.podman = {};
-
- assertions = [
- {
- assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
- message = "Option dockerCompat conflicts with docker";
- }
- {
- assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
- message = ''
- The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
- '';
- }
- ];
- }
- ]);
-}
diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix
new file mode 100644
index 00000000000..94fd727a4b5
--- /dev/null
+++ b/nixos/modules/virtualisation/podman/default.nix
@@ -0,0 +1,184 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.virtualisation.podman;
+ toml = pkgs.formats.toml { };
+ json = pkgs.formats.json { };
+
+ inherit (lib) mkOption types;
+
+ podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; });
+
+ # Provides a fake "docker" binary mapping to podman
+ dockerCompat = pkgs.runCommand "${podmanPackage.pname}-docker-compat-${podmanPackage.version}" {
+ outputs = [ "out" "man" ];
+ inherit (podmanPackage) meta;
+ } ''
+ mkdir -p $out/bin
+ ln -s ${podmanPackage}/bin/podman $out/bin/docker
+
+ mkdir -p $man/share/man/man1
+ for f in ${podmanPackage.man}/share/man/man1/*; do
+ basename=$(basename $f | sed s/podman/docker/g)
+ ln -s $f $man/share/man/man1/$basename
+ done
+ '';
+
+ net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
+ nativeBuildInputs = [ pkgs.jq ];
+ extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
+ jqScript = ''
+ . + { "plugins": (.plugins + $extraPlugins) }
+ '';
+ } ''
+ jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
+ --argjson extraPlugins "$extraPlugins" \
+ "$jqScript" \
+ >$out
+ '';
+
+in
+{
+ imports = [
+ ./dnsname.nix
+ ./network-socket.nix
+ (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
+ ];
+
+ meta = {
+ maintainers = lib.teams.podman.members;
+ };
+
+ options.virtualisation.podman = {
+
+ enable =
+ mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ This option enables Podman, a daemonless container engine for
+ developing, managing, and running OCI Containers on your Linux System.
+
+ It is a drop-in replacement for the docker command.
+ '';
+ };
+
+ dockerSocket.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman socket available in place of the Docker socket, so
+ Docker tools can find the Podman socket.
+
+ Podman implements the Docker API.
+
+ Users must be in the podman group in order to connect. As
+ with Docker, members of this group can gain root access.
+ '';
+ };
+
+ dockerCompat = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Create an alias mapping docker to podman.
+ '';
+ };
+
+ enableNvidia = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable use of NVidia GPUs from within podman containers.
+ '';
+ };
+
+ extraPackages = mkOption {
+ type = with types; listOf package;
+ default = [ ];
+ example = lib.literalExpression ''
+ [
+ pkgs.gvisor
+ ]
+ '';
+ description = ''
+ Extra packages to be installed in the Podman wrapper.
+ '';
+ };
+
+ package = lib.mkOption {
+ type = types.package;
+ default = podmanPackage;
+ internal = true;
+ description = ''
+ The final Podman package (including extra packages).
+ '';
+ };
+
+ defaultNetwork.extraPlugins = lib.mkOption {
+ type = types.listOf json.type;
+ default = [];
+ description = ''
+ Extra CNI plugin configurations to add to podman's default network.
+ '';
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ {
+ environment.systemPackages = [ cfg.package ]
+ ++ lib.optional cfg.dockerCompat dockerCompat;
+
+ environment.etc."cni/net.d/87-podman-bridge.conflist".source = net-conflist;
+
+ virtualisation.containers = {
+ enable = true; # Enable common /etc/containers configuration
+ containersConf.settings = lib.optionalAttrs cfg.enableNvidia {
+ engine = {
+ conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ];
+ runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ];
+ };
+ };
+ };
+
+ systemd.packages = [ cfg.package ];
+
+ systemd.services.podman.serviceConfig = {
+ ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
+ };
+
+ systemd.sockets.podman.wantedBy = [ "sockets.target" ];
+ systemd.sockets.podman.socketConfig.SocketGroup = "podman";
+
+ systemd.tmpfiles.packages = [
+ # The /run/podman rule interferes with our podman group, so we remove
+ # it and let the systemd socket logic take care of it.
