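# NixOS module for CRI-O, the Kubernetes Container Runtime Interface daemon.
#
# It wires up the wrapped `cri-o` package, renders the daemon configuration to
# /etc/crio/crio.conf.d/00-default.conf, installs the default CNI network
# definitions and defines the `crio` systemd service.
{ config, lib, pkgs, utils, ... }:

with lib;

let
  cfg = config.virtualisation.cri-o;

  # The wrapped package: `extraPackages` are added to the wrapper so that
  # additional runtimes (e.g. gvisor, crun) are reachable by the daemon.
  crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; });

  format = pkgs.formats.toml { };

  # The rendered drop-in. It is a Nix store path and therefore world-readable:
  # `settings` must never carry registry credentials or other secrets.
  cfgFile = format.generate "00-default.conf" cfg.settings;
in
{
  meta = {
    maintainers = teams.podman.members;
  };

  options.virtualisation.cri-o = {
    enable = mkEnableOption (lib.mdDoc "Container Runtime Interface for OCI (CRI-O)");

    storageDriver = mkOption {
      type = types.enum [ "btrfs" "overlay" "vfs" ];
      default = "overlay";
      description = lib.mdDoc "Storage driver to be used";
    };

    logLevel = mkOption {
      type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
      default = "info";
      description = lib.mdDoc "Log level to be used";
    };

    pauseImage = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Override the default pause image for pod sandboxes";
      # NOTE(review): k8s.gcr.io has since been superseded by registry.k8s.io;
      # verify the registry before copying this example into a deployment.
      example = "k8s.gcr.io/pause:3.2";
    };

    pauseCommand = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Override the default pause command";
      example = "/pause";
    };

    # Name only; the binary is resolved by CRI-O. Ship it through
    # `extraPackages` so it is present in the wrapper (see `runtimes` below).
    runtime = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Override the default runtime";
      example = "crun";
    };

    extraPackages = mkOption {
      type = with types; listOf package;
      default = [ ];
      example = literalExpression ''
        [
          pkgs.gvisor
        ]
      '';
      description = lib.mdDoc ''
        Extra packages to be installed in the CRI-O wrapper.
      '';
    };

    package = mkOption {
      type = types.package;
      default = crioPackage;
      internal = true;
      description = lib.mdDoc ''
        The final CRI-O package (including extra packages).
      '';
    };

    networkDir = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = lib.mdDoc "Override the network_dir option.";
      internal = true;
    };

    # Free-form TOML merged with the defaults set in `config` below; keys set
    # here take part in the module system's normal merging/priority rules.
    settings = mkOption {
      type = format.type;
      default = { };
      description = lib.mdDoc ''
        Configuration for cri-o, see
        <https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md>.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package pkgs.cri-tools ];

    # Client configuration for `crictl`, taken verbatim from the CRI-O source tree.
    environment.etc."crictl.yaml".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";

    # Defaults for the [crio] table. Each `mkIf` guards an optional override so
    # that unset options do not emit an empty/null key into the TOML.
    virtualisation.cri-o.settings.crio = {
      storage_driver = cfg.storageDriver;

      image = {
        pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
        pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
      };

      network = {
        plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
        network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
      };

      runtime = {
        # Matches the systemd-managed service below so container cgroups sit
        # under systemd rather than a cgroupfs tree CRI-O manages itself.
        cgroup_manager = "systemd";
        log_level = cfg.logLevel;
        # Namespace pinning is done by the bundled `pinns` helper.
        manage_ns_lifecycle = true;
        pinns_path = "${cfg.package}/bin/pinns";
        # Only register the seccomp BPF hook when the shared containers
        # module enabled it; `optional` yields [] otherwise.
        hooks_dir =
          optional (config.virtualisation.containers.ociSeccompBpfHook.enable)
            config.boot.kernelPackages.oci-seccomp-bpf-hook;

        # An empty runtime table entry: no explicit runtime_path is given, so
        # CRI-O is expected to locate the runtime binary by name.
        default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
        runtimes = mkIf (cfg.runtime != null) {
          "${cfg.runtime}" = { };
        };
      };
    };

    # Default CNI network definitions shipped with CRI-O. Sites with their own
    # CNI setup can override these entries.
    environment.etc."cni/net.d/10-crio-bridge.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";
    environment.etc."cni/net.d/99-loopback.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf";
    environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;

    # Enable common /etc/containers configuration
    virtualisation.containers.enable = true;

    systemd.services.crio = {
      description = "Container Runtime Interface for OCI (CRI-O)";
      documentation = [ "https://github.com/cri-o/cri-o" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ cfg.package ];
      serviceConfig = {
        # Type=notify: the daemon signals readiness itself, hence the disabled
        # start timeout below.
        Type = "notify";
        ExecStart = "${cfg.package}/bin/crio";
        # NixOS does not provide /bin/kill (only /bin/sh and /usr/bin/env), so
        # the previous "/bin/kill" made `systemctl reload crio` fail outright.
        # Reference kill from the store instead.
        ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
        TasksMax = "infinity";
        LimitNOFILE = "1048576";
        LimitNPROC = "1048576";
        LimitCORE = "infinity";
        # Near-exempt from the OOM killer so workloads are reaped before the runtime.
        OOMScoreAdjust = "-999";
        TimeoutStartSec = "0";
        # Restart on signals/timeouts, but not on a clean exit.
        Restart = "on-abnormal";
      };
      # Pick up a changed drop-in on `nixos-rebuild switch`.
      restartTriggers = [ cfgFile ];
    };
  };
}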