nix/os,steveej-t480s-work: add podman and dependencies

2019-01-27 00:27:32 +01:00 · 2019-01-27 00:27:32 +01:00 · 9f807aa838
commit 9f807aa838
parent b50f4ebd73
4 changed files with 240 additions and 0 deletions
--- a/nix/os/devices/steveej-t480s-work/configuration.nix
+++ b/nix/os/devices/steveej-t480s-work/configuration.nix
@ -15,5 +15,7 @@
    ./system.nix
    ./hw.nix
    ./pkg.nix
+
+    ../../profiles/podman/configuration.nix
  ];
 }
--- a/nix/os/profiles/podman/configuration.nix
+++ b/nix/os/profiles/podman/configuration.nix
@ -0,0 +1,187 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    podman
+    runc
+    conmon
+    cni
+    cni-plugins
+    slirp4netns
+  ];
+
+  environment.etc."containers/registries.conf".text = ''
+    # This is a system-wide configuration file used to
+    # keep track of registries for various container backends.
+    # It adheres to TOML format and does not support recursive
+    # lists of registries.
+
+    [registries.search]
+    registries = [ 'docker.io'
+      , 'registry.fedoraproject.org'
+      , 'registry.access.redhat.com'
+      , 'quay.io'
+    ]
+
+    # If you need to access insecure registries, add the registry's fully-qualified name.
+    # An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+    [registries.insecure]
+    registries = ['localhost:5000']
+  '';
+
+  environment.etc."containers/policy.json".text = ''
+    {
+        "default": [
+            {
+                "type": "insecureAcceptAnything"
+            }
+        ],
+        "transports":
+            {
+                "docker-daemon":
+                    {
+                        "": [{"type":"insecureAcceptAnything"}]
+                    }
+            }
+    }
+  '';
+
+  environment.etc."cni/net.d/00-loopback.conf".text = ''
+  {
+      "cniVersion": "0.3.0",
+      "type": "loopback"
+  }
+  '';
+
+  environment.etc."cni/net.d/87-podman-bridge.conflist".text = ''
+    {
+        "cniVersion": "0.3.0",
+        "name": "podman",
+        "plugins": [
+          {
+            "type": "bridge",
+            "bridge": "cni0",
+            "isGateway": true,
+            "ipMasq": true,
+            "ipam": {
+                "type": "host-local",
+                "subnet": "10.88.0.0/16",
+                "routes": [
+                    { "dst": "0.0.0.0/0" }
+                ]
+            }
+          },
+          {
+            "type": "portmap",
+            "capabilities": {
+              "portMappings": true
+            }
+          }
+        ]
+    }
+  '';
+
+  environment.etc."containers/libpod.conf".text = ''
+    # libpod.conf is the default configuration file for all tools using libpod to
+    # manage containers
+
+    # Default transport method for pulling and pushing for images
+    image_default_transport = "docker://"
+
+    # Paths to search for the Conmon container manager binary
+    runtime_path = [
+      "${pkgs.runc}/bin/runc"
+    ]
+
+
+    # Paths to look for the Conmon container manager binary
+    conmon_path = [
+      "${pkgs.conmon}/bin/conmon"
+    ]
+
+
+    # Environment variables to pass into conmon
+    conmon_env_vars = [
+      # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ]
+
+    # CGroup Manager - valid values are "systemd" and "cgroupfs"
+    cgroup_manager = "systemd"
+
+    # Container init binary
+    #init_path = "/usr/libexec/podman/catatonit"
+
+    # Directory for persistent libpod files (database, etc)
+    # By default, this will be configured relative to where containers/storage
+    # stores containers
+    # Uncomment to change location from this default
+    #static_dir = "/var/lib/containers/storage/libpod"
+
+    # Directory for temporary files. Must be tmpfs (wiped after reboot)
+    tmp_dir = "/var/run/libpod"
+
+    # Maximum size of log files (in bytes)
+    # -1 is unlimited
+    max_log_size = -1
+
+    # Whether to use chroot instead of pivot_root in the runtime
+    no_pivot_root = false
+
+    # Directory containing CNI plugin configuration files
+    cni_config_dir = "/etc/cni/net.d/"
+
+    # Directories where the CNI plugin binaries may be located
+    cni_plugin_dir = [
+      "${pkgs.cni-plugins}/bin"
+    ]
+
+
+    # Default CNI network for libpod.
+    # If multiple CNI network configs are present, libpod will use the network with
+    # the name given here for containers unless explicitly overridden.
+    # The default here is set to the name we set in the
+    # 87-podman-bridge.conflist included in the repository.
+    # Not setting this, or setting it to the empty string, will use normal CNI
+    # precedence rules for selecting between multiple networks.
+    cni_default_network = "podman"
+
+    # Default libpod namespace
+    # If libpod is joined to a namespace, it will see only containers and pods
+    # that were created in the same namespace, and will create new containers and
+    # pods in that namespace.
+    # The default namespace is "", which corresponds to no namespace. When no
+    # namespace is set, all containers and pods are visible.
+    #namespace = ""
+
+    # Default pause image name for pod pause containers
+    pause_image = "k8s.gcr.io/pause:3.1"
+
+    # Default command to run the pause container
+    pause_command = "/pause"
+
+    # Determines whether libpod will reserve ports on the host when they are
+    # forwarded to containers. When enabled, when ports are forwarded to containers,
+    # they are held open by conmon as long as the container is running, ensuring that
+    # they cannot be reused by other programs on the host. However, this can cause
+    # significant memory usage if a container has many ports forwarded to it.
+    # Disabling this can save memory.
+    #enable_port_reservation = true
+
+    # Default libpod support for container labeling
+    # label=true
+
+    # Paths to look for a valid OCI runtime (runc, runv, etc)
+    # FIXME: this doesn't seem to take effect
+    [runtimes]
+    runc = [
+      "${pkgs.runc}/bin/runc"
+    ]
+'';
+
+  environment.etc."subuid".text = ''
+    steveej:10000:65536
+  '';
+  environment.etc."subgid".text = ''
+    steveej:10000:65536
+  '';
+}
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -6,10 +6,12 @@ let

 in self: super: {
  podman = nixpkgs-master.podman;
+  conmon = nixpkgs-master.conmon;

  duplicacy = super.callPackage ./pkgs/duplicacy {};
  just = super.callPackage ./pkgs/just.nix {};
  mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {};
+  slirp4netns = super.callPackage ./pkgs/slirp4netns.nix {};
  staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; };

  busyboxStatic =  super.busybox.override {
--- a/nix/pkgs/slirp4netns.nix
+++ b/nix/pkgs/slirp4netns.nix
@ -0,0 +1,49 @@
+{ stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, libtool
+, gnumake
+, gcc
+}:
+
+stdenv.mkDerivation rec {
+  name = "slirp4netns-${version}";
+  version = "v0.2.1";
+
+  src = fetchFromGitHub {
+    owner = "rootless-containers";
+    repo = "slirp4netns";
+    rev = "${version}";
+    sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4";
+  };
+
+  buildInputs = [
+    autoconf
+    automake
+    libtool
+    gnumake
+    gcc
+  ];
+    
+  configurePhase = ''
+    ./autogen.sh
+    ./configure --prefix=""
+  '';
+
+  buildPhase = ''
+	make
+  '';
+
+  installPhase = ''
+    make DESTDIR="$out" install
+  '';
+
+  meta = with stdenv.lib; {
+    description = "User-mode networking for unprivileged network namespaces";
+    homepage = https://github.com/rootless-containers/slirp4netns;
+    license = null;
+    maintainers = [ maintainers.steveej ];
+    platforms = platforms.all;
+  };
+}