From 9e7fbc6f2c302f36ed43a43776da2a00179471e4 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Tue, 12 May 2020 03:58:44 +1000
Subject: [PATCH] nixos/cri-o, cri-o: add wrapper

---
 nixos/modules/virtualisation/cri-o.nix        | 41 ++++++++++----
 .../virtualization/cri-o/wrapper.nix          | 53 +++++++++++++++++++
 pkgs/top-level/all-packages.nix               |  3 +-
 3 files changed, 86 insertions(+), 11 deletions(-)
 create mode 100644 pkgs/applications/virtualization/cri-o/wrapper.nix

diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix
index 61c1e5be277b..e73c5893fb5c 100644
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@@ -5,6 +5,8 @@ with lib;
 let
   cfg = config.virtualisation.cri-o;
 
+  crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; });
+
   # Copy configuration files to avoid having the entire sources in the system closure
   copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
     cp ${filePath} $out
@@ -23,13 +25,13 @@ in
     enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
 
     storageDriver = mkOption {
-      type = types.enum ["btrfs" "overlay" "vfs"];
+      type = types.enum [ "btrfs" "overlay" "vfs" ];
       default = "overlay";
       description = "Storage driver to be used";
     };
 
     logLevel = mkOption {
-      type = types.enum ["trace" "debug" "info" "warn" "error" "fatal"];
+      type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
       default = "info";
       description = "Log level to be used";
     };
@@ -45,13 +47,34 @@ in
       default = "/pause";
       description = "Pause command to be executed";
     };
+
+    extraPackages = mkOption {
+      type = with types; listOf package;
+      default = [ ];
+      example = lib.literalExample ''
+        [
+          pkgs.gvisor
+        ]
+      '';
+      description = ''
+        Extra packages to be installed in the CRI-O wrapper.
+      '';
+    };
+
+    package = lib.mkOption {
+      type = types.package;
+      default = crioPackage;
+      internal = true;
+      description = ''
+        The final CRI-O package (including extra packages).
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = with pkgs;
-      [ cri-o cri-tools conmon iptables runc utillinux ];
+    environment.systemPackages = [ cfg.package pkgs.cri-tools ];
 
-    environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o.src}/crictl.yaml";
+    environment.etc."crictl.yaml".source = copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";
 
     environment.etc."crio/crio.conf".text = ''
       [crio]
@@ -63,16 +86,14 @@ in
 
       [crio.network]
       plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
-      network_dir = "/etc/cni/net.d/"
 
       [crio.runtime]
-      conmon = "${pkgs.conmon}/bin/conmon"
       cgroup_manager = "systemd"
       log_level = "${cfg.logLevel}"
       manage_ns_lifecycle = true
     '';
 
-    environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o.src}/contrib/cni/10-crio-bridge.conf";
+    environment.etc."cni/net.d/10-crio-bridge.conf".source = copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";
 
     # Enable common /etc/containers configuration
     virtualisation.containers.enable = true;
@@ -82,10 +103,10 @@ in
       documentation = [ "https://github.com/cri-o/cri-o" ];
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
-      path = [ pkgs.utillinux pkgs.runc pkgs.iptables ];
+      path = [ cfg.package ];
       serviceConfig = {
         Type = "notify";
-        ExecStart = "${pkgs.cri-o}/bin/crio";
+        ExecStart = "${cfg.package}/bin/crio";
         ExecReload = "/bin/kill -s HUP $MAINPID";
         TasksMax = "infinity";
         LimitNOFILE = "1048576";
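Review bot: The `extraPackages` description in hunk `@@ -45,13 +47,34 @@` ("installed in the CRI-O wrapper") undersells what the option does: as far as this diff shows, the packages are only prepended to the PATH that `crio` and everything it spawns see, and the service unit in the last hunk sets no `User=`, so presumably all of that runs as root. The `pkgs.gvisor` example is also misleading on its own, because putting `runsc` on PATH does not register it as a runtime, and the `crio.conf` text in this hunk and the next is fixed by the module with no visible hook for a `[crio.runtime.runtimes.<name>]` entry (I may be missing an option outside the hunk). I would write the description as `Extra packages put on the PATH of crio and of the runtimes it spawns (all running as root). Adding an OCI runtime here does not enable it; it still needs a runtimes entry in crio.conf.` The `config = mkIf cfg.enable {` attribute set continues past the end of the hunk.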
diff --git a/pkgs/applications/virtualization/cri-o/wrapper.nix b/pkgs/applications/virtualization/cri-o/wrapper.nix
new file mode 100644
index 000000000000..1578eaf4f585
--- /dev/null
+++ b/pkgs/applications/virtualization/cri-o/wrapper.nix
@@ -0,0 +1,53 @@
+{ cri-o-unwrapped
+, runCommand
+, makeWrapper
+, lib
+, extraPackages ? []
+, cri-o
+, runc # Default container runtime
+, crun # Container runtime (default with cgroups v2 for podman/buildah)
+, conmon # Container runtime monitor
+, utillinux # nsenter
+, cni-plugins # not added to path
+, iptables
+, socat
+}:
+
+let
+  cri-o = cri-o-unwrapped;
+
+  binPath = lib.makeBinPath ([
+    runc
+    crun
+    conmon
+    utillinux
+    iptables
+    socat
+  ] ++ extraPackages);
+
+in runCommand cri-o.name {
+  name = "${cri-o.pname}-wrapper-${cri-o.version}";
+  inherit (cri-o) pname version;
+
+  meta = builtins.removeAttrs cri-o.meta [ "outputsToInstall" ];
+
+  outputs = [
+    "out"
+    "man"
+  ];
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+} ''
+  ln -s ${cri-o.man} $man
+
+  mkdir -p $out/bin
+  ln -s ${cri-o-unwrapped}/share $out/share
+
+  for p in ${cri-o-unwrapped}/bin/*; do
+    makeWrapper $p $out/bin/''${p##*/} \
+      --prefix PATH : ${binPath}
+  done
+''
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index d552ddea8624..b967a3c31803 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -23438,7 +23438,8 @@ in
 
   crispyDoom = callPackage ../games/crispy-doom { };
 
-  cri-o = callPackage ../applications/virtualization/cri-o { };
+  cri-o = callPackage ../applications/virtualization/cri-o/wrapper.nix { };
+  cri-o-unwrapped = callPackage ../applications/virtualization/cri-o { };
 
   ckan = callPackage ../games/ckan { };
 
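Review bot: The new wrapper.nix takes `cri-o` and `cni-plugins` as arguments but uses neither: `cri-o` is immediately shadowed by `cri-o = cri-o-unwrapped;` in the `let`, and because the all-packages hunk binds `cri-o` to this very wrapper, callPackage would be handing the derivation to itself as an argument — harmless under lazy evaluation, but confusing to the next reader. I would drop `, cri-o` from the argument list and either drop `, cni-plugins # not added to path` or say why it stays. The `--prefix PATH : ${binPath}` line deserves a comment, since everything in `binPath`, including every `extraPackages` entry, is resolved ahead of the caller's PATH by `crio` and the runtimes it launches, e.g. `# binPath (incl. extraPackages) wins over the caller's PATH for crio and its children`. `runCommand cri-o.name { name = ...` also passes the name twice; presumably the attribute is what ends up used, so the positional `cri-o.name` reads as if it mattered when it likely does not.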