nixos/podman: Add docker socket support

[roberth]

Motivation for this change

Podman supports the Docker API.
Enable more compatibility options to use podman as a docker replacement.

• Make the Podman socket usable via podman group
• Add option to symlink from Docker to Podman socket
• Add options for networked socket with TLS client certificate authentication

I've successfully deployed with docker-compose via these Docker interfaces all the way to the Podman socket.
It's a promising solution since Podman promises systemd container support and Docker has regressed in this regard.

cc @NixOS/podman

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[roberth]

@GrahamcOfBorg test podman podman-tls-ghostunnel

[zowoq]

Two quick comments:

Can we test docker compose?

Can you add yourself as a maintainer for the podman compat test (or add yourself to the podman team)?

I'll be able to do a proper review later today.

[roberth]

Can we test docker compose?

That will be a nice addition. I have to do more (unplanned) work on arion as well, so let's not delay this PR.

Can you add yourself as a maintainer for the podman compat test

Done.

(or add yourself to the podman team)?

Thanks, but sadly I'm not in a position to commit to more maintenance responsibilities.

[zowoq]

Why is the ghostunnel stuff here and in the test, seems odd to add have the implementation of a specific proxy in the podman module. Can't it live somewhere else?

[roberth]

Why is the ghostunnel stuff here

Good point. I've moved it into a separate module and it's much cleaner now.
I've also added myself as a maintainer there.

and in the test

I'm a hesitant to split the tests up further, because of the VM startup overhead. I'm not too concerned about Hydra (It's like 10 to 20 seconds perhaps) but about running the tests locally.
I did create a new test for the socket-based compatibility stuff, because the "core" podman tests in nixosTests.podman must work without the compatibility stuff.

seems odd to add have the implementation of a specific proxy in the podman module. Can't it live somewhere else?

Having a module make an implementation choice isn't anything new. For instance, we have acme modules and options that are implemented by the lego client. In other words, it's ok for a module to be opinionated. I don't care about the choice of TLS server and I don't think swapping it out would cause any issues.

[zowoq]

Sorry but that isn't what I meant. Why can't this be handled by generic method via ghostunnel without the needing a podman.networksocket option?

[roberth]

Sorry but that isn't what I meant. Why can't this be handled by generic method via ghostunnel without the needing a podman.networksocket option?

It adds value. You don't have to look up the details of where the socket is, how the ghostunnel syntax works, etc. It provides a single open source solution for this small problem. It also makes the possibility of exposing Podman via TLS discoverable in the NixOS option docs.

[zowoq]

I'm a strong no on this as it is, sorry. I don't agree with the opinionated config and having this much of the implementation under the podman module.

[cpcloud]

Is there some way the networkSocket option can allow for a different proxy, defaulting to ghostunnel, so we can have the best of both worlds (sane defaults and optionality with respect to the choice of proxy)?

[roberth]

Is there some way the networkSocket option can allow for a different proxy, defaulting to ghostunnel, so we can have the best of both worlds (sane defaults and optionality with respect to the choice of proxy)?

That's possible. You could even use the module system's type merging to make it open for extension. I'd lay it out as follows:

• podman-network-socket.nix, declaring the options, including a new enum option virtualization.podman.networkSocket.server
• podman-network-socket-ghostunnel.nix, extending the server type with "ghostunnel" and conditionally providing the implementation. mkIf (cfg.server == "ghostunnel") etc.

Providing other server integrations will be a matter of adding another module similar to the -ghostunnel.nix one.

If that sounds ok to you, I'll implement it that way.

[cpcloud]

That sounds reasonable to me. @zowoq How does that sound?

[zowoq]

I'd lay it out as follows ...

This sound okay if the networkSocket.server enum option defaults to null so that ghostunnel needs to be explicitly selected, this would make it reasonably clear that it's a third party package/module and not podman itself.

I'll also ask that the test be split so that the core / first-party local socket be tested separately from the non-core / third party network socket. I'm fine with the local tests being added to the current core podman tests, we should also add a TODO for including docker compose test as part of the core tests as well.

[roberth]

if the networkSocket.server enum option defaults to null so that ghostunnel needs to be explicitly selected,

Done, but the default is unset rather than null. This has the same effect, but won't let people set null, because that is not a server.

[zowoq]

Couple of nits but otherwise this looks okay, thanks for making the changes. I would like to wait a couple of days before we merge to allow the other podman maintainers a chance to comment.

Also, could you please clean up the history on this branch before this is merged? With this spread over eleven commits it's adding a bit of unnecessary noise to these files.

[zowoq]

Opened #124561 so we can use a client only package.

[zowoq]

One question, feel free to merge after it's resolved.

Edit: Needs to be rebased as well, sorry.

[zowoq]

Can we change this to pkgs.docker-client?

[roberth]

🎉 Thank you so much @zowoq!

[buckley310]

@roberth Do you happen to recall why the tmpfiles rule is configured to only run on boot? (L! vs L)
Just checking that there's a reason. If so, I may do a PR to mention in the option description so people know to reboot.

[roberth]

@buckley310

only run on boot? (L! vs L)

I don't recall and it may well be a mistake.