From 6f06311c042cdfd6937b8281fdbb22a86a472fd4 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 6 Dec 2019 16:07:37 +0100
Subject: [PATCH 1/2] posh: don't depend on system config or packages

This adds a comprehensive libpod-configuration to posh to make it indepdent of the system's one.
---
 nix/pkgs/posh.nix | 167 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 166 insertions(+), 1 deletion(-)

diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix
index 043895b..7d7fdf1 100644
--- a/nix/pkgs/posh.nix
+++ b/nix/pkgs/posh.nix
@@ -1,8 +1,166 @@
 # posh makes use of podman to run an encapsulated shell session
 { pkgs, ... }:
-{ image, pull ? "always", global_args ? "", run_args ? "" }:
+let
+ cniConfigDir = let
+ loopback = pkgs.writeText "00-loopback.conf" ''
+ {
+ "cniVersion": "0.3.0",
+ "type": "loopback"
+ }
+ '';
+ podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
+ {
+ "cniVersion": "0.3.0",
+ "name": "podman",
+ "plugins": [
+ {
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+ }
+ '';
+ in pkgs.runCommand "cniConfig" {} ''
+ set -x
+ mkdir $out;
+ ln -s ${loopback} $out/${loopback.name}
+ ln -s ${podman-bridge} $out/${podman-bridge.name}
+ '';
+
+ podmanConfig = pkgs.writeText "libpod.conf" ''
+ # libpod.conf is the default configuration file for all tools using libpod to
+ # manage containers
+
+ # Default transport method for pulling and pushing for images
+ image_default_transport = "docker://"
+
+ # Paths to search for the Conmon container manager binary
+ runtime_path = [
+ "${pkgs.runc}/bin/runc"
+ ]
+
+
+ # Paths to look for the Conmon container manager binary
+ conmon_path = [
+ "${pkgs.conmon}/bin/conmon"
+ ]
+
+
+ # Environment variables to pass into conmon
+ conmon_env_vars = [
+ # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ ]
+
+ # CGroup Manager - valid values are "systemd" and "cgroupfs"
+ cgroup_manager = "systemd"
+
+ # Container init binary
+ #init_path = "/usr/libexec/podman/catatonit"
+
+ # Directory for persistent libpod files (database, etc)
+ # By default, this will be configured relative to where containers/storage
+ # stores containers
+ # Uncomment to change location from this default
+ #static_dir = "/var/lib/containers/storage/libpod"
+
+ # Directory for temporary files. Must be tmpfs (wiped after reboot)
+ # tmp_dir = "/var/run/libpod"
+
+ # Maximum size of log files (in bytes)
+ # -1 is unlimited
+ max_log_size = -1
+
+ # Whether to use chroot instead of pivot_root in the runtime
+ no_pivot_root = false
+
+ # Directory containing CNI plugin configuration files
+ # cni_config_dir = "${cniConfigDir}"
+
+ # Directories where the CNI plugin binaries may be located
+ cni_plugin_dir = [
+ "${pkgs.cni-plugins}/bin"
+ ]
+
+
+ # Default CNI network for libpod.
+ # If multiple CNI network configs are present, libpod will use the network with
+ # the name given here for containers unless explicitly overridden.
+ # The default here is set to the name we set in the
+ # 87-podman-bridge.conflist included in the repository.
+ # Not setting this, or setting it to the empty string, will use normal CNI
+ # precedence rules for selecting between multiple networks.
+ cni_default_network = "podman"
+
+ # Default libpod namespace
+ # If libpod is joined to a namespace, it will see only containers and pods
+ # that were created in the same namespace, and will create new containers and
+ # pods in that namespace.
+ # The default namespace is "", which corresponds to no namespace. When no
+ # namespace is set, all containers and pods are visible.
+ #namespace = ""
+
+ # Default pause image name for pod pause containers
+ pause_image = "k8s.gcr.io/pause:3.1"
+
+ # Default command to run the pause container
+ pause_command = "/pause"
+
+ # Determines whether libpod will reserve ports on the host when they are
+ # forwarded to containers. When enabled, when ports are forwarded to containers,
+ # they are held open by conmon as long as the container is running, ensuring that
+ # they cannot be reused by other programs on the host. However, this can cause
+ # significant memory usage if a container has many ports forwarded to it.
+ # Disabling this can save memory.
+ #enable_port_reservation = true
+
+ # Default libpod support for container labeling
+ # label=true
+
+ # Paths to look for a valid OCI runtime (runc, runv, etc)
+ # FIXME: this doesn't seem to take effect
+ [runtimes]
+ runc = [
+ "${pkgs.runc}/bin/runc"
+ ]
+ '';
+
+ policy-json = pkgs.writeText "policy.json" ''
+ {
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+ }
+ '';
+
+in
+
+{ image, pull ? "always", global_args ? "", run_args ? "" }:
 (pkgs.writeScriptBin "posh" ''
+#! ${pkgs.bash}/bin/bash
@@ -21,8 +179,15 @@
 # TODO parse the beginning of the command for POSH_* overrides
 fi
+ HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers"
+ HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json"
+ test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
+ ln -sf ${policy-json} $HOME_POLICY_JSON
+
 exec ${pkgs.podman}/bin/podman \
 ${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
+ --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
+ --config ${podmanConfig} \
 ${run_args} ''${POSH_IMAGE} $@
 '')
 .overrideAttrs(attrs: attrs // {

From 5e998992a50de8bf15036f8bebb35602674ee6ba Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 6 Dec 2019 16:11:21 +0100
Subject: [PATCH 2/2] steveej-nuc7pjyh-work: use kernel from pkgs, enable extra users with posh

---
 .../steveej-nuc7pjyh-work/configuration.nix | 1 +
 .../devices/steveej-nuc7pjyh-work/system.nix | 24 +------------------
 2 files changed, 2 insertions(+), 23 deletions(-)

diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
index 2bf3a41..40aeaeb 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
@@ -8,6 +8,7 @@
 ./system.nix
 ./hw.nix
+ ./user.nix
 ../../profiles/removable-medium/pkg.nix
 ];
 }
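Review bot: The `policy-json` written near the end of the hunk sets `insecureAcceptAnything` both as the default and for the `docker-daemon` transport, so with the `pull ? "always"` default every image reference posh pulls is accepted without any signature check; that mirrors the usual distro default, but since this file is meant to replace the system policy it should say so, e.g. `# No image signature verification: trust rests on registry TLS and the image reference alone.` above the `"default"` entry. The comment over `runtime_path` reads `# Paths to search for the Conmon container manager binary` although the list holds runc; it should be `# Paths to search for a valid OCI runtime binary`. `cni_config_dir` is left commented out, so the `cniConfigDir` derivation built at the top of the hunk is never referenced and podman presumably keeps its built-in config location; either reference it or add a comment such as `# CNI config unused: posh runs with --network host` so the dead derivation is not mistaken for active configuration. The `posh` script body continues past the end of the hunk.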
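Review bot: The line `test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR` misspells the variable defined two lines earlier (`CONFIGIDR` vs `CONFIGDIR`), so the expansion is empty, `test -d` with the lone operand `-d` succeeds, `mkdir` never runs, and the following `ln -sf` fails in a fresh home without `~/.config/containers`; replace it with `mkdir -p "$HOME_CONTAINERS_CONFIGDIR"` and quote the other expansion (`ln -sf ${policy-json} "$HOME_POLICY_JSON"`). Separately, `ln -sf` unconditionally overwrites any policy.json the user already has, replacing a possibly stricter signature policy with posh's `insecureAcceptAnything`; if overriding the user's policy is intended, say so in a comment, otherwise use `test -e "$HOME_POLICY_JSON" || ln -s ${policy-json} "$HOME_POLICY_JSON"`. The added `--conmon`, `--runtime` and `--config` flags are placed after `run` even though the existing `${global_args}` slot before `run` exists for podman's global options; I believe these are global options in the libpod 1.x series, so confirm that `podman run` accepts them in that position and move them before `run` if it does not. The `posh` script body starts before this hunk.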
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
index fe22876..b04ec58 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
@@ -1,29 +1,7 @@
 { pkgs, lib, ... }:
 let
- sgx_linuxpackages = let
- linux_sgx_pkg = { fetchurl, buildLinux, ... } @ args:
-
- buildLinux (args // rec {
- version = "5.4.0-rc3";
- modDirVersion = version;
-
- src = fetchurl {
- url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz";
- sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20";
- };
- kernelPatches = [];
-
- extraConfig = ''
- INTEL_SGX y
- '';
-
- extraMeta.branch = "5.4";
- } // (args.argsOverride or {}));
- linux_sgx = pkgs.callPackage linux_sgx_pkg{};
- in
- pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx);
 in
 {
 networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
- boot.kernelPackages = lib.mkForce sgx_linuxpackages;
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
 }
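Review bot: After `sgx_linuxpackages` is removed, the file keeps an empty `let` / `in` pair above the attribute set; Nix accepts it, but dropping both lines so `{ pkgs, lib, ... }:` is followed directly by `{` reads cleaner. The replacement `pkgs.linuxPackages_sgx_latest` is not defined anywhere in this change, so it presumably comes from an overlay elsewhere in the repository; the removed derivation pinned the exact source tarball and its sha256, and a short comment on the `boot.kernelPackages` line naming where `linuxPackages_sgx_latest` is defined, e.g. `# SGX-enabled kernel from the repository overlay; source and hash are pinned there`, would keep that provenance discoverable.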