nixos.virtualisation.containers: Init common /etc/containers configuration module
What's happening now is that both cri-o and podman are creating /etc/containers/policy.json. By splitting out the creation of configuration files we can make the podman module leaner & compose better with other container software.
This commit is contained in:
parent
650df709fb
commit
43f383c464
4 changed files with 157 additions and 119 deletions
|
@ -983,6 +983,7 @@
|
|||
./testing/service-runner.nix
|
||||
./virtualisation/anbox.nix
|
||||
./virtualisation/container-config.nix
|
||||
./virtualisation/containers.nix
|
||||
./virtualisation/nixos-containers.nix
|
||||
./virtualisation/cri-o.nix
|
||||
./virtualisation/docker.nix
|
||||
|
|
150
nixos/modules/virtualisation/containers.nix
Normal file
150
nixos/modules/virtualisation/containers.nix
Normal file
|
@ -0,0 +1,150 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.virtualisation.containers;
|
||||
|
||||
inherit (lib) mkOption types;
|
||||
|
||||
# Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
|
||||
toTOML = name: value: pkgs.runCommandNoCC name {
|
||||
nativeBuildInputs = [ pkgs.remarshal ];
|
||||
value = builtins.toJSON value;
|
||||
passAsFile = [ "value" ];
|
||||
} ''
|
||||
json2toml "$valuePath" "$out"
|
||||
'';
|
||||
|
||||
# Copy configuration files to avoid having the entire sources in the system closure
|
||||
copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
|
||||
cp ${filePath} $out
|
||||
'';
|
||||
in
|
||||
{
|
||||
meta = {
|
||||
maintainers = [] ++ lib.teams.podman.members;
|
||||
};
|
||||
|
||||
options.virtualisation.containers = {
|
||||
|
||||
enable =
|
||||
mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
This option enables the common libpod container configuration module.
|
||||
'';
|
||||
};
|
||||
|
||||
registries = {
|
||||
search = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "docker.io" "quay.io" ];
|
||||
description = ''
|
||||
List of repositories to search.
|
||||
'';
|
||||
};
|
||||
|
||||
insecure = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of insecure repositories.
|
||||
'';
|
||||
};
|
||||
|
||||
block = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of blocked repositories.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
policy = mkOption {
|
||||
default = {};
|
||||
type = types.attrs;
|
||||
example = lib.literalExample ''
|
||||
{
|
||||
default = [ { type = "insecureAcceptAnything"; } ];
|
||||
transports = {
|
||||
docker-daemon = {
|
||||
"" = [ { type = "insecureAcceptAnything"; } ];
|
||||
};
|
||||
};
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Signature verification policy file.
|
||||
If this option is empty the default policy file from
|
||||
<literal>skopeo</literal> will be used.
|
||||
'';
|
||||
};
|
||||
|
||||
users = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of users to set up subuid/subgid mappings for.
|
||||
This is a requirement for running rootless containers.
|
||||
'';
|
||||
};
|
||||
|
||||
libpod = mkOption {
|
||||
default = {};
|
||||
description = "Libpod configuration";
|
||||
type = types.submodule {
|
||||
options = {
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration that should be put in the libpod.conf
|
||||
configuration file
|
||||
'';
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
environment.etc."containers/libpod.conf".text = ''
|
||||
cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
|
||||
cni_config_dir = "/etc/cni/net.d/"
|
||||
|
||||
'' + cfg.libpod.extraConfig;
|
||||
|
||||
environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
|
||||
registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
|
||||
};
|
||||
|
||||
users.extraUsers = builtins.listToAttrs (
|
||||
(
|
||||
builtins.foldl' (
|
||||
acc: user: {
|
||||
values = acc.values ++ [
|
||||
{
|
||||
name = user;
|
||||
value = {
|
||||
subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
|
||||
subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
|
||||
};
|
||||
}
|
||||
];
|
||||
offset = acc.offset + 65536;
|
||||
}
|
||||
)
|
||||
{ values = []; offset = 100000; } (lib.unique cfg.users)
|
||||
).values
|
||||
);
|
||||
|
||||
environment.etc."containers/policy.json".source =
|
||||
if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
|
||||
else copyFile "${pkgs.skopeo.src}/default-policy.json";
|
||||
};
|
||||
|
||||
}
|
|
@ -62,9 +62,7 @@ in
|
|||
log_level = "${cfg.logLevel}"
