From 52801cd9dfcd0ebd6ddd6f3f2cb5d203cc3d5516 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 13 Dec 2019 20:49:15 +0100
Subject: [PATCH 1/5] devices/steveej-nuc7pjyh-work: change size of sub{u,g}uid ranges

---
 nix/os/devices/steveej-nuc7pjyh-work/user.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
index a1a6481..eecba37 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
@@ -13,7 +13,7 @@ in {
 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
 shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
- subUidRanges = [{ startUid = 100000; count = 100000; }];
- subGidRanges = [{ startGid = 100000; count = 100000; }];
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
 };
 }

From 44acf1fe443af43ad7e15027510d85bda2070bd8 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 13 Dec 2019 20:50:33 +0100
Subject: [PATCH 2/5] nix/overlay/posh: add crun 0.10.6

---
 nix/overlays/posh.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nix/overlays/posh.nix b/nix/overlays/posh.nix
index 441922d..6c8905d 100644
--- a/nix/overlays/posh.nix
+++ b/nix/overlays/posh.nix
@@ -2,7 +2,19 @@ self: super:
 let
 nixpkgs-master = import {};
+
+ inherit (nixpkgs-master) crun;
+ crun_10_6_0 = crun.overrideAttrs (oldAttrs: rec {
+ version = "0.10.6";
+ src = super.fetchgit {
+ inherit (crun.src) url;
+ rev = version;
+ sha256 = "0v1hrlpnln0c976fb0k2ig4jv11qbyzf95z0wy92fd8r8in16rc1";
+ };
+ });
+
 in {
 inherit (nixpkgs-master) podman conmon slirp4netns;
+ crun = crun_10_6_0;
 posh = self.callPackage ../pkgs/posh.nix {};
 }

From 99ed0a4e82b60453e1fc5cc3590c9638e5e312cb Mon Sep 17 00:00:00 2001
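Review bot: The `crun_10_6_0` binding does not say why an exact crun is pinned, and its name does not match the version it builds (`"0.10.6"`), so a reader of this overlay alone cannot tell whether nixpkgs-master's crun may safely replace it later. The cover letter of patch 4 states that the `io.crun.keep_original_groups` annotation needs crun >= 0.10.4, which is exactly the fact that belongs next to the pin; I would rename the binding `crun_0_10_6` and put `# posh.nix relies on the io.crun.keep_original_groups annotation (crun >= 0.10.4)` above it. `rev = version` resolves a tag rather than a commit; the fixed-output `sha256` still guarantees the fetched content, but pinning the commit id keeps the fetch reproducible even if the tag is moved, and the unused `oldAttrs` can become `_`. Whether `crun.src` actually exposes a `url` attribute depends on how nixpkgs-master defines it, which is outside this hunk.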
From: Stefan Junker
Date: Fri, 13 Dec 2019 20:51:13 +0100
Subject: [PATCH 3/5] steveej-nuc7pjyh-work: sgx group for accessing /dev/sgx

---
 nix/os/devices/steveej-nuc7pjyh-work/system.nix | 2 ++
 nix/os/devices/steveej-nuc7pjyh-work/user.nix | 1 +
 2 files changed, 3 insertions(+)

diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
index b04ec58..8d673ba 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
@@ -2,6 +2,8 @@ let
 in {
+ services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"'';
+ users.groups.sgx = {};
 networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
 }
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
index eecba37..05a9670 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
@@ -12,6 +12,7 @@ in {
 uid = 1001;
 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
 shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
+ extraGroups = [ "sgx" ];
 subUidRanges = [{ startUid = 100000; count = 65536; }];
 subGidRanges = [{ startGid = 100000; count = 65536; }];

From 14d496811c57e59971abc31f47295fd82d8ae356 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 13 Dec 2019 20:52:14 +0100
Subject: [PATCH 4/5] pkgs/posh: change userns and $HOME handling, switch to crun runtime

Since version 0.10.4 [0] the crun runtime understands an annotation to keep the original groups of the user who runs the container.

[0]: https://github.com/containers/crun/releases/tag/0.10.4
---
 nix/pkgs/posh.nix | 56 ++++++++++++++--------------------------------
 1 file changed, 17 insertions(+), 39 deletions(-)

diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix
index fe6c60a..127d430 100644
--- a/nix/pkgs/posh.nix
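Review bot: The rule `SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"` matches every node the sgx driver registers, not only the enclave device, so if the driver shipped by `linuxPackages_sgx_latest` (defined outside this hunk) also creates a provisioning node, membership in `sgx` grants access to that as well — and user.nix hands the whole directory to the container with `-v /dev/sgx:/dev/sgx`. Provisioning access is what attestation-key material is gated on, so I would keep it in its own group: follow the general rule with a narrower one such as `SUBSYSTEM=="sgx", KERNEL=="sgx/provision", MODE="0660", GROUP="sgx_prv"` plus `users.groups.sgx_prv = {};`, after checking the `KERNEL` match against the node name that driver actually creates. A one-line comment above `extraRules` naming which node the `sgx` group is meant to unlock would make the intent reviewable. Both added lines sit inside the attribute set opened at `in {`; the rest of it is outside this hunk.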
+++ b/nix/pkgs/posh.nix
@@ -51,37 +51,13 @@ let
 # Default transport method for pulling and pushing for images
 image_default_transport = "docker://"
- # Paths to search for the Conmon container manager binary
- runtime_path = [
- "${pkgs.runc}/bin/runc"
- ]
-
-
- # Paths to look for the Conmon container manager binary
- conmon_path = [
- "${pkgs.conmon}/bin/conmon"
- ]
-
 # Environment variables to pass into conmon
 conmon_env_vars = [
- # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 ]
 # CGroup Manager - valid values are "systemd" and "cgroupfs"
- cgroup_manager = "systemd"
-
- # Container init binary
- #init_path = "/usr/libexec/podman/catatonit"
-
- # Directory for persistent libpod files (database, etc)
- # By default, this will be configured relative to where containers/storage
- # stores containers
- # Uncomment to change location from this default
- #static_dir = "/var/lib/containers/storage/libpod"
-
- # Directory for temporary files. Must be tmpfs (wiped after reboot)
- # tmp_dir = "/var/run/libpod"
+ # cgroup_manager = "systemd"
+ cgroup_manager = "cgroupfs"
 # Maximum size of log files (in bytes)
 # -1 is unlimited
@@ -91,14 +67,13 @@ let
 no_pivot_root = false
 # Directory containing CNI plugin configuration files
- # cni_config_dir = "${cniConfigDir}"
+ cni_config_dir = "${cniConfigDir}"
 # Directories where the CNI plugin binaries may be located
 cni_plugin_dir = [
 "${pkgs.cni-plugins}/bin"
 ]
-
 # Default CNI network for libpod.
 # If multiple CNI network configs are present, libpod will use the network with
 # the name given here for containers unless explicitly overridden.
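Review bot: The switch to `cgroup_manager = "cgroupfs"` leaves `# cgroup_manager = "systemd"` behind as dead text and records no reason, while the same choice is repeated as `--cgroup-manager=cgroupfs` on the podman command line later in this patch, so a future reader cannot tell which setting is authoritative or why systemd was dropped. I would replace the commented-out line with a why-comment, e.g. `# cgroupfs: posh runs podman rootless for a login shell, where the systemd manager was not usable here`, worded to match whatever failure actually motivated it. If rootless cgroupfs means resource limits passed through `run_args` are not enforced on this host, that caveat belongs next to the setting too. The `''` string holding this config begins before this hunk.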
@@ -128,17 +103,10 @@ let
 # they cannot be reused by other programs on the host. However, this can cause
 # significant memory usage if a container has many ports forwarded to it.
 # Disabling this can save memory.
- #enable_port_reservation = true
+ enable_port_reservation = true
 # Default libpod support for container labeling
 # label=true
-
- # Paths to look for a valid OCI runtime (runc, runv, etc)
- # FIXME: this doesn't seem to take effect
- [runtimes]
- runc = [
- "${pkgs.runc}/bin/runc"
- ]
 '';
 policy-json = pkgs.writeText "policy.json" ''
@@ -160,7 +128,9 @@ let
 in
-{ image, pull ? "always", global_args ? "", run_args ? "" }:
+{ image, pull ? "always", global_args ? "", run_args ? ""
+, userns ? "keep-id"
+}:
 (pkgs.writeScriptBin "posh" ''
 #! ${pkgs.bash}/bin/bash
@@ -186,10 +156,18 @@ in
 test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
 ln -sf ${policy-json} $HOME_POLICY_JSON
+
+ set -x
 exec ${pkgs.podman}/bin/podman \
- ${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
- --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
+ --cgroup-manager=cgroupfs \
+ ${global_args} \
+ run \
+ --annotation=io.crun.keep_original_groups=1 \
 --config ${podmanConfig} \
+ --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
+ --rm -i --network host --pull=''${POSH_PULL} \
+ $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
+ ${if userns != null then "--userns="+userns else ""} \
 ${run_args} \
 ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
 '')

From 7d18610b2f7a377c04e43bf2376fecd160c5c8e0 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 13 Dec 2019 20:59:27 +0100
Subject: [PATCH 5/5] posh: minor syntactic change

---
 nix/pkgs/posh.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix
index 127d430..488a31e 100644
--- a/nix/pkgs/posh.nix
+++ b/nix/pkgs/posh.nix
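Review bot: The added `set -x` runs unconditionally in a script that user.nix installs as the login shell, so every session — including the non-tty ones the `$tty`/`$ssh` handling exists for — now echoes the full podman command line (image, `$HOME` path, `${run_args}`, the userns flag) to stderr, which is debug output leaking into every login and every remote caller's log. I would gate it on an explicit opt-in: `[ -n "''${POSH_DEBUG:-}" ] && set -x`. Separately, `-v $HOME:$HOME -w $HOME` is unquoted next to `$tty $ssh`, which are presumably left unquoted on purpose so empty values vanish; a `$HOME` containing whitespace would split into extra arguments, so `-v "$HOME:$HOME" -w "$HOME"` is the safer form. A comment above `exec` should also state that with `--userns=keep-id`, `io.crun.keep_original_groups=1` and the home bind mount the container runs with the invoking user's full host identity (uid, supplementary groups such as `sgx`, home directory), i.e. it is a packaging convenience and not an isolation boundary. The `writeScriptBin` body this belongs to starts before this hunk.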
@@ -128,7 +128,10 @@ let
 in
-{ image, pull ? "always", global_args ? "", run_args ? ""
+{ image
+, pull ? "always"
+, global_args ? ""
+, run_args ? ""
 , userns ? "keep-id"
 }: