Add a programs.podman module #54925
@@ -0,0 +1,110 @@ | ||
{ config, lib, pkgs, ... }: | ||
|
||
with lib; | ||
|
||
let | ||
|
||
cfg = config.programs.podman; | ||
|
||
in | ||
|
||
{ | ||
###### interface | ||
options = { | ||
programs.podman = { | ||
enable = mkOption { | ||
default = false; | ||
description = '' | ||
Whether to configure podman | ||
''; | ||
type = types.bool; | ||
}; | ||
package = mkOption { | ||
default = pkgs.podman; | ||
description = "podman package to be used"; | ||
type = types.package; | ||
}; | ||
runcPackage = mkOption { | ||
Imho it's better to wrap the podman binary in the derivation to add these dependencies, podman is also useful on non-nixos. |
||
default = pkgs.runc; | ||
description = "runc package to be used"; | ||
type = types.package; | ||
}; | ||
conmonPackage = mkOption { | ||
Same, in fact same for all packages. It's better to wrap them. |
||
default = pkgs.conmon; | ||
description = "conmon package to be used"; | ||
type = types.package; | ||
}; | ||
cniPackage = mkOption { | ||
default = pkgs.cni; | ||
description = "cni package to be used"; | ||
type = types.package; | ||
}; | ||
cniPluginsPackage = mkOption { | ||
default = pkgs.cni-plugins; | ||
description = "cni-plugins package to be used"; | ||
type = types.package; | ||
}; | ||
}; | ||
}; | ||
|
||
###### implementation | ||
config = mkIf cfg.enable { | ||
|
||
environment.etc."containers/libpod.conf".text = '' | ||
image_default_transport = "docker://" | ||
runtime_path = ["${cfg.runcPackage}/bin/runc"] | ||
This can be now inferred from |
||
conmon_path = ["${cfg.conmonPackage}/bin/conmon"] | ||
This too. :) |
||
cni_plugin_dir = ["${cfg.cniPluginsPackage}/bin/"] | ||
cgroup_manager = "systemd" | ||
cni_config_dir = "/etc/cni/net.d/" | ||
cni_default_network = "podman" | ||
# pause | ||
pause_image = "k8s.gcr.io/pause:3.1" | ||
pause_command = "/pause" | ||
''; | ||
|
||
environment.etc."containers/registries.conf".text = '' | ||
[registries.search] | ||
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org'] | ||
I don't think users need all of these registries by default. Maybe
Just to add, this should be a config option. |
||
''; | ||
|
||
environment.etc."containers/policy.json".text = '' | ||
{ | ||
"default": [ | ||
{ "type": "insecureAcceptAnything" } | ||
I don't think we use this insecure kind of value by default. Could you remove it?
Also, what about using |
||
] | ||
} | ||
''; | ||
|
||
environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' | ||
{ | ||
"cniVersion": "0.3.0", | ||
"name": "podman", | ||
"plugins": [ | ||
{ | ||
"type": "bridge", | ||
"bridge": "cni0", | ||
"isGateway": true, | ||
"ipMasq": true, | ||
"ipam": { | ||
"type": "host-local", | ||
"subnet": "10.88.0.0/16", | ||
"routes": [ | ||
{ "dst": "0.0.0.0/0" } | ||
] | ||
} | ||
}, | ||
{ | ||
"type": "portmap", | ||
"capabilities": { | ||
"portMappings": true | ||
} | ||
} | ||
] | ||
} | ||
''; | ||
|
||
environment.systemPackages = with pkgs; [ cfg.package cfg.conmonPackage cfg.runcPackage ]; | ||
I also added
CNI would be needed here too, or how does it work in conjunction with the configured CNI package?
To be honest I'm currently only running a container with host network. So I probably haven't really used most the CNI stuff. |
||
|
||
}; | ||
} |
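Review bot: The `cniPackage` option declared in the interface block is never referenced in the implementation, so setting `programs.podman.cniPackage` has no effect; only `cniPluginsPackage` is used, in `cni_plugin_dir`. Either wire it in or drop the option, and the natural place is the package list, e.g. `environment.systemPackages = [ cfg.package cfg.conmonPackage cfg.runcPackage cfg.cniPackage cfg.cniPluginsPackage ];` (the `with pkgs;` on that line is redundant since every element is a `cfg.*` reference). Separately, `pause_image = "k8s.gcr.io/pause:3.1"` pins by mutable tag; pinning the image by digest, or exposing it as an option with a documented default, would make what the host pulls reproducible and auditable. The `nix` `image_default_transport`/`runtime_path` lines are generated from option values, so a short comment above `environment.etc."containers/libpod.conf"` noting that the file is regenerated from `cfg.*` and cannot be edited in place would help users.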
Can
mkEnableOption
be used?