public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #125341 from hercules-ci/backport-podman-improvements 

[Backport release-21.05] podman improvements
This commit is contained in:
Robert Hensing 2021-06-02 18:23:15 +02:00 committed by GitHub
parent 68e821b051 0684f78698
commit 297970378b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 552 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
maintainers/maintainer-list.nix
View File

@ -6587,6 +6587,16 @@
githubId = 1387206; githubId = 1387206;
name = "Mike Sperber"; name = "Mike Sperber";
}; };
mikroskeem = {
email = "mikroskeem@mikroskeem.eu";
github = "mikroskeem";
githubId = 3490861;
name = "Mark Vainomaa";
keys = [{
longkeyid = "rsa4096/0xDA015B05B5A11B22";
fingerprint = "DB43 2895 CF68 F0CE D4B7 EF60 DA01 5B05 B5A1 1B22";
}];
};
milesbreslin = { milesbreslin = {
email = "milesbreslin@gmail.com"; email = "milesbreslin@gmail.com";
github = "milesbreslin"; github = "milesbreslin";

1
nixos/modules/module-list.nix
View File

@ -1111,6 +1111,7 @@
./virtualisation/openvswitch.nix ./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix ./virtualisation/parallels-guest.nix
./virtualisation/podman.nix ./virtualisation/podman.nix
./virtualisation/podman-network-socket-ghostunnel.nix
./virtualisation/qemu-guest-agent.nix ./virtualisation/qemu-guest-agent.nix
./virtualisation/railcar.nix ./virtualisation/railcar.nix
./virtualisation/spice-usb-redirection.nix ./virtualisation/spice-usb-redirection.nix

22
nixos/modules/virtualisation/containers.nix
View File

@ -48,6 +48,23 @@ in
description = "containers.conf configuration"; description = "containers.conf configuration";
}; };
containersConf.cniPlugins = mkOption {
type = types.listOf types.package;
defaultText = ''
[
pkgs.cni-plugins
]
'';
example = lib.literalExample ''
[
pkgs.cniPlugins.dnsname
]
'';
description = ''
CNI plugins to install on the system.
'';
};
registries = { registries = {
search = mkOption { search = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
@ -97,8 +114,11 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
virtualisation.containers.containersConf.settings = { virtualisation.containers.containersConf.settings = {
network.cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin/" ]; network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
engine = { engine = {
init_path = "${pkgs.catatonit}/bin/catatonit"; init_path = "${pkgs.catatonit}/bin/catatonit";
} // lib.optionalAttrs cfg.ociSeccompBpfHook.enable { } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {

36
nixos/modules/virtualisation/podman-dnsname.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
let
inherit (lib)
mkOption
mkIf
types
;
cfg = config.virtualisation.podman;
in
{
options = {
virtualisation.podman = {
defaultNetwork.dnsname.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable DNS resolution in the default podman network.
'';
};
};
};
config = {
virtualisation.containers.containersConf.cniPlugins = mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
virtualisation.podman.defaultNetwork.extraPlugins =
lib.optional cfg.defaultNetwork.dnsname.enable {
type = "dnsname";
domainName = "dns.podman";
capabilities.aliases = true;
};
};
}

34
nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix Normal file
View File

@ -0,0 +1,34 @@
{ config, lib, pkg, ... }:
let
inherit (lib)
mkOption
types
;
cfg = config.virtualisation.podman.networkSocket;
in
{
options.virtualisation.podman.networkSocket = {
server = mkOption {
type = types.enum [ "ghostunnel" ];
};
};
config = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
services.ghostunnel = {
enable = true;
servers."podman-socket" = {
inherit (cfg.tls) cert key cacert;
listen = "${cfg.listenAddress}:${toString cfg.port}";
target = "unix:/run/podman/podman.sock";
allowAll = lib.mkDefault true;
};
};
systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
};
meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
}

91
nixos/modules/virtualisation/podman-network-socket.nix Normal file
View File

@ -0,0 +1,91 @@
{ config, lib, pkg, ... }:
let
inherit (lib)
mkOption
types
;
cfg = config.virtualisation.podman.networkSocket;
in
{
options.virtualisation.podman.networkSocket = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Make the Podman and Docker compatibility API available over the network
with TLS client certificate authentication.
This allows Docker clients to connect with the equivalents of the Docker
CLI <code>-H</code> and <code>--tls*</code> family of options.
For certificate setup, see https://docs.docker.com/engine/security/protect-access/
This option is independent of <xref linkend="opt-virtualisation.podman.dockerSocket.enable"/>.
'';
};
server = mkOption {
type = types.enum [];
description = ''
Choice of TLS proxy server.
'';
example = "ghostunnel";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open the port in the firewall.
'';
};
tls.cacert = mkOption {
type = types.path;
description = ''
Path to CA certificate to use for client authentication.
'';
};
tls.cert = mkOption {
type = types.path;
description = ''
Path to certificate describing the server.
'';
};
tls.key = mkOption {
type = types.path;
description = ''
Path to the private key corresponding to the server certificate.
Use a string for this setting. Otherwise it will be copied to the Nix
store first, where it is readable by any system process.
'';
};
port = mkOption {
type = types.port;
default = 2376;
description = ''
TCP port number for receiving TLS connections.
'';
};
listenAddress = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Interface address for receiving TLS connections.
'';
};
};
config = {
networking.firewall.allowedTCPPorts =
lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
};
meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
}

65
nixos/modules/virtualisation/podman.nix
View File

@ -1,7 +1,8 @@
{ config, lib, pkgs, utils, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.virtualisation.podman; cfg = config.virtualisation.podman;
toml = pkgs.formats.toml { }; toml = pkgs.formats.toml { };
json = pkgs.formats.json { };
inherit (lib) mkOption types; inherit (lib) mkOption types;
@ -22,9 +23,24 @@ let
done done
''; '';
net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
nativeBuildInputs = [ pkgs.jq ];
extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
jqScript = ''
. + { "plugins": (.plugins + $extraPlugins) }
'';
} ''
jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
--argjson extraPlugins "$extraPlugins" \
"$jqScript" \
>$out
'';
in in
{ {
imports = [ imports = [
./podman-dnsname.nix
./podman-network-socket.nix
(lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ]) (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
]; ];
@ -46,6 +62,20 @@ in
''; '';
}; };
dockerSocket.enable = mkOption {
type = types.bool;
default = false;
description = ''
Make the Podman socket available in place of the Docker socket, so
Docker tools can find the Podman socket.
Podman implements the Docker API.
Users must be in the <code>podman</code> group in order to connect. As
with Docker, members of this group can gain root access.
'';
};
dockerCompat = mkOption { dockerCompat = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -84,6 +114,13 @@ in
''; '';
}; };
defaultNetwork.extraPlugins = lib.mkOption {
type = types.listOf json.type;
default = [];
description = ''
Extra CNI plugin configurations to add to podman's default network.
'';
};
}; };
@ -92,7 +129,7 @@ in
environment.systemPackages = [ cfg.package ] environment.systemPackages = [ cfg.package ]
++ lib.optional cfg.dockerCompat dockerCompat; ++ lib.optional cfg.dockerCompat dockerCompat;
environment.etc."cni/net.d/87-podman-bridge.conflist".source = utils.copyFile "${pkgs.podman-unwrapped.src}/cni/87-podman-bridge.conflist"; environment.etc."cni/net.d/87-podman-bridge.conflist".source = net-conflist;
virtualisation.containers = { virtualisation.containers = {
enable = true; # Enable common /etc/containers configuration enable = true; # Enable common /etc/containers configuration
@ -111,14 +148,36 @@ in
}; };
systemd.sockets.podman.wantedBy = [ "sockets.target" ]; systemd.sockets.podman.wantedBy = [ "sockets.target" ];
systemd.sockets.podman.socketConfig.SocketGroup = "podman";
systemd.tmpfiles.packages = [ cfg.package ]; systemd.tmpfiles.packages = [
# The /run/podman rule interferes with our podman group, so we remove
# it and let the systemd socket logic take care of it.
(pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
mkdir -p $out/lib/tmpfiles.d/
grep -v 'D! /run/podman 0700 root root' \
<$package/lib/tmpfiles.d/podman.conf \
>$out/lib/tmpfiles.d/podman.conf
'') ];
systemd.tmpfiles.rules =
lib.optionals cfg.dockerSocket.enable [
"L! /run/docker.sock - - - - /run/podman/podman.sock"
];
users.groups.podman = {};
assertions = [ assertions = [
{ {
assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable; assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
message = "Option dockerCompat conflicts with docker"; message = "Option dockerCompat conflicts with docker";
} }
{
assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
message = ''
The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
'';
}
]; ];
} }
]); ]);

2
nixos/tests/all-tests.nix
View File

@ -334,6 +334,8 @@ in
plotinus = handleTest ./plotinus.nix {}; plotinus = handleTest ./plotinus.nix {};
podgrab = handleTest ./podgrab.nix {}; podgrab = handleTest ./podgrab.nix {};
podman = handleTestOn ["x86_64-linux"] ./podman.nix {}; podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
podman-dnsname = handleTestOn ["x86_64-linux"] ./podman-dnsname.nix {};
podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman-tls-ghostunnel.nix {};
pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {}; pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
postfix = handleTest ./postfix.nix {}; postfix = handleTest ./postfix.nix {};
postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {}; postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};

42
nixos/tests/podman-dnsname.nix Normal file
View File

@ -0,0 +1,42 @@
import ./make-test-python.nix (
{ pkgs, lib, ... }:
let
inherit (pkgs) writeTextDir python3 curl;
webroot = writeTextDir "index.html" "<h1>Hi</h1>";
in
{
name = "podman-dnsname";
meta = {
maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members;
};
nodes = {
podman = { pkgs, ... }: {
virtualisation.podman.enable = true;
virtualisation.podman.defaultNetwork.dnsname.enable = true;
};
};
testScript = ''
podman.wait_for_unit("sockets.target")
with subtest("DNS works"): # also tests inter-container tcp routing
podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
podman.succeed(
"podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000"
)
podman.succeed("podman ps | grep webserver")
podman.succeed("""
for i in `seq 0 120`; do
podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \
&& exit 0
sleep 0.5
done
exit 1
""")
podman.succeed("podman stop webserver")
podman.succeed("podman rm webserver")
'';
}
)

150
nixos/tests/podman-tls-ghostunnel.nix Normal file
View File

@ -0,0 +1,150 @@
/*
This test runs podman as a backend for the Docker CLI.
*/
import ./make-test-python.nix (
{ pkgs, lib, ... }:
let gen-ca = pkgs.writeScript "gen-ca" ''
# Create CA
PATH="${pkgs.openssl}/bin:$PATH"
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
# Create service
openssl genrsa -out podman-key.pem 4096
openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
# Create client
openssl genrsa -out client-key.pem 4096
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
# Create CA 2
PATH="${pkgs.openssl}/bin:$PATH"
openssl genrsa -out ca-2-key.pem 4096
openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
# Create client signed by CA 2
openssl genrsa -out client-2-key.pem 4096
openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
'';
in
{
name = "podman-tls-ghostunnel";
meta = {
maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
};
nodes = {
podman =
{ pkgs, ... }:
{
virtualisation.podman.enable = true;
virtualisation.podman.dockerSocket.enable = true;
virtualisation.podman.networkSocket = {
enable = true;
openFirewall = true;
server = "ghostunnel";
tls.cert = "/root/podman-cert.pem";
tls.key = "/root/podman-key.pem";
tls.cacert = "/root/ca.pem";
};
environment.systemPackages = [
pkgs.docker-client
];
users.users.alice = {
isNormalUser = true;
home = "/home/alice";
description = "Alice Foobar";
extraGroups = ["podman"];
};
};
client = { ... }: {
environment.systemPackages = [
# Installs the docker _client_ only
# Normally, you'd want `virtualisation.docker.enable = true;`.
pkgs.docker-client
];
environment.variables.DOCKER_HOST = "podman:2376";
environment.variables.DOCKER_TLS_VERIFY = "1";
};
};
testScript = ''
import shlex
def su_cmd(user, cmd):
cmd = shlex.quote(cmd)
return f"su {user} -l -c {cmd}"
def cmd(command):
print(f"+{command}")
r = os.system(command)
if r != 0:
raise Exception(f"Command {command} failed with exit code {r}")
start_all()
cmd("${gen-ca}")
podman.copy_from_host("ca.pem", "/root/ca.pem")
podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
# client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
# TODO (ghostunnel): add file watchers so the restart isn't necessary
podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
podman.wait_for_unit("sockets.target")
podman.wait_for_unit("ghostunnel-server-podman-socket.service")
with subtest("Create default network"):
podman.succeed("docker network create default")
with subtest("Root docker cli also works"):
podman.succeed("docker version")
with subtest("A podman member can also still use the docker cli"):
podman.succeed(su_cmd("alice", "docker version"))
with subtest("Run container remotely via docker cli"):
client.succeed("docker version")
# via socket would be nicer
podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
client.succeed(
"docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
)
client.succeed("docker ps | grep sleeping")
podman.succeed("docker ps | grep sleeping")
client.succeed("docker stop sleeping")
client.succeed("docker rm sleeping")
with subtest("Clients without cert will be denied"):
client.succeed("rm /root/.docker/{cert,key}.pem")
client.fail("docker version")
with subtest("Clients with wrong cert will be denied"):
client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
client.fail("docker version")
'';
}
)

38
nixos/tests/podman.nix
View File

@ -13,10 +13,23 @@ import ./make-test-python.nix (
{ {
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
# To test docker socket support
virtualisation.podman.dockerSocket.enable = true;
environment.systemPackages = [
pkgs.docker-client
];
users.users.alice = { users.users.alice = {
isNormalUser = true; isNormalUser = true;
home = "/home/alice"; home = "/home/alice";
description = "Alice Foobar"; description = "Alice Foobar";
extraGroups = [ "podman" ];
};
users.users.mallory = {
isNormalUser = true;
home = "/home/mallory";
description = "Mallory Foobar";
}; };
}; };
@ -26,9 +39,9 @@ import ./make-test-python.nix (
import shlex import shlex
def su_cmd(cmd): def su_cmd(cmd, user = "alice"):
cmd = shlex.quote(cmd) cmd = shlex.quote(cmd)
return f"su alice -l -c {cmd}" return f"su {user} -l -c {cmd}"
podman.wait_for_unit("sockets.target") podman.wait_for_unit("sockets.target")
@ -105,6 +118,27 @@ import ./make-test-python.nix (
assert pid == "1" assert pid == "1"
pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip() pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
assert pid == "2" assert pid == "2"
with subtest("A podman member can use the docker cli"):
podman.succeed(su_cmd("docker version"))
with subtest("Run container via docker cli"):
podman.succeed("docker network create default")
podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
podman.succeed(
"docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
)
podman.succeed("docker ps | grep sleeping")
podman.succeed("podman ps | grep sleeping")
podman.succeed("docker stop sleeping")
podman.succeed("docker rm sleeping")
podman.succeed("docker network rm default")
with subtest("A podman non-member can not use the docker cli"):
podman.fail(su_cmd("docker version", user="mallory"))
# TODO: add docker-compose test
''; '';
} }
) )

