Merge branch 'pr/posh-system-independent' into 'master'

make posh (podman shell) system independent

See merge request steveeJ/infra!26

nix/os/devices/steveej-nuc7pjyh-work/configuration.nix

@@ -8,6 +8,7 @@
 
     ./system.nix
     ./hw.nix
+    ./user.nix
     ../../profiles/removable-medium/pkg.nix
   ];
 }

nix/os/devices/steveej-nuc7pjyh-work/system.nix

@@ -1,29 +1,7 @@
 { pkgs, lib, ... }:
 
 let
-  sgx_linuxpackages = let
-      linux_sgx_pkg = { fetchurl, buildLinux, ... } @ args:
-
-        buildLinux (args // rec {
-          version = "5.4.0-rc3";
-          modDirVersion = version;
-
-          src = fetchurl {
-            url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz";
-            sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20";
-          };
-          kernelPatches = [];
-
-          extraConfig = ''
-            INTEL_SGX y
-          '';
-
-          extraMeta.branch = "5.4";
-        } // (args.argsOverride or {}));
-      linux_sgx = pkgs.callPackage linux_sgx_pkg{};
-    in 
-      pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx);
 in {
   networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
-  boot.kernelPackages = lib.mkForce sgx_linuxpackages;
+  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
 }

nix/pkgs/posh.nix

@@ -1,8 +1,166 @@
 # posh makes use of podman to run an encapsulated shell session
 { pkgs, ... }:
 
-{ image, pull ? "always", global_args ? "", run_args ? "" }:
+let
+  cniConfigDir = let
+      loopback = pkgs.writeText "00-loopback.conf" ''
+        {
+          "cniVersion": "0.3.0",
+          "type": "loopback"
+        }
+      '';
 
+      podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
+        {
+            "cniVersion": "0.3.0",
+            "name": "podman",
+            "plugins": [
+              {
+                "type": "bridge",
+                "bridge": "cni0",
+                "isGateway": true,
+                "ipMasq": true,
+                "ipam": {
+                    "type": "host-local",
+                    "subnet": "10.88.0.0/16",
+                    "routes": [
+                        { "dst": "0.0.0.0/0" }
+                    ]
+                }
+              },
+              {
+                "type": "portmap",
+                "capabilities": {
+                  "portMappings": true
+                }
+              }
+            ]
+        }
+      '';
+    in pkgs.runCommand "cniConfig" {} ''
+      set -x
+      mkdir $out;
+      ln -s ${loopback} $out/${loopback.name}
+      ln -s ${podman-bridge} $out/${podman-bridge.name}
+    '';
+
+  podmanConfig = pkgs.writeText "libpod.conf" ''
+    # libpod.conf is the default configuration file for all tools using libpod to
+    # manage containers
+
+    # Default transport method for pulling and pushing for images
+    image_default_transport = "docker://"
+
+    # Paths to search for the Conmon container manager binary
+    runtime_path = [
+      "${pkgs.runc}/bin/runc"
+    ]
+
+
+    # Paths to look for the Conmon container manager binary
+    conmon_path = [
+      "${pkgs.conmon}/bin/conmon"
+    ]
+
+
+    # Environment variables to pass into conmon
+    conmon_env_vars = [
+      # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ]
+
+    # CGroup Manager - valid values are "systemd" and "cgroupfs"
+    cgroup_manager = "systemd"
+
+    # Container init binary
+    #init_path = "/usr/libexec/podman/catatonit"
+
+    # Directory for persistent libpod files (database, etc)
+    # By default, this will be configured relative to where containers/storage
+    # stores containers
+    # Uncomment to change location from this default
+    #static_dir = "/var/lib/containers/storage/libpod"
+
+    # Directory for temporary files. Must be tmpfs (wiped after reboot)
+    # tmp_dir = "/var/run/libpod"
+
+    # Maximum size of log files (in bytes)
+    # -1 is unlimited
+    max_log_size = -1
+
+    # Whether to use chroot instead of pivot_root in the runtime
+    no_pivot_root = false
+
+    # Directory containing CNI plugin configuration files
+    # cni_config_dir = "${cniConfigDir}"
+
+    # Directories where the CNI plugin binaries may be located
+    cni_plugin_dir = [
+      "${pkgs.cni-plugins}/bin"
+    ]
+
+
+    # Default CNI network for libpod.
+    # If multiple CNI network configs are present, libpod will use the network with
+    # the name given here for containers unless explicitly overridden.
+    # The default here is set to the name we set in the
+    # 87-podman-bridge.conflist included in the repository.
+    # Not setting this, or setting it to the empty string, will use normal CNI
+    # precedence rules for selecting between multiple networks.
+    cni_default_network = "podman"
+
+    # Default libpod namespace
+    # If libpod is joined to a namespace, it will see only containers and pods
+    # that were created in the same namespace, and will create new containers and
+    # pods in that namespace.
+    # The default namespace is "", which corresponds to no namespace. When no
+    # namespace is set, all containers and pods are visible.
+    #namespace = ""
+
+    # Default pause image name for pod pause containers
+    pause_image = "k8s.gcr.io/pause:3.1"
+
+    # Default command to run the pause container
+    pause_command = "/pause"
+
+    # Determines whether libpod will reserve ports on the host when they are
+    # forwarded to containers. When enabled, when ports are forwarded to containers,
+    # they are held open by conmon as long as the container is running, ensuring that
+    # they cannot be reused by other programs on the host. However, this can cause
+    # significant memory usage if a container has many ports forwarded to it.
+    # Disabling this can save memory.
+    #enable_port_reservation = true
+
+    # Default libpod support for container labeling
+    # label=true
+
+    # Paths to look for a valid OCI runtime (runc, runv, etc)
+    # FIXME: this doesn't seem to take effect
+    [runtimes]
+    runc = [
+      "${pkgs.runc}/bin/runc"
+    ]
+  '';
+
+  policy-json = pkgs.writeText "policy.json" ''
+    {
+        "default": [
+            {
+                "type": "insecureAcceptAnything"
+            }
+        ],
+        "transports":
+            {
+                "docker-daemon":
+                    {
+                        "": [{"type":"insecureAcceptAnything"}]
+                    }
+            }
+    }
+  '';
+
+in
+
+{ image, pull ? "always", global_args ? "", run_args ? "" }:
 
 (pkgs.writeScriptBin "posh" ''
   #! ${pkgs.bash}/bin/bash
@@ -21,8 +179,15 @@
     # TODO parse the beginning of the command for POSH_* overrides
   fi
 
+  HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers"
+  HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json"
+  test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
+  ln -sf ${policy-json} $HOME_POLICY_JSON
+
   exec ${pkgs.podman}/bin/podman \
     ${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
+    --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
+    --config ${podmanConfig} \
     ${run_args} ''${POSH_IMAGE} $@
 '')
 .overrideAttrs(attrs: attrs // {