nixpkgs/nixos/modules/virtualisation/docker.nix

# Systemd services for docker.

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.virtualisation.docker;
  proxy_env = config.networking.proxy.envVars;

in

{
  ###### interface

  options.virtualisation.docker = {
    enable =
      mkOption {
        type = types.bool;
        default = false;
        description =
          ''
            This option enables docker, a daemon that manages
            linux containers. Users in the "docker" group can interact with
            the daemon (e.g. to start or stop containers) using the
            <command>docker</command> command line tool.
          '';
      };

    listenOptions =
      mkOption {
        type = types.listOf types.str;
        default = ["/var/run/docker.sock"];
        description =
          ''
            A list of unix and tcp docker should listen to. The format follows
            ListenStream as described in systemd.socket(5).
          '';
      };

    enableOnBoot =
      mkOption {
        type = types.bool;
        default = true;
        description =
          ''
            When enabled dockerd is started on boot. This is required for
            container, which are created with the
            <literal>--restart=always</literal> flag, to work. If this option is
            disabled, docker might be started on demand by socket activation.
          '';
      };

    liveRestore =
      mkOption {
        type = types.bool;
        default = true;
        description =
          ''
            Allow dockerd to be restarted without affecting running container.
            This option is incompatible with docker swarm.
          '';
      };

    storageDriver =
      mkOption {
        type = types.nullOr (types.enum ["aufs" "btrfs" "devicemapper" "overlay" "overlay2" "zfs"]);
        default = null;
        description =
          ''
            This option determines which Docker storage driver to use. By default
            it let's docker automatically choose preferred storage driver.
          '';
      };

    logDriver =
      mkOption {
        type = types.enum ["none" "json-file" "syslog" "journald" "gelf" "fluentd" "awslogs" "splunk" "etwlogs" "gcplogs"];
        default = "journald";
        description =
          ''
            This option determines which Docker log driver to use.
          '';
      };

    extraOptions =
      mkOption {
        type = types.separatedString " ";
        default = "";
        description =
          ''
            The extra command-line options to pass to
            <command>docker</command> daemon.
          '';
      };

    autoPrune = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to periodically prune Docker resources. If enabled, a
          systemd timer will run <literal>docker system prune -f</literal>
          as specified by the <literal>dates</literal> option.
        '';
      };

      flags = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "--all" ];
        description = ''
          Any additional flags passed to <command>docker system prune</command>.
        '';
      };

      dates = mkOption {
        default = "weekly";
        type = types.str;
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the prune will occur.
        '';
      };
    };
  };

  ###### implementation

  config = mkIf cfg.enable (mkMerge [{
      environment.systemPackages = [ pkgs.docker ];
      users.extraGroups.docker.gid = config.ids.gids.docker;
      systemd.packages = [ pkgs.docker ];

      systemd.services.docker = {
        wantedBy = optional cfg.enableOnBoot "multi-user.target";
        environment = proxy_env;
        serviceConfig = {
          ExecStart = [
            ""
            ''
              ${pkgs.docker}/bin/dockerd \
                --group=docker \
                --host=fd:// \
                --log-driver=${cfg.logDriver} \
                ${optionalString (cfg.storageDriver != null) "--storage-driver=${cfg.storageDriver}"} \
                ${optionalString cfg.liveRestore "--live-restore" } \
                ${cfg.extraOptions}
            ''];
          ExecReload=[
            ""
            "${pkgs.procps}/bin/kill -s HUP $MAINPID"
          ];
        };

        path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
      };

      systemd.sockets.docker = {
        description = "Docker Socket for the API";
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          ListenStream = cfg.listenOptions;
          SocketMode = "0660";
          SocketUser = "root";
          SocketGroup = "docker";
        };
      };


      systemd.services.docker-prune = {
        description = "Prune docker resources";

        restartIfChanged = false;
        unitConfig.X-StopOnRemoval = false;

        serviceConfig.Type = "oneshot";

        script = ''
          ${pkgs.docker}/bin/docker system prune -f ${toString cfg.autoPrune.flags}
        '';

        startAt = optional cfg.autoPrune.enable cfg.autoPrune.dates;
      };
    }
  ]);

  imports = [
    (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed in favor of starting docker at boot")
  ];

}
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`# Systemd services for docker.`

			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`cfg = config.virtualisation.docker;`
docker: pass all proxy variables to docker daemon This makes things as noProxy work too. 2017-04-26 16:55:36 +02:00			`proxy_env = config.networking.proxy.envVars;`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00
			`in`

