diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index 202e166443a..e979e9efcf5 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -6587,6 +6587,16 @@
 githubId = 1387206;
 name = "Mike Sperber";
 };
+ mikroskeem = {
+ email = "mikroskeem@mikroskeem.eu";
+ github = "mikroskeem";
+ githubId = 3490861;
+ name = "Mark Vainomaa";
+ keys = [{
+ longkeyid = "rsa4096/0xDA015B05B5A11B22";
+ fingerprint = "DB43 2895 CF68 F0CE D4B7 EF60 DA01 5B05 B5A1 1B22";
+ }];
+ };
 milesbreslin = {
 email = "milesbreslin@gmail.com";
 github = "milesbreslin";
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 7a0a90f4bd2..326428b95c3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1111,6 +1111,7 @@
 ./virtualisation/openvswitch.nix
 ./virtualisation/parallels-guest.nix
 ./virtualisation/podman.nix
+ ./virtualisation/podman-network-socket-ghostunnel.nix
 ./virtualisation/qemu-guest-agent.nix
 ./virtualisation/railcar.nix
 ./virtualisation/spice-usb-redirection.nix
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 3974caf2233..45d4f877ae5 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -48,6 +48,23 @@ in
 description = "containers.conf configuration";
 };
+ containersConf.cniPlugins = mkOption {
+ type = types.listOf types.package;
+ defaultText = ''
+ [
+ pkgs.cni-plugins
+ ]
+ '';
+ example = lib.literalExample ''
+ [
+ pkgs.cniPlugins.dnsname
+ ]
+ '';
+ description = ''
+ CNI plugins to install on the system.
+ '';
+ };
+
 registries = {
 search = mkOption {
 type = types.listOf types.str;
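Review bot: `containersConf.cniPlugins` declares a `defaultText` but no `default`; the actual default is supplied in the next hunk as an unconditional definition `virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];`, so a user's own list is merged with it rather than replacing it, which neither the `defaultText` nor the description says. Either move it into the option as `default = [ pkgs.cni-plugins ];` and drop the config definition, or keep the config definition and state in the description that `pkgs.cni-plugins` is always included and further entries are appended. The `example` also names `pkgs.cniPlugins.dnsname`, while the attribute this commit adds in all-packages.nix is `dnsname-cni`; one of the two should be corrected.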
@@ -97,8 +114,11 @@ in
 };
 config = lib.mkIf cfg.enable {
+
+ virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
+
 virtualisation.containers.containersConf.settings = {
- network.cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin/" ];
+ network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
 engine = {
 init_path = "${pkgs.catatonit}/bin/catatonit";
 } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
diff --git a/nixos/modules/virtualisation/podman-dnsname.nix b/nixos/modules/virtualisation/podman-dnsname.nix
new file mode 100644
index 00000000000..beef1975507
--- /dev/null
+++ b/nixos/modules/virtualisation/podman-dnsname.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib)
+ mkOption
+ mkIf
+ types
+ ;
+
+ cfg = config.virtualisation.podman;
+
+in
+{
+ options = {
+ virtualisation.podman = {
+
+ defaultNetwork.dnsname.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable DNS resolution in the default podman network.
+ '';
+ };
+
+ };
+ };
+
+ config = {
+ virtualisation.containers.containersConf.cniPlugins = mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
+ virtualisation.podman.defaultNetwork.extraPlugins =
+ lib.optional cfg.defaultNetwork.dnsname.enable {
+ type = "dnsname";
+ domainName = "dns.podman";
+ capabilities.aliases = true;
+ };
+ };
+}
diff --git a/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix b/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
new file mode 100644
index 00000000000..a0e7e433164
--- /dev/null
+++ b/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
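Review bot: The new podman-dnsname.nix module declares no `meta.maintainers`, unlike the two sibling `podman-network-socket*.nix` modules added in this commit, which both set `meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];`. The description of `defaultNetwork.dnsname.enable` also says nothing about what it installs; since the config half adds `pkgs.dnsname-cni` to the CNI plugins and a plugin entry with `domainName = "dns.podman"`, a description such as `Enable DNS resolution in the default podman network by adding the dnsname CNI plugin, so containers can reach each other by name under the dns.podman domain.` would tell users what changes on their system.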
@@ -0,0 +1,34 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ options.virtualisation.podman.networkSocket = {
+ server = mkOption {
+ type = types.enum [ "ghostunnel" ];
+ };
+ };
+
+ config = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
+
+ services.ghostunnel = {
+ enable = true;
+ servers."podman-socket" = {
+ inherit (cfg.tls) cert key cacert;
+ listen = "${cfg.listenAddress}:${toString cfg.port}";
+ target = "unix:/run/podman/podman.sock";
+ allowAll = lib.mkDefault true;
+ };
+ };
+ systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
+
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
diff --git a/nixos/modules/virtualisation/podman-network-socket.nix b/nixos/modules/virtualisation/podman-network-socket.nix
new file mode 100644
index 00000000000..1429164630b
--- /dev/null
+++ b/nixos/modules/virtualisation/podman-network-socket.nix
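Review bot: `allowAll = lib.mkDefault true` makes possession of any certificate chaining to `tls.cacert` the entire authorization decision for a socket that podman.nix's `dockerSocket.enable` description calls root-equivalent, and nothing on this line or in the option descriptions says so. A comment such as `# Every client certificate issued by tls.cacert is accepted; restrict this in services.ghostunnel.servers."podman-socket" if that CA also issues certificates for other purposes` would make the trust boundary explicit for anyone relying on the default. Separately, the module's argument list reads `{ config, lib, pkg, ... }`; `pkg` is unused here and in podman-network-socket.nix and looks like a slip for `pkgs`.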
@@ -0,0 +1,91 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ options.virtualisation.podman.networkSocket = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman and Docker compatibility API available over the network
+ with TLS client certificate authentication.
+
+ This allows Docker clients to connect with the equivalents of the Docker
+ CLI -H and --tls* family of options.
+
+ For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+ This option is independent of .
+ '';
+ };
+
+ server = mkOption {
+ type = types.enum [];
+ description = ''
+ Choice of TLS proxy server.
+ '';
+ example = "ghostunnel";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the port in the firewall.
+ '';
+ };
+
+ tls.cacert = mkOption {
+ type = types.path;
+ description = ''
+ Path to CA certificate to use for client authentication.
+ '';
+ };
+
+ tls.cert = mkOption {
+ type = types.path;
+ description = ''
+ Path to certificate describing the server.
+ '';
+ };
+
+ tls.key = mkOption {
+ type = types.path;
+ description = ''
+ Path to the private key corresponding to the server certificate.
+
+ Use a string for this setting. Otherwise it will be copied to the Nix
+ store first, where it is readable by any system process.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2376;
+ description = ''
+ TCP port number for receiving TLS connections.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Interface address for receiving TLS connections.
+ '';
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts =
+ lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
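Review bot: The `enable` description ends in `This option is independent of .`, so the option it contrasts with is missing from the text as shown here; presumably this was a reference to `virtualisation.podman.dockerSocket.enable`, and it should either be checked in the generated manual or spelled out as `This option is independent of virtualisation.podman.dockerSocket.enable.`. The same description says the API is protected by client certificate authentication but not what a successful client obtains; the `dockerSocket.enable` text in podman.nix states that socket users can gain root access, and repeating that sentence here keeps the two entry points to the same socket consistent. `listenAddress` defaulting to `0.0.0.0` is reasonable given `openFirewall` defaults to false, but its description could say that this binds every interface, for readers who open the port themselves.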
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index d6421d488b8..e245004e04a 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -1,7 +1,8 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, ... }:
 let
 cfg = config.virtualisation.podman;
 toml = pkgs.formats.toml { };
+ json = pkgs.formats.json { };
 inherit (lib) mkOption types;
@@ -22,9 +23,24 @@ let
 done
 '';
+ net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
+ nativeBuildInputs = [ pkgs.jq ];
+ extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
+ jqScript = ''
+ . + { "plugins": (.plugins + $extraPlugins) }
+ '';
+ } ''
+ jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
+ --argjson extraPlugins "$extraPlugins" \
+ "$jqScript" \
+ >$out
+ '';
+
 in
 {
 imports = [
+ ./podman-dnsname.nix
+ ./podman-network-socket.nix
 (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
 ];
@@ -46,6 +62,20 @@ in
 '';
 };
+ dockerSocket.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman socket available in place of the Docker socket, so
+ Docker tools can find the Podman socket.
+
+ Podman implements the Docker API.
+
+ Users must be in the podman group in order to connect. As
+ with Docker, members of this group can gain root access.
+ '';
+ };
+
 dockerCompat = mkOption {
 type = types.bool;
 default = false;
@@ -84,6 +114,13 @@ in
 '';
 };
+ defaultNetwork.extraPlugins = lib.mkOption {
+ type = types.listOf json.type;
+ default = [];
+ description = ''
+ Extra CNI plugin configurations to add to podman's default network.
+ '';
+ };
 };
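Review bot: The `defaultNetwork.extraPlugins` description does not say where the entries land; the `net-conflist` jq script in the earlier hunk does `.plugins + $extraPlugins`, i.e. they are appended after podman's own plugins from `87-podman-bridge.conflist`, and CNI executes plugins in list order, so a description like `Extra CNI plugin configurations, appended in order after podman's own plugins in the default network's conflist.` tells module authors (podman-dnsname.nix already relies on this) what they may assume. `net-conflist` also reads the conflist from `${cfg.package}/etc/cni/net.d/`, a path that only exists because wrapper.nix now symlinks `etc`; a one-line comment on the `jq <` line noting that dependency would save whoever next overrides `package` a confusing build failure.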
@@ -92,7 +129,7 @@ in
 environment.systemPackages = [ cfg.package ] ++ lib.optional cfg.dockerCompat dockerCompat;
- environment.etc."cni/net.d/87-podman-bridge.conflist".source = utils.copyFile "${pkgs.podman-unwrapped.src}/cni/87-podman-bridge.conflist";
+ environment.etc."cni/net.d/87-podman-bridge.conflist".source = net-conflist;
 virtualisation.containers = {
 enable = true; # Enable common /etc/containers configuration
@@ -111,14 +148,36 @@ in
 };
 systemd.sockets.podman.wantedBy = [ "sockets.target" ];
+ systemd.sockets.podman.socketConfig.SocketGroup = "podman";
- systemd.tmpfiles.packages = [ cfg.package ];
+ systemd.tmpfiles.packages = [
+ # The /run/podman rule interferes with our podman group, so we remove
+ # it and let the systemd socket logic take care of it.
+ (pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
+ mkdir -p $out/lib/tmpfiles.d/
+ grep -v 'D! /run/podman 0700 root root' \
+ <$package/lib/tmpfiles.d/podman.conf \
+ >$out/lib/tmpfiles.d/podman.conf
+ '') ];
+
+ systemd.tmpfiles.rules =
+ lib.optionals cfg.dockerSocket.enable [
+ "L! /run/docker.sock - - - - /run/podman/podman.sock"
+ ];
+
+ users.groups.podman = {};
 assertions = [
 {
 assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
 message = "Option dockerCompat conflicts with docker";
 }
+ {
+ assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
+ message = ''
+ The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
+ '';
+ }
 ];
 }
 ]);
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e3f92ce451c..917d2f54efe 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
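Review bot: `systemd.sockets.podman.socketConfig.SocketGroup = "podman"` sets the owning group but the hunk sets no `SocketMode`, so whether non-members such as `mallory` in the updated test are actually refused depends on the mode the vendored `podman.socket` unit ships, which is not visible here; adding `systemd.sockets.podman.socketConfig.SocketMode = "0660";` beside it makes the group boundary an explicit property of the module rather than of the upstream unit. The tmpfiles filter `grep -v 'D! /run/podman 0700 root root'` silently keeps the rule if upstream ever rewords it, which would recreate `/run/podman` as 0700 root and break group access without any build-time signal; a preceding `grep -q 'D! /run/podman 0700 root root' $package/lib/tmpfiles.d/podman.conf` turns that drift into a build failure. The comment above it could also mention that the rule text must match the vendored podman.conf exactly.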
@@ -334,6 +334,8 @@ in
 plotinus = handleTest ./plotinus.nix {};
 podgrab = handleTest ./podgrab.nix {};
 podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
+ podman-dnsname = handleTestOn ["x86_64-linux"] ./podman-dnsname.nix {};
+ podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman-tls-ghostunnel.nix {};
 pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
 postfix = handleTest ./postfix.nix {};
 postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
diff --git a/nixos/tests/podman-dnsname.nix b/nixos/tests/podman-dnsname.nix
new file mode 100644
index 00000000000..dd352f754dc
--- /dev/null
+++ b/nixos/tests/podman-dnsname.nix
@@ -0,0 +1,42 @@
+import ./make-test-python.nix (
+ { pkgs, lib, ... }:
+ let
+ inherit (pkgs) writeTextDir python3 curl;
+ webroot = writeTextDir "index.html" "

Hi

";
+ in
+ {
+ name = "podman-dnsname";
+ meta = {
+ maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members;
+ };
+
+ nodes = {
+ podman = { pkgs, ... }: {
+ virtualisation.podman.enable = true;
+ virtualisation.podman.defaultNetwork.dnsname.enable = true;
+ };
+ };
+
+ testScript = ''
+ podman.wait_for_unit("sockets.target")
+
+ with subtest("DNS works"): # also tests inter-container tcp routing
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000"
+ )
+ podman.succeed("podman ps | grep webserver")
+ podman.succeed("""
+ for i in `seq 0 120`; do
+ podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \
+ && exit 0
+ sleep 0.5
+ done
+ exit 1
+ """)
+ podman.succeed("podman stop webserver")
+ podman.succeed("podman rm webserver")
+
+ '';
+ }
+)
diff --git a/nixos/tests/podman-tls-ghostunnel.nix b/nixos/tests/podman-tls-ghostunnel.nix
new file mode 100644
index 00000000000..0e687b199b2
--- /dev/null
+++ b/nixos/tests/podman-tls-ghostunnel.nix
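Review bot: The `DNS works` subtest reimplements polling with a 120-iteration shell loop inside `podman.succeed("""...""")`; the test driver's `podman.wait_until_succeeds(...)` does the same with a timeout and clearer failure output, so the `podman run --rm --name=client ... curl http://webserver:8000` command could be passed to it directly and the `for`/`sleep`/`exit 1` scaffolding dropped. The trailing `# also tests inter-container tcp routing` would be easier to find as a comment line of its own above the `with`, or folded into the subtest name. The `webroot` definition reads as a one-line `writeTextDir "index.html" "..."` in the hunk counts but its content is not legible in this rendering, so that line should be checked in the raw commit.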
@@ -0,0 +1,150 @@
+/*
+ This test runs podman as a backend for the Docker CLI.
+ */
+import ./make-test-python.nix (
+ { pkgs, lib, ... }:
+
+ let gen-ca = pkgs.writeScript "gen-ca" ''
+ # Create CA
+ PATH="${pkgs.openssl}/bin:$PATH"
+ openssl genrsa -out ca-key.pem 4096
+ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
+
+ # Create service
+ openssl genrsa -out podman-key.pem 4096
+ openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
+ echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
+ echo extendedKeyUsage = serverAuth >> extfile.cnf
+ openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
+
+ # Create client
+ openssl genrsa -out client-key.pem 4096
+ openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
+ echo extendedKeyUsage = clientAuth > extfile-client.cnf
+ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
+
+ # Create CA 2
+ PATH="${pkgs.openssl}/bin:$PATH"
+ openssl genrsa -out ca-2-key.pem 4096
+ openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
+
+ # Create client signed by CA 2
+ openssl genrsa -out client-2-key.pem 4096
+ openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
+ echo extendedKeyUsage = clientAuth > extfile-client.cnf
+ openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
+
+ '';
+ in
+ {
+ name = "podman-tls-ghostunnel";
+ meta = {
+ maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+ };
+
+ nodes = {
+ podman =
+ { pkgs, ... }:
+ {
+ virtualisation.podman.enable = true;
+ virtualisation.podman.dockerSocket.enable = true;
+ virtualisation.podman.networkSocket = {
+ enable = true;
+ openFirewall = true;
+ server = "ghostunnel";
+ tls.cert = "/root/podman-cert.pem";
+ tls.key = "/root/podman-key.pem";
+ tls.cacert = "/root/ca.pem";
+ };
+
+ environment.systemPackages = [
+ pkgs.docker-client
+ ];
+
+ users.users.alice = {
+ isNormalUser = true;
+ home = "/home/alice";
+ description = "Alice Foobar";
+ extraGroups = ["podman"];
+ };
+
+ };
+
+ client = { ... }: {
+ environment.systemPackages = [
+ # Installs the docker _client_ only
+ # Normally, you'd want `virtualisation.docker.enable = true;`.
+ pkgs.docker-client
+ ];
+ environment.variables.DOCKER_HOST = "podman:2376";
+ environment.variables.DOCKER_TLS_VERIFY = "1";
+ };
+ };
+
+ testScript = ''
+ import shlex
+
+
+ def su_cmd(user, cmd):
+ cmd = shlex.quote(cmd)
+ return f"su {user} -l -c {cmd}"
+
+ def cmd(command):
+ print(f"+{command}")
+ r = os.system(command)
+ if r != 0:
+ raise Exception(f"Command {command} failed with exit code {r}")
+
+ start_all()
+ cmd("${gen-ca}")
+
+ podman.copy_from_host("ca.pem", "/root/ca.pem")
+ podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
+ podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
+
+ client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
+ # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
+ client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
+ client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
+
+ # TODO (ghostunnel): add file watchers so the restart isn't necessary
+ podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
+
+ podman.wait_for_unit("sockets.target")
+ podman.wait_for_unit("ghostunnel-server-podman-socket.service")
+
+ with subtest("Create default network"):
+ podman.succeed("docker network create default")
+
+ with subtest("Root docker cli also works"):
+ podman.succeed("docker version")
+
+ with subtest("A podman member can also still use the docker cli"):
+ podman.succeed(su_cmd("alice", "docker version"))
+
+ with subtest("Run container remotely via docker cli"):
+ client.succeed("docker version")
+
+ # via socket would be nicer
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+
+ client.succeed(
+ "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ client.succeed("docker ps | grep sleeping")
+ podman.succeed("docker ps | grep sleeping")
+ client.succeed("docker stop sleeping")
+ client.succeed("docker rm sleeping")
+
+ with subtest("Clients without cert will be denied"):
+ client.succeed("rm /root/.docker/{cert,key}.pem")
+ client.fail("docker version")
+
+ with subtest("Clients with wrong cert will be denied"):
+ client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
+ client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
+ client.fail("docker version")
+
+ '';
+ }
+)
diff --git a/nixos/tests/podman.nix b/nixos/tests/podman.nix
index 6078a936ede..7eae575fd7f 100644
--- a/nixos/tests/podman.nix
+++ b/nixos/tests/podman.nix
@@ -13,10 +13,23 @@ import ./make-test-python.nix (
 {
 virtualisation.podman.enable = true;
+ # To test docker socket support
+ virtualisation.podman.dockerSocket.enable = true;
+ environment.systemPackages = [
+ pkgs.docker-client
+ ];
+
 users.users.alice = {
 isNormalUser = true;
 home = "/home/alice";
 description = "Alice Foobar";
+ extraGroups = [ "podman" ];
+ };
+
+ users.users.mallory = {
+ isNormalUser = true;
+ home = "/home/mallory";
+ description = "Mallory Foobar";
 };
 };
@@ -26,9 +39,9 @@ import ./make-test-python.nix (
 import shlex
- def su_cmd(cmd):
+ def su_cmd(cmd, user = "alice"):
 cmd = shlex.quote(cmd)
- return f"su alice -l -c {cmd}"
+ return f"su {user} -l -c {cmd}"
 podman.wait_for_unit("sockets.target")
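Review bot: `su_cmd(user, cmd)` in podman-tls-ghostunnel.nix takes the user first, while the same commit changes the helper in podman.nix to `su_cmd(cmd, user = "alice")`; aligning the two signatures (e.g. `def su_cmd(cmd, user):` here) avoids the scripts diverging further when one is copied from the other. In `gen-ca`, the service extension file is built with `echo ... >> extfile.cnf` while the client files use `>`, so a re-run of the script in a non-empty working directory appends duplicate `subjectAltName`/`extendedKeyUsage` lines; `echo subjectAltName = DNS:podman,IP:127.0.0.1 > extfile.cnf` for the first line fixes that. `cmd()` also calls `os.system` with only `import shlex` at the top of the script; presumably the test driver's namespace provides `os`, but an explicit `import os` keeps the script self-contained.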
@@ -105,6 +118,27 @@ import ./make-test-python.nix (
 assert pid == "1"
 pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
 assert pid == "2"
+
+ with subtest("A podman member can use the docker cli"):
+ podman.succeed(su_cmd("docker version"))
+
+ with subtest("Run container via docker cli"):
+ podman.succeed("docker network create default")
+ podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+ podman.succeed(
+ "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+ )
+ podman.succeed("docker ps | grep sleeping")
+ podman.succeed("podman ps | grep sleeping")
+ podman.succeed("docker stop sleeping")
+ podman.succeed("docker rm sleeping")
+ podman.succeed("docker network rm default")
+
+ with subtest("A podman non-member can not use the docker cli"):
+ podman.fail(su_cmd("docker version", user="mallory"))
+
+ # TODO: add docker-compose test
+
 '';
 }
)
diff --git a/pkgs/applications/networking/cluster/dnsname-cni/default.nix b/pkgs/applications/networking/cluster/dnsname-cni/default.nix
new file mode 100644
index 00000000000..27b37fdee0c
--- /dev/null
+++ b/pkgs/applications/networking/cluster/dnsname-cni/default.nix
@@ -0,0 +1,42 @@
+{
+ buildGoModule,
+ dnsmasq,
+ fetchFromGitHub,
+ lib,
+ nixosTests,
+ makeWrapper,
+}:
+
+buildGoModule rec {
+ pname = "cni-plugin-dnsname";
+ version = "1.1.1";
+
+ src = fetchFromGitHub {
+ owner = "containers";
+ repo = "dnsname";
+ rev = "v${version}";
+ sha256 = "090kpq2ppan9ayajdk5vwbvww30nphylgajn2p3441d4jg2nvsm3";
+ };
+
+ nativeBuildInputs = [ makeWrapper ];
+ postInstall = ''
+ wrapProgram $out/bin/dnsname --prefix PATH : ${lib.makeBinPath [ dnsmasq ]}
+ '';
+
+ vendorSha256 = null;
+ subPackages = [ "plugins/meta/dnsname" ];
+
+ doCheck = false; # NOTE: requires root privileges
+
+ passthru.tests = {
+ inherit (nixosTests) podman-dnsname;
+ };
+
+ meta = with lib; {
+ description = "DNS name resolution for containers";
+ homepage = "https://github.com/containers/dnsname";
+ license = licenses.asl20;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ mikroskeem ];
+ };
+}
diff --git a/pkgs/applications/virtualization/docker/default.nix b/pkgs/applications/virtualization/docker/default.nix
index 954404e5268..6b72653c347 100644
--- a/pkgs/applications/virtualization/docker/default.nix
+++ b/pkgs/applications/virtualization/docker/default.nix
@@ -17,6 +17,7 @@ rec {
 , btrfs-progs, iptables, e2fsprogs, xz, util-linux, xfsprogs, git
 , procps, libseccomp
 , nixosTests
+ , clientOnly ? !stdenv.isLinux
 }:
 let
 docker-runc = runc.overrideAttrs (oldAttrs: {
@@ -116,7 +117,7 @@ rec {
 ++ optional (libseccomp != null) "seccomp";
 });
 in
- buildGoPackage ((optionalAttrs (stdenv.isLinux) {
+ buildGoPackage ((optionalAttrs (!clientOnly) {
 inherit docker-runc docker-containerd docker-proxy docker-tini moby;
@@ -137,7 +138,7 @@ rec {
 nativeBuildInputs = [ makeWrapper pkg-config go-md2man go libtool installShellFiles ];
- buildInputs = optionals (stdenv.isLinux) [
+ buildInputs = optionals (!clientOnly) [
 sqlite lvm2 btrfs-progs systemd libseccomp
 ] ++ optionals (buildxSupport) [ docker-buildx ];
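Review bot: The new package is named three different ways in this commit: `pname = "cni-plugin-dnsname"` here, `dnsname-cni` as the all-packages.nix attribute, and `pkgs.cniPlugins.dnsname` in the `example` of `containersConf.cniPlugins` in containers.nix; the last does not exist, and the first two should at least agree so that `nix search` and the option docs point at the same thing. `doCheck = false; # NOTE: requires root privileges` explains its skip, but `vendorSha256 = null;` is an equally deliberate choice (use the repository's vendored dependencies instead of a fetched vendor tree) and deserves the same one-line comment. The `postInstall` wrapper puts `dnsmasq` on PATH; a comment saying the plugin execs dnsmasq for the per-network resolver, which is why the runtime dependency is needed, would help the next updater.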
@@ -177,7 +178,7 @@ rec {
 makeWrapper $out/libexec/docker/docker $out/bin/docker \
 --prefix PATH : "$out/libexec/docker:$extraPath"
- '' + optionalString (stdenv.isLinux) ''
+ '' + optionalString (!clientOnly) ''
 # symlink docker daemon to docker cli derivation
 ln -s ${moby}/bin/dockerd $out/bin/dockerd
@@ -204,7 +205,7 @@ rec {
 installManPage man/*/*.[1-9]
 '';
- passthru.tests = { inherit (nixosTests) docker; };
+ passthru.tests = lib.optionals (!clientOnly) { inherit (nixosTests) docker; };
 meta = {
 homepage = "https://www.docker.com/";
diff --git a/pkgs/applications/virtualization/podman/default.nix b/pkgs/applications/virtualization/podman/default.nix
index c8b8467def5..10a6d726aef 100644
--- a/pkgs/applications/virtualization/podman/default.nix
+++ b/pkgs/applications/virtualization/podman/default.nix
@@ -69,13 +69,26 @@ buildGoModule rec {
 installShellCompletion --zsh completions/zsh/*
 MANDIR=$man/share/man make install.man-nobuild
 '' + lib.optionalString stdenv.isLinux ''
+ install -Dm644 cni/87-podman-bridge.conflist -t $out/etc/cni/net.d
 install -Dm644 contrib/tmpfile/podman.conf -t $out/lib/tmpfiles.d
 install -Dm644 contrib/systemd/system/podman.{socket,service} -t $out/lib/systemd/system
 '' + ''
 runHook postInstall
 '';
- passthru.tests = { inherit (nixosTests) podman; };
+ postFixup = lib.optionalString stdenv.isLinux ''
+ RPATH=$(patchelf --print-rpath $out/bin/podman)
+ patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/podman
+ '';
+
+ passthru.tests = {
+ inherit (nixosTests) podman;
+ # related modules
+ inherit (nixosTests)
+ podman-tls-ghostunnel
+ podman-dnsname
+ ;
+ };
 meta = with lib; {
 homepage = "https://podman.io/";
diff --git a/pkgs/applications/virtualization/podman/wrapper.nix b/pkgs/applications/virtualization/podman/wrapper.nix
index ae163583e69..c9ec18593df 100644
--- a/pkgs/applications/virtualization/podman/wrapper.nix
+++ b/pkgs/applications/virtualization/podman/wrapper.nix
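Review bot: `passthru.tests = lib.optionals (!clientOnly) { inherit (nixosTests) docker; };` applies `optionals`, a list function, to an attribute set: with `clientOnly = true` the value becomes `[]` instead of an attrset, so anything that treats `passthru.tests` as attributes (the `docker-client = docker.override { clientOnly = true; }` added in all-packages.nix is exactly such a build) sees a list where an attrset is expected. `passthru.tests = lib.optionalAttrs (!clientOnly) { inherit (nixosTests) docker; };` is the intended form.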
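Review bot: The new `postFixup` prepends `lib.makeLibraryPath [ systemd ]` to podman's RPATH with `patchelf`, but nothing says why a Go binary needs libsystemd on its run-time search path; a comment above the `RPATH=` line naming the feature that loads it (presumably journald logging or sd-notify support, to be confirmed against podman's build tags) would stop a future cleanup from removing it. The `# related modules` comment in `passthru.tests` could say that `podman-tls-ghostunnel` and `podman-dnsname` exercise the NixOS modules shipped alongside podman rather than the package itself, which is why they are tied to this derivation's update cycle.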
@@ -12,6 +12,7 @@
 , util-linux # nsenter
 , cni-plugins # not added to path
 , iptables
+, iproute2
 }:
 let
@@ -25,6 +26,7 @@ let
 fuse-overlayfs
 util-linux
 iptables
+ iproute2
 ] ++ extraPackages);
 in runCommand podman.name {
@@ -48,6 +50,7 @@ in runCommand podman.name {
 ln -s ${podman.man} $man
 mkdir -p $out/bin
+ ln -s ${podman-unwrapped}/etc $out/etc
 ln -s ${podman-unwrapped}/lib $out/lib
 ln -s ${podman-unwrapped}/share $out/share
 makeWrapper ${podman-unwrapped}/bin/podman $out/bin/podman \
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index bd387a47638..59ccdefe724 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -22849,6 +22849,8 @@ in
 cni = callPackage ../applications/networking/cluster/cni {};
 cni-plugins = callPackage ../applications/networking/cluster/cni/plugins.nix {};
+ dnsname-cni = callPackage ../applications/networking/cluster/dnsname-cni {};
+
 cntr = callPackage ../applications/virtualization/cntr { };
 communi = libsForQt5.callPackage ../applications/networking/irc/communi { };
@@ -23018,6 +23020,7 @@ in
 docker = docker_20_10;
 docker-edge = docker_20_10;
+ docker-client = docker.override { clientOnly = true; };
 docker-proxy = callPackage ../applications/virtualization/docker/proxy.nix { };
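Review bot: `, iproute2` is added to the wrapper's argument list and PATH without the short why-comment the neighbouring entries carry (`# nsenter`, `# not added to path`); `, iproute2 # ip, presumably for CNI network setup` or whichever podman feature actually requires it keeps the list self-documenting. The `ln -s ${podman-unwrapped}/etc $out/etc` line is what lets podman.nix's `net-conflist` read `${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist`; a comment such as `# expose the CNI conflist installed by the unwrapped package` would tie the two changes together for readers of either file.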