Merge pull request #117 from hercules-ci/nixos-21.05-podman-preparation

NixOS 21.05/podman preparation

CHANGELOG.md

@@ -2,13 +2,28 @@
 
 ## Next
 
+### Changed
+
+* `useHostStore` now uses an image derived from the `image.*` options. You may
+  need to enable `enableRecommendedContents` because with this change, files
+  like `/bin/sh` aren't added by default anymore.
+
+* Drop obsolete NixOS 19.03, 19.09 and 20.03 from CI.
+
+### Added
+
+* NixOS-based containers can now run on Podman when it is configured to provide a docker socket. See the [installation docs](https://docs.hercules-ci.com/arion/#_nixos).
+
 * Support `service.dns`, for overriding the DNS servers used by containers.
 
 * Support `service.labels`, which is useful for autodiscovery among other things.
 
 * Add a tested example for Traefik with label-based routing.
 
-* Drop obsolete NixOS 19.09 and 20.03 support. It may still be usable there.
+* Add a `flake.nix` and an experimental flake example
+
+* Add a warning when systemd `DynamicUser` is used but not available to the
+  container.
 
 ## 0.1.2.0 -- 2020-03-05
 

docs/modules/ROOT/pages/index.adoc

@@ -39,6 +39,12 @@ Arion allows to compose containers with different granularity:
   * <<NixOS: run full OS>>
   * <<Docker image from DockerHub>>
 
+Full NixOS is supported on
+ * docker-compose + podman with docker socket (NixOS >= 21.05)
+ * docker-compose + docker, before cgroupsv2 (NixOS < 21.05)
+
+`podman-compose` support is currently WIP on a separate branch.
+
 == Installation
 
 === Nix
@@ -52,10 +58,17 @@ $ nix-env -iA arion -f https://github.com/hercules-ci/arion/tarball/master
 Add this module to your NixOS configuration:
 
 ```nix
-{ ... }: {
-  environment.systemPackages = [ (import (builtins.fetchTarball https://github.com/hercules-ci/arion/tarball/master) {}).arion ];
-  virtualisation.docker.enable = true;
-  users.extraUsers.myuser.extraGroups = ["docker"];
+{ pkgs, ... }: {
+  environment.systemPackages = [
+    pkgs.arion
+    pkgs.docker # docker CLI will use podman socket
+  ];
+  virtualisation.docker.enable = false;
+  virtualisation.podman.enable = true;
+  virtualisation.podman.dockerSocket.enable = true;
+
+  # Use your username instead of `myuser`
+  users.extraUsers.myuser.extraGroups = ["podman"];
 }
 ```
 

docs/modules/ROOT/partials/NixOSOptions.adoc

@@ -197,6 +197,25 @@ Default::
 ----
 
 
+No Example:: {blank}
+
+== services.<name>.image.enableRecommendedContents
+
+Add the `/bin/sh` and `/usr/bin/env` symlinks and some lightweight
+files.
+
+
+[discrete]
+=== details
+
+Type:: boolean
+Default::
++
+----
+false
+----
+
+
 No Example:: {blank}
 
 == services.<name>.image.name

examples/full-nixos/arion-compose.nix

@@ -4,6 +4,8 @@
     nixos.configuration.boot.tmpOnTmpfs = true;
     nixos.configuration.services.nginx.enable = true;
     nixos.configuration.services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
+    nixos.configuration.services.nscd.enable = false;
+    nixos.configuration.system.nssModules = lib.mkForce [];
     nixos.configuration.systemd.services.nginx.serviceConfig.AmbientCapabilities = 
       lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
     service.useHostStore = true;

examples/minimal/arion-compose.nix

@@ -4,6 +4,7 @@
   config.services = {
 
     webserver = {
+      image.enableRecommendedContents = true;
       service.useHostStore = true;
       service.command = [ "sh" "-c" ''
                   cd "$$WEB_ROOT"

nix/ci.nix

@@ -5,26 +5,20 @@ let
 in
 
 dimension "Nixpkgs version" {
-    "nixos-19_03" = {
-      # flyingcircus.io latest long-term support is based off 19.03
-      # https://flyingcircus.io/doc/
-      # It is nice to have some level of support for their platform,
-      # but we don't guarantee any support.
-      nixpkgsSource = "nixos-19.03";
-      enableDoc = false;
-      nixosTestIsPerl = true;
-    };
     "nixos-20_09" = {
       nixpkgsSource = "nixos-20.09";
       isReferenceNixpkgs = true;
       enableDoc = true;
+      dockerSupportsSystemd = true;
+      nixosHasPodmanDockerSocket = false;
     };
     "nixos-unstable" = {
       nixpkgsSource = "nixos-unstable";
       enableDoc = true;
     };
   } (
-    _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true, nixosTestIsPerl ? false }:
+    _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true,
+             dockerSupportsSystemd ? false, nixosHasPodmanDockerSocket ? true }:
 
 
       dimension "System" {
@@ -34,7 +28,7 @@ dimension "Nixpkgs version" {
         system: { isReferenceTarget ? false, enableNixOSTests ? true }:
           let
             pkgs = import ./. {
-              inherit system nixosTestIsPerl;
+              inherit system dockerSupportsSystemd nixosHasPodmanDockerSocket;
               nixpkgsSrc = sources.${nixpkgsSource};
             };
           in

nix/default.nix

@@ -2,7 +2,8 @@
 , nixpkgsName ? "nixos-unstable"
 , nixpkgsSrc ? sources.${nixpkgsName}
 , system ? builtins.currentSystem
-, nixosTestIsPerl ? false
+, dockerSupportsSystemd ? false
+, nixosHasPodmanDockerSocket ? true
 , ...
 }:
 
@@ -11,8 +12,11 @@ import nixpkgsSrc ({
   config = {
   };
   overlays = [
-    # all the packages are defined there:
-    (_: _: { inherit nixosTestIsPerl; })
+    (_: _: {
+      arionTestingFlags = {
+        inherit dockerSupportsSystemd nixosHasPodmanDockerSocket;
+      };
+    })
     (import ./overlay.nix)
   ];
   inherit system;

nix/sources.json

@@ -11,18 +11,6 @@
         "url": "https://github.com/nmattia/niv/archive/fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
-    "nixos-19.03": {
-        "branch": "nixos-19.03",
-        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
-        "homepage": "https://github.com/NixOS/nixpkgs",
-        "owner": "NixOS",
-        "repo": "nixpkgs-channels",
-        "rev": "34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59",
-        "sha256": "11z6ajj108fy2q5g8y4higlcaqncrbjm3dnv17pvif6avagw4mcb",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs-channels/archive/34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
     "nixos-20.09": {
         "branch": "nixos-20.09",
         "description": "Nix Packages collection",
@@ -36,15 +24,15 @@
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixos-unstable": {
-        "branch": "nixos-unstable",
+        "branch": "master",
         "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
         "homepage": "https://github.com/NixOS/nixpkgs",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "296793637b22bdb4d23b479879eba0a71c132a66",
-        "sha256": "0j09yih9693w5vjx64ikfxyja1ha7pisygrwrpg3wfz3sssglg69",
+        "rev": "97c3d70a39070547a8342f7ee6f5c4a560282179",
+        "sha256": "1pkagmf42n3v4bjk8jr23hcwpa5qy21w0psi0jbdrbsgpp6rchqa",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/296793637b22bdb4d23b479879eba0a71c132a66.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/97c3d70a39070547a8342f7ee6f5c4a560282179.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz",
         "version": ""
     },