authoradisbladis <adisbladis@gmail.com>2020-04-21 10:22:20 +0100
committeradisbladis <adisbladis@gmail.com>2020-04-21 10:38:39 +0100
commit43f383c46472f3284d8ebe9b61f779270ffd1f78 (patch)
tree4b3d594edcefff0bb60966b165ec7a52d6326c13 /nixos
parent650df709fb9312ec2128ba6a0600d6fb55af0084 (diff)
nixos.virtualisation.containers: Init common /etc/containers configuration module
What's happening now is that both cri-o and podman are creating
/etc/containers/policy.json.

By splitting out the creation of configuration files we can make the
podman module leaner & compose better with other container software.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/virtualisation/containers.nix150
-rw-r--r--nixos/modules/virtualisation/cri-o.nix7
-rw-r--r--nixos/modules/virtualisation/podman.nix118
4 files changed, 157 insertions, 119 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 58f4b05c546..7244a7e0a89 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -983,6 +983,7 @@
   ./testing/service-runner.nix
   ./virtualisation/anbox.nix
   ./virtualisation/container-config.nix
+  ./virtualisation/containers.nix
   ./virtualisation/nixos-containers.nix
   ./virtualisation/cri-o.nix
   ./virtualisation/docker.nix
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
new file mode 100644
index 00000000000..e6127e28486
--- /dev/null
+++ b/nixos/modules/virtualisation/containers.nix
@@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.virtualisation.containers;
+
+  inherit (lib) mkOption types;
+
+  # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
+  toTOML = name: value: pkgs.runCommandNoCC name {
+    nativeBuildInputs = [ pkgs.remarshal ];
+    value = builtins.toJSON value;
+    passAsFile = [ "value" ];
+  } ''
+    json2toml "$valuePath" "$out"
+  '';
+
+  # Copy configuration files to avoid having the entire sources in the system closure
+  copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
+    cp ${filePath} $out
+  '';
+in
+{
+  meta = {
+    maintainers = [] ++ lib.teams.podman.members;
+  };
+
+  options.virtualisation.containers = {
+
+    enable =
+      mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          This option enables the common libpod container configuration module.
+        '';
+      };
+
+    registries = {
+      search = mkOption {
+        type = types.listOf types.str;
+        default = [ "docker.io" "quay.io" ];
+        description = ''
+          List of repositories to search.
+        '';
+      };
+
+      insecure = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List of insecure repositories.
+        '';
+      };
+
+      block = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List of blocked repositories.
+        '';
+      };
+    };
+
+    policy = mkOption {
+      default = {};
+      type = types.attrs;
+      example = lib.literalExample ''
+        {
+          default = [ { type = "insecureAcceptAnything"; } ];
+          transports = {
+            docker-daemon = {
+              "" = [ { type = "insecureAcceptAnything"; } ];
+            };
+          };
+        }
+      '';
+      description = ''
+        Signature verification policy file.
+        If this option is empty the default policy file from
+        <literal>skopeo</literal> will be used.
+      '';
+    };
+
+    users = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      description = ''
+        List of users to set up subuid/subgid mappings for.
+        This is a requirement for running rootless containers.
+      '';
+    };
+
+    libpod = mkOption {
+      default = {};
+      description = "Libpod configuration";
+      type = types.submodule {
+        options = {
+
+          extraConfig = mkOption {
+            type = types.lines;
+            default = "";
+            description = ''
+              Extra configuration that should be put in the libpod.conf
+              configuration file
+            '';
+
+          };
+        };
+      };
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    environment.etc."containers/libpod.conf".text = ''
+      cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
+      cni_config_dir = "/etc/cni/net.d/"
+
+    '' + cfg.libpod.extraConfig;
+
+    environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
+      registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
+    };
+
+    users.extraUsers = builtins.listToAttrs (
+      (
+        builtins.foldl' (
+          acc: user: {
+            values = acc.values ++ [
+              {
+                name = user;
+                value = {
+                  subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
+                  subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
+                };
+              }
+            ];
+            offset = acc.offset + 65536;
+          }
+        )
+        { values = []; offset = 100000; } (lib.unique cfg.users)
+      ).values
+    );
+
+    environment.etc."containers/policy.json".source =
+      if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+      else copyFile "${pkgs.skopeo.src}/default-policy.json";
+  };
+
+}
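Review bot: The `policy` option's description (`Signature verification policy file. If this option is empty the default policy file from skopeo will be used.`) does not say what that default permits, although this file is what decides whether unsigned images are pulled and run; unless skopeo's shipped default-policy.json differs from the example given just above it, the default accepts any image with no signature check at all. Suggest making that explicit, e.g. `Signature verification policy (containers-policy.json). If left empty, skopeo's default policy is used, which accepts unsigned images; set an explicit policy to require signatures.` A second point, in the `users.extraUsers` fold: subuid/subgid ranges are handed out by position in `lib.unique cfg.users` starting at 100000, so removing or reordering an entry shifts the range of every later user, and the files in their existing rootless storage then map to different host ids; the code also performs no check against ranges declared elsewhere for the same user. Documenting both in the `users` description would save a confusing debugging session later.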
diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix
index 14a435f6c8b..7882b7fc19d 100644
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@@ -62,9 +62,7 @@ in
       log_level = "${cfg.logLevel}"
       manage_network_ns_lifecycle = true
     '';
-    environment.etc."containers/policy.json".text = ''
-      {"default": [{"type": "insecureAcceptAnything"}]}
-    '';
+
     environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
       {
         "cniVersion": "0.3.1",
@@ -83,6 +81,9 @@ in
       }
     '';
 
+    # Enable common container configuration, this will create policy.json
+    virtualisation.containers.enable = true;
+
     systemd.services.crio = {
       description = "Container Runtime Interface for OCI (CRI-O)";
       documentation = [ "https://github.com/cri-o/cri-o" ];
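Review bot: Replacing the inline `{"default": [{"type": "insecureAcceptAnything"}]}` (removed in the previous hunk) with `virtualisation.containers.enable = true` ties cri-o's policy.json to `virtualisation.containers.policy`, whose fallback is skopeo's default-policy.json rather than the literal the module wrote before, so this is a behaviour change whenever that file differs; the new comment could say so: `# Enable common container configuration; policy.json now comes from virtualisation.containers.policy (skopeo's default policy when unset)`. Enabling the common module also installs registries.conf, libpod.conf and subuid/subgid mappings on cri-o hosts, which the old module did not — worth a sentence in the comment or commit message if that is intended. The enclosing config attribute set starts and ends outside the hunk.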
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index aa4846837c4..2ec45fa18a4 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -4,7 +4,6 @@ let
 
   inherit (lib) mkOption types;
 
-
   # Provides a fake "docker" binary mapping to podman
   dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
     outputs = [ "out" "bin" "man" ];
@@ -22,19 +21,11 @@ let
     done
   '';
 
-  # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
-  toTOML = name: value: pkgs.runCommandNoCC name {
-    nativeBuildInputs = [ pkgs.remarshal ];
-    value = builtins.toJSON value;
-    passAsFile = [ "value" ];
-  } ''
-    json2toml "$valuePath" "$out"
-  '';
-
   # Copy configuration files to avoid having the entire sources in the system closure
   copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
     cp ${filePath} $out
   '';
+
 in
 {
   meta = {
@@ -63,80 +54,6 @@ in
       '';
     };
 
-    registries = {
-      search = mkOption {
-        type = types.listOf types.str;
-        default = [ "docker.io" "quay.io" ];
-        description = ''
-          List of repositories to search.
-        '';
-      };
-
-      insecure = mkOption {
-        default = [];
-        type = types.listOf types.str;
-        description = ''
-          List of insecure repositories.
-        '';
-      };
-
-      block = mkOption {
-        default = [];
-        type = types.listOf types.str;
-        description = ''
-          List of blocked repositories.
-        '';
-      };
-    };
-
-    policy = mkOption {
-      default = {};
-      type = types.attrs;
-      example = lib.literalExample ''
-        {
-          default = [ { type = "insecureAcceptAnything"; } ];
-          transports = {
-            docker-daemon = {
-              "" = [ { type = "insecureAcceptAnything"; } ];
-            };
-          };
-        }
-      '';
-      description = ''
-        Signature verification policy file.
-        If this option is empty the default policy file from
-        <literal>skopeo</literal> will be used.
-      '';
-    };
-
-    users = mkOption {
-      default = [];
-      type = types.listOf types.str;
-      description = ''
-        List of users to set up subuid/subgid mappings for.
-        This is a requirement for running containers in rootless mode.
-      '';
-    };
-
-    libpod = mkOption {
-      default = {};
-      description = "Libpod configuration";
-      type = types.submodule {
-        options = {
-
-          extraConfig = mkOption {
-            type = types.lines;
-            default = "";
-            description = ''
-              Extra configuration that should be put in the libpod.conf
-              configuration file
-            '';
-
-          };
-        };
-      };
-    };
-
   };
 
   config = lib.mkIf cfg.enable {
@@ -154,41 +71,10 @@ in
     ]
     ++ lib.optional cfg.dockerCompat dockerCompat;
 
-    environment.etc."containers/libpod.conf".text = ''
-      cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
-      cni_config_dir = "/etc/cni/net.d/"
-      ${cfg.libpod.extraConfig}
-    '';
-
     environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist";
 
-    environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
-      registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
-    };
+    virtualisation.containers.enable = true;
 
-    users.extraUsers = builtins.listToAttrs (
-      (
-        builtins.foldl' (
-          acc: user: {
-            values = acc.values ++ [
-              {
-                name = user;
-                value = {
-                  subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
-                  subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
-                };
-              }
-            ];
-            offset = acc.offset + 65536;
-          }
-        )
-        { values = []; offset = 100000; } (lib.unique cfg.users)
-      ).values
-    );
-
-    environment.etc."containers/policy.json".source =
-      if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
-      else copyFile "${pkgs.skopeo.src}/default-policy.json";
   };
 
 }
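Review bot: The options `virtualisation.podman.registries`, `.policy`, `.users` and `.libpod` are removed (the `@@ -63,80 +54,6 @@` hunk) with no `mkRenamedOptionModule` aliases, so an existing configuration that sets any of them will, as far as I can tell, fail to evaluate with an undefined-option error rather than being redirected to `virtualisation.containers.*`. Adding aliases under `imports` keeps existing configs working and points users at the new location, for example `imports = [ (lib.mkRenamedOptionModule [ "virtualisation" "podman" "users" ] [ "virtualisation" "containers" "users" ]) ];` with one entry per moved option. Note also that the removed libpod.conf interpolated `${cfg.libpod.extraConfig}` inside the string while the new module appends it after a blank line; the generated file is equivalent in effect, but the layout shift is expected.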