public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/podman: Add dockerSocket.enable

Browse Source 
(cherry picked from commit ff4d83a66727ad13da0f51d00db4eda8a8c50590)
This commit is contained in:
Robert Hensing 2021-05-25 10:26:28 +02:00
parent db05ed8b0d
commit 0c5e6d0bea
2 changed files with 60 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
nixos/modules/virtualisation/podman.nix
View File

@ -46,6 +46,20 @@ in
''; '';
}; };
dockerSocket.enable = mkOption {
type = types.bool;
default = false;
description = ''
Make the Podman socket available in place of the Docker socket, so
Docker tools can find the Podman socket.
Podman implements the Docker API.
Users must be in the <code>podman</code> group in order to connect. As
with Docker, members of this group can gain root access.
'';
};
dockerCompat = mkOption { dockerCompat = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -123,6 +137,11 @@ in
>$out/lib/tmpfiles.d/podman.conf >$out/lib/tmpfiles.d/podman.conf
'') ]; '') ];
systemd.tmpfiles.rules =
lib.optionals cfg.dockerSocket.enable [
"L! /run/docker.sock - - - - /run/podman/podman.sock"
];
users.groups.podman = {}; users.groups.podman = {};
assertions = [ assertions = [
@ -130,6 +149,12 @@ in
assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable; assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
message = "Option dockerCompat conflicts with docker"; message = "Option dockerCompat conflicts with docker";
} }
{
assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
message = ''
The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
'';
}
]; ];
} }
]); ]);

37
nixos/tests/podman.nix
View File

@ -13,10 +13,23 @@ import ./make-test-python.nix (
{ {
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
# To test docker socket support
virtualisation.podman.dockerSocket.enable = true;
environment.systemPackages = [
pkgs.docker-client
];
users.users.alice = { users.users.alice = {
isNormalUser = true; isNormalUser = true;
home = "/home/alice"; home = "/home/alice";
description = "Alice Foobar"; description = "Alice Foobar";
extraGroups = [ "podman" ];
};
users.users.mallory = {
isNormalUser = true;
home = "/home/mallory";
description = "Mallory Foobar";
}; };
}; };
@ -26,9 +39,9 @@ import ./make-test-python.nix (
import shlex import shlex
def su_cmd(cmd): def su_cmd(cmd, user = "alice"):
cmd = shlex.quote(cmd) cmd = shlex.quote(cmd)
return f"su alice -l -c {cmd}" return f"su {user} -l -c {cmd}"
podman.wait_for_unit("sockets.target") podman.wait_for_unit("sockets.target")
@ -105,6 +118,26 @@ import ./make-test-python.nix (
assert pid == "1" assert pid == "1"
pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip() pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
assert pid == "2" assert pid == "2"
with subtest("A podman member can use the docker cli"):
podman.succeed(su_cmd("docker version"))
with subtest("Run container via docker cli"):
podman.succeed("docker network create default")
podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
podman.succeed(
"docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
)
podman.succeed("docker ps | grep sleeping")
podman.succeed("podman ps | grep sleeping")
podman.succeed("docker stop sleeping")
podman.succeed("docker rm sleeping")
with subtest("A podman non-member can not use the docker cli"):
podman.fail(su_cmd("docker version", user="mallory"))
# TODO: add docker-compose test
''; '';
} }
) )