nixos.virtualisation.containers: Init common /etc/containers configuration module

What's happening now is that both cri-o and podman are creating /etc/containers/policy.json. By splitting out the creation of configuration files we can make the podman module leaner & compose better with other container software.
4 years ago · 43f383c464
parent 650df709fb
commit 43f383c464
4 changed files with 157 additions and 119 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -983,6 +983,7 @@
  ./testing/service-runner.nix
  ./virtualisation/anbox.nix
  ./virtualisation/container-config.nix
+  ./virtualisation/containers.nix
  ./virtualisation/nixos-containers.nix
  ./virtualisation/cri-o.nix
  ./virtualisation/docker.nix
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@ -0,0 +1,150 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.virtualisation.containers;
+
+  inherit (lib) mkOption types;
+
+  # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
+  toTOML = name: value: pkgs.runCommandNoCC name {
+    nativeBuildInputs = [ pkgs.remarshal ];
+    value = builtins.toJSON value;
+    passAsFile = [ "value" ];
+  } ''
+    json2toml "$valuePath" "$out"
+  '';
+
+  # Copy configuration files to avoid having the entire sources in the system closure
+  copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
+    cp ${filePath} $out
+  '';
+in
+{
+  meta = {
+    maintainers = [] ++ lib.teams.podman.members;
+  };
+
+  options.virtualisation.containers = {
+
+    enable =
+      mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          This option enables the common libpod container configuration module.
+        '';
+      };
+
+    registries = {
+      search = mkOption {
+        type = types.listOf types.str;
+        default = [ "docker.io" "quay.io" ];
+        description = ''
+          List of repositories to search.
+        '';
+      };
+
+      insecure = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List of insecure repositories.
+        '';
+      };
+
+      block = mkOption {
+        default = [];
+        type = types.listOf types.str;
+        description = ''
+          List of blocked repositories.
+        '';
+      };
+    };
+
+    policy = mkOption {
+      default = {};
+      type = types.attrs;
+      example = lib.literalExample ''
+        {
+          default = [ { type = "insecureAcceptAnything"; } ];
+          transports = {
+            docker-daemon = {
+              "" = [ { type = "insecureAcceptAnything"; } ];
+            };
+          };
+        }
+      '';
+      description = ''
+        Signature verification policy file.
+        If this option is empty the default policy file from
+        <literal>skopeo</literal> will be used.
+      '';
+    };
+
+    users = mkOption {
+      default = [];
+      type = types.listOf types.str;
+      description = ''
+        List of users to set up subuid/subgid mappings for.
+        This is a requirement for running rootless containers.
+      '';
+    };
+
+    libpod = mkOption {
+      default = {};
+      description = "Libpod configuration";
+      type = types.submodule {
+        options = {
+
+          extraConfig = mkOption {
+            type = types.lines;
+            default = "";
+            description = ''
+              Extra configuration that should be put in the libpod.conf
+              configuration file
+            '';
+
+          };
+        };
+      };
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    environment.etc."containers/libpod.conf".text = ''
+      cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
+      cni_config_dir = "/etc/cni/net.d/"
+
+    '' + cfg.libpod.extraConfig;
+
+    environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
+      registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
+    };
+
+    users.extraUsers = builtins.listToAttrs (
+      (
+        builtins.foldl' (
+          acc: user: {
+            values = acc.values ++ [
+              {
+                name = user;
+                value = {
+                  subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
+                  subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
+                };
+              }
+            ];
+            offset = acc.offset + 65536;
+          }
+        )
+        { values = []; offset = 100000; } (lib.unique cfg.users)
+      ).values
+    );
+
+    environment.etc."containers/policy.json".source =
+      if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+      else copyFile "${pkgs.skopeo.src}/default-policy.json";
+  };
+
+}
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@ -62,9 +62,7 @@ in
      log_level = "${cfg.logLevel}"
      manage_network_ns_lifecycle = true
    '';
-    environment.etc."containers/policy.json".text = ''
-      {"default": [{"type": "insecureAcceptAnything"}]}
-    '';
+
    environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
      {
        "cniVersion": "0.3.1",
@ -83,6 +81,9 @@ in
      }
    '';

