nixos/cri-o, cri-o: add wrapper

2020-05-12 03:58:44 +10:00 · 2020-05-12 03:58:44 +10:00 · 9e7fbc6f2c
commit 9e7fbc6f2c
parent 4b0d5ecee8
3 changed files with 86 additions and 11 deletions
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@ -5,6 +5,8 @@ with lib;
 let
  cfg = config.virtualisation.cri-o;

+  crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; });
+
  # Copy configuration files to avoid having the entire sources in the system closure
  copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
    cp ${filePath} $out
@ -23,13 +25,13 @@ in
    enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";

    storageDriver = mkOption {
-      type = types.enum ["btrfs" "overlay" "vfs"];
+      type = types.enum [ "btrfs" "overlay" "vfs" ];
      default = "overlay";
      description = "Storage driver to be used";
    };

    logLevel = mkOption {
-      type = types.enum ["trace" "debug" "info" "warn" "error" "fatal"];
+      type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
      default = "info";
      description = "Log level to be used";
    };
@ -45,13 +47,34 @@ in
      default = "/pause";
      description = "Pause command to be executed";
    };
+
+    extraPackages = mkOption {
+      type = with types; listOf package;
+      default = [ ];
+      example = lib.literalExample ''
+        [
+          pkgs.gvisor
+        ]
+      '';
+      description = ''
+        Extra packages to be installed in the CRI-O wrapper.
+      '';
+    };
+
+    package = lib.mkOption {
+      type = types.package;
+      default = crioPackage;
+      internal = true;
+      description = ''
+        The final CRI-O package (including extra packages).
+      '';
+    };
  };

  config = mkIf cfg.enable {
-    environment.systemPackages = with pkgs;
-      [ cri-o cri-tools conmon iptables runc utillinux ];
+    environment.systemPackages = [ cfg.package pkgs.cri-tools ];

-    environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o.src}/crictl.yaml";
+    environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";

    environment.etc."crio/crio.conf".text = ''
      [crio]
@ -63,16 +86,14 @@ in

      [crio.network]
      plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
-      network_dir = "/etc/cni/net.d/"

      [crio.runtime]
-      conmon = "${pkgs.conmon}/bin/conmon"
      cgroup_manager = "systemd"
      log_level = "${cfg.logLevel}"
      manage_ns_lifecycle = true
    '';

-    environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o.src}/contrib/cni/10-crio-bridge.conf";
+    environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";

    # Enable common /etc/containers configuration
    virtualisation.containers.enable = true;
@ -82,10 +103,10 @@ in
      documentation = [ "https://github.com/cri-o/cri-o" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
-      path = [ pkgs.utillinux pkgs.runc pkgs.iptables ];
+      path = [ cfg.package ];
      serviceConfig = {
        Type = "notify";
-        ExecStart = "${pkgs.cri-o}/bin/crio";
+        ExecStart = "${cfg.package}/bin/crio";
        ExecReload = "/bin/kill -s HUP $MAINPID";
        TasksMax = "infinity";
        LimitNOFILE = "1048576";
--- a/pkgs/applications/virtualization/cri-o/wrapper.nix
+++ b/pkgs/applications/virtualization/cri-o/wrapper.nix
@ -0,0 +1,53 @@
+{ cri-o-unwrapped
+, runCommand
+, makeWrapper
+, lib
+, extraPackages ? []
+, cri-o
+, runc # Default container runtime
+, crun # Container runtime (default with cgroups v2 for podman/buildah)
+, conmon # Container runtime monitor
+, utillinux # nsenter
+, cni-plugins # not added to path
+, iptables
+, socat
+}:
+
+let
+  cri-o = cri-o-unwrapped;
+
+  binPath = lib.makeBinPath ([
+    runc
+    crun
+    conmon
+    utillinux
+    iptables
+    socat
+  ] ++ extraPackages);
+
+in runCommand cri-o.name {
+  name = "${cri-o.pname}-wrapper-${cri-o.version}";
+  inherit (cri-o) pname version;
+
+  meta = builtins.removeAttrs cri-o.meta [ "outputsToInstall" ];
+
+  outputs = [
+    "out"
+    "man"
+  ];
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+} ''
+  ln -s ${cri-o.man} $man
+
+  mkdir -p $out/bin
+  ln -s ${cri-o-unwrapped}/share $out/share
+
+  for p in ${cri-o-unwrapped}/bin/*; do
+    makeWrapper $p $out/bin/''${p##*/} \
+      --prefix PATH : ${binPath}
+  done
+''
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -23438,7 +23438,8 @@ in

  crispyDoom = callPackage ../games/crispy-doom { };

-  cri-o = callPackage ../applications/virtualization/cri-o { };
+  cri-o = callPackage ../applications/virtualization/cri-o/wrapper.nix { };
+  cri-o-unwrapped = callPackage ../applications/virtualization/cri-o { };

  ckan = callPackage ../games/ckan { };