			`{`
			`###### interface`

			`options.virtualisation.docker = {`
			`enable =`
			`mkOption {`
			`type = types.bool;`
			`default = false;`
			`description =`
			`''`
			`This option enables docker, a daemon that manages`
			`linux containers. Users in the "docker" group can interact with`
			`the daemon (e.g. to start or stop containers) using the`
			`<command>docker</command> command line tool.`
			`'';`
			`};`
docker: update service units from upstream All the new options in detail: Enable docker in multi-user.target make container created with restart=always to start. We still want socket activation as it decouples dependencies between the existing of /var/run/docker.sock and the docker daemon. This means that services can rely on the availability of this socket. Fixes #11478 #21303 wantedBy = ["multi-user.target"]; This allows us to remove the postStart hack, as docker reports on its own when it is ready. Type=notify The following will set unset some limits because overhead in kernel's ressource accounting was observed. Note that these limit only apply to containerd. Containers will have their own limit set. LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity Upgrades may require schema migrations. This can delay the startup of dockerd. TimeoutStartSec=0 Allows docker to create its own cgroup subhierarchy to apply ressource limits on containers. Delegate=true When dockerd is killed, container should be not affected to allow `live restore` to work. KillMode=process 2016-12-20 23:24:17 +01:00
			`listenOptions =`
			`mkOption {`
			`type = types.listOf types.str;`
			`default = ["/var/run/docker.sock"];`
			`description =`
			`''`
			`A list of unix and tcp docker should listen to. The format follows`
			`ListenStream as described in systemd.socket(5).`
			`'';`
			`};`

			`enableOnBoot =`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`mkOption {`
			`type = types.bool;`
nixos/docker: enable socketActivation by default 2015-11-20 23:01:33 +01:00			`default = true;`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`description =`
			`''`
docker: update service units from upstream All the new options in detail: Enable docker in multi-user.target make container created with restart=always to start. We still want socket activation as it decouples dependencies between the existing of /var/run/docker.sock and the docker daemon. This means that services can rely on the availability of this socket. Fixes #11478 #21303 wantedBy = ["multi-user.target"]; This allows us to remove the postStart hack, as docker reports on its own when it is ready. Type=notify The following will set unset some limits because overhead in kernel's ressource accounting was observed. Note that these limit only apply to containerd. Containers will have their own limit set. LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity Upgrades may require schema migrations. This can delay the startup of dockerd. TimeoutStartSec=0 Allows docker to create its own cgroup subhierarchy to apply ressource limits on containers. Delegate=true When dockerd is killed, container should be not affected to allow `live restore` to work. KillMode=process 2016-12-20 23:24:17 +01:00			`When enabled dockerd is started on boot. This is required for`
			`container, which are created with the`
			`<literal>--restart=always</literal> flag, to work. If this option is`
			`disabled, docker might be started on demand by socket activation.`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`'';`
			`};`
docker: update service units from upstream All the new options in detail: Enable docker in multi-user.target make container created with restart=always to start. We still want socket activation as it decouples dependencies between the existing of /var/run/docker.sock and the docker daemon. This means that services can rely on the availability of this socket. Fixes #11478 #21303 wantedBy = ["multi-user.target"]; This allows us to remove the postStart hack, as docker reports on its own when it is ready. Type=notify The following will set unset some limits because overhead in kernel's ressource accounting was observed. Note that these limit only apply to containerd. Containers will have their own limit set. LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity Upgrades may require schema migrations. This can delay the startup of dockerd. TimeoutStartSec=0 Allows docker to create its own cgroup subhierarchy to apply ressource limits on containers. Delegate=true When dockerd is killed, container should be not affected to allow `live restore` to work. KillMode=process 2016-12-20 23:24:17 +01:00
			`liveRestore =`
			`mkOption {`
			`type = types.bool;`
			`default = true;`
			`description =`
			`''`
			`Allow dockerd to be restarted without affecting running container.`
			`This option is incompatible with docker swarm.`
			`'';`
			`};`