+    # Enable common container configuration, this will create policy.json
+    virtualisation.containers.enable = true;
+
    systemd.services.crio = {
      description = "Container Runtime Interface for OCI (CRI-O)";
      documentation = [ "https://github.com/cri-o/cri-o" ];
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@ -4,7 +4,6 @@ let

  inherit (lib) mkOption types;

-
  # Provides a fake "docker" binary mapping to podman
  dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
    outputs = [ "out" "bin" "man" ];
@ -22,19 +21,11 @@ let
    done
  '';

-  # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
-  toTOML = name: value: pkgs.runCommandNoCC name {
-    nativeBuildInputs = [ pkgs.remarshal ];
-    value = builtins.toJSON value;
-    passAsFile = [ "value" ];
-  } ''
-    json2toml "$valuePath" "$out"
-  '';
-
  # Copy configuration files to avoid having the entire sources in the system closure
  copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
    cp ${filePath} $out
  '';
+
 in
 {
  meta = {
@ -63,80 +54,6 @@ in
      '';
    };

-    registries = {
-      search = mkOption {
-        type = types.listOf types.str;
-        default = [ "docker.io" "quay.io" ];
-        description = ''
-          List of repositories to search.
-        '';
-      };
-
-      insecure = mkOption {
-        default = [];
-        type = types.listOf types.str;
-        description = ''
-          List of insecure repositories.
-        '';
-      };
-
-      block = mkOption {
-        default = [];
-        type = types.listOf types.str;
-        description = ''
-          List of blocked repositories.
-        '';
-      };
-    };
-
-    policy = mkOption {
-      default = {};
-      type = types.attrs;
-      example = lib.literalExample ''
-        {
-          default = [ { type = "insecureAcceptAnything"; } ];
-          transports = {
-            docker-daemon = {
-              "" = [ { type = "insecureAcceptAnything"; } ];
-            };
-          };
-        }
-      '';
-      description = ''
-        Signature verification policy file.
-        If this option is empty the default policy file from
-        <literal>skopeo</literal> will be used.
-      '';
-    };
-
-    users = mkOption {
-      default = [];
-      type = types.listOf types.str;
-      description = ''
-        List of users to set up subuid/subgid mappings for.
-        This is a requirement for running containers in rootless mode.
-      '';
-    };
-
-    libpod = mkOption {
-      default = {};
-      description = "Libpod configuration";
-      type = types.submodule {
-        options = {
-
-          extraConfig = mkOption {
-            type = types.lines;
-            default = "";
-            description = ''
-              Extra configuration that should be put in the libpod.conf
-              configuration file
-            '';
-
-          };
-        };
-      };
-    };
-
  };

  config = lib.mkIf cfg.enable {
@ -154,41 +71,10 @@ in
    ]
    ++ lib.optional cfg.dockerCompat dockerCompat;

-    environment.etc."containers/libpod.conf".text = ''
-      cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"]
-      cni_config_dir = "/etc/cni/net.d/"
-      ${cfg.libpod.extraConfig}
-    '';
-
    environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist";

-    environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
-      registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
-    };
+    virtualisation.containers.enable = true;

-    users.extraUsers = builtins.listToAttrs (
-      (
-        builtins.foldl' (
-          acc: user: {
-            values = acc.values ++ [
-              {
-                name = user;
-                value = {
-                  subUidRanges = [ { startUid = acc.offset; count = 65536; } ];
-                  subGidRanges = [ { startGid = acc.offset; count = 65536; } ];
-                };
-              }
-            ];
-            offset = acc.offset + 65536;
-          }
-        )
-        { values = []; offset = 100000; } (lib.unique cfg.users)
-      ).values
-    );
-
-    environment.etc."containers/policy.json".source =
-      if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
-      else copyFile "${pkgs.skopeo.src}/default-policy.json";
  };

 }