+ (pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
+ mkdir -p $out/lib/tmpfiles.d/
+ grep -v 'D! /run/podman 0700 root root' \
+ <$package/lib/tmpfiles.d/podman.conf \
+ >$out/lib/tmpfiles.d/podman.conf
+ '') ];
+
+ systemd.tmpfiles.rules =
+ lib.optionals cfg.dockerSocket.enable [
+ "L! /run/docker.sock - - - - /run/podman/podman.sock"
+ ];
+
+ users.groups.podman = {};
+
+ assertions = [
+ {
+ assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
+ message = "Option dockerCompat conflicts with docker";
+ }
+ {
+ assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
+ message = ''
+ The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
+ '';
+ }
+ ];
+ }
+ ]);
+}
diff --git a/nixos/modules/virtualisation/podman/dnsname.nix b/nixos/modules/virtualisation/podman/dnsname.nix
new file mode 100644
index 00000000000..beef1975507
--- /dev/null
+++ b/nixos/modules/virtualisation/podman/dnsname.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib)
+ mkOption
+ mkIf
+ types
+ ;
+
+ cfg = config.virtualisation.podman;
+
+in
+{
+ options = {
+ virtualisation.podman = {
+
+ defaultNetwork.dnsname.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable DNS resolution in the default podman network.
+ '';
+ };
+
+ };
+ };
+
+ config = {
+ virtualisation.containers.containersConf.cniPlugins = mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
+ virtualisation.podman.defaultNetwork.extraPlugins =
+ lib.optional cfg.defaultNetwork.dnsname.enable {
+ type = "dnsname";
+ domainName = "dns.podman";
+ capabilities.aliases = true;
+ };
+ };
+}
diff --git a/nixos/modules/virtualisation/podman/network-socket-ghostunnel.nix b/nixos/modules/virtualisation/podman/network-socket-ghostunnel.nix
new file mode 100644
index 00000000000..a0e7e433164
--- /dev/null
+++ b/nixos/modules/virtualisation/podman/network-socket-ghostunnel.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ options.virtualisation.podman.networkSocket = {
+ server = mkOption {
+ type = types.enum [ "ghostunnel" ];
+ };
+ };
+
+ config = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
+
+ services.ghostunnel = {
+ enable = true;
+ servers."podman-socket" = {
+ inherit (cfg.tls) cert key cacert;
+ listen = "${cfg.listenAddress}:${toString cfg.port}";
+ target = "unix:/run/podman/podman.sock";
+ allowAll = lib.mkDefault true;
+ };
+ };
+ systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
+
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
diff --git a/nixos/modules/virtualisation/podman/network-socket.nix b/nixos/modules/virtualisation/podman/network-socket.nix
new file mode 100644
index 00000000000..94d8da9d2b6
--- /dev/null
+++ b/nixos/modules/virtualisation/podman/network-socket.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ imports = [
+ ./network-socket-ghostunnel.nix
+ ];
+
+ options.virtualisation.podman.networkSocket = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman and Docker compatibility API available over the network
+ with TLS client certificate authentication.
+
+ This allows Docker clients to connect with the equivalents of the Docker
+ CLI -H and --tls* family of options.
+
+ For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+ This option is independent of .
+ '';
+ };
+
+ server = mkOption {
+ type = types.enum [];
+ description = ''
+ Choice of TLS proxy server.
+ '';
+ example = "ghostunnel";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the port in the firewall.
+ '';
+ };
+
+ tls.cacert = mkOption {
+ type = types.path;
+ description = ''
+ Path to CA certificate to use for client authentication.
+ '';
+ };
+
+ tls.cert = mkOption {
+ type = types.path;
+ description = ''
+ Path to certificate describing the server.
+ '';
+ };
+
+ tls.key = mkOption {
+ type = types.path;
+ description = ''
+ Path to the private key corresponding to the server certificate.