docker: Minor improvements, fix failing test - Replace usage of deprecated CLI flag `--daemon` - Introduce `storageDriver` option for module - Fix failing test by using `overlay` storage driver 2015-09-04 00:18:19 +01:00			`storageDriver =`
			`mkOption {`
docker module: updates - logDriver option, use journald for logging by default - keep storage driver intact by default, as docker has sane defaults - do not choose storage driver in tests, docker will choose by itself - use dockerd binary as "docker daemon" command is deprecated and will be removed - add overlay2 to list of storage drivers 2016-09-10 12:55:46 +02:00			`type = types.nullOr (types.enum ["aufs" "btrfs" "devicemapper" "overlay" "overlay2" "zfs"]);`
			`default = null;`
docker: Minor improvements, fix failing test - Replace usage of deprecated CLI flag `--daemon` - Introduce `storageDriver` option for module - Fix failing test by using `overlay` storage driver 2015-09-04 00:18:19 +01:00			`description =`
			`''`
docker module: updates - logDriver option, use journald for logging by default - keep storage driver intact by default, as docker has sane defaults - do not choose storage driver in tests, docker will choose by itself - use dockerd binary as "docker daemon" command is deprecated and will be removed - add overlay2 to list of storage drivers 2016-09-10 12:55:46 +02:00			`This option determines which Docker storage driver to use. By default`
			`it let's docker automatically choose preferred storage driver.`
docker: Minor improvements, fix failing test - Replace usage of deprecated CLI flag `--daemon` - Introduce `storageDriver` option for module - Fix failing test by using `overlay` storage driver 2015-09-04 00:18:19 +01:00			`'';`
			`};`
docker module: updates - logDriver option, use journald for logging by default - keep storage driver intact by default, as docker has sane defaults - do not choose storage driver in tests, docker will choose by itself - use dockerd binary as "docker daemon" command is deprecated and will be removed - add overlay2 to list of storage drivers 2016-09-10 12:55:46 +02:00
			`logDriver =`
			`mkOption {`
			`type = types.enum ["none" "json-file" "syslog" "journald" "gelf" "fluentd" "awslogs" "splunk" "etwlogs" "gcplogs"];`
			`default = "journald";`
			`description =`
			`''`
			`This option determines which Docker log driver to use.`
			`'';`
			`};`

Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`extraOptions =`
			`mkOption {`
nixos/docker: set extraOptions to separatedString type This change is needed if you want to pass extraOptions to docker in multiple nixos modules. 2015-04-25 15:25:15 +02:00			`type = types.separatedString " ";`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`default = "";`
			`description =`
			`''`
			`The extra command-line options to pass to`
			`<command>docker</command> daemon.`
			`'';`
			`};`
docker service: add option to do automatic pruning This allows to run the prune job periodically on a machine. By default the if enabled the job is run once a week. The structure is similar to how system.autoUpgrade works. 2017-07-19 18:20:46 +02:00
			`autoPrune = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
docker module: fix autoPrune.enable description cc #27503 2017-07-21 16:53:50 +02:00			`Whether to periodically prune Docker resources. If enabled, a`
			`systemd timer will run <literal>docker system prune -f</literal>`
			`as specified by the <literal>dates</literal> option.`
docker service: add option to do automatic pruning This allows to run the prune job periodically on a machine. By default the if enabled the job is run once a week. The structure is similar to how system.autoUpgrade works. 2017-07-19 18:20:46 +02:00			`'';`
			`};`

			`flags = mkOption {`
			`type = types.listOf types.str;`
			`default = [];`
			`example = [ "--all" ];`
			`description = ''`
			`Any additional flags passed to <command>docker system prune</command>.`
			`'';`
			`};`

			`dates = mkOption {`
			`default = "weekly";`
			`type = types.str;`
			`description = ''`
			`Specification (in the format described by`
			`<citerefentry><refentrytitle>systemd.time</refentrytitle>`
			`<manvolnum>7</manvolnum></citerefentry>) of the time at`
			`which the prune will occur.`
			`'';`
			`};`
			`};`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`};`

			`###### implementation`

docker: use upstream service file from package 2016-12-24 01:44:10 +01:00			`config = mkIf cfg.enable (mkMerge [{`
			`environment.systemPackages = [ pkgs.docker ];`
nixos: docker, create docker group 2014-09-03 21:22:20 +02:00			`users.extraGroups.docker.gid = config.ids.gids.docker;`
docker: use upstream service file from package 2016-12-24 01:44:10 +01:00			`systemd.packages = [ pkgs.docker ];`

Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`systemd.services.docker = {`
docker: update service units from upstream All the new options in detail: Enable docker in multi-user.target make container created with restart=always to start. We still want socket activation as it decouples dependencies between the existing of /var/run/docker.sock and the docker daemon. This means that services can rely on the availability of this socket. Fixes #11478 #21303 wantedBy = ["multi-user.target"]; This allows us to remove the postStart hack, as docker reports on its own when it is ready. Type=notify The following will set unset some limits because overhead in kernel's ressource accounting was observed. Note that these limit only apply to containerd. Containers will have their own limit set. LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity Upgrades may require schema migrations. This can delay the startup of dockerd. TimeoutStartSec=0 Allows docker to create its own cgroup subhierarchy to apply ressource limits on containers. Delegate=true When dockerd is killed, container should be not affected to allow `live restore` to work. KillMode=process 2016-12-20 23:24:17 +01:00			`wantedBy = optional cfg.enableOnBoot "multi-user.target";`
docker: pass all proxy variables to docker daemon This makes things as noProxy work too. 2017-04-26 16:55:36 +02:00			`environment = proxy_env;`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`serviceConfig = {`
docker: use upstream service file from package 2016-12-24 01:44:10 +01:00			`ExecStart = [`
			`""`
			`''`
			`${pkgs.docker}/bin/dockerd \`
			`--group=docker \`
			`--host=fd:// \`
			`--log-driver=${cfg.logDriver} \`
			`${optionalString (cfg.storageDriver != null) "--storage-driver=${cfg.storageDriver}"} \`
			`${optionalString cfg.liveRestore "--live-restore" } \`
			`${cfg.extraOptions}`
			`''];`
			`ExecReload=[`
			`""`
			`"${pkgs.procps}/bin/kill -s HUP $MAINPID"`
			`];`
docker: pass all proxy variables to docker daemon This makes things as noProxy work too. 2017-04-26 16:55:36 +02:00			`};`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00
modprobe service: drop kmod wrapper 2016-08-14 13:00:52 +03:00			`path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);`
docker module: fix kernel module loading The docker module used different code for socket-activated docker daemon than for the non-socket activated daemon. In particular, if the socket-activated daemon is used, then modprobe wasn't set up to be usable and in PATH for the docker daemon, which resulted in a failure to start the daemon with overlayfs as storageDriver if the `overlay` kernel module wasn't already loaded. This commit fixes that bug (which only appears if socket activation is used), and also reduces the duplication between code paths so that it's easier to keep both in sync in future. 2015-12-24 12:07:45 +01:00			`};`
docker: fix socket permissions Docker socket is world writable. This means any user on the system is able to invoke docker command. (Which is equal to having a root access to the machine.) This commit makes socket group-writable and owned by docker group. Inspired by https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket 2017-03-27 16:11:44 +03:00
			`systemd.sockets.docker = {`
			`description = "Docker Socket for the API";`
			`wantedBy = [ "sockets.target" ];`
			`socketConfig = {`
			`ListenStream = cfg.listenOptions;`
			`SocketMode = "0660";`
			`SocketUser = "root";`
			`SocketGroup = "docker";`
			`};`
			`};`
docker service: add option to do automatic pruning This allows to run the prune job periodically on a machine. By default the if enabled the job is run once a week. The structure is similar to how system.autoUpgrade works. 2017-07-19 18:20:46 +02:00

			`systemd.services.docker-prune = {`
			`description = "Prune docker resources";`

			`restartIfChanged = false;`
			`unitConfig.X-StopOnRemoval = false;`

			`serviceConfig.Type = "oneshot";`

			`script = ''`
			`${pkgs.docker}/bin/docker system prune -f ${toString cfg.autoPrune.flags}`
			`'';`

			`startAt = optional cfg.autoPrune.enable cfg.autoPrune.dates;`
			`};`
docker: update service units from upstream All the new options in detail: Enable docker in multi-user.target make container created with restart=always to start. We still want socket activation as it decouples dependencies between the existing of /var/run/docker.sock and the docker daemon. This means that services can rely on the availability of this socket. Fixes #11478 #21303 wantedBy = ["multi-user.target"]; This allows us to remove the postStart hack, as docker reports on its own when it is ready. Type=notify The following will set unset some limits because overhead in kernel's ressource accounting was observed. Note that these limit only apply to containerd. Containers will have their own limit set. LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity Upgrades may require schema migrations. This can delay the startup of dockerd. TimeoutStartSec=0 Allows docker to create its own cgroup subhierarchy to apply ressource limits on containers. Delegate=true When dockerd is killed, container should be not affected to allow `live restore` to work. KillMode=process 2016-12-20 23:24:17 +01:00			`}`
Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`]);`

docker: deprecate socketActivation option 2017-01-01 09:01:03 +01:00			`imports = [`
			`(mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed in favor of starting docker at boot")`
			`];`

Upgrade docker to 1.1.2 and add docker module This version of module has disabled socketActivation, because until nixos upgrade systemd to at least 214, systemd does not support SocketGroup. So socket is created with "root" group when socketActivation enabled. Should be fixed as soon as systemd upgraded. Includes changes from #3015 and supersedes #3028 2014-07-28 01:00:59 +03:00			`}`