Commit 21e7f00
Changed files (1)
flake.nix
@@ -16,15 +16,14 @@
perSystem = {
inputs',
- lib,
pkgs,
- system,
...
}: let
nix2container = inputs'.nix2container.packages.nix2container;
fakeNss = pkgs.dockerTools.fakeNss.override {
extraPasswdLines = [
+ "podman:x:1000:1000:Podman user:/home/podman:/bin/bash"
"nixbld1:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
"nixbld2:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
"nixbld3:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
@@ -37,6 +36,7 @@
"nixbld10:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
];
extraGroupLines = [
+ "podman:x:1000:podman"
"nixbld:x:999:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10"
];
};
@@ -49,6 +49,85 @@
mkdir -p $out/tmp
mkdir -p $out/var/tmp
'';
+
+ mkPodmanConfig = pkgs.runCommand "podman-config" {} ''
+ mkdir -p $out/etc/containers
+ mkdir -p $out/home/podman
+ mkdir -p $out/var/lib/containers
+ mkdir -p $out/var/lib/shared/overlay-images
+ mkdir -p $out/var/lib/shared/overlay-layers
+ mkdir -p $out/var/lib/shared/vfs-images
+ mkdir -p $out/var/lib/shared/vfs-layers
+ mkdir -p $out/run
+
+ touch $out/var/lib/shared/overlay-images/images.lock
+ touch $out/var/lib/shared/overlay-layers/layers.lock
+ touch $out/var/lib/shared/vfs-images/images.lock
+ touch $out/var/lib/shared/vfs-layers/layers.lock
+
+ cat > $out/etc/containers/containers.conf << 'EOF'
+ [containers]
+ netns="host"
+ userns="host"
+ ipcns="host"
+ utsns="host"
+ cgroupns="host"
+ cgroups="disabled"
+ log_driver = "k8s-file"
+ [engine]
+ cgroup_manager = "cgroupfs"
+ events_logger="file"
+ runtime="crun"
+ EOF
+
+ cat > $out/etc/containers/containers.conf.rootless << 'EOF'
+ [containers]
+ volumes = [
+ "/proc:/proc",
+ ]
+ default_sysctls = []
+ EOF
+
+ cat > $out/etc/containers/storage.conf << 'EOF'
+ [storage]
+ driver = "overlay"
+ runroot = "/run/containers/storage"
+ graphroot = "/var/lib/containers/storage"
+ [storage.options]
+ mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
+ mountopt = "nodev,fsync=0"
+ additionalimagestores = [
+ "/var/lib/shared",
+ ]
+ [storage.options.overlay]
+ ignore_chown_errors = "true"
+ EOF
+
+ cat > $out/etc/containers/mounts.conf << 'EOF'
+ /run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement
+ /run/secrets/rhsm:/run/secrets/rhsm
+ EOF
+
+ cat > $out/etc/containers/policy.json << 'EOF'
+ {"default":[{"type":"insecureAcceptAnything"}]}
+ EOF
+ '';
+
+ mkSubugid = pkgs.runCommand "subugid" {} ''
+ mkdir -p $out/etc
+ cat > $out/etc/subuid << 'EOF'
+ root:1:999
+ root:1001:64535
+ podman:1:999
+ podman:1001:64535
+ EOF
+ cat > $out/etc/subgid << 'EOF'
+ root:1:999
+ root:1001:64535
+ podman:1:999
+ podman:1001:64535
+ EOF
+ '';
in {
packages.default = nix2container.buildImage {
name = "repo.hpcesia.com/HPCesia/nix-act-image";
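Review bot: The `policy.json` written at the end of `mkPodmanConfig` (`{"default":[{"type":"insecureAcceptAnything"}]}`) turns off image signature checking for every registry, and nothing in the hunk records that this is deliberate. A comment above that `cat`, such as `# Accepts any image without signature verification; tighten this policy if the image pulls from registries you do not control`, would make the trade-off visible to the next reader. The same applies to `mkSubugid`: root and podman receive identical `1:999` / `1001:64535` ranges in both `subuid` and `subgid`, so rootful `--userns=auto` containers and the podman user's rootless containers would presumably map onto the same host ids — if that overlap is intended, a one-line comment saying so would help.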
@@ -117,8 +196,15 @@
sudo
tree
yq
+
+ # Podman in Podman
+ fuse-overlayfs
+ mkPodmanConfig
+ podman
+ shadow
];
})
+ mkSubugid
];
perms = [
{
@@ -126,6 +212,16 @@
regex = ".*";
mode = "1777";
}
+ {
+ path = mkPodmanConfig;
+ regex = "home/podman";
+ mode = "0777";
+ }
+ {
+ path = pkgs.shadow;
+ regex = "bin/new[ug]idmap";
+ mode = "4555";
+ }
];
config = {
Entrypoint = ["/bin/bash"];
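Review bot: The new perms entry for `home/podman` sets `mode = "0777"`, which leaves the podman user's home world-writable for anything else running in the image instead of simply owned by uid 1000. nix2container perms entries also take `uid`/`gid` attributes as far as I recall, so `{ path = mkPodmanConfig; regex = "home/podman"; mode = "0755"; uid = 1000; gid = 1000; }` would hand the directory to the user declared in `extraPasswdLines` without opening it up; confirm the attribute names against the nix2container revision pinned in the flake. The `4555` bit on `bin/new[ug]idmap` is what rootless user namespaces require, so a comment such as `# setuid helpers needed for rootless podman user-namespace setup` next to it would record why a setuid binary is being added to the image.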
@@ -135,6 +231,10 @@
"PATH=/bin"
"NIX_PAGER=cat"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "DOCKER_HOST=unix:///run/user/1000/podman/podman.sock"
+ "CONTAINERS_STORAGE=/var/lib/containers/storage"
+ "_CONTAINERS_USERNS_CONFIGURED="
+ "BUILDAH_ISOLATION=chroot"
];
Labels = {
"org.opencontainers.image.source" = "https://codeberg.org/HPCesia/nix-act-image";
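Review bot: `_CONTAINERS_USERNS_CONFIGURED=` is an internal podman variable whose empty value carries meaning, and the hunk gives no hint of that; a comment such as `# Empty value tells podman it is already inside a configured user namespace and must not re-exec — confirm against the pinned podman release` would keep a later maintainer from dropping it as unused. `DOCKER_HOST` points at `/run/user/1000/podman/podman.sock`, but nothing in this commit starts `podman system service` or a socket unit, so the variable presumably only takes effect once a user launches the service by hand; a short comment stating that expectation would avoid confusion when docker-compatible clients fail to connect.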