oci-seccomp-bpf-hook: move to linuxPackages #96892
Conversation
Thank you for the draft: I tried to run it in a nixos-shell like this vm.nix:

  { pkgs, ... }:
  {
    boot.kernelPackages = pkgs.linuxPackages_latest;
    virtualisation = {
      podman.enable = true;
      containers.containersConf.extraConfig = ''
        [engine]
        hooks_dir = [
          "${pkgs.linuxPackages.oci-seccomp-bpf-hook}",
        ]
      '';
    };
  }

When applying the patch from #96761 (comment), it still complains about looking up the old kernel sources at runtime:

If we do not change the kernel packages and remove boot.kernelPackages = pkgs.linuxPackages_latest; from vm.nix, then it works as expected.
I think this should work:

  { config, pkgs, ... }:
  {
    boot.kernelPackages = pkgs.linuxPackages_latest;
    virtualisation = {
      podman.enable = true;
      containers.containersConf.extraConfig = ''
        [engine]
        hooks_dir = [
          "${config.boot.kernelPackages.oci-seccomp-bpf-hook}",
        ]
      '';
    };
  }
Yep, this works! Thank you again, I'll update my PR to use the new config.
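The exchange above comes down to one point: oci-seccomp-bpf-hook compiles a BPF program against kernel sources, so the hook referenced from hooks_dir must come from the same package set as the kernel that actually boots. pkgs.linuxPackages is the default kernel's set, while config.boot.kernelPackages is the configured one, and they only coincide by accident. The module below is an added example, not code from the PR or from either commenter: it takes the hook from the booted kernel's package set and adds an assertion that fails evaluation if hooks_dir ever points anywhere else. The option names are the ones used in this thread (containersConf.extraConfig, nixpkgs as of 2020); newer nixpkgs carry the same TOML under containersConf.settings.

```nix
# Added example (not from the PR): pin the podman OCI hook to the booted
# kernel's package set and fail evaluation on a mismatch.
# Option names follow this thread (virtualisation.containers.containersConf.extraConfig);
# newer nixpkgs use containersConf.settings for the same TOML.
{ config, lib, pkgs, ... }:

let
  # The hook is built against kernel sources, so it must come from the same
  # linuxPackages set as the kernel that boots, not from pkgs.linuxPackages.
  hook = config.boot.kernelPackages.oci-seccomp-bpf-hook;
in
{
  boot.kernelPackages = pkgs.linuxPackages_latest;

  virtualisation.podman.enable = true;

  virtualisation.containers.containersConf.extraConfig = ''
    [engine]
    hooks_dir = [
      "${hook}",
    ]
  '';

  # Guard against the mistake from the thread: another module writing
  # pkgs.linuxPackages.oci-seccomp-bpf-hook into hooks_dir would reference a
  # hook built for the default kernel, which silently mismatches
  # boot.kernelPackages. "${hook}" evaluates to the store path of the hook
  # built for the configured kernel, so it must appear in the merged config.
  assertions = [
    {
      assertion = lib.hasInfix "${hook}"
        config.virtualisation.containers.containersConf.extraConfig;
      message = "hooks_dir must reference ${hook} (built against kernel "
        + "${config.boot.kernelPackages.kernel.version})";
    }
  ];
}
```

The assertion is cheap because both sides are evaluated at build time: if someone later switches boot.kernelPackages or adds a stray pkgs.linuxPackages entry, nixos-rebuild stops with the message instead of producing a system whose hook fails to find its kernel sources at container start.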
LGTM
@saschagrunert Does this have a minimum kernel version that we need to set?
I think so, but I'm not sure which one exactly. For the sake of security we could go with the current NixOS 20.03 default. This one should at least work.
/lgtm
Motivation for this change
Needs to be built against the system kernel.