nixpkgs/nixos/modules/virtualisation/cri-o.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.virtualisation.cri-o;
in
{
  options.virtualisation.cri-o = {
    enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";

    storageDriver = mkOption {
      type = types.enum ["btrfs" "overlay" "vfs"];
      default = "overlay";
      description = "Storage driver to be used";
    };

    logLevel = mkOption {
      type = types.enum ["trace" "debug" "info" "warn" "error" "fatal"];
      default = "info";
      description = "Log level to be used";
    };

    pauseImage = mkOption {
      type = types.str;
      default = "k8s.gcr.io/pause:3.1";
      description = "Pause image for pod sandboxes to be used";
    };

    pauseCommand = mkOption {
      type = types.str;
      default = "/pause";
      description = "Pause command to be executed";
    };

    registries = mkOption {
      type = types.listOf types.str;
      default = [ "docker.io" "quay.io" ];
      description = "Registries to be configured for unqualified image pull";
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs;
      [ cri-o cri-tools conmon cni-plugins iptables runc utillinux ];
    environment.etc."crictl.yaml".text = ''
      runtime-endpoint: unix:///var/run/crio/crio.sock
    '';
    environment.etc."crio/crio.conf".text = ''
      [crio]
      storage_driver = "${cfg.storageDriver}"

      [crio.image]
      pause_image = "${cfg.pauseImage}"
      pause_command = "${cfg.pauseCommand}"
      registries = [
        ${concatMapStringsSep ", " (x: "\"" + x + "\"") cfg.registries}
      ]

      [crio.runtime]
      conmon = "${pkgs.conmon}/bin/conmon"
      log_level = "${cfg.logLevel}"
      manage_network_ns_lifecycle = true
    '';
    environment.etc."containers/policy.json".text = ''
      {"default": [{"type": "insecureAcceptAnything"}]}
    '';
    environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
      {
        "cniVersion": "0.3.1",
        "name": "crio-bridge",
        "type": "bridge",
        "bridge": "cni0",
        "isGateway": true,
        "ipMasq": true,
        "ipam": {
          "type": "host-local",
          "subnet": "10.88.0.0/16",
          "routes": [
              { "dst": "0.0.0.0/0" }
          ]
        }
      }
    '';

    systemd.services.crio = {
      description = "Container Runtime Interface for OCI (CRI-O)";
      documentation = [ "https://github.com/cri-o/cri-o" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ pkgs.utillinux pkgs.runc pkgs.iptables ];
      serviceConfig = {
        Type = "notify";
        ExecStart = "${pkgs.cri-o}/bin/crio";
        ExecReload = "/bin/kill -s HUP $MAINPID";
        TasksMax = "infinity";
        LimitNOFILE = "1048576";
        LimitNPROC = "1048576";
        LimitCORE = "infinity";
        OOMScoreAdjust = "-999";
        TimeoutStartSec = "0";
        Restart = "on-abnormal";
      };
    };
  };
}
Add cri-o service to modules (#68153) Signed-off-by: Sascha Grunert <sgrunert@suse.com> 2019-09-21 16:18:42 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.virtualisation.cri-o;`
			`in`
			`{`
			`options.virtualisation.cri-o = {`
			`enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";`

			`storageDriver = mkOption {`
			`type = types.enum ["btrfs" "overlay" "vfs"];`
			`default = "overlay";`
			`description = "Storage driver to be used";`
			`};`

			`logLevel = mkOption {`
			`type = types.enum ["trace" "debug" "info" "warn" "error" "fatal"];`
			`default = "info";`
			`description = "Log level to be used";`
			`};`

			`pauseImage = mkOption {`
			`type = types.str;`
			`default = "k8s.gcr.io/pause:3.1";`
			`description = "Pause image for pod sandboxes to be used";`
			`};`

			`pauseCommand = mkOption {`
			`type = types.str;`
			`default = "/pause";`
			`description = "Pause command to be executed";`
			`};`

			`registries = mkOption {`
			`type = types.listOf types.str;`
			`default = [ "docker.io" "quay.io" ];`
			`description = "Registries to be configured for unqualified image pull";`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`environment.systemPackages = with pkgs;`
			`[ cri-o cri-tools conmon cni-plugins iptables runc utillinux ];`
			`environment.etc."crictl.yaml".text = ''`
			`runtime-endpoint: unix:///var/run/crio/crio.sock`
			`'';`
			`environment.etc."crio/crio.conf".text = ''`
			`[crio]`
			`storage_driver = "${cfg.storageDriver}"`

			`[crio.image]`
			`pause_image = "${cfg.pauseImage}"`
			`pause_command = "${cfg.pauseCommand}"`
			`registries = [`
			`${concatMapStringsSep ", " (x: "\"" + x + "\"") cfg.registries}`
			`]`

			`[crio.runtime]`
			`conmon = "${pkgs.conmon}/bin/conmon"`
			`log_level = "${cfg.logLevel}"`
			`manage_network_ns_lifecycle = true`
			`'';`
			`environment.etc."containers/policy.json".text = ''`
			`{"default": [{"type": "insecureAcceptAnything"}]}`
			`'';`
			`environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''`
			`{`
			`"cniVersion": "0.3.1",`
			`"name": "crio-bridge",`
			`"type": "bridge",`
			`"bridge": "cni0",`
			`"isGateway": true,`
			`"ipMasq": true,`
			`"ipam": {`
			`"type": "host-local",`
			`"subnet": "10.88.0.0/16",`
			`"routes": [`
			`{ "dst": "0.0.0.0/0" }`
			`]`
			`}`
			`}`
			`'';`

			`systemd.services.crio = {`
			`description = "Container Runtime Interface for OCI (CRI-O)";`
			`documentation = [ "https://github.com/cri-o/cri-o" ];`
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network.target" ];`
			`path = [ pkgs.utillinux pkgs.runc pkgs.iptables ];`
			`serviceConfig = {`
			`Type = "notify";`
			`ExecStart = "${pkgs.cri-o}/bin/crio";`
			`ExecReload = "/bin/kill -s HUP $MAINPID";`
			`TasksMax = "infinity";`
			`LimitNOFILE = "1048576";`
			`LimitNPROC = "1048576";`
			`LimitCORE = "infinity";`
			`OOMScoreAdjust = "-999";`
			`TimeoutStartSec = "0";`
			`Restart = "on-abnormal";`
			`};`
			`};`
			`};`
			`}`