pkgs/posh: change userns and $HOME handling, switch to crun runtime

Since version 0.10.4 [0] the crun runtime understands an annotation to keep the original groups of the user who runs the container. [0]: https://github.com/containers/crun/releases/tag/0.10.4
2019-12-13 20:52:14 +01:00 · 2019-12-13 20:52:14 +01:00 · 14d496811c
commit 14d496811c
parent 99ed0a4e82
1 changed files with 17 additions and 39 deletions
--- a/nix/pkgs/posh.nix
+++ b/nix/pkgs/posh.nix
@ -51,37 +51,13 @@ let
    # Default transport method for pulling and pushing for images
    image_default_transport = "docker://"

-    # Paths to search for the Conmon container manager binary
-    runtime_path = [
-      "${pkgs.runc}/bin/runc"
-    ]
-
-
-    # Paths to look for the Conmon container manager binary
-    conmon_path = [
-      "${pkgs.conmon}/bin/conmon"
-    ]
-
-
    # Environment variables to pass into conmon
    conmon_env_vars = [
-      # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ]

    # CGroup Manager - valid values are "systemd" and "cgroupfs"
-    cgroup_manager = "systemd"
-
-    # Container init binary
-    #init_path = "/usr/libexec/podman/catatonit"
-
-    # Directory for persistent libpod files (database, etc)
-    # By default, this will be configured relative to where containers/storage
-    # stores containers
-    # Uncomment to change location from this default
-    #static_dir = "/var/lib/containers/storage/libpod"
-
-    # Directory for temporary files. Must be tmpfs (wiped after reboot)
-    # tmp_dir = "/var/run/libpod"
+    # cgroup_manager = "systemd"
+    cgroup_manager = "cgroupfs"

    # Maximum size of log files (in bytes)
    # -1 is unlimited
@ -91,14 +67,13 @@ let
    no_pivot_root = false

    # Directory containing CNI plugin configuration files
-    # cni_config_dir = "${cniConfigDir}"
+    cni_config_dir = "${cniConfigDir}"

    # Directories where the CNI plugin binaries may be located
    cni_plugin_dir = [
      "${pkgs.cni-plugins}/bin"
    ]

-
    # Default CNI network for libpod.
    # If multiple CNI network configs are present, libpod will use the network with
    # the name given here for containers unless explicitly overridden.
@ -128,17 +103,10 @@ let
    # they cannot be reused by other programs on the host. However, this can cause
    # significant memory usage if a container has many ports forwarded to it.
    # Disabling this can save memory.
-    #enable_port_reservation = true
+    enable_port_reservation = true

    # Default libpod support for container labeling
    # label=true
-
-    # Paths to look for a valid OCI runtime (runc, runv, etc)
-    # FIXME: this doesn't seem to take effect
-    [runtimes]
-    runc = [
-      "${pkgs.runc}/bin/runc"
-    ]
  '';

  policy-json = pkgs.writeText "policy.json" ''
@ -160,7 +128,9 @@ let

 in

-{ image, pull ? "always", global_args ? "", run_args ? "" }:
+{ image, pull ? "always", global_args ? "", run_args ? ""
+, userns ? "keep-id"
+}:

 (pkgs.writeScriptBin "posh" ''
  #! ${pkgs.bash}/bin/bash
@ -186,10 +156,18 @@ in
  test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
  ln -sf ${policy-json} $HOME_POLICY_JSON

+
+  set -x
  exec ${pkgs.podman}/bin/podman \
-    ${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
-    --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
+    --cgroup-manager=cgroupfs \
+    ${global_args} \
+    run \
+    --annotation=io.crun.keep_original_groups=1 \
    --config ${podmanConfig} \
+    --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
+    --rm -i --network host --pull=''${POSH_PULL} \
+    $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
+    ${if userns != null then "--userns="+userns else ""} \
    ${run_args} \
    ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
 '')