Revert "podman: remove wrapper"

This reverts commit 02f9255044. broke rootlessport port forwarding
2025-01-06 21:42:35 +03:00 · 2023-02-17 19:43:08 +10:00 · 2023-02-17 19:43:08 +10:00 · 3e081095a4
commit 3e081095a4
parent 1256bb346f
4 changed files with 105 additions and 58 deletions
--- a/nixos/modules/virtualisation/podman/default.nix
+++ b/nixos/modules/virtualisation/podman/default.nix
@ -9,8 +9,7 @@ let
    extraPackages = cfg.extraPackages
      # setuid shadow
      ++ [ "/run/wrappers" ]
-      # include pkgs.zfs by default in the wrapped podman used by the module so it is cached
-      ++ (if (builtins.elem "zfs" config.boot.supportedFilesystems) then [ config.boot.zfs.package ] else [ pkgs.zfs ]);
+      ++ lib.optional (builtins.elem "zfs" config.boot.supportedFilesystems) config.boot.zfs.package;
  });

  # Provides a fake "docker" binary mapping to podman
@ -184,6 +183,10 @@ in

      systemd.packages = [ cfg.package ];

+      systemd.services.podman.serviceConfig = {
+        ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
+      };
+
      systemd.services.podman-prune = {
        description = "Prune podman resources";

@ -204,6 +207,10 @@ in
      systemd.sockets.podman.wantedBy = [ "sockets.target" ];
      systemd.sockets.podman.socketConfig.SocketGroup = "podman";

+      systemd.user.services.podman.serviceConfig = {
+        ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
+      };
+
      systemd.user.sockets.podman.wantedBy = [ "sockets.target" ];

      systemd.tmpfiles.packages = [
--- a/pkgs/applications/virtualization/podman/default.nix
+++ b/pkgs/applications/virtualization/podman/default.nix
@ -14,52 +14,10 @@
 , go-md2man
 , nixosTests
 , python3
-, makeWrapper
-, symlinkJoin
-, extraPackages ? [ ]
-, runc
-, crun
-, conmon
-, slirp4netns
-, fuse-overlayfs
-, util-linux
-, iptables
-, iproute2
-, catatonit
-, gvproxy
-, aardvark-dns
-, netavark
 , testers
 , podman
 }:
-let
-  # do not add qemu to this wrapper, store paths get written to the podman vm config and break when GCed

-  binPath = lib.makeBinPath ([
-  ] ++ lib.optionals stdenv.isLinux [
-    runc
-    crun
-    conmon
-    slirp4netns
-    fuse-overlayfs
-    util-linux
-    iptables
-    iproute2
-  ] ++ extraPackages);
-
-  helpersBin = symlinkJoin {
-    name = "podman-helper-binary-wrapper";
-
-    # this only works for some binaries, others may need to be be added to `binPath` or in the modules
-    paths = [
-      gvproxy
-    ] ++ lib.optionals stdenv.isLinux [
-      aardvark-dns
-      catatonit # added here for the pause image and also set in `containersConf` for `init_path`
-      netavark
-    ];
-  };
-in
 buildGoModule rec {
  pname = "podman";
  version = "4.4.1";
@ -80,9 +38,9 @@ buildGoModule rec {

  doCheck = false;

-  outputs = [ "out" "man" ];
+  outputs = [ "out" "man" ] ++ lib.optionals stdenv.isLinux [ "rootlessport" ];

-  nativeBuildInputs = [ pkg-config go-md2man installShellFiles makeWrapper python3 ];
+  nativeBuildInputs = [ pkg-config go-md2man installShellFiles python3 ];

  buildInputs = lib.optionals stdenv.isLinux [
    btrfs-progs
@ -94,16 +52,13 @@ buildGoModule rec {
    systemd
  ];

