commit ab64310a5e5534a8c96d6523ba5a765d27beceaf · pyrox.dev/nixpkgs

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

···

       35
       35
        
             </listitem>

     

       36
       36
        
             <listitem>

     

       37
       37
        
               <para>

     

       38
       38
       +
                 <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless

     

       39
       39
       +
                 Docker</link>, a <literal>systemd --user</literal> Docker

     

       40
       40
       +
                 service which runs without root permissions. Available as

     

       41
       41
       +
                 <link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>.

     

       42
       42
       +
               </para>

     

       43
       43
       +
             </listitem>

     

       44
       44
       +
             <listitem>

     

       45
       45
       +
               <para>

     

       38
       46
        
                 <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>,

     

       39
       47
        
                 a lightweight shipper for forwarding and centralizing log

     

       40
       48
        
                 data. Available as

nixos/doc/manual/release-notes/rl-2205.section.md

···

       11
       11
        
       ## New Services {#sec-release-22.05-new-services}

     

       12
       12
        
       

     

       13
       13
        
       - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).

     

       14
       14
       +
       - [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable).

     

       14
       15
        
       

     

       15
       16
        
       - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).

     

       16
       17

nixos/modules/module-list.nix

···

       1187
       1187
        
         ./virtualisation/oci-containers.nix

     

       1188
       1188
        
         ./virtualisation/cri-o.nix

     

       1189
       1189
        
         ./virtualisation/docker.nix

     

       1190
       1190
       +
         ./virtualisation/docker-rootless.nix

     

       1190
       1191
        
         ./virtualisation/ecs-agent.nix

     

       1191
       1192
        
         ./virtualisation/libvirtd.nix

     

       1192
       1193
        
         ./virtualisation/lxc.nix

+98

nixos/modules/virtualisation/docker-rootless.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       

     

       3
       3
       +
       with lib;

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
       

     

       7
       7
       +
         cfg = config.virtualisation.docker.rootless;

     

       8
       8
       +
         proxy_env = config.networking.proxy.envVars;

     

       9
       9
       +
         settingsFormat = pkgs.formats.json {};

     

       10
       10
       +
         daemonSettingsFile = settingsFormat.generate "daemon.json" cfg.daemon.settings;

     

       11
       11
       +
       

     

       12
       12
       +
       in

     

       13
       13
       +
       

     

       14
       14
       +
       {

     

       15
       15
       +
         ###### interface

     

       16
       16
       +
       

     

       17
       17
       +
         options.virtualisation.docker.rootless = {

     

       18
       18
       +
           enable = mkOption {

     

       19
       19
       +
             type = types.bool;

     

       20
       20
       +
             default = false;

     

       21
       21
       +
             description = ''

     

       22
       22
       +
               This option enables docker in a rootless mode, a daemon that manages

     

       23
       23
       +
               linux containers. To interact with the daemon, one needs to set

     

       24
       24
       +
               <command>DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock</command>.

     

       25
       25
       +
             '';

     

       26
       26
       +
           };

     

       27
       27
       +
       

     

       28
       28
       +
           setSocketVariable = mkOption {

     

       29
       29
       +
             type = types.bool;

     

       30
       30
       +
             default = false;

     

       31
       31
       +
             description = ''

     

       32
       32
       +
               Point <command>DOCKER_HOST</command> to rootless Docker instance for

     

       33
       33
       +
               normal users by default.

     

       34
       34
       +
             '';

     

       35
       35
       +
           };

     

       36
       36
       +
       

     

       37
       37
       +
           daemon.settings = mkOption {

     

       38
       38
       +
             type = settingsFormat.type;

     

       39
       39
       +
             default = { };

     

       40
       40
       +
             example = {

     

       41
       41
       +
               ipv6 = true;

     

       42
       42
       +
               "fixed-cidr-v6" = "fd00::/80";

     

       43
       43
       +
             };

     

       44
       44
       +
             description = ''

     

       45
       45
       +
               Configuration for docker daemon. The attributes are serialized to JSON used as daemon.conf.

     

       46
       46
       +
               See https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file

     

       47
       47
       +
             '';

     

       48
       48
       +
           };

     

       49
       49
       +
       

     

       50
       50
       +
           package = mkOption {

     

       51
       51
       +
             default = pkgs.docker;

     

       52
       52
       +
             defaultText = literalExpression "pkgs.docker";

     

       53
       53
       +
             type = types.package;

     

       54
       54
       +
             example = literalExpression "pkgs.docker-edge";

     

       55
       55
       +
             description = ''

     

       56
       56
       +
               Docker package to be used in the module.

