From ac776695313a2da0ee99ba328da474f606a7a9d9 Mon Sep 17 00:00:00 2001 From: Yueh-Shun Li Date: Tue, 22 Aug 2023 18:05:31 +0800 Subject: [PATCH] apptainer, singularity: make LOCALSTATEDIR internal by default Use "$out/var/lib" as LOCALSTATEDIR configuration value by default instead of "/var/lib" as a way toward top-level-directory independent runtime. Add input argument externalLocalStateDir to optionally specify the path to external LOCALSTATEDIR if not null. Add NixOS module option programs.singularity.enableExternalLocalStateDir (defaults to true) to use "/var/lib" as LOCALSTATEDIR. --- .../manual/release-notes/rl-2311.section.md | 4 ++++ nixos/modules/programs/singularity.nix | 18 ++++++++++++++++-- .../virtualization/singularity/generic.nix | 5 ++++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 825b1c5bd407..4d34a5315ab9 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md 
@@ -177,6 +177,10 @@
 - A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant.
+- Apptainer/Singularity now defaults to using `"$out/var/lib"` for the `LOCALSTATEDIR` configuration option instead of the top-level `"/var/lib"`. This change impacts the `SESSIONDIR` (container-run-time mount point) configuration, which is set to `$LOCALSTATEDIR//mnt/session`. This detaches the packages from the top-level directory, rendering the NixOS module optional.
+
+ The default behavior of the NixOS module `programs.singularity` stays unchanged. We add a new option `programs.singularity.enableExternalSysConfDir` (default to `true`) to specify whether to set the top-level `"/var/lib"` as `LOCALSTATEDIR` or not.
+
 - DocBook option documentation is no longer supported, all module documentation now uses markdown.
 - `buildGoModule` `go-modules` attrs have been renamed to `goModules`.
diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix
index 2e2074654715..79695b29beca 100644
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@@ -45,6 +45,18 @@ in
 Use `lib.mkForce` to forcefully specify the overridden package.
 '';
 };
+ enableExternalLocalStateDir = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = mdDoc ''
+ Whether to use top-level directories as LOCALSTATEDIR
+ instead of the store path ones.
+ This affects the SESSIONDIR of Apptainer/Singularity.
+ If set to true, the SESSIONDIR will become
+ `/var/lib/''${projectName}/mnt/session`.
+ '';
+ };
 enableFakeroot = mkOption {
 type = types.bool;
 default = true;
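Review bot: The description of `enableExternalLocalStateDir` explains only the `true` case, and the release note added in this same commit calls the option `programs.singularity.enableExternalSysConfDir`, so an administrator following the release notes will not find the option by that name. I would add to the description: `If set to false, the SESSIONDIR presumably lives under the package's store path (`$out/var/lib/''${projectName}/mnt/session`), which is read-only and requires no host-side directory.` The name mismatch should be fixed on the release-note side so both documents agree on `enableExternalLocalStateDir`. The surrounding `options` attribute set starts before this hunk.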
@@ -65,7 +77,9 @@ in
 config = mkIf cfg.enable {
 programs.singularity.packageOverriden = (cfg.package.override (
- optionalAttrs cfg.enableFakeroot {
+ optionalAttrs cfg.enableExternalLocalStateDir {
+ externalLocalStateDir = "/var/lib";
+ } // optionalAttrs cfg.enableFakeroot {
 newuidmapPath = "/run/wrappers/bin/newuidmap";
 newgidmapPath = "/run/wrappers/bin/newgidmap";
 } // optionalAttrs cfg.enableSuid {
@@ -80,7 +94,7 @@ in
 group = "root";
 source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";
 };
- systemd.tmpfiles.rules = [
+ systemd.tmpfiles.rules = mkIf cfg.enableExternalLocalStateDir [
 "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
 ];
 };
diff --git a/pkgs/applications/virtualization/singularity/generic.nix b/pkgs/applications/virtualization/singularity/generic.nix
index 2e4d589d158e..7451bcf6b96f 100644
--- a/pkgs/applications/virtualization/singularity/generic.nix
+++ b/pkgs/applications/virtualization/singularity/generic.nix
@@ -71,6 +71,8 @@ in
 , newuidmapPath ? null
 # Path to SUID-ed newgidmap executable
 , newgidmapPath ? null
+ # External LOCALSTATEDIR
+, externalLocalStateDir ? null
 # Remove the symlinks to `singularity*` when projectName != "singularity"
 , removeCompat ? false
 # Workaround #86349
@@ -106,6 +108,7 @@ in
 inherit
 enableSeccomp
 enableSuid
+ externalLocalStateDir
 projectName
 removeCompat
 starterSuidPath
@@ -141,7 +144,7 @@ in
 configureScript = "./mconfig";
 configureFlags = [
- "--localstatedir=/var/lib"
+ "--localstatedir=${if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"}"
 "--runstatedir=/var/run"
 ] ++ lib.optional (!enableSeccomp) "--without-seccomp"
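Review bot: The override hard-codes the string `"/var/lib"` here while the package parameter it feeds, `externalLocalStateDir`, accepts any path, so the bool option exposes a narrower interface than the package offers and the same literal is re-typed in the tmpfiles rule in the next hunk. A single `let externalLocalStateDir = "/var/lib";` binding at the top of the module (or an option of type `types.nullOr types.path` with that default) would keep the two sites in sync, and this hunk would read `optionalAttrs cfg.enableExternalLocalStateDir { inherit externalLocalStateDir; }`. The `config` attribute set continues outside the hunk.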
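Review bot: The tmpfiles rule rebuilds the session path from a second copy of the `/var/lib` literal, so if the value passed to the package override ever changes, the directory systemd creates will silently diverge from the one the package was configured with. Since `externalLocalStateDir` is inherited next to `projectName` in generic.nix and `projectName` is already read back as `cfg.packageOverriden.projectName` in this hunk, the rule can presumably read the same attribute: `"d ${cfg.packageOverriden.externalLocalStateDir}/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"`. A one-line comment above the `mkIf` saying that no directory is created when the option is off because the mount point then lives under the read-only store path would also help the next reader.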
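Review bot: The comment `# External LOCALSTATEDIR` on the new parameter says less than its neighbours, which state what value is expected (`# Path to SUID-ed newgidmap executable`), and it does not mention what `null` means. I would replace it with two lines: `# Absolute path to use as LOCALSTATEDIR at runtime (SESSIONDIR is placed under it);` followed by `# null keeps it under $out/var/lib so the package does not depend on the host's /var/lib`. The argument list starts before this hunk.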
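Review bot: `externalLocalStateDir` is interpolated into `--localstatedir=` without any check, so an empty string, a relative path or a path with a trailing slash reaches mconfig unchanged and any error surfaces only when a container is started. Wrapping the value as `lib.throwIfNot (externalLocalStateDir == null || lib.hasPrefix "/" externalLocalStateDir) "externalLocalStateDir must be an absolute path" externalLocalStateDir` would fail at evaluation time instead; `lib` is already in scope, as the `lib.optional` on the last line shows. Separately, `--runstatedir=/var/run` on the next line is still a top-level directory, so the commit's stated goal of a top-level-directory independent runtime is only partly reached; if the run-state dir is consulted at runtime it deserves the same treatment, otherwise a short comment saying why it is left alone. The `configureFlags` expression continues past the hunk's last line.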