+
+ Use a string for this setting. Otherwise it will be copied to the Nix
+ store first, where it is readable by any system process.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2376;
+ description = ''
+ TCP port number for receiving TLS connections.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Interface address for receiving TLS connections.
+ '';
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts =
+ lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 63be6789201..a1113ff631e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -369,9 +369,9 @@ in
plikd = handleTest ./plikd.nix {};
plotinus = handleTest ./plotinus.nix {};
podgrab = handleTest ./podgrab.nix {};
- podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
- podman-dnsname = handleTestOn ["x86_64-linux"] ./podman-dnsname.nix {};
- podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman-tls-ghostunnel.nix {};
+ podman = handleTestOn ["x86_64-linux"] ./podman/default.nix {};
+ podman-dnsname = handleTestOn ["x86_64-linux"] ./podman/dnsname.nix {};
+ podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman/tls-ghostunnel.nix {};
pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
postfix = handleTest ./postfix.nix {};
postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
diff --git a/nixos/tests/podman-dnsname.nix b/nixos/tests/podman-dnsname.nix
deleted file mode 100644
index dd352f754dc..00000000000
--- a/nixos/tests/podman-dnsname.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-import ./make-test-python.nix (
- { pkgs, lib, ... }:
- let
- inherit (pkgs) writeTextDir python3 curl;
- webroot = writeTextDir "index.html" "Hi
";
- in
- {
- name = "podman-dnsname";
- meta = {
- maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members;
- };
-
- nodes = {
- podman = { pkgs, ... }: {
- virtualisation.podman.enable = true;
- virtualisation.podman.defaultNetwork.dnsname.enable = true;
- };
- };
-
- testScript = ''
- podman.wait_for_unit("sockets.target")
-
- with subtest("DNS works"): # also tests inter-container tcp routing
- podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
- podman.succeed(
- "podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000"
- )
- podman.succeed("podman ps | grep webserver")
- podman.succeed("""
- for i in `seq 0 120`; do
- podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \
- && exit 0
- sleep 0.5
- done
- exit 1
- """)
- podman.succeed("podman stop webserver")
- podman.succeed("podman rm webserver")
-
- '';
- }
-)
diff --git a/nixos/tests/podman-tls-ghostunnel.nix b/nixos/tests/podman-tls-ghostunnel.nix
deleted file mode 100644
index 0e687b199b2..00000000000
--- a/nixos/tests/podman-tls-ghostunnel.nix
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- This test runs podman as a backend for the Docker CLI.
- */
-import ./make-test-python.nix (
- { pkgs, lib, ... }:
-
- let gen-ca = pkgs.writeScript "gen-ca" ''
- # Create CA
- PATH="${pkgs.openssl}/bin:$PATH"
- openssl genrsa -out ca-key.pem 4096
- openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
-
- # Create service
- openssl genrsa -out podman-key.pem 4096
- openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
- echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
- echo extendedKeyUsage = serverAuth >> extfile.cnf
- openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
-
- # Create client
- openssl genrsa -out client-key.pem 4096
- openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
- echo extendedKeyUsage = clientAuth > extfile-client.cnf
- openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
-
- # Create CA 2
- PATH="${pkgs.openssl}/bin:$PATH"
- openssl genrsa -out ca-2-key.pem 4096
- openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
-
- # Create client signed by CA 2
- openssl genrsa -out client-2-key.pem 4096
- openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
- echo extendedKeyUsage = clientAuth > extfile-client.cnf
- openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
-
- '';
- in
- {
- name = "podman-tls-ghostunnel";
- meta = {
- maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
- };
-
- nodes = {
- podman =
- { pkgs, ... }:
- {
- virtualisation.podman.enable = true;
- virtualisation.podman.dockerSocket.enable = true;
- virtualisation.podman.networkSocket = {
- enable = true;
- openFirewall = true;
- server = "ghostunnel";
- tls.cert = "/root/podman-cert.pem";
- tls.key = "/root/podman-key.pem";
- tls.cacert = "/root/ca.pem";
- };
-
- environment.systemPackages = [
- pkgs.docker-client
- ];
-
- users.users.alice = {
- isNormalUser = true;
- home = "/home/alice";
- description = "Alice Foobar";
- extraGroups = ["podman"];
- };
-
- };
-
- client = { ... }: {
- environment.systemPackages = [
- # Installs the docker _client_ only
- # Normally, you'd want `virtualisation.docker.enable = true;`.