     

       57
       57
       +
             '';

     

       58
       58
       +
           };

     

       59
       59
       +
         };

     

       60
       60
       +
       

     

       61
       61
       +
         ###### implementation

     

       62
       62
       +
       

     

       63
       63
       +
         config = mkIf cfg.enable {

     

       64
       64
       +
           environment.systemPackages = [ cfg.package ];

     

       65
       65
       +
       

     

       66
       66
       +
           environment.extraInit = optionalString cfg.setSocketVariable ''

     

       67
       67
       +
             if [ -z "$DOCKER_HOST" -a -n "$XDG_RUNTIME_DIR" ]; then

     

       68
       68
       +
               export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"

     

       69
       69
       +
             fi

     

       70
       70
       +
           '';

     

       71
       71
       +
       

     

       72
       72
       +
           # Taken from https://github.com/moby/moby/blob/master/contrib/dockerd-rootless-setuptool.sh

     

       73
       73
       +
           systemd.user.services.docker = {

     

       74
       74
       +
             wantedBy = [ "default.target" ];

     

       75
       75
       +
             description = "Docker Application Container Engine (Rootless)";

     

       76
       76
       +
             # needs newuidmap from pkgs.shadow

     

       77
       77
       +
             path = [ "/run/wrappers" ];

     

       78
       78
       +
             environment = proxy_env;

     

       79
       79
       +
             unitConfig.StartLimitInterval = "60s";

     

       80
       80
       +
             serviceConfig = {

     

       81
       81
       +
               Type = "notify";

     

       82
       82
       +
               ExecStart = "${cfg.package}/bin/dockerd-rootless --config-file=${daemonSettingsFile}";

     

       83
       83
       +
               ExecReload = "${pkgs.procps}/bin/kill -s HUP $MAINPID";

     

       84
       84
       +
               TimeoutSec = 0;

     

       85
       85
       +
               RestartSec = 2;

     

       86
       86
       +
               Restart = "always";

     

       87
       87
       +
               StartLimitBurst = 3;

     

       88
       88
       +
               LimitNOFILE = "infinity";

     

       89
       89
       +
               LimitNPROC = "infinity";

     

       90
       90
       +
               LimitCORE = "infinity";

     

       91
       91
       +
               Delegate = true;

     

       92
       92
       +
               NotifyAccess = "all";

     

       93
       93
       +
               KillMode = "mixed";

     

       94
       94
       +
             };

     

       95
       95
       +
           };

     

       96
       96
       +
         };

     

       97
       97
       +
       

     

       98
       98
       +
       }

nixos/tests/all-tests.nix

···

       104
       104
        
         dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};

     

       105
       105
        
         doas = handleTest ./doas.nix {};

     

       106
       106
        
         docker = handleTestOn ["x86_64-linux"] ./docker.nix {};

     

       107
       107
       +
         docker-rootless = handleTestOn ["x86_64-linux"] ./docker-rootless.nix {};

     

       107
       108
        
         docker-edge = handleTestOn ["x86_64-linux"] ./docker-edge.nix {};

     

       108
       109
        
         docker-registry = handleTest ./docker-registry.nix {};

     

       109
       110
        
         docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {};

+41

nixos/tests/docker-rootless.nix

···

       1
       1
       +
       # This test runs docker and checks if simple container starts

     

       2
       2
       +
       

     

       3
       3
       +
       import ./make-test-python.nix ({ lib, pkgs, ...} : {

     

       4
       4
       +
         name = "docker-rootless";

     

       5
       5
       +
         meta = with pkgs.lib.maintainers; {

     

       6
       6
       +
           maintainers = [ abbradar ];

     

       7
       7
       +
         };

     

       8
       8
       +
       

     

       9
       9
       +
         nodes = {

     

       10
       10
       +
           machine = { pkgs, ... }: {

     

       11
       11
       +
             virtualisation.docker.rootless.enable = true;

     

       12
       12
       +
       

     

       13
       13
       +
             users.users.alice = {

     

       14
       14
       +
               uid = 1000;

     

       15
       15
       +
               isNormalUser = true;

     

       16
       16
       +
             };

     

       17
       17
       +
           };

     

       18
       18
       +
         };

     

       19
       19
       +
       

     

       20
       20
       +
         testScript = { nodes, ... }:

     

       21
       21
       +
           let

     

       22
       22
       +
             user = nodes.machine.config.users.users.alice;

     

       23
       23
       +
             sudo = lib.concatStringsSep " " [

     

       24
       24
       +
               "XDG_RUNTIME_DIR=/run/user/${toString user.uid}"

     

       25
       25
       +
               "DOCKER_HOST=unix:///run/user/${toString user.uid}/docker.sock"

     

       26
       26
       +
               "sudo" "--preserve-env=XDG_RUNTIME_DIR,DOCKER_HOST" "-u" "alice"

     

       27
       27
       +
             ];

     

       28
       28
       +
           in ''

     

       29
       29
       +
             machine.wait_for_unit("multi-user.target")

     

       30
       30
       +
       

     

       31
       31
       +
             machine.succeed("loginctl enable-linger alice")

     

       32
       32
       +
             machine.wait_until_succeeds("${sudo} systemctl --user is-active docker.service")

     

       33
       33
       +
       

     

       34
       34
       +
             machine.succeed("tar cv --files-from /dev/null | ${sudo} docker import - scratchimg")

     

       35
       35
       +
             machine.succeed(

     

       36
       36
       +
                 "${sudo} docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"

     

       37
       37
       +
             )

     

       38
       38
       +
             machine.succeed("${sudo} docker ps | grep sleeping")

     

       39
       39
       +
             machine.succeed("${sudo} docker stop sleeping")

     

       40
       40
       +
           '';

     

       41
       41
       +
       })