Add a programs.podman module #54925

Open
wants to merge 1 commit into
base: master
from

Conversation

@vdemeester
Member

vdemeester commented Jan 30, 2019

Motivation for this change

podman requires some configuration files and a system package to be available. This allows doing that by just using programs.podman.enable = true in a NixOS configuration.
(It's a port of my own module.)

/cc @nlewo @Mic92

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

`podman` requires some configuration files, and system package
available. This allows to do that by just using
`programs.podman.enable = true` in a nixos configuration.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
@nlewo

Member

nlewo commented Feb 5, 2019

@vdemeester is it supposed to be used with a non-root user?
Because with my user, it fails with

podman run alpine
error creating libpod runtime: could not find a working binary (configured options: [/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc]): invalid argument

while it downloads the alpine image if I run it with the root account.

It would also be nice to add a really simple test that could be used to easily check this module is working. Something similar to https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/yabar.nix.

@vdemeester

Member Author

vdemeester commented Feb 5, 2019

@nlewo right, it won't work for a non-root user; this is the "main" problem I've got so far. When running as a user, podman doesn't seem to read the /etc/containers/* files (this is why I have a module for my user too).

I'll look into tests 😉

@nlewo

Member

nlewo commented Feb 5, 2019

Works as expected with a root account.

Member

nlewo left a comment

Even if we don't have a test, I think we could merge it :) Mainly because it would make podman easily usable in NixOS.

environment.etc."containers/policy.json".text = ''
{
"default": [
{ "type": "insecureAcceptAnything" }
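Review bot: `insecureAcceptAnything` as the only `default` rule switches image signature policy off for every transport and registry, and because the value is hard-coded in this string every user of the module inherits that choice; make the policy content an option (an attribute set rendered with `builtins.toJSON`, which also rejects malformed JSON at evaluation time) instead of shipping this as the fixed default.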

@nlewo

nlewo Feb 10, 2019

Member

I don't think we use this insecure kind of value by default. Could you remove it?

@MartinPotier

MartinPotier Dec 11, 2019

Also, what about using builtins.toJSON to make the file typo-free, as syntax would at least be checked at compile time.


environment.etc."containers/registries.conf".text = ''
[registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
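Review bot: with five entries under `[registries.search]`, an unqualified image name such as `alpine` is resolved by trying each registry in this order, so a name that does not exist on docker.io is silently served by whichever later registry has it; keep the default list to `docker.io` and expose it as a `types.listOf types.str` option so users who need the additional registries add them deliberately.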

@nlewo

nlewo Feb 10, 2019

Member

I don't think users need all of these registries by default. Maybe docker.io would be sufficient.

@adisbladis

adisbladis Nov 28, 2019

Member

Just to add, this should be a config option.
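
Putting the two review points above together (a policy that is not hard-coded, and a registry list that is a config option), here is an added module sketch that is not part of this PR; it generates both files from options with `builtins.toJSON`. The option names `policy` and `registries` and the `reject` default are my assumptions, not something the PR defines.

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.programs.podman;
in
{
  options.programs.podman = {
    enable = mkEnableOption "podman";

    # Assumed option name. The signature policy is kept as a Nix attribute
    # set and serialised with builtins.toJSON, so a typo fails at eval time
    # instead of producing a broken /etc/containers/policy.json.
    # "reject" refuses every image until a per-registry rule allows it,
    # which is the conservative default; the PR's original value is shown
    # as the example so users can opt into it explicitly.
    policy = mkOption {
      type = types.attrs;
      default = { default = [ { type = "reject"; } ]; };
      example = { default = [ { type = "insecureAcceptAnything"; } ]; };
      description = "Contents of /etc/containers/policy.json.";
    };

    # Assumed option name. Registries consulted for unqualified image
    # names, in search order. Only docker.io by default, as suggested.
    registries = mkOption {
      type = types.listOf types.str;
      default = [ "docker.io" ];
      description = "Registries listed under [registries.search].";
    };
  };

  config = mkIf cfg.enable {
    environment.etc."containers/policy.json".text = builtins.toJSON cfg.policy;

    # Render the list in the single-quoted TOML form the PR uses.
    environment.etc."containers/registries.conf".text = ''
      [registries.search]
      registries = [${concatMapStringsSep ", " (r: "'${r}'") cfg.registries}]
    '';
  };
}
```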

@benley

Member

benley commented Apr 15, 2019

Once this is ready, it would be great to use podman as a backend for the docker-containers module for nicer systemd integration

@bachp
bachp approved these changes May 4, 2019
Contributor

bachp left a comment

Running as root works without issue.

Rootless mode seems to have additional issues with version 1.2.0 than the ones already described.

I get the following two errors when trying to pull an image:

cannot find mappings for user pascal: No subuid ranges found for user "pascal" in /etc/subuid
and
using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids

But I think we can look into rootless mode in a separate PR.

@Infinisil

Member

Infinisil commented May 15, 2019

Um, so this is a pretty much fully hard-coded configuration? Relevant for NixOS/rfcs#42

@vdemeester

Member Author

vdemeester commented May 16, 2019

@Infinisil yeah 😓 I need to update this to add more options and the possibility to bring your own configuration 👼

}
'';

environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage ];

@bachp

bachp Jun 22, 2019

Contributor

I also added slirp4netns here, otherwise I get the following error when running podman run in rootless mode:

ERRO[0000] could not find slirp4netns, the network namespace won't be configured: exec: "slirp4netns": executable file not found in $PATH

@saschagrunert

saschagrunert Aug 18, 2019

Member

CNI would be needed here too, or how does it work in conjunction with the configured CNI package?

@bachp

bachp Aug 19, 2019

Contributor

To be honest, I'm currently only running a container with host networking, so I probably haven't really used most of the CNI stuff.

@bachp

Contributor

bachp commented Jun 22, 2019

I think I got rootless to work on my system. The two things I needed to do were:

  1. Add subuids and subgids to my user via:
subUidRanges = [{ startUid = 100000; count = 65536; }];
subGidRanges = [{ startGid = 100000; count = 65536; }];
  2. Install slirp4netns
Member

saschagrunert left a comment

I really like that. I think it might be necessary to add a wrapper for containers/storage and containers/image based configurations, which then can be used by podman, buildah, skopeo and CRI-O. WDYT?


environment.etc."containers/libpod.conf".text = ''
image_default_transport = "docker://"
runtime_path = ["${cfg.runcPackage}/bin/runc"]

@saschagrunert

saschagrunert Aug 18, 2019

Member

This can now be inferred from $PATH

environment.etc."containers/libpod.conf".text = ''
image_default_transport = "docker://"
runtime_path = ["${cfg.runcPackage}/bin/runc"]
conmon_path = ["${cfg.conmonPackage}/bin/conmon"]
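Review bot: pinning `runtime_path` and `conmon_path` to the store paths of `cfg.runcPackage` and `cfg.conmonPackage` keeps podman from picking up whatever `runc` or `conmon` happens to be first in `$PATH`, which is the more predictable choice when several versions can be installed side by side; if these lines are dropped in favour of `$PATH` lookup as suggested, the same packages in `environment.systemPackages` become the only source of the binaries and the module should say so in a comment.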

@saschagrunert

saschagrunert Aug 18, 2019

Member

This too. :)

@siers

Member

siers commented Nov 28, 2019

These configs let me run podman currently, so even without serious changes to the PR, I think this is useful already.

Whether to configure podman
'';
type = types.bool;
};

@filalex77

filalex77 Nov 28, 2019

Contributor

Can mkEnableOption be used?

-enable = mkOption {
-  default = false;
-  description = ''
-    Whether to configure podman
-  '';
-  type = types.bool;
-};
+enable = mkEnableOption "podman";
description = "podman package to be used";
type = types.package;
};
runcPackage = mkOption {

@adisbladis

adisbladis Nov 28, 2019

Member

Imho it's better to wrap the podman binary in the derivation to add these dependencies; podman is also useful on non-NixOS.

description = "runc package to be used";
type = types.package;
};
conmonPackage = mkOption {

@adisbladis

adisbladis Nov 28, 2019

Member

Same, in fact same for all packages. It's better to wrap them.