- pkgs.docker-client
- ];
- environment.variables.DOCKER_HOST = "podman:2376";
- environment.variables.DOCKER_TLS_VERIFY = "1";
- };
- };
-
- testScript = ''
- import shlex
-
-
- def su_cmd(user, cmd):
- cmd = shlex.quote(cmd)
- return f"su {user} -l -c {cmd}"
-
- def cmd(command):
- print(f"+{command}")
- r = os.system(command)
- if r != 0:
- raise Exception(f"Command {command} failed with exit code {r}")
-
- start_all()
- cmd("${gen-ca}")
-
- podman.copy_from_host("ca.pem", "/root/ca.pem")
- podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
- podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
-
- client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
- # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
- client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
- client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
-
- # TODO (ghostunnel): add file watchers so the restart isn't necessary
- podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
-
- podman.wait_for_unit("sockets.target")
- podman.wait_for_unit("ghostunnel-server-podman-socket.service")
-
- with subtest("Create default network"):
- podman.succeed("docker network create default")
-
- with subtest("Root docker cli also works"):
- podman.succeed("docker version")
-
- with subtest("A podman member can also still use the docker cli"):
- podman.succeed(su_cmd("alice", "docker version"))
-
- with subtest("Run container remotely via docker cli"):
- client.succeed("docker version")
-
- # via socket would be nicer
- podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
-
- client.succeed(
- "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- client.succeed("docker ps | grep sleeping")
- podman.succeed("docker ps | grep sleeping")
- client.succeed("docker stop sleeping")
- client.succeed("docker rm sleeping")
-
- with subtest("Clients without cert will be denied"):
- client.succeed("rm /root/.docker/{cert,key}.pem")
- client.fail("docker version")
-
- with subtest("Clients with wrong cert will be denied"):
- client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
- client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
- client.fail("docker version")
-
- '';
- }
-)
diff --git a/nixos/tests/podman.nix b/nixos/tests/podman.nix
deleted file mode 100644
index 7eae575fd7f..00000000000
--- a/nixos/tests/podman.nix
+++ /dev/null
@@ -1,144 +0,0 @@
-# This test runs podman and checks if simple container starts
-
-import ./make-test-python.nix (
- { pkgs, lib, ... }: {
- name = "podman";
- meta = {
- maintainers = lib.teams.podman.members;
- };
-
- nodes = {
- podman =
- { pkgs, ... }:
- {
- virtualisation.podman.enable = true;
-
- # To test docker socket support
- virtualisation.podman.dockerSocket.enable = true;
- environment.systemPackages = [
- pkgs.docker-client
- ];
-
- users.users.alice = {
- isNormalUser = true;
- home = "/home/alice";
- description = "Alice Foobar";
- extraGroups = [ "podman" ];
- };
-
- users.users.mallory = {
- isNormalUser = true;
- home = "/home/mallory";
- description = "Mallory Foobar";
- };
-
- };
- };
-
- testScript = ''
- import shlex
-
-
- def su_cmd(cmd, user = "alice"):
- cmd = shlex.quote(cmd)
- return f"su {user} -l -c {cmd}"
-
-
- podman.wait_for_unit("sockets.target")
- start_all()
-
- with subtest("Run container as root with runc"):
- podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
- podman.succeed(
- "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- podman.succeed("podman ps | grep sleeping")
- podman.succeed("podman stop sleeping")
- podman.succeed("podman rm sleeping")
-
- with subtest("Run container as root with crun"):
- podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
- podman.succeed(
- "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- podman.succeed("podman ps | grep sleeping")
- podman.succeed("podman stop sleeping")
- podman.succeed("podman rm sleeping")
-
