nixos/modules/virtualisation/cri-o.nix at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / virtualisation / cri-o.nix
at 25.11-pre 4.7 kB view raw
  1{
  2  config,
  3  lib,
  4  pkgs,
  5  ...
  6}:
  7
  8with lib;
  9let
 10  cfg = config.virtualisation.cri-o;
 11
 12  crioPackage = pkgs.cri-o.override {
 13    extraPackages =
 14      cfg.extraPackages
 15      ++ lib.optional (config.boot.supportedFilesystems.zfs or false) config.boot.zfs.package;
 16  };
 17
 18  format = pkgs.formats.toml { };
 19
 20  cfgFile = format.generate "00-default.conf" cfg.settings;
 21in
 22{
 23  meta = {
 24    maintainers = teams.podman.members;
 25  };
 26
 27  options.virtualisation.cri-o = {
 28    enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
 29
 30    storageDriver = mkOption {
 31      type = types.enum [
 32        "aufs"
 33        "btrfs"
 34        "devmapper"
 35        "overlay"
 36        "vfs"
 37        "zfs"
 38      ];
 39      default = "overlay";
 40      description = "Storage driver to be used";
 41    };
 42
 43    logLevel = mkOption {
 44      type = types.enum [
 45        "trace"
 46        "debug"
 47        "info"
 48        "warn"
 49        "error"
 50        "fatal"
 51      ];
 52      default = "info";
 53      description = "Log level to be used";
 54    };
 55
 56    pauseImage = mkOption {
 57      type = types.nullOr types.str;
 58      default = null;
 59      description = "Override the default pause image for pod sandboxes";
 60      example = "k8s.gcr.io/pause:3.2";
 61    };
 62
 63    pauseCommand = mkOption {
 64      type = types.nullOr types.str;
 65      default = null;
 66      description = "Override the default pause command";
 67      example = "/pause";
 68    };
 69
 70    runtime = mkOption {
 71      type = types.nullOr types.str;
 72      default = null;
 73      description = "Override the default runtime";
 74      example = "crun";
 75    };
 76
 77    extraPackages = mkOption {
 78      type = with types; listOf package;
 79      default = [ ];
 80      example = literalExpression ''
 81        [
 82          pkgs.gvisor
 83        ]
 84      '';
 85      description = ''
 86        Extra packages to be installed in the CRI-O wrapper.
 87      '';
 88    };
 89
 90    package = mkOption {
 91      type = types.package;
 92      default = crioPackage;
 93      internal = true;
 94      description = ''
 95        The final CRI-O package (including extra packages).
 96      '';
 97    };
 98
 99    networkDir = mkOption {
100      type = types.nullOr types.path;
101      default = null;
102      description = "Override the network_dir option.";
103      internal = true;
104    };
105
106    settings = mkOption {
107      type = format.type;
108      default = { };
109      description = ''
110        Configuration for cri-o, see
111        <https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md>.
112      '';
113    };
114  };
115
116  config = mkIf cfg.enable {
117    environment.systemPackages = [
118      cfg.package
119      pkgs.cri-tools
120    ];
121
122    environment.etc."crictl.yaml".source = "${cfg.package}/etc/crictl.yaml";
123
124    virtualisation.cri-o.settings.crio = {
125      storage_driver = cfg.storageDriver;
126
127      image = {
128        pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
129        pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
130      };
131
132      network = {
133        plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
134        network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
135      };
136
137      runtime = {
138        cgroup_manager = "systemd";
139        log_level = cfg.logLevel;
140        manage_ns_lifecycle = true;
141        pinns_path = "${cfg.package}/bin/pinns";
142        hooks_dir = optional (config.virtualisation.containers.ociSeccompBpfHook.enable) config.boot.kernelPackages.oci-seccomp-bpf-hook;
143
144        default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
145        runtimes = mkIf (cfg.runtime != null) {
146          "${cfg.runtime}" = { };
147        };
148      };
149    };
150
151    environment.etc."cni/net.d/10-crio-bridge.conflist".source =
152      "${cfg.package}/etc/cni/net.d/10-crio-bridge.conflist";
153    environment.etc."cni/net.d/99-loopback.conflist".source =
154      "${cfg.package}/etc/cni/net.d/99-loopback.conflist";
155    environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;
156
157    # Enable common /etc/containers configuration
158    virtualisation.containers.enable = true;
159
160    systemd.services.crio = {
161      description = "Container Runtime Interface for OCI (CRI-O)";
162      documentation = [ "https://github.com/cri-o/cri-o" ];
163      wantedBy = [ "multi-user.target" ];
164      after = [ "network.target" ];
165      path = [ cfg.package ];
166      serviceConfig = {
167        Type = "notify";
168        ExecStart = "${cfg.package}/bin/crio";
169        ExecReload = "/bin/kill -s HUP $MAINPID";
170        TasksMax = "infinity";
171        LimitNOFILE = "1048576";
172        LimitNPROC = "1048576";
173        LimitCORE = "infinity";
174        OOMScoreAdjust = "-999";
175        TimeoutStartSec = "0";
176        Restart = "on-abnormal";
177      };
178      restartTriggers = [ cfgFile ];
179    };
180  };
181}