diff options
| author | Sascha Grunert <sgrunert@suse.com> | 2020-08-31 14:35:45 +0200 |
|---|---|---|
| committer | zowoq <59103226+zowoq@users.noreply.github.com> | 2020-09-02 21:53:37 +1000 |
| commit | 27b0c4b15155ede4e42975a8e4c4a68b85b86f9d (patch) | |
| tree | 97de7187660b6c2c8297aaad9b01977a151ae9b5 /nixos/modules/virtualisation/containers.nix | |
| parent | ee0d559dae1bd2bdf3591b3efc5ce832ebbf2b1d (diff) | |
| download | nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.tar nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.tar.gz nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.tar.bz2 nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.tar.lz nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.tar.xz nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.tar.zst nixpkgs-27b0c4b15155ede4e42975a8e4c4a68b85b86f9d.zip | |
nixos/containers: add oci-seccomp-bpf-hook
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Diffstat (limited to 'nixos/modules/virtualisation/containers.nix')
| -rw-r--r-- | nixos/modules/virtualisation/containers.nix | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 3a6767d84a9..de97ba3f7bb 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -43,6 +43,12 @@ in ''; }; + ociSeccompBpfHook.enable = mkOption { + type = types.bool; + default = false; + description = "Enable the OCI seccomp BPF hook"; + }; + containersConf = mkOption { default = {}; description = "containers.conf configuration"; @@ -116,6 +122,12 @@ in [network] cni_plugin_dirs = ["${pkgs.cni-plugins}/bin/"] + ${lib.optionalString (cfg.ociSeccompBpfHook.enable == true) '' + [engine] + hooks_dir = [ + "${config.boot.kernelPackages.oci-seccomp-bpf-hook}", + ] + ''} '' + cfg.containersConf.extraConfig; environment.etc."containers/registries.conf".source = toTOML "registries.conf" { |