Commit 21e7f00

HPCesia <me@hpcesia.com>
2026-05-25 15:40:51
Implement Podman in Docker/Podman
1 parent 82be452
Changed files (1)
flake.nix
@@ -16,15 +16,14 @@
 
       perSystem = {
         inputs',
-        lib,
         pkgs,
-        system,
         ...
       }: let
         nix2container = inputs'.nix2container.packages.nix2container;
 
         fakeNss = pkgs.dockerTools.fakeNss.override {
           extraPasswdLines = [
+            "podman:x:1000:1000:Podman user:/home/podman:/bin/bash"
             "nixbld1:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
             "nixbld2:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
             "nixbld3:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
@@ -37,6 +36,7 @@
             "nixbld10:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
           ];
           extraGroupLines = [
+            "podman:x:1000:podman"
             "nixbld:x:999:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10"
           ];
         };
@@ -49,6 +49,85 @@
           mkdir -p $out/tmp
           mkdir -p $out/var/tmp
         '';
+
+        mkPodmanConfig = pkgs.runCommand "podman-config" {} ''
+          mkdir -p $out/etc/containers
+          mkdir -p $out/home/podman
+          mkdir -p $out/var/lib/containers
+          mkdir -p $out/var/lib/shared/overlay-images
+          mkdir -p $out/var/lib/shared/overlay-layers
+          mkdir -p $out/var/lib/shared/vfs-images
+          mkdir -p $out/var/lib/shared/vfs-layers
+          mkdir -p $out/run
+
+          touch $out/var/lib/shared/overlay-images/images.lock
+          touch $out/var/lib/shared/overlay-layers/layers.lock
+          touch $out/var/lib/shared/vfs-images/images.lock
+          touch $out/var/lib/shared/vfs-layers/layers.lock
+
+          cat > $out/etc/containers/containers.conf << 'EOF'
+          [containers]
+          netns="host"
+          userns="host"
+          ipcns="host"
+          utsns="host"
+          cgroupns="host"
+          cgroups="disabled"
+          log_driver = "k8s-file"
+          [engine]
+          cgroup_manager = "cgroupfs"
+          events_logger="file"
+          runtime="crun"
+          EOF
+
+          cat > $out/etc/containers/containers.conf.rootless << 'EOF'
+          [containers]
+          volumes = [
+            "/proc:/proc",
+          ]
+          default_sysctls = []
+          EOF
+
+          cat > $out/etc/containers/storage.conf << 'EOF'
+          [storage]
+          driver = "overlay"
+          runroot = "/run/containers/storage"
+          graphroot = "/var/lib/containers/storage"
+          [storage.options]
+          mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
+          mountopt = "nodev,fsync=0"
+          additionalimagestores = [
+            "/var/lib/shared",
+          ]
+          [storage.options.overlay]
+          ignore_chown_errors = "true"
+          EOF
+
+          cat > $out/etc/containers/mounts.conf << 'EOF'
+          /run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement
+          /run/secrets/rhsm:/run/secrets/rhsm
+          EOF
+
+          cat > $out/etc/containers/policy.json << 'EOF'
+          {"default":[{"type":"insecureAcceptAnything"}]}
+          EOF
+        '';
+
+        mkSubugid = pkgs.runCommand "subugid" {} ''
+          mkdir -p $out/etc
+          cat > $out/etc/subuid << 'EOF'
+          root:1:999
+          root:1001:64535
+          podman:1:999
+          podman:1001:64535
+          EOF
+          cat > $out/etc/subgid << 'EOF'
+          root:1:999
+          root:1001:64535
+          podman:1:999
+          podman:1001:64535
+          EOF
+        '';
       in {
         packages.default = nix2container.buildImage {
           name = "repo.hpcesia.com/HPCesia/nix-act-image";
@@ -117,8 +196,15 @@
                 sudo
                 tree
                 yq
+
+                # Podman in Podman
+                fuse-overlayfs
+                mkPodmanConfig
+                podman
+                shadow
               ];
             })
+            mkSubugid
           ];
           perms = [
             {
@@ -126,6 +212,16 @@
               regex = ".*";
               mode = "1777";
             }
+            {
+              path = mkPodmanConfig;
+              regex = "home/podman";
+              mode = "0777";
+            }
+            {
+              path = pkgs.shadow;
+              regex = "bin/new[ug]idmap";
+              mode = "4555";
+            }
           ];
           config = {
             Entrypoint = ["/bin/bash"];
@@ -135,6 +231,10 @@
               "PATH=/bin"
               "NIX_PAGER=cat"
               "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+              "DOCKER_HOST=unix:///run/user/1000/podman/podman.sock"
+              "CONTAINERS_STORAGE=/var/lib/containers/storage"
+              "_CONTAINERS_USERNS_CONFIGURED="
+              "BUILDAH_ISOLATION=chroot"
             ];
             Labels = {
               "org.opencontainers.image.source" = "https://codeberg.org/HPCesia/nix-act-image";
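Review bot: The `policy.json` written in the mkPodmanConfig hunk (`{"default":[{"type":"insecureAcceptAnything"}]}`) disables signature verification for every image pulled inside this container, and nothing in the hunk records that this is a deliberate choice; a comment above the `cat > $out/etc/containers/policy.json` line such as `# No signature policy: any image from any registry is accepted; tighten per-registry if this image is used outside CI` would make the trade-off visible. In the perms hunk, `home/podman` is made `0777`; since `podman` is the only non-root account added to the passwd lines, `0755` with ownership set to uid 1000 would likely suffice, if nix2container's perms entries allow setting ownership (not visible in this diff). The `DOCKER_HOST=unix:///run/user/1000/podman/podman.sock` path is not created by `mkPodmanConfig` (only `$out/run` is), so it is presumably expected to appear at runtime when a podman service is started; a short comment next to that env line stating who creates the socket would save the next reader from checking. The setuid `4555` on `bin/new[ug]idmap` is the expected requirement for rootless user namespaces and looks consistent with the `/etc/subuid` and `/etc/subgid` ranges written by mkSubugid.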