-  HELPER_BINARIES_DIR = "${helpersBin}/bin";
-  PREFIX = "${placeholder "out"}";
-
  buildPhase = ''
    runHook preBuild
    patchShebangs .
    ${if stdenv.isDarwin then ''
      make podman-remote # podman-mac-helper uses FHS paths
    '' else ''
-      make bin/podman bin/rootlessport bin/quadlet
+      make bin/podman bin/rootlessport
    ''}
    make docs
    runHook postBuild
@ -111,20 +66,26 @@ buildGoModule rec {

  installPhase = ''
    runHook preInstall
+    mkdir -p {$out/{bin,etc,lib,share},$man} # ensure paths exist for the wrapper
    ${if stdenv.isDarwin then ''
-      install bin/darwin/podman -Dt $out/bin
+      mv bin/{darwin/podman,podman}
    '' else ''
-      make install.bin install.systemd
+      install -Dm644 contrib/tmpfile/podman.conf -t $out/lib/tmpfiles.d
+      for s in contrib/systemd/**/*.in; do
+        substituteInPlace "$s" --replace "@@PODMAN@@" "podman" # don't use unwrapped binary
+      done
+      PREFIX=$out make install.systemd
+      install -Dm555 bin/rootlessport -t $rootlessport/bin
    ''}
-    make install.completions install.man
-    wrapProgram $out/bin/podman \
-      --prefix PATH : ${lib.escapeShellArg binPath}
+    install -Dm555 bin/podman -t $out/bin
+    PREFIX=$out make install.completions
+    MANDIR=$man/share/man make install.man
    runHook postInstall
  '';

  postFixup = lib.optionalString stdenv.isLinux ''
-    RPATH=$(patchelf --print-rpath $out/bin/.podman-wrapped)
-    patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/.podman-wrapped
+    RPATH=$(patchelf --print-rpath $out/bin/podman)
+    patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/podman
  '';

  passthru.tests = {
--- a/pkgs/applications/virtualization/podman/wrapper.nix
+++ b/pkgs/applications/virtualization/podman/wrapper.nix
@ -0,0 +1,78 @@
+{ podman-unwrapped
+, runCommand
+, makeWrapper
+, symlinkJoin
+, lib
+, stdenv
+, extraPackages ? []
+, runc # Default container runtime
+, crun # Container runtime (default with cgroups v2 for podman/buildah)
+, conmon # Container runtime monitor
+, slirp4netns # User-mode networking for unprivileged namespaces
+, fuse-overlayfs # CoW for images, much faster than default vfs
+, util-linux # nsenter
+, iptables
+, iproute2
+, catatonit
+, gvproxy
+, aardvark-dns
+, netavark
+}:
+
+# do not add qemu to this wrapper, store paths get written to the podman vm config and break when GCed
+
+let
+  binPath = lib.makeBinPath ([
+  ] ++ lib.optionals stdenv.isLinux [
+    runc
+    crun
+    conmon
+    slirp4netns
+    fuse-overlayfs
+    util-linux
+    iptables
+    iproute2
+  ] ++ extraPackages);
+
+  helpersBin = symlinkJoin {
+    name = "${podman-unwrapped.pname}-helper-binary-wrapper-${podman-unwrapped.version}";
+
+    # this only works for some binaries, others may need to be be added to `binPath` or in the modules
+    paths = [
+      gvproxy
+    ] ++ lib.optionals stdenv.isLinux [
+      aardvark-dns
+      catatonit # added here for the pause image and also set in `containersConf` for `init_path`
+      netavark
+      podman-unwrapped.rootlessport
+    ];
+  };
+
+in runCommand podman-unwrapped.name {
+  name = "${podman-unwrapped.pname}-wrapper-${podman-unwrapped.version}";
+  inherit (podman-unwrapped) pname version passthru;
+
+  preferLocalBuild = true;
+
+  meta = builtins.removeAttrs podman-unwrapped.meta [ "outputsToInstall" ];
+
+  outputs = [
+    "out"
+    "man"
+  ];
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+} ''
+  ln -s ${podman-unwrapped.man} $man
+
+  mkdir -p $out/bin
+  ln -s ${podman-unwrapped}/etc $out/etc
+  ln -s ${podman-unwrapped}/lib $out/lib
+  ln -s ${podman-unwrapped}/share $out/share
+  makeWrapper ${podman-unwrapped}/bin/podman $out/bin/podman \
+    --set CONTAINERS_HELPER_BINARY_DIR ${helpersBin}/bin \
+    --prefix PATH : ${lib.escapeShellArg binPath}
+''
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -11010,7 +11010,8 @@ with pkgs;

  pocketbase = callPackage ../servers/pocketbase { };

-  podman = callPackage ../applications/virtualization/podman { };
+  podman = callPackage ../applications/virtualization/podman/wrapper.nix { };
+  podman-unwrapped = callPackage ../applications/virtualization/podman { };

  podman-compose = python3Packages.callPackage ../applications/virtualization/podman-compose {};