- with subtest("Run container as root with the default backend"):
- podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
- podman.succeed(
- "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- podman.succeed("podman ps | grep sleeping")
- podman.succeed("podman stop sleeping")
- podman.succeed("podman rm sleeping")
-
- # create systemd session for rootless
- podman.succeed("loginctl enable-linger alice")
-
- with subtest("Run container rootless with runc"):
- podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
- podman.succeed(
- su_cmd(
- "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- )
- podman.succeed(su_cmd("podman ps | grep sleeping"))
- podman.succeed(su_cmd("podman stop sleeping"))
- podman.succeed(su_cmd("podman rm sleeping"))
-
- with subtest("Run container rootless with crun"):
- podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
- podman.succeed(
- su_cmd(
- "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- )
- podman.succeed(su_cmd("podman ps | grep sleeping"))
- podman.succeed(su_cmd("podman stop sleeping"))
- podman.succeed(su_cmd("podman rm sleeping"))
-
- with subtest("Run container rootless with the default backend"):
- podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
- podman.succeed(
- su_cmd(
- "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- )
- podman.succeed(su_cmd("podman ps | grep sleeping"))
- podman.succeed(su_cmd("podman stop sleeping"))
- podman.succeed(su_cmd("podman rm sleeping"))
-
- with subtest("Run container with init"):
- podman.succeed(
- "tar cv -C ${pkgs.pkgsStatic.busybox} . | podman import - busybox"
- )
- pid = podman.succeed("podman run --rm busybox readlink /proc/self").strip()
- assert pid == "1"
- pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
- assert pid == "2"
-
- with subtest("A podman member can use the docker cli"):
- podman.succeed(su_cmd("docker version"))
-
- with subtest("Run container via docker cli"):
- podman.succeed("docker network create default")
- podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
- podman.succeed(
- "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
- )
- podman.succeed("docker ps | grep sleeping")
- podman.succeed("podman ps | grep sleeping")
- podman.succeed("docker stop sleeping")
- podman.succeed("docker rm sleeping")
- podman.succeed("docker network rm default")
-
- with subtest("A podman non-member can not use the docker cli"):
- podman.fail(su_cmd("docker version", user="mallory"))
-
- # TODO: add docker-compose test
-
- '';
- }
-)
diff --git a/nixos/tests/podman/default.nix b/nixos/tests/podman/default.nix
new file mode 100644
index 00000000000..b52a7f060ad
--- /dev/null
+++ b/nixos/tests/podman/default.nix
@@ -0,0 +1,144 @@
+# This test runs podman and checks if simple container starts
+
+import ../make-test-python.nix (
+ { pkgs, lib, ... }: {
+ name = "podman";
+ meta = {
+ maintainers = lib.teams.podman.members;
+ };
+
+ nodes = {
+ podman =
+ { pkgs, ... }:
+ {
+ virtualisation.podman.enable = true;
+
+ # To test docker socket support
+ virtualisation.podman.dockerSocket.enable = true;
+ environment.systemPackages = [
+ pkgs.docker-client
+ ];
+
+ users.users.alice = {
+ isNormalUser = true;
+ home = "/home/alice";
+ description = "Alice Foobar";
+ extraGroups = [ "podman" ];
+ };
+
+ users.users.mallory = {
+ isNormalUser = true;
+ home = "/home/mallory";
+ description = "Mallory Foobar";
+ };
+
+ };
+ };
+
+ testScript = ''
+ import shlex
+
+
+ def su_cmd(cmd, user = "alice"):
+ cmd = shlex.quote(cmd)
+ return f"su {user} -l -c {cmd}"
+
+
+ podman.wait_for_unit("sockets.target")
+ start_all()
+
+ with subtest("Run container as root with runc"):
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ podman.succeed("podman ps | grep sleeping")
+ podman.succeed("podman stop sleeping")
+ podman.succeed("podman rm sleeping")
+
+ with subtest("Run container as root with crun"):
