178 lines
5.5 KiB
Nix
178 lines
5.5 KiB
Nix
# posh makes use of podman to run an encapsulated shell session
|
|
{pkgs, ...}: let
|
|
cniConfigDir = let
|
|
loopback = pkgs.writeText "00-loopback.conf" ''
|
|
{
|
|
"cniVersion": "0.3.0",
|
|
"type": "loopback"
|
|
}
|
|
'';
|
|
|
|
podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
|
|
{
|
|
"cniVersion": "0.3.0",
|
|
"name": "podman",
|
|
"plugins": [
|
|
{
|
|
"type": "bridge",
|
|
"bridge": "cni0",
|
|
"isGateway": true,
|
|
"ipMasq": true,
|
|
"ipam": {
|
|
"type": "host-local",
|
|
"subnet": "10.88.0.0/16",
|
|
"routes": [
|
|
{ "dst": "0.0.0.0/0" }
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"type": "portmap",
|
|
"capabilities": {
|
|
"portMappings": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
'';
|
|
in
|
|
pkgs.runCommand "cniConfig" {} ''
|
|
set -x
|
|
mkdir $out;
|
|
ln -s ${loopback} $out/${loopback.name}
|
|
ln -s ${podman-bridge} $out/${podman-bridge.name}
|
|
'';
|
|
|
|
podmanConfig = pkgs.writeText "libpod.conf" ''
|
|
# libpod.conf is the default configuration file for all tools using libpod to
|
|
# manage containers
|
|
|
|
# Default transport method for pulling and pushing for images
|
|
image_default_transport = "docker://"
|
|
|
|
# Environment variables to pass into conmon
|
|
conmon_env_vars = [
|
|
]
|
|
|
|
# CGroup Manager - valid values are "systemd" and "cgroupfs"
|
|
# cgroup_manager = "systemd"
|
|
cgroup_manager = "cgroupfs"
|
|
|
|
# Maximum size of log files (in bytes)
|
|
# -1 is unlimited
|
|
max_log_size = -1
|
|
|
|
# Whether to use chroot instead of pivot_root in the runtime
|
|
no_pivot_root = false
|
|
|
|
# Directory containing CNI plugin configuration files
|
|
cni_config_dir = "${cniConfigDir}"
|
|
|
|
# Directories where the CNI plugin binaries may be located
|
|
cni_plugin_dir = [
|
|
"${pkgs.cni-plugins}/bin"
|
|
]
|
|
|
|
# Default CNI network for libpod.
|
|
# If multiple CNI network configs are present, libpod will use the network with
|
|
# the name given here for containers unless explicitly overridden.
|
|
# The default here is set to the name we set in the
|
|
# 87-podman-bridge.conflist included in the repository.
|
|
# Not setting this, or setting it to the empty string, will use normal CNI
|
|
# precedence rules for selecting between multiple networks.
|
|
cni_default_network = "podman"
|
|
|
|
# Default libpod namespace
|
|
# If libpod is joined to a namespace, it will see only containers and pods
|
|
# that were created in the same namespace, and will create new containers and
|
|
# pods in that namespace.
|
|
# The default namespace is "", which corresponds to no namespace. When no
|
|
# namespace is set, all containers and pods are visible.
|
|
#namespace = ""
|
|
|
|
# Default pause image name for pod pause containers
|
|
pause_image = "k8s.gcr.io/pause:3.1"
|
|
|
|
# Default command to run the pause container
|
|
pause_command = "/pause"
|
|
|
|
# Determines whether libpod will reserve ports on the host when they are
|
|
# forwarded to containers. When enabled, when ports are forwarded to containers,
|
|
# they are held open by conmon as long as the container is running, ensuring that
|
|
# they cannot be reused by other programs on the host. However, this can cause
|
|
# significant memory usage if a container has many ports forwarded to it.
|
|
# Disabling this can save memory.
|
|
enable_port_reservation = true
|
|
|
|
# Default libpod support for container labeling
|
|
# label=true
|
|
'';
|
|
|
|
policy-json = pkgs.writeText "policy.json" ''
|
|
{
|
|
"default": [
|
|
{
|
|
"type": "insecureAcceptAnything"
|
|
}
|
|
],
|
|
"transports":
|
|
{
|
|
"docker-daemon":
|
|
{
|
|
"": [{"type":"insecureAcceptAnything"}]
|
|
}
|
|
}
|
|
}
|
|
'';
|
|
in
|
|
{
|
|
image,
|
|
pull ? "always",
|
|
global_args ? "",
|
|
run_args ? "",
|
|
userns ? "keep-id",
|
|
}:
|
|
(pkgs.writeScriptBin "posh" ''
|
|
#! ${pkgs.bash}/bin/bash
|
|
source /etc/profile
|
|
|
|
test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK"
|
|
tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q"
|
|
|
|
# define these as variables so we can override them at runtime
|
|
POSH_IMAGE=${image}
|
|
POSH_PULL=${pull}
|
|
|
|
if [ "$1" == "-c" ]; then
|
|
# We've most likely been spawned by sshd and are interested in $2 whitch contains the command string
|
|
shift
|
|
# TODO parse the beginning of the command for POSH_* overrides
|
|
fi
|
|
|
|
test "$@" && cmd=( -c "$@")
|
|
|
|
HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers"
|
|
HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json"
|
|
test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
|
|
ln -sf ${policy-json} $HOME_POLICY_JSON
|
|
|
|
|
|
set -x
|
|
exec ${pkgs.podman}/bin/podman \
|
|
--cgroup-manager=cgroupfs \
|
|
${global_args} \
|
|
run \
|
|
--annotation=io.crun.keep_original_groups=1 \
|
|
--config ${podmanConfig} \
|
|
--conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
|
|
--rm -i --network host --pull=''${POSH_PULL} \
|
|
$tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
|
|
${
|
|
if userns != null
|
|
then "--userns=" + userns
|
|
else ""
|
|
} \
|
|
${run_args} \
|
|
''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
|
|
'')
|
|
.overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};})
|