forked from mirrors/nixpkgs
Merge pull request #123841 from hercules-ci/podman-socket
nixos/podman: Add docker socket support
This commit is contained in:
commit
774fe1878b
|
@ -1113,6 +1113,7 @@
|
|||
./virtualisation/openvswitch.nix
|
||||
./virtualisation/parallels-guest.nix
|
||||
./virtualisation/podman.nix
|
||||
./virtualisation/podman-network-socket-ghostunnel.nix
|
||||
./virtualisation/qemu-guest-agent.nix
|
||||
./virtualisation/railcar.nix
|
||||
./virtualisation/spice-usb-redirection.nix
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
{ config, lib, pkg, ... }:
|
||||
let
|
||||
inherit (lib)
|
||||
mkOption
|
||||
types
|
||||
;
|
||||
|
||||
cfg = config.virtualisation.podman.networkSocket;
|
||||
|
||||
in
|
||||
{
|
||||
options.virtualisation.podman.networkSocket = {
|
||||
server = mkOption {
|
||||
type = types.enum [ "ghostunnel" ];
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
||||
services.ghostunnel = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
|
||||
enable = true;
|
||||
servers."podman-socket" = {
|
||||
inherit (cfg.tls) cert key cacert;
|
||||
listen = "${cfg.listenAddress}:${toString cfg.port}";
|
||||
target = "unix:/run/podman/podman.sock";
|
||||
allowAll = lib.mkDefault true;
|
||||
};
|
||||
};
|
||||
systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
|
||||
|
||||
};
|
||||
|
||||
meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
|
||||
}
|
91
nixos/modules/virtualisation/podman-network-socket.nix
Normal file
91
nixos/modules/virtualisation/podman-network-socket.nix
Normal file
|
@ -0,0 +1,91 @@
|
|||
{ config, lib, pkg, ... }:
|
||||
let
|
||||
inherit (lib)
|
||||
mkOption
|
||||
types
|
||||
;
|
||||
|
||||
cfg = config.virtualisation.podman.networkSocket;
|
||||
|
||||
in
|
||||
{
|
||||
options.virtualisation.podman.networkSocket = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Make the Podman and Docker compatibility API available over the network
|
||||
with TLS client certificate authentication.
|
||||
|
||||
This allows Docker clients to connect with the equivalents of the Docker
|
||||
CLI <code>-H</code> and <code>--tls*</code> family of options.
|
||||
|
||||
For certificate setup, see https://docs.docker.com/engine/security/protect-access/
|
||||
|
||||
This option is independent of <xref linkend="opt-virtualisation.podman.dockerSocket.enable"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.enum [];
|
||||
description = ''
|
||||
Choice of TLS proxy server.
|
||||
'';
|
||||
example = "ghostunnel";
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to open the port in the firewall.
|
||||
'';
|
||||
};
|
||||
|
||||
tls.cacert = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
Path to CA certificate to use for client authentication.
|
||||
'';
|
||||
};
|
||||
|
||||
tls.cert = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
Path to certificate describing the server.
|
||||
'';
|
||||
};
|
||||
|
||||
tls.key = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
Path to the private key corresponding to the server certificate.
|
||||
|
||||
Use a string for this setting. Otherwise it will be copied to the Nix
|
||||
store first, where it is readable by any system process.
|
||||
'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 2376;
|
||||
description = ''
|
||||
TCP port number for receiving TLS connections.
|
||||
'';
|
||||
};
|
||||
listenAddress = mkOption {
|
||||
type = types.str;
|
||||
default = "0.0.0.0";
|
||||
description = ''
|
||||
Interface address for receiving TLS connections.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
networking.firewall.allowedTCPPorts =
|
||||
lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
|
||||
};
|
||||
|
||||
meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
|
||||
}
|
|
@ -25,6 +25,7 @@ let
|
|||
in
|
||||
{
|
||||
imports = [
|
||||
./podman-network-socket.nix
|
||||
(lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
|
||||
];
|
||||
|
||||
|
@ -46,6 +47,20 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
dockerSocket.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Make the Podman socket available in place of the Docker socket, so
|
||||
Docker tools can find the Podman socket.
|
||||
|
||||
Podman implements the Docker API.
|
||||
|
||||
Users must be in the <code>podman</code> group in order to connect. As
|
||||
with Docker, members of this group can gain root access.