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ podman.succeed("podman ps | grep sleeping")
+ podman.succeed("podman stop sleeping")
+ podman.succeed("podman rm sleeping")
+
+ with subtest("Run container as root with the default backend"):
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ podman.succeed("podman ps | grep sleeping")
+ podman.succeed("podman stop sleeping")
+ podman.succeed("podman rm sleeping")
+
+ # create systemd session for rootless
+ podman.succeed("loginctl enable-linger alice")
+
+ with subtest("Run container rootless with runc"):
+ podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
+ podman.succeed(
+ su_cmd(
+ "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ )
+ podman.succeed(su_cmd("podman ps | grep sleeping"))
+ podman.succeed(su_cmd("podman stop sleeping"))
+ podman.succeed(su_cmd("podman rm sleeping"))
+
+ with subtest("Run container rootless with crun"):
+ podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
+ podman.succeed(
+ su_cmd(
+ "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ )
+ podman.succeed(su_cmd("podman ps | grep sleeping"))
+ podman.succeed(su_cmd("podman stop sleeping"))
+ podman.succeed(su_cmd("podman rm sleeping"))
+
+ with subtest("Run container rootless with the default backend"):
+ podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
+ podman.succeed(
+ su_cmd(
+ "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ )
+ podman.succeed(su_cmd("podman ps | grep sleeping"))
+ podman.succeed(su_cmd("podman stop sleeping"))
+ podman.succeed(su_cmd("podman rm sleeping"))
+
+ with subtest("Run container with init"):
+ podman.succeed(
+ "tar cv -C ${pkgs.pkgsStatic.busybox} . | podman import - busybox"
+ )
+ pid = podman.succeed("podman run --rm busybox readlink /proc/self").strip()
+ assert pid == "1"
+ pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
+ assert pid == "2"
+
+ with subtest("A podman member can use the docker cli"):
+ podman.succeed(su_cmd("docker version"))
+
+ with subtest("Run container via docker cli"):
+ podman.succeed("docker network create default")
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ podman.succeed("docker ps | grep sleeping")
+ podman.succeed("podman ps | grep sleeping")
+ podman.succeed("docker stop sleeping")
+ podman.succeed("docker rm sleeping")
+ podman.succeed("docker network rm default")
+
+ with subtest("A podman non-member can not use the docker cli"):
+ podman.fail(su_cmd("docker version", user="mallory"))
+
+ # TODO: add docker-compose test
+
+ '';
+ }
+)
diff --git a/nixos/tests/podman/dnsname.nix b/nixos/tests/podman/dnsname.nix
new file mode 100644
index 00000000000..3768ae79e06
--- /dev/null
+++ b/nixos/tests/podman/dnsname.nix
@@ -0,0 +1,42 @@
+import ../make-test-python.nix (
+ { pkgs, lib, ... }:
+ let
+ inherit (pkgs) writeTextDir python3 curl;
+ webroot = writeTextDir "index.html" "Hi
";
+ in
+ {
+ name = "podman-dnsname";
+ meta = {
+ maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members;
+ };
+
+ nodes = {
+ podman = { pkgs, ... }: {
+ virtualisation.podman.enable = true;
+ virtualisation.podman.defaultNetwork.dnsname.enable = true;
+ };
+ };
+
+ testScript = ''
+ podman.wait_for_unit("sockets.target")
+
+ with subtest("DNS works"): # also tests inter-container tcp routing
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000"
+ )
+ podman.succeed("podman ps | grep webserver")
+ podman.succeed("""
+ for i in `seq 0 120`; do
+ podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \
+ && exit 0
+ sleep 0.5
+ done
+ exit 1
+ """)
+ podman.succeed("podman stop webserver")
+ podman.succeed("podman rm webserver")
+
+ '';
+ }
+)
diff --git a/nixos/tests/podman/tls-ghostunnel.nix b/nixos/tests/podman/tls-ghostunnel.nix
new file mode 100644
index 00000000000..c0bc47cc40b
--- /dev/null
+++ b/nixos/tests/podman/tls-ghostunnel.nix
@@ -0,0 +1,150 @@
+/*
+ This test runs podman as a backend for the Docker CLI.
