Merge branch 'pr/nuc-sgx-permissions' into 'master'
steveej-nuc7pjyh-work: manage /dev/sgx devices via an sgx group & adapt posh to handle groups. See merge request steveeJ/infra!31
0ab8b8ca16
4 changed files with 37 additions and 41 deletions
@ -2,6 +2,8 @@
|
|||
|
||||
let
|
||||
in {
|
||||
services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"'';
|
||||
users.groups.sgx = {};
|
||||
networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
|
||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
|
||||
}
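Review bot: The udev rule on the `services.udev.extraRules` line grants the `sgx` group read/write on every node the sgx subsystem creates, so if this driver also exposes a provisioning device it becomes reachable by every group member, not only the enclave device. Which nodes `linuxPackages_sgx_latest` actually registers (and whether they sit in subsystem `sgx` or `misc`) is not visible here — confirm with `udevadm info` on the host before relying on the match. If a provisioning node exists, give it its own narrower rule keyed on `KERNEL=="…"` with a separate group (placeholder: PROVISION_GROUP), and add a one-line comment above the rule stating which device nodes it is meant to cover.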
|
||||
|
|
|
@ -12,8 +12,9 @@ in {
|
|||
uid = 1001;
|
||||
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
|
||||
shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
|
||||
extraGroups = [ "sgx" ];
|
||||
|
||||
subUidRanges = [{ startUid = 100000; count = 100000; }];
|
||||
subGidRanges = [{ startGid = 100000; count = 100000; }];
|
||||
subUidRanges = [{ startUid = 100000; count = 65536; }];
|
||||
subGidRanges = [{ startGid = 100000; count = 65536; }];
|
||||
};
|
||||
}
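Review bot: `run_args = "-v /dev/sgx:/dev/sgx"` bind-mounts the whole device directory into the login-shell container, so any provisioning node the driver creates beside the enclave node is exposed as well, and a plain `-v` bind bypasses podman's per-device handling that `--device` provides. Prefer passing only the node the workload needs, e.g. `run_args = "--device /dev/sgx/<ENCLAVE_NODE>";` (exact node name depends on the driver and is not shown here), which keeps the exposure aligned with the new `extraGroups = [ "sgx" ];` membership. The `subUidRanges`/`subGidRanges` count change to 65536 looks fine, but a short comment on why 65536 replaces 100000 would help the next reader.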
|
||||
|
|
|
@ -2,7 +2,19 @@ self: super:
|
|||
|
||||
let
|
||||
nixpkgs-master = import <nixpkgs-master> {};
|
||||
|
||||
inherit (nixpkgs-master) crun;
|
||||
crun_10_6_0 = crun.overrideAttrs (oldAttrs: rec {
|
||||
version = "0.10.6";
|
||||
src = super.fetchgit {
|
||||
inherit (crun.src) url;
|
||||
rev = version;
|
||||
sha256 = "0v1hrlpnln0c976fb0k2ig4jv11qbyzf95z0wy92fd8r8in16rc1";
|
||||
};
|
||||
});
|
||||
|
||||
in {
|
||||
inherit (nixpkgs-master) podman conmon slirp4netns;
|
||||
crun = crun_10_6_0;
|
||||
posh = self.callPackage ../pkgs/posh.nix {};
|
||||
}
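Review bot: `import <nixpkgs-master> {}` is resolved through `NIX_PATH` at evaluation time, so `podman`, `conmon`, `slirp4netns` and the base `crun` derivation come from whatever checkout that entry points to on the building machine; only the crun source itself is pinned by the `sha256` in `overrideAttrs`. `rev = version` resolves a git tag, which can be moved, so a hash mismatch later will not say whether the tag or the channel moved. Pin the input with `builtins.fetchTarball { url = <NIXPKGS_MASTER_URL>; sha256 = <HASH>; }` (values from a known-good commit) or at least record the expected nixpkgs-master revision in a comment above `nixpkgs-master = …` so the overlay evaluates identically on every host.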
|
||||
|
|
|
@ -51,37 +51,13 @@ let
|
|||
# Default transport method for pulling and pushing for images
|
||||
image_default_transport = "docker://"
|
||||
|
||||
# Paths to search for the Conmon container manager binary
|
||||
runtime_path = [
|
||||
"${pkgs.runc}/bin/runc"
|
||||
]
|
||||
|
||||
|
||||
# Paths to look for the Conmon container manager binary
|
||||
conmon_path = [
|
||||
"${pkgs.conmon}/bin/conmon"
|
||||
]
|
||||
|
||||
|
||||
# Environment variables to pass into conmon
|
||||
conmon_env_vars = [
|
||||
# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
]
|
||||
|
||||
# CGroup Manager - valid values are "systemd" and "cgroupfs"
|
||||
cgroup_manager = "systemd"
|
||||
|
||||
# Container init binary
|
||||
#init_path = "/usr/libexec/podman/catatonit"
|
||||
|
||||
# Directory for persistent libpod files (database, etc)
|
||||
# By default, this will be configured relative to where containers/storage
|
||||
# stores containers
|
||||
# Uncomment to change location from this default
|
||||
#static_dir = "/var/lib/containers/storage/libpod"
|
||||
|
||||
# Directory for temporary files. Must be tmpfs (wiped after reboot)
|
||||
# tmp_dir = "/var/run/libpod"
|
||||
# cgroup_manager = "systemd"
|
||||
cgroup_manager = "cgroupfs"
|
||||
|
||||
# Maximum size of log files (in bytes)
|
||||
# -1 is unlimited
|
||||
|
@ -91,14 +67,13 @@ let
|
|||
no_pivot_root = false
|
||||
|
||||
# Directory containing CNI plugin configuration files
|
||||
# cni_config_dir = "${cniConfigDir}"
|
||||
cni_config_dir = "${cniConfigDir}"
|
||||
|
||||
# Directories where the CNI plugin binaries may be located
|
||||
cni_plugin_dir = [
|
||||
"${pkgs.cni-plugins}/bin"
|
||||
]
|
||||
|
||||
|
||||
# Default CNI network for libpod.
|
||||
# If multiple CNI network configs are present, libpod will use the network with
|
||||
# the name given here for containers unless explicitly overridden.
|
||||
|
@ -128,17 +103,10 @@ let
|
|||
# they cannot be reused by other programs on the host. However, this can cause
|
||||
# significant memory usage if a container has many ports forwarded to it.
|
||||
# Disabling this can save memory.
|
||||
#enable_port_reservation = true
|
||||
enable_port_reservation = true
|
||||
|
||||
# Default libpod support for container labeling
|
||||
# label=true
|
||||
|
||||
# Paths to look for a valid OCI runtime (runc, runv, etc)
|
||||
# FIXME: this doesn't seem to take effect
|
||||
[runtimes]
|
||||
runc = [
|
||||
"${pkgs.runc}/bin/runc"
|
||||
]
|
||||
'';
|
||||
|
||||
policy-json = pkgs.writeText "policy.json" ''
|
||||
|
@ -160,7 +128,12 @@ let
|
|||
|
||||
in
|
||||
|
||||
{ image, pull ? "always", global_args ? "", run_args ? "" }:
|
||||
{ image
|
||||
, pull ? "always"
|
||||
, global_args ? ""
|
||||
, run_args ? ""
|
||||
, userns ? "keep-id"
|
||||
}:
|
||||
|
||||
(pkgs.writeScriptBin "posh" ''
|
||||
#! ${pkgs.bash}/bin/bash
|
||||
|
@ -186,10 +159,18 @@ in
|
|||
test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
|
||||
ln -sf ${policy-json} $HOME_POLICY_JSON
|
||||
|
||||
|
||||
set -x
|
||||
exec ${pkgs.podman}/bin/podman \
|
||||
${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
|
||||
--conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
|
||||
--cgroup-manager=cgroupfs \
|
||||
${global_args} \
|
||||
run \
|
||||
--annotation=io.crun.keep_original_groups=1 \
|
||||
--config ${podmanConfig} \
|
||||
--conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
|
||||
--rm -i --network host --pull=''${POSH_PULL} \
|
||||
$tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
|
||||
${if userns != null then "--userns="+userns else ""} \
|
||||
${run_args} \
|
||||
''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
|
||||
'')
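Review bot: In the new `exec ${pkgs.podman}/bin/podman` invocation `-v $HOME:$HOME -w $HOME` is unquoted bash inside the Nix string, so a `$HOME` containing whitespace would split into separate arguments; quote them, `-v "$HOME:$HOME" -w "$HOME"`. The `--annotation=io.crun.keep_original_groups=1` line appears to be what keeps the host's supplementary groups (including the new `sgx` group) inside the container so the 0660 group permission on the device node is usable — that reasoning is written nowhere and deserves a comment on the line above it, e.g. `# keep host supplementary groups (sgx) so group-rw device nodes remain accessible`. `set -x` stays enabled right before `exec`, which echoes every argument including `run_args` to stderr on each login shell; consider removing it or gating it on an environment variable (name to be chosen). The config passed via `--config ${podmanConfig}` still appears to list only `runc` under `[runtimes]` in the hunk at `@ -128,17 +103,10 @@` while the command line runs `${pkgs.crun}/bin/crun`; align the two or extend the existing FIXME to say why the entry is kept.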
|
||||
|
|