Add a programs.podman module #54925

Closed
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
@@ -113,6 +113,7 @@
./programs/npm.nix
./programs/oblogout.nix
./programs/plotinus.nix
./programs/podman.nix
./programs/qt5ct.nix
./programs/screen.nix
./programs/sedutil.nix
110 changes: 110 additions & 0 deletions nixos/modules/programs/podman.nix
@@ -0,0 +1,110 @@
{ config, lib, pkgs, ... }:

with lib;

let

cfg = config.programs.podman;

in

{
###### interface
options = {
programs.podman = {
enable = mkOption {
default = false;
description = ''
Whether to configure podman
'';
type = types.bool;
};
Member
Can mkEnableOption be used?

-enable = mkOption {
-  default = false;
-  description = ''
-    Whether to configure podman
-  '';
-  type = types.bool;
-};
+enable = mkEnableOption "podman";

package = mkOption {
default = pkgs.podman;
description = "podman package to be used";
type = types.package;
};
runcPackage = mkOption {
Member
Imho it's better to wrap the podman binary in the derivation to add these dependencies, podman is also useful on non-nixos.

default = pkgs.runc;
description = "runc package to be used";
type = types.package;
};
conmonPackage = mkOption {
Member
Same, in fact same for all packages. It's better to wrap them.

default = pkgs.conmon;
description = "conmon package to be used";
type = types.package;
};
cniPackage = mkOption {
default = pkgs.cni;
description = "cni package to be used";
type = types.package;
};
cniPluginsPackage = mkOption {
default = pkgs.cni-plugins;
description = "cni-plugins package to be used";
type = types.package;
};
};
};

###### implementation
config = mkIf cfg.enable {

environment.etc."containers/libpod.conf".text = ''
image_default_transport = "docker://"
runtime_path = ["${cfg.runcPackage}/bin/runc"]
Member
This can now be inferred from $PATH

conmon_path = ["${cfg.conmonPackage}/bin/conmon"]
Member
This too. :)

cni_plugin_dir = ["${cfg.cniPluginsPackage}/bin/"]
cgroup_manager = "systemd"
cni_config_dir = "/etc/cni/net.d/"
cni_default_network = "podman"
# pause
pause_image = "k8s.gcr.io/pause:3.1"
pause_command = "/pause"
'';

environment.etc."containers/registries.conf".text = ''
[registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
Member
I don't think users need all of these registries by default. Maybe docker.io would be sufficient.

Member
Just to add, this should be a config option.

'';

environment.etc."containers/policy.json".text = ''
{
"default": [
{ "type": "insecureAcceptAnything" }
Member
I don't think we use this insecure kind of value by default. Could you remove it?

Contributor
Also, what about using builtins.toJSON to make the file typo-free, as syntax would at least be checked at compile time.

]
}
'';

environment.etc."cni/net.d/87-podman-bridge.conflist".text = ''
{
"cniVersion": "0.3.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "10.88.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
'';

environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage ];
Member
I also added slirp4netns here, otherwise I get the following error when running podman run in rootless mode:

ERRO[0000] could not find slirp4netns, the network namespace won't be configured: exec: "slirp4netns": executable file not found in $PATH

Member
CNI would be needed here too, or how does it work in conjunction with the configured CNI package?

Member
To be honest I'm currently only running a container with host network. So I probably haven't really used most of the CNI stuff.


};
}
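Review bot: the `cniPackage` option (the `default = pkgs.cni;` block under `options`) is declared but never referenced anywhere in `config`, so setting it has no effect; either use it in the generated configuration or drop the option. Two smaller points in the same hunk: `with pkgs;` on the `environment.systemPackages` line is unused, since every list element is already a `cfg.*` value, and `policy.json` hard-codes `{ "type": "insecureAcceptAnything" }` as the only default entry, which disables signature verification for every registry in the `registries.search` list; if that stays as the shipped default, it should at least be exposed as an option (for example built with `builtins.toJSON` from an attribute set) so a user can supply a stricter policy such as `reject` plus per-registry `signedBy` entries without having to override the whole `/etc/containers/policy.json` file.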