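{ config, lib, pkgs, utils, ... }:

# NixOS module for CRI-O, the Kubernetes Container Runtime Interface
# implementation for OCI runtimes. It builds a wrapped cri-o package, renders
# the daemon's default config drop-in, installs the sample CNI configs shipped
# with the upstream sources, and defines the `crio` systemd service.

with lib;
let
  cfg = config.virtualisation.cri-o;

  # The wrapper re-exports cfg.extraPackages (e.g. an alternative OCI runtime)
  # to the daemon; what the wrapper does with them is defined in pkgs.cri-o.
  crioPackage = pkgs.cri-o.override { inherit (cfg) extraPackages; };

  format = pkgs.formats.toml { };

  # Rendered from cfg.settings; installed below as
  # /etc/crio/crio.conf.d/00-default.conf.
  cfgFile = format.generate "00-default.conf" cfg.settings;
in
{
  imports = [
    # `virtualisation.cri-o.registries` was folded into the shared
    # /etc/containers configuration.
    (mkRenamedOptionModule
      [ "virtualisation" "cri-o" "registries" ]
      [ "virtualisation" "containers" "registries" "search" ])
  ];

  meta = {
    maintainers = teams.podman.members;
  };

  options.virtualisation.cri-o = {
    enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";

    # Written verbatim to crio.storage_driver below.
    storageDriver = mkOption {
      type = types.enum [ "btrfs" "overlay" "vfs" ];
      default = "overlay";
      description = "Storage driver to be used";
    };

    # Written verbatim to crio.runtime.log_level. NOTE(review): "trace"/"debug"
    # are verbose daemon logs; review what they capture before enabling them on
    # a host where the journal is widely readable.
    logLevel = mkOption {
      type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
      default = "info";
      description = "Log level to be used";
    };

    # null keeps CRI-O's built-in default pause image.
    pauseImage = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Override the default pause image for pod sandboxes";
      example = "k8s.gcr.io/pause:3.2";
    };

    # null keeps CRI-O's built-in default pause command.
    pauseCommand = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Override the default pause command";
      example = "/pause";
    };

    # When set, becomes both crio.runtime.default_runtime and a (bare) entry
    # in crio.runtime.runtimes; the binary is expected to be reachable by the
    # daemon (see extraPackages).
    runtime = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = "Override the default runtime";
      example = "crun";
    };

    extraPackages = mkOption {
      type = with types; listOf package;
      default = [ ];
      example = literalExpression ''
        [
          pkgs.gvisor
        ]
      '';
      description = ''
        Extra packages to be installed in the CRI-O wrapper.
      '';
    };

    package = mkOption {
      type = types.package;
      default = crioPackage;
      internal = true;
      description = ''
        The final CRI-O package (including extra packages).
      '';
    };

    # Internal: lets other modules point CRI-O at a different CNI config dir.
    networkDir = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Override the network_dir option.";
      internal = true;
    };

    # Free-form TOML; the values this module sets below are merged into it,
    # so users may add keys without losing the defaults.
    settings = mkOption {
      type = format.type;
      default = { };
      description = ''
        Configuration for cri-o, see
        <link xlink:href="https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md"/>.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package pkgs.cri-tools ];

    # crictl's client config is taken verbatim from the upstream source tree.
    environment.etc."crictl.yaml".source =
      utils.copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";

    # Module-provided defaults for the daemon; everything here lands in
    # 00-default.conf together with whatever the user put in cfg.settings.
    virtualisation.cri-o.settings.crio = {
      storage_driver = cfg.storageDriver;

      image = {
        pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
        pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
      };

      network = {
        plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
        network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
      };

      runtime = {
        cgroup_manager = "systemd";
        log_level = cfg.logLevel;
        manage_ns_lifecycle = true;
        # pinns comes from the same wrapped package that the service runs.
        pinns_path = "${cfg.package}/bin/pinns";
        # Only registers the OCI seccomp BPF hook when the shared containers
        # module enables it; otherwise no hook directory is configured.
        hooks_dir =
          optional config.virtualisation.containers.ociSeccompBpfHook.enable
            config.boot.kernelPackages.oci-seccomp-bpf-hook;

        default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
        runtimes = mkIf (cfg.runtime != null) {
          "${cfg.runtime}" = { };
        };
      };
    };

    # Upstream's sample CNI configs are installed unconditionally; the bridge
    # config is what pods get for networking unless networkDir is overridden.
    environment.etc."cni/net.d/10-crio-bridge.conf".source =
      utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";
    environment.etc."cni/net.d/99-loopback.conf".source =
      utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf";
    environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;

    # Enable common /etc/containers configuration
    virtualisation.containers.enable = true;

    systemd.services.crio = {
      description = "Container Runtime Interface for OCI (CRI-O)";
      documentation = [ "https://github.com/cri-o/cri-o" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ cfg.package ];
      serviceConfig = {
        Type = "notify";
        ExecStart = "${cfg.package}/bin/crio";
        # NixOS ships no /bin/kill (only /bin/sh and /usr/bin/env), so the
        # reload action must name the binary by its store path or
        # `systemctl reload crio` fails with "No such file or directory".
        ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
        TasksMax = "infinity";
        LimitNOFILE = "1048576";
        LimitNPROC = "1048576";
        # NOTE(review): unlimited core dumps of the runtime daemon may persist
        # in-memory secrets (e.g. registry credentials) on disk; consider
        # lowering this on production hosts.
        LimitCORE = "infinity";
        # Make the OOM killer prefer workloads over the runtime itself.
        OOMScoreAdjust = "-999";
        TimeoutStartSec = "0";
        Restart = "on-abnormal";
      };
      # Only the module-rendered drop-in triggers a restart; other files in
      # /etc/crio/crio.conf.d are not tracked here.
      restartTriggers = [ cfgFile ];
    };
  };
}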