+ */
+import ../make-test-python.nix (
+ { pkgs, lib, ... }:
+
+ let gen-ca = pkgs.writeScript "gen-ca" ''
+ # Create CA
+ PATH="${pkgs.openssl}/bin:$PATH"
+ openssl genrsa -out ca-key.pem 4096
+ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
+
+ # Create service
+ openssl genrsa -out podman-key.pem 4096
+ openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
+ echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
+ echo extendedKeyUsage = serverAuth >> extfile.cnf
+ openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
+
+ # Create client
+ openssl genrsa -out client-key.pem 4096
+ openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
+ echo extendedKeyUsage = clientAuth > extfile-client.cnf
+ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
+
+ # Create CA 2
+ PATH="${pkgs.openssl}/bin:$PATH"
+ openssl genrsa -out ca-2-key.pem 4096
+ openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
+
+ # Create client signed by CA 2
+ openssl genrsa -out client-2-key.pem 4096
+ openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
+ echo extendedKeyUsage = clientAuth > extfile-client.cnf
+ openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
+
+ '';
+ in
+ {
+ name = "podman-tls-ghostunnel";
+ meta = {
+ maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+ };
+
+ nodes = {
+ podman =
+ { pkgs, ... }:
+ {
+ virtualisation.podman.enable = true;
+ virtualisation.podman.dockerSocket.enable = true;
+ virtualisation.podman.networkSocket = {
+ enable = true;
+ openFirewall = true;
+ server = "ghostunnel";
+ tls.cert = "/root/podman-cert.pem";
+ tls.key = "/root/podman-key.pem";
+ tls.cacert = "/root/ca.pem";
+ };
+
+ environment.systemPackages = [
+ pkgs.docker-client
+ ];
+
+ users.users.alice = {
+ isNormalUser = true;
+ home = "/home/alice";
+ description = "Alice Foobar";
+ extraGroups = ["podman"];
+ };
+
+ };
+
+ client = { ... }: {
+ environment.systemPackages = [
+ # Installs the docker _client_ only
+ # Normally, you'd want `virtualisation.docker.enable = true;`.
+ pkgs.docker-client
+ ];
+ environment.variables.DOCKER_HOST = "podman:2376";
+ environment.variables.DOCKER_TLS_VERIFY = "1";
+ };
+ };
+
+ testScript = ''
+ import shlex
+
+
+ def su_cmd(user, cmd):
+ cmd = shlex.quote(cmd)
+ return f"su {user} -l -c {cmd}"
+
+ def cmd(command):
+ print(f"+{command}")
+ r = os.system(command)
+ if r != 0:
+ raise Exception(f"Command {command} failed with exit code {r}")
+
+ start_all()
+ cmd("${gen-ca}")
+
+ podman.copy_from_host("ca.pem", "/root/ca.pem")
+ podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
+ podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
+
+ client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
+ # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
+ client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
+ client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
+
+ # TODO (ghostunnel): add file watchers so the restart isn't necessary
+ podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
+
+ podman.wait_for_unit("sockets.target")
+ podman.wait_for_unit("ghostunnel-server-podman-socket.service")
+
+ with subtest("Create default network"):
+ podman.succeed("docker network create default")
+
+ with subtest("Root docker cli also works"):
+ podman.succeed("docker version")
+
+ with subtest("A podman member can also still use the docker cli"):
+ podman.succeed(su_cmd("alice", "docker version"))
+
+ with subtest("Run container remotely via docker cli"):
+ client.succeed("docker version")
+
+ # via socket would be nicer
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+
+ client.succeed(
+ "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ client.succeed("docker ps | grep sleeping")
+ podman.succeed("docker ps | grep sleeping")
+ client.succeed("docker stop sleeping")
+ client.succeed("docker rm sleeping")
+
+ with subtest("Clients without cert will be denied"):
+ client.succeed("rm /root/.docker/{cert,key}.pem")
+ client.fail("docker version")
+
+ with subtest("Clients with wrong cert will be denied"):
+ client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
+ client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
+ client.fail("docker version")
+
+ '';
+ }
+)
--
cgit 1.4.1