|
||||
'';
|
||||
};
|
||||
|
||||
dockerCompat = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
|
@ -111,14 +126,36 @@ in
|
|||
};
|
||||
|
||||
systemd.sockets.podman.wantedBy = [ "sockets.target" ];
|
||||
systemd.sockets.podman.socketConfig.SocketGroup = "podman";
|
||||
|
||||
systemd.tmpfiles.packages = [ cfg.package ];
|
||||
systemd.tmpfiles.packages = [
|
||||
# The /run/podman rule interferes with our podman group, so we remove
|
||||
# it and let the systemd socket logic take care of it.
|
||||
(pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
|
||||
mkdir -p $out/lib/tmpfiles.d/
|
||||
grep -v 'D! /run/podman 0700 root root' \
|
||||
<$package/lib/tmpfiles.d/podman.conf \
|
||||
>$out/lib/tmpfiles.d/podman.conf
|
||||
'') ];
|
||||
|
||||
systemd.tmpfiles.rules =
|
||||
lib.optionals cfg.dockerSocket.enable [
|
||||
"L! /run/docker.sock - - - - /run/podman/podman.sock"
|
||||
];
|
||||
|
||||
users.groups.podman = {};
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
|
||||
message = "Option dockerCompat conflicts with docker";
|
||||
}
|
||||
{
|
||||
assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
|
||||
message = ''
|
||||
The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
|
||||
'';
|
||||
}
|
||||
];
|
||||
}
|
||||
]);
|
||||
|
|
|
@ -335,6 +335,7 @@ in
|
|||
plotinus = handleTest ./plotinus.nix {};
|
||||
podgrab = handleTest ./podgrab.nix {};
|
||||
podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
|
||||
podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman-tls-ghostunnel.nix {};
|
||||
pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
|
||||
postfix = handleTest ./postfix.nix {};
|
||||
postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
|
||||
|
|
150
nixos/tests/podman-tls-ghostunnel.nix
Normal file
150
nixos/tests/podman-tls-ghostunnel.nix
Normal file
|
@ -0,0 +1,150 @@
|
|||
/*
|
||||
This test runs podman as a backend for the Docker CLI.
|
||||
*/
|
||||
import ./make-test-python.nix (
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
let gen-ca = pkgs.writeScript "gen-ca" ''
|
||||
# Create CA
|
||||
PATH="${pkgs.openssl}/bin:$PATH"
|
||||
openssl genrsa -out ca-key.pem 4096
|
||||
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
|
||||
|
||||
# Create service
|
||||
openssl genrsa -out podman-key.pem 4096
|
||||
openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
|
||||
echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
|
||||
echo extendedKeyUsage = serverAuth >> extfile.cnf
|
||||
openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
|
||||
|
||||
# Create client
|
||||
openssl genrsa -out client-key.pem 4096
|
||||
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
|
||||
echo extendedKeyUsage = clientAuth > extfile-client.cnf
|
||||
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
|
||||
|
||||
# Create CA 2
|
||||
PATH="${pkgs.openssl}/bin:$PATH"
|
||||
openssl genrsa -out ca-2-key.pem 4096
|
||||
openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
|
||||
|
||||
# Create client signed by CA 2
|
||||
openssl genrsa -out client-2-key.pem 4096
|
||||
openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
|
||||
echo extendedKeyUsage = clientAuth > extfile-client.cnf
|
||||
openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
|
||||
|
||||
'';
|
||||
in
|
||||
{
|
||||
name = "podman-tls-ghostunnel";
|
||||
meta = {
|
||||
maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
|
||||
};
|
||||
|
||||
nodes = {
|
||||
podman =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
virtualisation.podman.enable = true;
|
||||
virtualisation.podman.dockerSocket.enable = true;
|
||||
virtualisation.podman.networkSocket = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
server = "ghostunnel";
|
||||
tls.cert = "/root/podman-cert.pem";
|
||||
tls.key = "/root/podman-key.pem";
|
||||
tls.cacert = "/root/ca.pem";
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.docker-client
|
||||
];
|
||||
|
||||
users.users.alice = {
|
||||
isNormalUser = true;
|
||||
home = "/home/alice";
|
||||
description = "Alice Foobar";