|
||||
manage_network_ns_lifecycle = true
|
||||
'';
|
||||
environment.etc."containers/policy.json".text = ''
|
||||
{"default": [{"type": "insecureAcceptAnything"}]}
|
||||
'';
|
||||
|
||||
environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
|
||||
{
|
||||
"cniVersion": "0.3.1",
|
||||
|
@ -83,6 +81,9 @@ in
|
|||
}
|
||||
'';
|
||||
|
||||
# Enable common container configuration, this will create policy.json
|
||||
virtualisation.containers.enable = true;
|
||||
|
||||
systemd.services.crio = {
|
||||
description = "Container Runtime Interface for OCI (CRI-O)";
|
||||
documentation = [ "https://github.com/cri-o/cri-o" ];
|
||||
|
|
|
@ -4,7 +4,6 @@ let
|
|||
|
||||
inherit (lib) mkOption types;
|
||||
|
||||
|
||||
# Provides a fake "docker" binary mapping to podman
|
||||
dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
|
||||
outputs = [ "out" "bin" "man" ];
|
||||
|
@ -22,19 +21,11 @@ let
|
|||
done
|
||||
'';
|
||||
|
||||
# Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
|
||||
toTOML = name: value: pkgs.runCommandNoCC name {
|
||||
nativeBuildInputs = [ pkgs.remarshal ];
|
||||
value = builtins.toJSON value;
|
||||
passAsFile = [ "value" ];
|
||||
} ''
|
||||
json2toml "$valuePath" "$out"
|
||||
'';
|
||||
|
||||
# Copy configuration files to avoid having the entire sources in the system closure
|
||||
copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
|
||||
cp ${filePath} $out
|
||||
'';
|
||||
|
||||
in
|
||||
{
|
||||
meta = {
|
||||
|
@ -63,80 +54,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
registries = {
|
||||
search = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "docker.io" "quay.io" ];
|
||||
description = ''
|
||||
List of repositories to search.
|
||||
'';
|
||||
};
|
||||
|
||||
insecure = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of insecure repositories.
|
||||
'';
|
||||
};
|
||||
|
||||
block = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of blocked repositories.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
policy = mkOption {
|
||||
default = {};
|
||||
type = types.attrs;
|
||||
example = lib.literalExample ''
|
||||
{
|
||||
default = [ { type = "insecureAcceptAnything"; } ];
|
||||
transports = {
|
||||
docker-daemon = {
|
||||
"" = [ { type = "insecureAcceptAnything"; } ];
|
||||
};
|
||||
};
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Signature verification policy file.
|
||||
If this option is empty the default policy file from
|
||||
<literal>skopeo</literal> will be used.
|
||||
'';
|
||||
};
|
||||
|
||||
users = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
description = ''
|
||||
List of users to set up subuid/subgid mappings for.
|
||||
This is a requirement for running containers in rootless mode.
|
||||
'';
|
||||
};
|
||||
|
||||
libpod = mkOption {
|
||||
default = {};
|
||||
description = "Libpod configuration";
|
||||
type = types.submodule {
|
||||
options = {
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration that should be put in the libpod.conf
|
||||
configuration file
|
||||
'';
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
@ -154,41 +71,10 @@ in
|
|||
]
|
||||
++ lib.optional cfg.dockerCompat dockerCompat;
|
||||
|
||||
environment.etc."containers/libpod.conf".text = ''
|
||||
cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
|
||||
cni_config_dir = "/etc/cni/net.d/"
|
||||
${cfg.libpod.extraConfig}
|
||||
'';
|
||||
|
||||
environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist";
|
||||
|
||||
environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
|
||||
registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
|
||||
};
|
||||
virtualisation.containers.enable = true;
|
||||
|
||||
users.extraUsers = builtins.listToAttrs (
|
||||
(
|
||||
builtins.foldl' (
|
||||
acc: user: {
|
||||
values = acc.values ++ [
|
||||
{
|
||||
name = user;
|
||||
value = {
|
||||
subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
|
||||
subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
|
||||
};
|
||||
}
|
||||
];
|
||||
offset = acc.offset + 65536;
|
||||
}
|
||||
)
|
||||
{ values = []; offset = 100000; } (lib.unique cfg.users)
|
||||
).values
|
||||
);
|
||||
|
||||
environment.etc."containers/policy.json".source =
|
||||
if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
|
||||
else copyFile "${pkgs.skopeo.src}/default-policy.json";
|
||||
};
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue