Skip to content

Commit

Permalink
nixos.virtualisation.containers: Init common /etc/containers configur…
Browse files Browse the repository at this point in the history
…ation module

What's happening now is that both cri-o and podman are creating
/etc/containers/policy.json.

By splitting out the creation of configuration files we can make the
podman module leaner & compose better with other container software.
  • Loading branch information
adisbladis committed Apr 21, 2020
1 parent 650df70 commit 43f383c
Show file tree
Hide file tree
Showing 4 changed files with 157 additions and 119 deletions.
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Original file line number Diff line number Diff line change
Expand Up @@ -983,6 +983,7 @@
./testing/service-runner.nix
./virtualisation/anbox.nix
./virtualisation/container-config.nix
./virtualisation/containers.nix
./virtualisation/nixos-containers.nix
./virtualisation/cri-o.nix
./virtualisation/docker.nix
Expand Down
150 changes: 150 additions & 0 deletions nixos/modules/virtualisation/containers.nix
Original file line number Diff line number Diff line change
@@ -0,0 +1,150 @@
{ config, lib, pkgs, ... }:
let
cfg = config.virtualisation.containers;

inherit (lib) mkOption types;

# Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
toTOML = name: value: pkgs.runCommandNoCC name {
nativeBuildInputs = [ pkgs.remarshal ];
value = builtins.toJSON value;
passAsFile = [ "value" ];
} ''
json2toml "$valuePath" "$out"
'';

# Copy configuration files to avoid having the entire sources in the system closure
copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
cp ${filePath} $out
'';
in
{
meta = {
maintainers = [] ++ lib.teams.podman.members;
};

options.virtualisation.containers = {

enable =
mkOption {
type = types.bool;
default = false;
description = ''
This option enables the common libpod container configuration module.
'';
};

registries = {
search = mkOption {
type = types.listOf types.str;
default = [ "docker.io" "quay.io" ];
description = ''
List of repositories to search.
'';
};

insecure = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List of insecure repositories.
'';
};

block = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List of blocked repositories.
'';
};
};

policy = mkOption {
default = {};
type = types.attrs;
example = lib.literalExample ''
{
default = [ { type = "insecureAcceptAnything"; } ];
transports = {
docker-daemon = {
"" = [ { type = "insecureAcceptAnything"; } ];
};
};
}
'';
description = ''
Signature verification policy file.
If this option is empty the default policy file from
<literal>skopeo</literal> will be used.
'';
};

users = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List of users to set up subuid/subgid mappings for.
This is a requirement for running rootless containers.
'';
};

libpod = mkOption {
default = {};
description = "Libpod configuration";
type = types.submodule {
options = {

extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration that should be put in the libpod.conf
configuration file
'';

};
};
};
};

};

config = lib.mkIf cfg.enable {

environment.etc."containers/libpod.conf".text = ''
cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
cni_config_dir = "/etc/cni/net.d/"
'' + cfg.libpod.extraConfig;

environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
};

users.extraUsers = builtins.listToAttrs (
(
builtins.foldl' (
acc: user: {
values = acc.values ++ [
{
name = user;
value = {
subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
};
}
];
offset = acc.offset + 65536;
}
)
{ values = []; offset = 100000; } (lib.unique cfg.users)
).values
);

environment.etc."containers/policy.json".source =
if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
else copyFile "${pkgs.skopeo.src}/default-policy.json";
};

}
7 changes: 4 additions & 3 deletions nixos/modules/virtualisation/cri-o.nix
Original file line number Diff line number Diff line change
Expand Up @@ -62,9 +62,7 @@ in
log_level = "${cfg.logLevel}"
manage_network_ns_lifecycle = true
'';
environment.etc."containers/policy.json".text = ''
{"default": [{"type": "insecureAcceptAnything"}]}
'';

environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
{
"cniVersion": "0.3.1",
Expand All @@ -83,6 +81,9 @@ in
}
'';

# Enable common container configuration, this will create policy.json
virtualisation.containers.enable = true;

systemd.services.crio = {
description = "Container Runtime Interface for OCI (CRI-O)";
documentation = [ "https://github.com/cri-o/cri-o" ];
Expand Down
118 changes: 2 additions & 116 deletions nixos/modules/virtualisation/podman.nix
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ let

inherit (lib) mkOption types;


# Provides a fake "docker" binary mapping to podman
dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
outputs = [ "out" "bin" "man" ];
Expand All @@ -22,19 +21,11 @@ let
done
'';

# Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
toTOML = name: value: pkgs.runCommandNoCC name {
nativeBuildInputs = [ pkgs.remarshal ];
value = builtins.toJSON value;
passAsFile = [ "value" ];
} ''
json2toml "$valuePath" "$out"
'';

# Copy configuration files to avoid having the entire sources in the system closure
copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
cp ${filePath} $out
'';

in
{
meta = {
Expand Down Expand Up @@ -63,80 +54,6 @@ in
'';
};

registries = {
search = mkOption {
type = types.listOf types.str;
default = [ "docker.io" "quay.io" ];
description = ''
List of repositories to search.
'';
};

insecure = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List of insecure repositories.
'';
};

block = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List of blocked repositories.
'';
};
};

policy = mkOption {
default = {};
type = types.attrs;
example = lib.literalExample ''
{
default = [ { type = "insecureAcceptAnything"; } ];
transports = {
docker-daemon = {
"" = [ { type = "insecureAcceptAnything"; } ];
};
};
}
'';
description = ''
Signature verification policy file.
If this option is empty the default policy file from
<literal>skopeo</literal> will be used.
'';
};

users = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List of users to set up subuid/subgid mappings for.
This is a requirement for running containers in rootless mode.
'';
};

libpod = mkOption {
default = {};
description = "Libpod configuration";
type = types.submodule {
options = {

extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration that should be put in the libpod.conf
configuration file
'';

};
};
};
};

};

config = lib.mkIf cfg.enable {
Expand All @@ -154,41 +71,10 @@ in
]
++ lib.optional cfg.dockerCompat dockerCompat;

environment.etc."containers/libpod.conf".text = ''
cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
cni_config_dir = "/etc/cni/net.d/"
${cfg.libpod.extraConfig}
'';

environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist";

environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
};
virtualisation.containers.enable = true;

users.extraUsers = builtins.listToAttrs (
(
builtins.foldl' (
acc: user: {
values = acc.values ++ [
{
name = user;
value = {
subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
};
}
];
offset = acc.offset + 65536;
}
)
{ values = []; offset = 100000; } (lib.unique cfg.users)
).values
);

environment.etc."containers/policy.json".source =
if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
else copyFile "${pkgs.skopeo.src}/default-policy.json";
};

}

0 comments on commit 43f383c

Please sign in to comment.