From fb8b0a38433c8e83a53c1dc0a739c5a7ad64e2fc Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Tue, 25 May 2021 10:22:29 +0200
Subject: nixos/podman: Change podman socket to new podman group
---
 nixos/modules/virtualisation/podman.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index d6421d488b8b..e879b5ad8f9f 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -111,8 +111,19 @@ in
 };
 systemd.sockets.podman.wantedBy = [ "sockets.target" ];
-
- systemd.tmpfiles.packages = [ cfg.package ];
+ systemd.sockets.podman.socketConfig.SocketGroup = "podman";
+
+ systemd.tmpfiles.packages = [
+ # The /run/podman rule interferes with our podman group, so we remove
+ # it and let the systemd socket logic take care of it.
+ (pkgs.runCommand "podman-tmpfiles-nixos" { package = cfg.package; } ''
+ mkdir -p $out/lib/tmpfiles.d/
+ grep -v 'D! /run/podman 0700 root root' \ <$package/lib/tmpfiles.d/podman.conf \ >$out/lib/tmpfiles.d/podman.conf
+ '') ];
+
+ users.groups.podman = {};
 assertions = [
 {
-- cgit v1.2.3
From ff4d83a66727ad13da0f51d00db4eda8a8c50590 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Tue, 25 May 2021 10:26:28 +0200
Subject: nixos/podman: Add dockerSocket.enable
---
 nixos/modules/virtualisation/podman.nix | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index e879b5ad8f9f..edf4bbe079a3 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
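Review bot: The `grep -v 'D! /run/podman 0700 root root'` filter in the runCommand fails open: if a later podman release changes that tmpfiles line (mode, owner, or the `D!` form), the pattern simply stops matching, the build still succeeds, and the root-only 0700 rule is reinstated, leaving members of the new podman group unable to reach the socket after the next boot. A cheap guard makes the build fail loudly instead: `grep -q 'D! /run/podman 0700 root root' $package/lib/tmpfiles.d/podman.conf` before the filtering grep, or at least a comment naming the upstream file and line being matched so the next package update re-checks it. The enclosing config block starts and ends outside the hunk.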
@@ -46,6 +46,20 @@ in
 '';
 };
+ dockerSocket.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman socket available in place of the Docker socket, so
+ Docker tools can find the Podman socket.
+
+ Podman implements the Docker API.
+
+ Users must be in the podman group in order to connect. As
+ with Docker, members of this group can gain root access.
+ '';
+ };
+
 dockerCompat = mkOption {
 type = types.bool;
 default = false;
@@ -123,6 +137,11 @@ in
 >$out/lib/tmpfiles.d/podman.conf
 '') ];
+ systemd.tmpfiles.rules =
+ lib.optionals cfg.dockerSocket.enable [
+ "L! /run/docker.sock - - - - /run/podman/podman.sock"
+ ];
+
 users.groups.podman = {};
 assertions = [
@@ -130,6 +149,12 @@ in
 assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
 message = "Option dockerCompat conflicts with docker";
 }
+ {
+ assertion = cfg.dockerSocket.enable -> !config.virtualisation.docker.enable;
+ message = ''
+ The options virtualisation.podman.dockerSocket.enable and virtualisation.docker.enable conflict, because only one can serve the socket.
+ '';
+ }
 ];
 }
 ]);
-- cgit v1.2.3
From 52844efcd67028a481a24103d8e93c7ef2bf4f08 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Tue, 25 May 2021 10:16:30 +0200
Subject: nixos/podman: Add generic networkSocket interface
---
 .../virtualisation/podman-network-socket.nix | 91 ++++++++++++++++++++++
 nixos/modules/virtualisation/podman.nix | 1 +
 2 files changed, 92 insertions(+)
 create mode 100644 nixos/modules/virtualisation/podman-network-socket.nix
(limited to 'nixos/modules')
diff --git a/nixos/modules/virtualisation/podman-network-socket.nix b/nixos/modules/virtualisation/podman-network-socket.nix
new file mode 100644
index 000000000000..1429164630b3
--- /dev/null
+++ b/nixos/modules/virtualisation/podman-network-socket.nix
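Review bot: The `L!` tmpfiles line in the second hunk is boot-only (the `!` flag restricts a line to a `--boot` run), so enabling dockerSocket.enable on a running system presumably leaves /run/docker.sock absent until the next reboot, and disabling it leaves the link in place until then, assuming NixOS activation invokes systemd-tmpfiles without `--boot`. If that is intentional, the dockerSocket.enable description in the first hunk should say so, e.g. `The symlink is created by systemd-tmpfiles at boot; enabling or disabling this option takes effect after a reboot.`; otherwise a plain `L` line, which is also applied on ordinary `--create` runs and still does not replace an existing target, would make the switch immediate. The surrounding config attribute set starts and ends outside these hunks.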
@@ -0,0 +1,91 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ options.virtualisation.podman.networkSocket = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman and Docker compatibility API available over the network
+ with TLS client certificate authentication.
+
+ This allows Docker clients to connect with the equivalents of the Docker
+ CLI -H and --tls* family of options.
+
+ For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+ This option is independent of .
+ '';
+ };
+
+ server = mkOption {
+ type = types.enum [];
+ description = ''
+ Choice of TLS proxy server.
+ '';
+ example = "ghostunnel";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the port in the firewall.
+ '';
+ };
+
+ tls.cacert = mkOption {
+ type = types.path;
+ description = ''
+ Path to CA certificate to use for client authentication.
+ '';
+ };
+
+ tls.cert = mkOption {
+ type = types.path;
+ description = ''
+ Path to certificate describing the server.
+ '';
+ };
+
+ tls.key = mkOption {
+ type = types.path;
+ description = ''
+ Path to the private key corresponding to the server certificate.
+
+ Use a string for this setting. Otherwise it will be copied to the Nix
+ store first, where it is readable by any system process.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2376;
+ description = ''
+ TCP port number for receiving TLS connections.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Interface address for receiving TLS connections.
+ '';
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts =
+ lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
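Review bot: `tls.key` is typed `types.path`, which accepts a path literal and then copies the private key into the world-readable Nix store; the description warns the user to pass a string instead, but the type does not enforce it. A type that rejects path literals, `type = types.str;` with the description kept, turns that mistake into an evaluation error rather than a footnote the user has to read. Separately, the module argument `pkg` (also in podman-network-socket-ghostunnel.nix) is unused and looks like a typo for `pkgs`; either drop it or spell it `pkgs`. The `tls.cacert` description could also state what the CA actually gates, e.g. `Any client presenting a certificate issued by this CA can use the Podman API, which is equivalent to root access on the host.`, since the dockerSocket.enable text makes that point for the local socket but this module does not.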
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index edf4bbe079a3..01ff84bc6293 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -25,6 +25,7 @@ let
 in
 {
 imports = [
+ ./podman-network-socket.nix
 (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
 ];
-- cgit v1.2.3
From b6570e723836167640c9b7efc63f327ff17b0755 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Tue, 25 May 2021 10:15:22 +0200
Subject: nixos/podman-network-socket-ghostunnel: init
---
 nixos/modules/module-list.nix | 1 +
 .../podman-network-socket-ghostunnel.nix | 34 ++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
(limited to 'nixos/modules')
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e51c833a01ca..c45f3268b975 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1113,6 +1113,7 @@
 ./virtualisation/openvswitch.nix
 ./virtualisation/parallels-guest.nix
 ./virtualisation/podman.nix
+ ./virtualisation/podman-network-socket-ghostunnel.nix
 ./virtualisation/qemu-guest-agent.nix
 ./virtualisation/railcar.nix
 ./virtualisation/spice-usb-redirection.nix
diff --git a/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix b/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
new file mode 100644
index 000000000000..1f1ada7f0891
--- /dev/null
+++ b/nixos/modules/virtualisation/podman-network-socket-ghostunnel.nix
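Review bot: The two halves of the network-socket feature are registered in different places: `./podman-network-socket.nix` is pulled in through podman.nix's `imports`, while the ghostunnel backend is added to module-list.nix in the second hunk. Registering both the same way, either both in module-list.nix or both imported from podman.nix next to each other, keeps the interface module and its backend discoverable together and avoids the backend being evaluated on systems that never import podman.nix. The podman.nix `imports` list continues outside the hunk.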
@@ -0,0 +1,34 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ options.virtualisation.podman.networkSocket = {
+ server = mkOption {
+ type = types.enum [ "ghostunnel" ];
+ };
+ };
+
+ config = {
+
+ services.ghostunnel = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") {
+ enable = true;
+ servers."podman-socket" = {
+ inherit (cfg.tls) cert key cacert;
+ listen = "${cfg.listenAddress}:${toString cfg.port}";
+ target = "unix:/run/podman/podman.sock";
+ allowAll = lib.mkDefault true;
+ };
+ };
+ systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups = ["podman"];
+
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
-- cgit v1.2.3
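Review bot: `systemd.services.ghostunnel-server-podman-socket.serviceConfig.SupplementaryGroups` is set unconditionally, outside the `lib.mkIf (cfg.enable && cfg.server == "ghostunnel")` that guards `services.ghostunnel`, so every system that loads this module (it is in module-list.nix) gets a `ghostunnel-server-podman-socket` service definition consisting of that one setting; whether that produces a unit file with no ExecStart or is silently dropped depends on the NixOS systemd module, but either way it is stray configuration. Wrap the whole attribute set instead, `config = lib.mkIf (cfg.enable && cfg.server == "ghostunnel") { … };`, and remove the inner mkIf. Second, `allowAll = lib.mkDefault true` means any certificate chaining to `tls.cacert` reaches the podman socket, which the dockerSocket.enable description equates with root access; a comment on that line such as `# Every certificate issued by tls.cacert is accepted; the CA is the whole access-control boundary.` and, if the NixOS ghostunnel module exposes narrower allow options (allowCN/allowOU style), a pointer to them in the `tls.cacert` description would make that trust decision explicit.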