Merge branch 'pr/nuc-sgx-permissions' into 'master'
steveej-nuc7pjyh-work: manage /dev/sgx devices via a sgx group & adapt posh to handle groups See merge request steveeJ/infra!31
commit
0ab8b8ca16
4 changed files with 37 additions and 41 deletions
|
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
in {
|
in {
|
||||||
|
services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"'';
|
||||||
|
users.groups.sgx = {};
|
||||||
networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
|
networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
|
||||||
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
|
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
|
||||||
}
|
}
|
||||||
|
|
|
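Review bot: The udev rule at L25 hands the `sgx` group mode 0660 on every node the sgx subsystem creates, so if this driver also exposes a provisioning node (the user config bind-mounts the whole /dev/sgx directory, which suggests more than one node), ordinary enclave users get provisioning-enclave access as well. Drivers that ship their own rules usually keep the two apart, with a second, more restricted group for the provision node, so a narrower match such as `KERNEL=="sgx/enclave"` (name per this driver — check the nodes it actually creates) or a separate rule for the provision node keeps the grant to what enclave workloads need. Fixing the numeric id with `users.groups.sgx = { gid = <GID_PLACEHOLDER>; };` is optional but makes the group stable across rebuilds, which matters once the id is what is carried into containers.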
@ -12,8 +12,9 @@ in {
|
||||||
uid = 1001;
|
uid = 1001;
|
||||||
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
|
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
|
||||||
shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
|
shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
|
||||||
|
extraGroups = [ "sgx" ];
|
||||||
|
|
||||||
subUidRanges = [{ startUid = 100000; count = 100000; }];
|
subUidRanges = [{ startUid = 100000; count = 65536; }];
|
||||||
subGidRanges = [{ startGid = 100000; count = 100000; }];
|
subGidRanges = [{ startGid = 100000; count = 65536; }];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
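Review bot: `run_args = "-v /dev/sgx:/dev/sgx"` at L65 still bind-mounts the entire device directory, so with the new `extraGroups = [ "sgx" ]` and the group-preserving runtime in posh, any image pulled from `quay.io/enarx/fedora` receives every SGX node the host exposes, including a provisioning node if the driver has one. If only the enclave node is needed inside the container, mount that node alone, e.g. `run_args = "-v /dev/sgx/enclave:/dev/sgx/enclave"` (name per the driver), so image contents cannot reach attestation-key provisioning. The subUid/subGid shrink to 65536 at L77 and L82 is consistent with one 16-bit id range per user and looks fine.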
@ -2,7 +2,19 @@ self: super:
|
||||||
|
|
||||||
let
|
let
|
||||||
nixpkgs-master = import <nixpkgs-master> {};
|
nixpkgs-master = import <nixpkgs-master> {};
|
||||||
|
|
||||||
|
inherit (nixpkgs-master) crun;
|
||||||
|
crun_10_6_0 = crun.overrideAttrs (oldAttrs: rec {
|
||||||
|
version = "0.10.6";
|
||||||
|
src = super.fetchgit {
|
||||||
|
inherit (crun.src) url;
|
||||||
|
rev = version;
|
||||||
|
sha256 = "0v1hrlpnln0c976fb0k2ig4jv11qbyzf95z0wy92fd8r8in16rc1";
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
in {
|
in {
|
||||||
inherit (nixpkgs-master) podman conmon slirp4netns;
|
inherit (nixpkgs-master) podman conmon slirp4netns;
|
||||||
|
crun = crun_10_6_0;
|
||||||
posh = self.callPackage ../pkgs/posh.nix {};
|
posh = self.callPackage ../pkgs/posh.nix {};
|
||||||
}
|
}
|
||||||
|
|
|
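Review bot: The crun pin at L122–L150 carries no explanation, so a reader of the overlay cannot tell why 0.10.6 is forced over the nixpkgs-master version or when the override can be dropped. Since posh now passes `--annotation=io.crun.keep_original_groups=1` in the same merge, presumably the pin exists because that annotation needs this release — confirm and record it, e.g. `# pinned for the io.crun.keep_original_groups annotation used by pkgs/posh.nix; drop once nixpkgs-master ships >= 0.10.6`. Note also that `rev = version` at L138 resolves a git tag, which can move; the `sha256` at L142 is what actually pins the content, so a future version bump must update both together.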
@ -51,37 +51,13 @@ let
|
||||||
# Default transport method for pulling and pushing for images
|
# Default transport method for pulling and pushing for images
|
||||||
image_default_transport = "docker://"
|
image_default_transport = "docker://"
|
||||||
|
|
||||||
# Paths to search for the Conmon container manager binary
|
|
||||||
runtime_path = [
|
|
||||||
"${pkgs.runc}/bin/runc"
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
# Paths to look for the Conmon container manager binary
|
|
||||||
conmon_path = [
|
|
||||||
"${pkgs.conmon}/bin/conmon"
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
# Environment variables to pass into conmon
|
# Environment variables to pass into conmon
|
||||||
conmon_env_vars = [
|
conmon_env_vars = [
|
||||||
# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
||||||
]
|
]
|
||||||
|
|
||||||
# CGroup Manager - valid values are "systemd" and "cgroupfs"
|
# CGroup Manager - valid values are "systemd" and "cgroupfs"
|
||||||
cgroup_manager = "systemd"
|
# cgroup_manager = "systemd"
|
||||||
|
cgroup_manager = "cgroupfs"
|
||||||
# Container init binary
|
|
||||||
#init_path = "/usr/libexec/podman/catatonit"
|
|
||||||
|
|
||||||
# Directory for persistent libpod files (database, etc)
|
|
||||||
# By default, this will be configured relative to where containers/storage
|
|
||||||
# stores containers
|
|
||||||
# Uncomment to change location from this default
|
|
||||||
#static_dir = "/var/lib/containers/storage/libpod"
|
|
||||||
|
|
||||||
# Directory for temporary files. Must be tmpfs (wiped after reboot)
|
|
||||||
# tmp_dir = "/var/run/libpod"
|
|
||||||
|
|
||||||
# Maximum size of log files (in bytes)
|
# Maximum size of log files (in bytes)
|
||||||
# -1 is unlimited
|
# -1 is unlimited
|
||||||
|
@ -91,14 +67,13 @@ let
|
||||||
no_pivot_root = false
|
no_pivot_root = false
|
||||||
|
|
||||||
# Directory containing CNI plugin configuration files
|
# Directory containing CNI plugin configuration files
|
||||||
# cni_config_dir = "${cniConfigDir}"
|
cni_config_dir = "${cniConfigDir}"
|
||||||
|
|
||||||
# Directories where the CNI plugin binaries may be located
|
# Directories where the CNI plugin binaries may be located
|
||||||
cni_plugin_dir = [
|
cni_plugin_dir = [
|
||||||
"${pkgs.cni-plugins}/bin"
|
"${pkgs.cni-plugins}/bin"
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
# Default CNI network for libpod.
|
# Default CNI network for libpod.
|
||||||
# If multiple CNI network configs are present, libpod will use the network with
|
# If multiple CNI network configs are present, libpod will use the network with
|
||||||
# the name given here for containers unless explicitly overridden.
|
# the name given here for containers unless explicitly overridden.
|
||||||
|
@ -128,17 +103,10 @@ let
|
||||||
# they cannot be reused by other programs on the host. However, this can cause
|
# they cannot be reused by other programs on the host. However, this can cause
|
||||||
# significant memory usage if a container has many ports forwarded to it.
|
# significant memory usage if a container has many ports forwarded to it.
|
||||||
# Disabling this can save memory.
|
# Disabling this can save memory.
|
||||||
#enable_port_reservation = true
|
enable_port_reservation = true
|
||||||
|
|
||||||
# Default libpod support for container labeling
|
# Default libpod support for container labeling
|
||||||
# label=true
|
# label=true
|
||||||
|
|
||||||
# Paths to look for a valid OCI runtime (runc, runv, etc)
|
|
||||||
# FIXME: this doesn't seem to take effect
|
|
||||||
[runtimes]
|
|
||||||
runc = [
|
|
||||||
"${pkgs.runc}/bin/runc"
|
|
||||||
]
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
policy-json = pkgs.writeText "policy.json" ''
|
policy-json = pkgs.writeText "policy.json" ''
|
||||||
|
@ -160,7 +128,12 @@ let
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{ image, pull ? "always", global_args ? "", run_args ? "" }:
|
{ image
|
||||||
|
, pull ? "always"
|
||||||
|
, global_args ? ""
|
||||||
|
, run_args ? ""
|
||||||
|
, userns ? "keep-id"
|
||||||
|
}:
|
||||||
|
|
||||||
(pkgs.writeScriptBin "posh" ''
|
(pkgs.writeScriptBin "posh" ''
|
||||||
#! ${pkgs.bash}/bin/bash
|
#! ${pkgs.bash}/bin/bash
|
||||||
|
@ -186,10 +159,18 @@ in
|
||||||
test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
|
test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
|
||||||
ln -sf ${policy-json} $HOME_POLICY_JSON
|
ln -sf ${policy-json} $HOME_POLICY_JSON
|
||||||
|
|
||||||
|
|
||||||
|
set -x
|
||||||
exec ${pkgs.podman}/bin/podman \
|
exec ${pkgs.podman}/bin/podman \
|
||||||
${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
|
--cgroup-manager=cgroupfs \
|
||||||
--conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
|
${global_args} \
|
||||||
|
run \
|
||||||
|
--annotation=io.crun.keep_original_groups=1 \
|
||||||
--config ${podmanConfig} \
|
--config ${podmanConfig} \
|
||||||
|
--conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
|
||||||
|
--rm -i --network host --pull=''${POSH_PULL} \
|
||||||
|
$tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
|
||||||
|
${if userns != null then "--userns="+userns else ""} \
|
||||||
${run_args} \
|
${run_args} \
|
||||||
''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
|
''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
|
||||||
'')
|
'')
|
||||||
|
|
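Review bot: The `set -x` added before the `exec` at L551 is left in the shipped wrapper, so every shell login echoes the full podman command line, including the resolved `''${cmd[@]}`, to stderr; unless that trace is intended it should be removed or gated, e.g. `[ -n "''${POSH_DEBUG:-}" ] && set -x` (variable name constructed). In the same hunk `-v $HOME:$HOME -w $HOME` at L591 is unquoted, so a HOME containing spaces word-splits into several argv entries; `-v "$HOME:$HOME" -w "$HOME"` matches the quoting already used for `"''${cmd[@]}"`. The move to `--userns=keep-id` together with `keep_original_groups` at L574 is what lets the host sgx group reach the device nodes inside the container, and a one-line comment next to the annotation saying so would make the dependency on the pinned crun explicit. The enclosing script body starts and ends outside this hunk.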