42
pkgs/applications/networking/cluster/dnsname-cni/default.nix Normal file
View File

@ -0,0 +1,42 @@
{
buildGoModule,
dnsmasq,
fetchFromGitHub,
lib,
nixosTests,
makeWrapper,
}:
buildGoModule rec {
pname = "cni-plugin-dnsname";
version = "1.1.1";
src = fetchFromGitHub {
owner = "containers";
repo = "dnsname";
rev = "v${version}";
sha256 = "090kpq2ppan9ayajdk5vwbvww30nphylgajn2p3441d4jg2nvsm3";
};
nativeBuildInputs = [ makeWrapper ];
postInstall = ''
wrapProgram $out/bin/dnsname --prefix PATH : ${lib.makeBinPath [ dnsmasq ]}
'';
vendorSha256 = null;
subPackages = [ "plugins/meta/dnsname" ];
doCheck = false; # NOTE: requires root privileges
passthru.tests = {
inherit (nixosTests) podman-dnsname;
};
meta = with lib; {
description = "DNS name resolution for containers";
homepage = "https://github.com/containers/dnsname";
license = licenses.asl20;
platforms = platforms.linux;
maintainers = with maintainers; [ mikroskeem ];
};
}

9
pkgs/applications/virtualization/docker/default.nix
View File

@ -17,6 +17,7 @@ rec {
, btrfs-progs, iptables, e2fsprogs, xz, util-linux, xfsprogs, git , btrfs-progs, iptables, e2fsprogs, xz, util-linux, xfsprogs, git
, procps, libseccomp , procps, libseccomp
, nixosTests , nixosTests
, clientOnly ? !stdenv.isLinux
}: }:
let let
docker-runc = runc.overrideAttrs (oldAttrs: { docker-runc = runc.overrideAttrs (oldAttrs: {
@ -116,7 +117,7 @@ rec {
++ optional (libseccomp != null) "seccomp"; ++ optional (libseccomp != null) "seccomp";
}); });
in in
buildGoPackage ((optionalAttrs (stdenv.isLinux) { buildGoPackage ((optionalAttrs (!clientOnly) {
inherit docker-runc docker-containerd docker-proxy docker-tini moby; inherit docker-runc docker-containerd docker-proxy docker-tini moby;
@ -137,7 +138,7 @@ rec {
nativeBuildInputs = [ nativeBuildInputs = [
makeWrapper pkg-config go-md2man go libtool installShellFiles makeWrapper pkg-config go-md2man go libtool installShellFiles
]; ];
buildInputs = optionals (stdenv.isLinux) [ buildInputs = optionals (!clientOnly) [
sqlite lvm2 btrfs-progs systemd libseccomp sqlite lvm2 btrfs-progs systemd libseccomp
] ++ optionals (buildxSupport) [ docker-buildx ]; ] ++ optionals (buildxSupport) [ docker-buildx ];
@ -177,7 +178,7 @@ rec {
makeWrapper $out/libexec/docker/docker $out/bin/docker \ makeWrapper $out/libexec/docker/docker $out/bin/docker \
--prefix PATH : "$out/libexec/docker:$extraPath" --prefix PATH : "$out/libexec/docker:$extraPath"
'' + optionalString (stdenv.isLinux) '' '' + optionalString (!clientOnly) ''
# symlink docker daemon to docker cli derivation # symlink docker daemon to docker cli derivation
ln -s ${moby}/bin/dockerd $out/bin/dockerd ln -s ${moby}/bin/dockerd $out/bin/dockerd
@ -204,7 +205,7 @@ rec {
installManPage man/*/*.[1-9] installManPage man/*/*.[1-9]
''; '';
passthru.tests = { inherit (nixosTests) docker; }; passthru.tests = lib.optionals (!clientOnly) { inherit (nixosTests) docker; };
meta = { meta = {
homepage = "https://www.docker.com/"; homepage = "https://www.docker.com/";

