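{ config, lib, pkgs, ... }:

# NixOS module for CRI-O, the Kubernetes-facing OCI container runtime daemon.
#
# The module builds a wrapped `cri-o` package (with any extra tools the
# runtime should find on its PATH), renders the user-supplied `settings`
# into a TOML drop-in under /etc/crio/crio.conf.d/, installs CNI and crictl
# configuration, and defines the `crio.service` systemd unit.

with lib;
let
  cfg = config.virtualisation.cri-o;

  # Wrapped daemon: `extraPackages` end up on CRI-O's PATH. When the system
  # is built with zfs support, the zfs userland package is added as well
  # (presumably so the "zfs" storage driver can find the zfs tools).
  crioPackage = pkgs.cri-o.override {
    extraPackages = cfg.extraPackages
      ++ lib.optional (builtins.elem "zfs" config.boot.supportedFilesystems) config.boot.zfs.package;
  };

  format = pkgs.formats.toml { };

  # Rendered configuration drop-in; installed as
  # /etc/crio/crio.conf.d/00-default.conf in the `config` section below.
  # The "00-" prefix leaves room for administrator drop-ins that sort after
  # it and therefore take precedence (CRI-O reads the directory lexically).
  cfgFile = format.generate "00-default.conf" cfg.settings;
in
{
  meta = {
    maintainers = teams.podman.members;
  };

  options.virtualisation.cri-o = {
    enable = mkEnableOption (lib.mdDoc "Container Runtime Interface for OCI (CRI-O)");

    # Maps straight to `crio.storage_driver` in the rendered TOML.
    storageDriver = mkOption {
      type = types.enum [ "aufs" "btrfs" "devmapper" "overlay" "vfs" "zfs" ];
      default = "overlay";
      description = lib.mdDoc "Storage driver to be used";
    };

    # Maps to `crio.runtime.log_level`.
    logLevel = mkOption {
      type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
      default = "info";
      description = lib.mdDoc "Log level to be used";
    };

    # Only written to `crio.image.pause_image` when set, so CRI-O's own
    # default applies otherwise. Note for operators: the image is pulled
    # from whatever registry the reference names; pin it by digest if the
    # pod sandbox image is part of your trust boundary.
    pauseImage = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Override the default pause image for pod sandboxes";
      # registry.k8s.io is the current Kubernetes image registry; k8s.gcr.io
      # only redirects there now.
      example = "registry.k8s.io/pause:3.9";
    };

    # Only written to `crio.image.pause_command` when set.
    pauseCommand = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Override the default pause command";
      example = "/pause";
    };

    # When set, becomes `crio.runtime.default_runtime` and is registered as
    # an (otherwise empty) entry under `crio.runtime.runtimes`; the binary
    # itself must then be reachable by CRI-O, e.g. via `extraPackages`.
    runtime = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = lib.mdDoc "Override the default runtime";
      example = "crun";
    };

    extraPackages = mkOption {
      type = with types; listOf package;
      default = [ ];
      example = literalExpression ''
        [
          pkgs.gvisor
        ]
      '';
      description = lib.mdDoc ''
        Extra packages to be installed in the CRI-O wrapper.
      '';
    };

    # Internal: the fully wrapped package other modules should reference.
    package = mkOption {
      type = types.package;
      default = crioPackage;
      internal = true;
      description = lib.mdDoc ''
        The final CRI-O package (including extra packages).
      '';
    };

    # Internal: lets another module (e.g. a Kubernetes module) point CRI-O
    # at its own CNI configuration directory.
    networkDir = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = lib.mdDoc "Override the network_dir option.";
      internal = true;
    };

    # Free-form crio.conf contents; the typed options above are merged
    # into this attribute set in the `config` section below.
    settings = mkOption {
      type = format.type;
      default = { };
      description = lib.mdDoc ''
        Configuration for cri-o, see
        <https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md>.
      '';
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package pkgs.cri-tools ];

    # crictl client configuration shipped with the package (socket endpoint).
    environment.etc."crictl.yaml".source = "${cfg.package}/etc/crictl.yaml";

    # Project the typed options into the `crio` TOML table. `mkIf` on the
    # nullable options keeps the keys out of the file entirely when unset.
    virtualisation.cri-o.settings.crio = {
      storage_driver = cfg.storageDriver;

      image = {
        pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
        pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
      };

      network = {
        plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
        network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
      };

      runtime = {
        cgroup_manager = "systemd";
        log_level = cfg.logLevel;
        manage_ns_lifecycle = true;
        pinns_path = "${cfg.package}/bin/pinns";
        # OCI hooks run with the runtime's privileges for every container,
        # so only the seccomp BPF hook package is listed here, and only when
        # the corresponding option is enabled. The derivation is rendered as
        # its store path in the TOML.
        hooks_dir =
          optional (config.virtualisation.containers.ociSeccompBpfHook.enable)
            config.boot.kernelPackages.oci-seccomp-bpf-hook;

        default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
        # An empty runtime table: CRI-O will look the runtime up by name
        # rather than via an explicit runtime_path.
        runtimes = mkIf (cfg.runtime != null) {
          "${cfg.runtime}" = { };
        };
      };
    };

    # Default CNI network (bridge + loopback) as shipped by the package.
    environment.etc."cni/net.d/10-crio-bridge.conflist".source = "${cfg.package}/etc/cni/net.d/10-crio-bridge.conflist";
    environment.etc."cni/net.d/99-loopback.conflist".source = "${cfg.package}/etc/cni/net.d/99-loopback.conflist";
    environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;

    # Enable common /etc/containers configuration
    virtualisation.containers.enable = true;

    # The daemon runs as root with no systemd sandboxing directives
    # (no User=, Protect*=, etc.); it has to create mounts, namespaces and
    # cgroups on behalf of containers, so there is little to confine here
    # beyond what CRI-O itself enforces per container.
    systemd.services.crio = {
      description = "Container Runtime Interface for OCI (CRI-O)";
      documentation = [ "https://github.com/cri-o/cri-o" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      path = [ cfg.package ];
      serviceConfig = {
        Type = "notify";
        ExecStart = "${cfg.package}/bin/crio";
        # NixOS does not populate /bin beyond /bin/sh, so an absolute
        # "/bin/kill" would make `systemctl reload crio` fail with ENOENT.
        # Reference the store path explicitly instead.
        ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
        TasksMax = "infinity";
        LimitNOFILE = "1048576";
        LimitNPROC = "1048576";
        # Unlimited core dumps aid debugging, but a dump of the daemon may
        # contain in-memory secrets (e.g. registry credentials); consider
        # lowering this on hardened hosts.
        LimitCORE = "infinity";
        # Make the OOM killer strongly prefer containers over the runtime.
        OOMScoreAdjust = "-999";
        # No start timeout: readiness is signalled via sd_notify (Type=notify).
        TimeoutStartSec = "0";
        Restart = "on-abnormal";
      };
      # Re-render of the TOML drop-in restarts the daemon on activation.
      restartTriggers = [ cfgFile ];
    };
  };
}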