nixos/virtualisation.podman: Init module

2020-04-20 09:37:53 +01:00 · 2020-04-20 09:37:53 +01:00 · b512a788a4
parent 22a3bf9fb9
commit b512a788a4
5 changed files with 229 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -40,6 +40,11 @@
     make use of these new options instead.
    </para>
   </listitem>
   <listitem>
    <para>
     There is a new module for Podman(<varname>virtualisation.podman</varname>), a drop-in replacement for the Docker command line.
    </para>
   </listitem>
  </itemizedlist>
 </section>
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -997,6 +997,7 @@
  ./virtualisation/kvmgt.nix
  ./virtualisation/openvswitch.nix
  ./virtualisation/parallels-guest.nix
  ./virtualisation/podman.nix
  ./virtualisation/qemu-guest-agent.nix
  ./virtualisation/railcar.nix
  ./virtualisation/rkt.nix
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@ -0,0 +1,192 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.virtualisation.podman;
  inherit (lib) mkOption types;
  # Provides a fake "docker" binary mapping to podman
  dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
    outputs = [ "out" "bin" "man" ];
    inherit (pkgs.podman) meta;
  } ''
    mkdir $out
    mkdir -p $bin/bin
    ln -s ${pkgs.podman.bin}/bin/podman $bin/bin/docker
    mkdir -p $man/share/man/man1
    for f in ${pkgs.podman.man}/share/man/man1/*; do
      basename=$(basename $f | sed s/podman/docker/g)
      ln -s $f $man/share/man/man1/$basename
    done
  '';
  # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
  toTOML = name: value: pkgs.runCommandNoCC name {
    nativeBuildInputs = [ pkgs.remarshal ];
    value = builtins.toJSON value;
    passAsFile = [ "value" ];
  } ''
    json2toml "$valuePath" "$out"
  '';
  # Copy configuration files to avoid having the entire sources in the system closure
  copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
    cp ${filePath} $out
  '';
 in
 {
  options.virtualisation.podman = {
    enable =
      mkOption {
        type = types.bool;
        default = false;
        description = ''
          This option enables Podman, a daemonless container engine for
          developing, managing, and running OCI Containers on your Linux System.
          It is a drop-in replacement for the <command>docker</command> command.
        '';
      };
    dockerCompat = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Create an alias mapping <command>docker</command> to <command>podman</command>.
      '';
    };
    registries = {
      search = mkOption {
        type = types.listOf types.str;
        default = [ "docker.io" "quay.io" ];
        description = ''
          List of repositories to search.
        '';
      };
      insecure = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          List of insecure repositories.
        '';
      };
      block = mkOption {
        default = [];
        type = types.listOf types.str;
        description = ''
          List of blocked repositories.
        '';
      };
    };
    policy = mkOption {
      default = {};
      type = types.attrs;
      example = lib.literalExample ''
        {
          default = [ { type = "insecureAcceptAnything"; } ];
          transports = {
            docker-daemon = {
              "" = [ { type = "insecureAcceptAnything"; } ];
            };
          };
        }
      '';
      description = ''
        Signature verification policy file.
        If this option is empty the default policy file from
        <literal>skopeo</literal> will be used.
      '';
    };
    users = mkOption {
      default = [];
      type = types.listOf types.str;
      description = ''
        List of users to set up subuid/subgid mappings for.
        This is a requirement for running containers in rootless mode.
      '';
    };
    libpod = mkOption {
      default = {};
      description = "Libpod configuration";
      type = types.submodule {
        options = {
          extraConfig = mkOption {
            type = types.lines;
            default = "";
            description = ''
              Extra configuration that should be put in the libpod.conf
              configuration file
            '';
          };
        };
      };
    };
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [
      pkgs.podman # Docker compat
      pkgs.runc # Default container runtime
      pkgs.crun # Default container runtime (cgroups v2)
      pkgs.conmon # Container runtime monitor
      pkgs.skopeo # Interact with container registry
      pkgs.slirp4netns # User-mode networking for unprivileged namespaces
      pkgs.fuse-overlayfs # CoW for images, much faster than default vfs
      pkgs.utillinux # nsenter
      pkgs.cni-plugins # Networking plugins
      pkgs.iptables
    ]
    ++ lib.optional cfg.dockerCompat dockerCompat;
    environment.etc."containers/libpod.conf".text = ''
      cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
      cni_config_dir = "/etc/cni/net.d/"
      ${cfg.libpod.extraConfig}
    '';
    environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist";
    environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
      registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
    };
    users.extraUsers = builtins.listToAttrs (
      (
        builtins.foldl' (
          acc: user: {
            values = acc.values ++ [
              {
                name = user;
                value = {
                  subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
                  subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
                };
              }
            ];
            offset = acc.offset + 65536;
          }
        )
          { values = []; offset = 100000; } cfg.users
      ).values
    );
    environment.etc."containers/policy.json".source =
      if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
      else copyFile "${pkgs.skopeo.src}/default-policy.json";
  };
 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -248,6 +248,7 @@ in
  php = handleTest ./php {};
  plasma5 = handleTest ./plasma5.nix {};
  plotinus = handleTest ./plotinus.nix {};
  podman = handleTest ./podman.nix {};
  postgis = handleTest ./postgis.nix {};
  postgresql = handleTest ./postgresql.nix {};
  postgresql-wal-receiver = handleTest ./postgresql-wal-receiver.nix {};
--- a/nixos/tests/podman.nix
+++ b/nixos/tests/podman.nix
@ -0,0 +1,30 @@
 # This test runs podman and checks if simple container starts
 import ./make-test-python.nix (
  { pkgs, ... }: {
    name = "podman";
    meta = with pkgs.stdenv.lib.maintainers; {
      maintainers = [ adisbladis ];
    };
    nodes = {
      podman =
        { pkgs, ... }:
          {
            virtualisation.podman.enable = true;
          };
    };
    testScript = ''
      start_all()
      podman.wait_for_unit("sockets.target")
      podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
      podman.succeed(
          "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
      )
      podman.succeed("podman ps | grep sleeping")
      podman.succeed("podman stop sleeping")
    '';
  }
 )