From 9f807aa83808e9d48e13321a960a3dd5f7ccdb92 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 27 Jan 2019 00:27:32 +0100
Subject: [PATCH] nix/os,steveej-t480s-work: add podman and dependencies
---
 .../steveej-t480s-work/configuration.nix | 2 +
 nix/os/profiles/podman/configuration.nix | 187 ++++++++++++++++++
 nix/overlay.nix | 2 +
 nix/pkgs/slirp4netns.nix | 49 +++++
 4 files changed, 240 insertions(+)
 create mode 100644 nix/os/profiles/podman/configuration.nix
 create mode 100644 nix/pkgs/slirp4netns.nix
diff --git a/nix/os/devices/steveej-t480s-work/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix
index a7700f1..17a021d 100644
--- a/nix/os/devices/steveej-t480s-work/configuration.nix
+++ b/nix/os/devices/steveej-t480s-work/configuration.nix
@@ -15,5 +15,7 @@
 ./system.nix
 ./hw.nix
 ./pkg.nix
+
+ ../../profiles/podman/configuration.nix
 ];
 }
diff --git a/nix/os/profiles/podman/configuration.nix b/nix/os/profiles/podman/configuration.nix
new file mode 100644
index 0000000..3d2b3a7
--- /dev/null
+++ b/nix/os/profiles/podman/configuration.nix
@@ -0,0 +1,187 @@
+{ config, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ podman
+ runc
+ conmon
+ cni
+ cni-plugins
+ slirp4netns
+ ];
+
+ environment.etc."containers/registries.conf".text = ''
+ # This is a system-wide configuration file used to
+ # keep track of registries for various container backends.
+ # It adheres to TOML format and does not support recursive
+ # lists of registries.
+
+ [registries.search]
+ registries = [ 'docker.io'
+ , 'registry.fedoraproject.org'
+ , 'registry.access.redhat.com'
+ , 'quay.io'
+ ]
+
+ # If you need to access insecure registries, add the registry's fully-qualified name.
+ # An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+ [registries.insecure]
+ registries = ['localhost:5000']
+ '';
+
+ environment.etc."containers/policy.json".text = ''
+ {
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+ }
+ '';
+
+ environment.etc."cni/net.d/00-loopback.conf".text = ''
+ {
+ "cniVersion": "0.3.0",
+ "type": "loopback"
+ }
+ '';
+
+ environment.etc."cni/net.d/87-podman-bridge.conflist".text = ''
+ {
+ "cniVersion": "0.3.0",
+ "name": "podman",
+ "plugins": [
+ {
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+ }
+ '';
+
+ environment.etc."containers/libpod.conf".text = ''
+ # libpod.conf is the default configuration file for all tools using libpod to
+ # manage containers
+
+ # Default transport method for pulling and pushing for images
+ image_default_transport = "docker://"
+
+ # Paths to search for the Conmon container manager binary
+ runtime_path = [
+ "${pkgs.runc}/bin/runc"
+ ]
+
+
+ # Paths to look for the Conmon container manager binary
+ conmon_path = [
+ "${pkgs.conmon}/bin/conmon"
+ ]
+
+
+ # Environment variables to pass into conmon
+ conmon_env_vars = [
+ # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ ]
+
+ # CGroup Manager - valid values are "systemd" and "cgroupfs"
+ cgroup_manager = "systemd"
+
+ # Container init binary
+ #init_path = "/usr/libexec/podman/catatonit"
+
+ # Directory for persistent libpod files (database, etc)
+ # By default, this will be configured relative to where containers/storage
+ # stores containers
+ # Uncomment to change location from this default
+ #static_dir = "/var/lib/containers/storage/libpod"
+
+ # Directory for temporary files. Must be tmpfs (wiped after reboot)
+ tmp_dir = "/var/run/libpod"
+
+ # Maximum size of log files (in bytes)
+ # -1 is unlimited
+ max_log_size = -1
+
+ # Whether to use chroot instead of pivot_root in the runtime
+ no_pivot_root = false
+
+ # Directory containing CNI plugin configuration files
+ cni_config_dir = "/etc/cni/net.d/"
+
+ # Directories where the CNI plugin binaries may be located
+ cni_plugin_dir = [
+ "${pkgs.cni-plugins}/bin"
+ ]
+
+
+ # Default CNI network for libpod.
+ # If multiple CNI network configs are present, libpod will use the network with
+ # the name given here for containers unless explicitly overridden.
+ # The default here is set to the name we set in the
+ # 87-podman-bridge.conflist included in the repository.
+ # Not setting this, or setting it to the empty string, will use normal CNI
+ # precedence rules for selecting between multiple networks.
+ cni_default_network = "podman"
+
+ # Default libpod namespace
+ # If libpod is joined to a namespace, it will see only containers and pods
+ # that were created in the same namespace, and will create new containers and
+ # pods in that namespace.
+ # The default namespace is "", which corresponds to no namespace. When no
+ # namespace is set, all containers and pods are visible.
+ #namespace = ""
+
+ # Default pause image name for pod pause containers
+ pause_image = "k8s.gcr.io/pause:3.1"
+
+ # Default command to run the pause container
+ pause_command = "/pause"
+
+ # Determines whether libpod will reserve ports on the host when they are
+ # forwarded to containers. When enabled, when ports are forwarded to containers,
+ # they are held open by conmon as long as the container is running, ensuring that
+ # they cannot be reused by other programs on the host. However, this can cause
+ # significant memory usage if a container has many ports forwarded to it.
+ # Disabling this can save memory.
+ #enable_port_reservation = true
+
+ # Default libpod support for container labeling
+ # label=true
+
+ # Paths to look for a valid OCI runtime (runc, runv, etc)
+ # FIXME: this doesn't seem to take effect
+ [runtimes]
+ runc = [
+ "${pkgs.runc}/bin/runc"
+ ]
+'';
+
+ environment.etc."subuid".text = ''
+ steveej:10000:65536
+ '';
+ environment.etc."subgid".text = ''
+ steveej:10000:65536
+ '';
+}
diff --git a/nix/overlay.nix b/nix/overlay.nix
index 0306421..ff97c8b 100644
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@@ -6,10 +6,12 @@ let
 in self: super: { podman = nixpkgs-master.podman;
+ conmon = nixpkgs-master.conmon;
 duplicacy = super.callPackage ./pkgs/duplicacy {}; just = super.callPackage ./pkgs/just.nix {}; mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {};
+ slirp4netns = super.callPackage ./pkgs/slirp4netns.nix {};
 staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; }; busyboxStatic = super.busybox.override {
diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix
new file mode 100644
index 0000000..8d456d6
--- /dev/null
+++ b/nix/pkgs/slirp4netns.nix
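Review bot: The `containers/policy.json` written in this hunk makes `insecureAcceptAnything` the default for every transport, so no pulled image is ever signature-checked, and `registries.insecure` additionally allows plain-HTTP pulls from `localhost:5000`; this mirrors the policy file upstream ships, but nothing in the profile records that the choice is deliberate. A Nix comment above the `environment.etc."containers/policy.json".text` line would make that explicit, e.g. `# Signature verification is disabled for all transports (upstream default); add a "signedBy" rule per registry if signed images are ever relied on.`. The `subuid`/`subgid` files hard-code the user `steveej` inside a profile that is meant to be imported by device configs, and a range starting at 10000 sits inside the UID space NixOS hands out to normal users; `users.users.steveej.subUidRanges = [ { startUid = 100000; count = 65536; } ];` (with the matching `subGidRanges`) in the device config keeps the profile generic and lets NixOS emit the files — writing them via `environment.etc` may also collide with the `/etc/subuid` the user activation script itself maintains, which is worth checking on this host.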
@@ -0,0 +1,49 @@
+{ stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, libtool
+, gnumake
+, gcc
+}:
+
+stdenv.mkDerivation rec {
+ name = "slirp4netns-${version}";
+ version = "v0.2.1";
+
+ src = fetchFromGitHub {
+ owner = "rootless-containers";
+ repo = "slirp4netns";
+ rev = "${version}";
+ sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4";
+ };
+
+ buildInputs = [
+ autoconf
+ automake
+ libtool
+ gnumake
+ gcc
+ ];
+
+ configurePhase = ''
+ ./autogen.sh
+ ./configure --prefix=""
+ '';
+
+ buildPhase = ''
+ make
+ '';
+
+ installPhase = ''
+ make DESTDIR="$out" install
+ '';
+
+ meta = with stdenv.lib; {
+ description = "User-mode networking for unprivileged network namespaces";
+ homepage = https://github.com/rootless-containers/slirp4netns;
+ license = null;
+ maintainers = [ maintainers.steveej ];
+ platforms = platforms.all;
+ };
+}
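Review bot: `version = "v0.2.1"` together with `rev = "${version}"` leaks the tag prefix into the package name (`slirp4netns-v0.2.1`); the conventional form is `version = "0.2.1"` with `rev = "v${version}"`, and the pinned `sha256` keeps the fetch reproducible regardless of the tag being mutable. `autoconf`, `automake` and `libtool` are build-time tools and belong in `nativeBuildInputs`, while `gnumake` and `gcc` are already supplied by `stdenv`, and `platforms.all` overstates a tool that only works with Linux network namespaces, so `platforms.linux` is the honest value. `license = null` should name the real license; upstream ships a GPL-2 COPYING file, so `licenses.gpl2` looks right, but confirm against the tagged tree. The hand-written `configurePhase` with `--prefix=""` plus `DESTDIR="$out"` duplicates what the stock phases already do with `--prefix=$out`; a `preConfigure = "./autogen.sh";` and the default phases would be shorter and less surprising.
```nix
stdenv.mkDerivation rec {
  name = "slirp4netns-${version}";
  version = "0.2.1";

  src = fetchFromGitHub {
    owner = "rootless-containers";
    repo = "slirp4netns";
    rev = "v${version}";
    # … unchanged: sha256 …
  };

  nativeBuildInputs = [ autoconf automake libtool ];

  # stdenv's default configure/build/install phases take over from here
  preConfigure = "./autogen.sh";

  meta = with stdenv.lib; {
    # … unchanged: description, homepage …
    license = licenses.gpl2;
    maintainers = [ maintainers.steveej ];
    platforms = platforms.linux;
  };
}
```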