|
||||
extraGroups = ["podman"];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
client = { ... }: {
|
||||
environment.systemPackages = [
|
||||
# Installs the docker _client_ only
|
||||
# Normally, you'd want `virtualisation.docker.enable = true;`.
|
||||
pkgs.docker-client
|
||||
];
|
||||
environment.variables.DOCKER_HOST = "podman:2376";
|
||||
environment.variables.DOCKER_TLS_VERIFY = "1";
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
import shlex
|
||||
|
||||
|
||||
def su_cmd(user, cmd):
|
||||
cmd = shlex.quote(cmd)
|
||||
return f"su {user} -l -c {cmd}"
|
||||
|
||||
def cmd(command):
|
||||
print(f"+{command}")
|
||||
r = os.system(command)
|
||||
if r != 0:
|
||||
raise Exception(f"Command {command} failed with exit code {r}")
|
||||
|
||||
start_all()
|
||||
cmd("${gen-ca}")
|
||||
|
||||
podman.copy_from_host("ca.pem", "/root/ca.pem")
|
||||
podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
|
||||
podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
|
||||
|
||||
client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
|
||||
# client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
|
||||
client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
|
||||
client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
|
||||
|
||||
# TODO (ghostunnel): add file watchers so the restart isn't necessary
|
||||
podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
|
||||
|
||||
podman.wait_for_unit("sockets.target")
|
||||
podman.wait_for_unit("ghostunnel-server-podman-socket.service")
|
||||
|
||||
with subtest("Create default network"):
|
||||
podman.succeed("docker network create default")
|
||||
|
||||
with subtest("Root docker cli also works"):
|
||||
podman.succeed("docker version")
|
||||
|
||||
with subtest("A podman member can also still use the docker cli"):
|
||||
podman.succeed(su_cmd("alice", "docker version"))
|
||||
|
||||
with subtest("Run container remotely via docker cli"):
|
||||
client.succeed("docker version")
|
||||
|
||||
# via socket would be nicer
|
||||
podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
|
||||
|
||||
client.succeed(
|
||||
"docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
|
||||
)
|
||||
client.succeed("docker ps | grep sleeping")
|
||||
podman.succeed("docker ps | grep sleeping")
|
||||
client.succeed("docker stop sleeping")
|
||||
client.succeed("docker rm sleeping")
|
||||
|
||||
with subtest("Clients without cert will be denied"):
|
||||
client.succeed("rm /root/.docker/{cert,key}.pem")
|
||||
client.fail("docker version")
|
||||
|
||||
with subtest("Clients with wrong cert will be denied"):
|
||||
client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
|
||||
client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
|
||||
client.fail("docker version")
|
||||
|
||||
'';
|
||||
}
|
||||
)
|
|
@ -13,10 +13,23 @@ import ./make-test-python.nix (
|
|||
{
|
||||
virtualisation.podman.enable = true;
|
||||
|
||||
# To test docker socket support
|
||||
virtualisation.podman.dockerSocket.enable = true;
|
||||
environment.systemPackages = [
|
||||
pkgs.docker-client
|
||||
];
|
||||
|
||||
users.users.alice = {
|
||||
isNormalUser = true;
|
||||
home = "/home/alice";
|
||||
description = "Alice Foobar";
|
||||
extraGroups = [ "podman" ];
|
||||
};
|
||||
|
||||
users.users.mallory = {
|
||||
isNormalUser = true;
|
||||
home = "/home/mallory";
|
||||
description = "Mallory Foobar";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -26,9 +39,9 @@ import ./make-test-python.nix (
|
|||
import shlex
|
||||
|
||||
|
||||
def su_cmd(cmd):
|
||||
def su_cmd(cmd, user = "alice"):
|
||||
cmd = shlex.quote(cmd)
|
||||
return f"su alice -l -c {cmd}"
|
||||
return f"su {user} -l -c {cmd}"
|
||||
|
||||
|
||||
podman.wait_for_unit("sockets.target")
|
||||
|
@ -105,6 +118,27 @@ import ./make-test-python.nix (
|
|||
assert pid == "1"
|
||||
pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip()
|
||||
assert pid == "2"
|
||||
|
||||
with subtest("A podman member can use the docker cli"):
|
||||
podman.succeed(su_cmd("docker version"))
|
||||
|
||||
with subtest("Run container via docker cli"):
|
||||
podman.succeed("docker network create default")
|
||||
podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
|
||||
podman.succeed(
|
||||
"docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
|
||||
)
|
||||
podman.succeed("docker ps | grep sleeping")
|
||||
podman.succeed("podman ps | grep sleeping")
|
||||
podman.succeed("docker stop sleeping")
|
||||
podman.succeed("docker rm sleeping")
|
||||
podman.succeed("docker network rm default")
|
||||
|
||||
with subtest("A podman non-member can not use the docker cli"):
|
||||
podman.fail(su_cmd("docker version", user="mallory"))
|
||||
|
||||
# TODO: add docker-compose test
|
||||
|
||||
'';
|
||||
}
|
||||
)
|
||||
|
|
|
@ -80,7 +80,11 @@ buildGoModule rec {
|
|||
patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/podman
|
||||
'';
|
||||
|
||||
passthru.tests = { inherit (nixosTests) podman; };
|
||||
passthru.tests = {
|
||||
inherit (nixosTests) podman;
|
||||
# related modules
|
||||
inherit (nixosTests) podman-tls-ghostunnel;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://podman.io/";
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
, util-linux # nsenter
|
||||
, cni-plugins # not added to path
|
||||
, iptables
|
||||
, iproute2
|
||||
}:
|
||||
|
||||
let
|
||||
|
@ -25,6 +26,7 @@ let
|
|||
fuse-overlayfs
|
||||
util-linux
|
||||
iptables
|
||||
iproute2
|
||||
] ++ extraPackages);
|
||||
|
||||
in runCommand podman.name {
|
||||
|
|
Loading…
Reference in a new issue