15
pkgs/applications/virtualization/podman/default.nix
View File

@ -69,13 +69,26 @@ buildGoModule rec {
installShellCompletion --zsh completions/zsh/* installShellCompletion --zsh completions/zsh/*
MANDIR=$man/share/man make install.man-nobuild MANDIR=$man/share/man make install.man-nobuild
'' + lib.optionalString stdenv.isLinux '' '' + lib.optionalString stdenv.isLinux ''
install -Dm644 cni/87-podman-bridge.conflist -t $out/etc/cni/net.d
install -Dm644 contrib/tmpfile/podman.conf -t $out/lib/tmpfiles.d install -Dm644 contrib/tmpfile/podman.conf -t $out/lib/tmpfiles.d
install -Dm644 contrib/systemd/system/podman.{socket,service} -t $out/lib/systemd/system install -Dm644 contrib/systemd/system/podman.{socket,service} -t $out/lib/systemd/system
'' + '' '' + ''
runHook postInstall runHook postInstall
''; '';
passthru.tests = { inherit (nixosTests) podman; }; postFixup = lib.optionalString stdenv.isLinux ''
RPATH=$(patchelf --print-rpath $out/bin/podman)
patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/podman
'';
passthru.tests = {
inherit (nixosTests) podman;
# related modules
inherit (nixosTests)
podman-tls-ghostunnel
podman-dnsname
;
};
meta = with lib; { meta = with lib; {
homepage = "https://podman.io/"; homepage = "https://podman.io/";

3
pkgs/applications/virtualization/podman/wrapper.nix
View File

@ -12,6 +12,7 @@
, util-linux # nsenter , util-linux # nsenter
, cni-plugins # not added to path , cni-plugins # not added to path
, iptables , iptables
, iproute2
}: }:
let let
@ -25,6 +26,7 @@ let
fuse-overlayfs fuse-overlayfs
util-linux util-linux
iptables iptables
iproute2
] ++ extraPackages); ] ++ extraPackages);
in runCommand podman.name { in runCommand podman.name {
@ -48,6 +50,7 @@ in runCommand podman.name {
ln -s ${podman.man} $man ln -s ${podman.man} $man
mkdir -p $out/bin mkdir -p $out/bin
ln -s ${podman-unwrapped}/etc $out/etc
ln -s ${podman-unwrapped}/lib $out/lib ln -s ${podman-unwrapped}/lib $out/lib
ln -s ${podman-unwrapped}/share $out/share ln -s ${podman-unwrapped}/share $out/share
makeWrapper ${podman-unwrapped}/bin/podman $out/bin/podman \ makeWrapper ${podman-unwrapped}/bin/podman $out/bin/podman \

3
pkgs/top-level/all-packages.nix
View File

@ -22849,6 +22849,8 @@ in
cni = callPackage ../applications/networking/cluster/cni {}; cni = callPackage ../applications/networking/cluster/cni {};
cni-plugins = callPackage ../applications/networking/cluster/cni/plugins.nix {}; cni-plugins = callPackage ../applications/networking/cluster/cni/plugins.nix {};
dnsname-cni = callPackage ../applications/networking/cluster/dnsname-cni {};
cntr = callPackage ../applications/virtualization/cntr { }; cntr = callPackage ../applications/virtualization/cntr { };
communi = libsForQt5.callPackage ../applications/networking/irc/communi { }; communi = libsForQt5.callPackage ../applications/networking/irc/communi { };
@ -23018,6 +23020,7 @@ in
docker = docker_20_10; docker = docker_20_10;
docker-edge = docker_20_10; docker-edge = docker_20_10;
docker-client = docker.override { clientOnly = true; };
docker-proxy = callPackage ../applications/virtualization/docker/proxy.nix { }; docker-proxy = callPackage ../applications/virtualization/docker/proxy.nix { };