From 3e081095a4471f126dfb1346cb51ddec36784c23 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Fri, 17 Feb 2023 19:43:08 +1000
Subject: [PATCH] Revert "podman: remove wrapper"

This reverts commit 02f92550441de39d0e42b39b538ac5529714ed41.

broke rootlessport port forwarding
---
 .../modules/virtualisation/podman/default.nix | 11 ++-
 .../virtualization/podman/default.nix | 71 ++++------------
 .../virtualization/podman/wrapper.nix | 78 +++++++++++++++++++
 pkgs/top-level/all-packages.nix | 3 +-
 4 files changed, 105 insertions(+), 58 deletions(-)
 create mode 100644 pkgs/applications/virtualization/podman/wrapper.nix

diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix
index 2e2190e4188c..baca48305188 100644
--- a/nixos/modules/virtualisation/podman/default.nix
+++ b/nixos/modules/virtualisation/podman/default.nix
@@ -9,8 +9,7 @@ let
     extraPackages = cfg.extraPackages
       # setuid shadow
       ++ [ "/run/wrappers" ]
-      # include pkgs.zfs by default in the wrapped podman used by the module so it is cached
-      ++ (if (builtins.elem "zfs" config.boot.supportedFilesystems) then [ config.boot.zfs.package ] else [ pkgs.zfs ]);
+      ++ lib.optional (builtins.elem "zfs" config.boot.supportedFilesystems) config.boot.zfs.package;
   });
 
   # Provides a fake "docker" binary mapping to podman
@@ -184,6 +183,10 @@ in
 
     systemd.packages = [ cfg.package ];
 
+    systemd.services.podman.serviceConfig = {
+      ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
+    };
+
     systemd.services.podman-prune = {
       description = "Prune podman resources";
 
@@ -204,6 +207,10 @@ in
     systemd.sockets.podman.wantedBy = [ "sockets.target" ];
     systemd.sockets.podman.socketConfig.SocketGroup = "podman";
 
+    systemd.user.services.podman.serviceConfig = {
+      ExecStart = [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
+    };
+
     systemd.user.sockets.podman.wantedBy = [ "sockets.target" ];
 
     systemd.tmpfiles.packages = [
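Review bot: The `systemd.services.podman.serviceConfig` ExecStart override carries no comment explaining why it is needed, and the reason is not visible from this module alone: the packaged unit has `@@PODMAN@@` replaced with a bare `podman` (see the installPhase hunk in pkgs/applications/virtualization/podman/default.nix), which systemd resolves through the service's PATH at runtime, whereas this override pins `${cfg.package}/bin/podman` so the API service always runs the wrapper with its helper PATH and CONTAINERS_HELPER_BINARY_DIR. I would add above the attribute: `# The upstream unit execs a bare "podman" found via PATH; pin the wrapped binary so the API service uses the module's helper binaries. The leading "" clears upstream's ExecStart before appending.` The identical override for `systemd.user.services.podman.serviceConfig` in the following hunk needs the same note, and the shared command string could be a single `let` binding so the two cannot drift apart. The enclosing `config = lib.mkIf cfg.enable { ... }` attribute set starts and ends outside these hunks.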
diff --git a/pkgs/applications/virtualization/podman/default.nix b/pkgs/applications/virtualization/podman/default.nix
index 766a9fd1de50..d8bfa140fa87 100644
--- a/pkgs/applications/virtualization/podman/default.nix
+++ b/pkgs/applications/virtualization/podman/default.nix
@@ -14,52 +14,10 @@
 , go-md2man
 , nixosTests
 , python3
-, makeWrapper
-, symlinkJoin
-, extraPackages ? [ ]
-, runc
-, crun
-, conmon
-, slirp4netns
-, fuse-overlayfs
-, util-linux
-, iptables
-, iproute2
-, catatonit
-, gvproxy
-, aardvark-dns
-, netavark
 , testers
 , podman
 }:
 
-let
-  # do not add qemu to this wrapper, store paths get written to the podman vm config and break when GCed
-  binPath = lib.makeBinPath ([
-  ] ++ lib.optionals stdenv.isLinux [
-    runc
-    crun
-    conmon
-    slirp4netns
-    fuse-overlayfs
-    util-linux
-    iptables
-    iproute2
-  ] ++ extraPackages);
-
-  helpersBin = symlinkJoin {
-    name = "podman-helper-binary-wrapper";
-
-    # this only works for some binaries, others may need to be be added to `binPath` or in the modules
-    paths = [
-      gvproxy
-    ] ++ lib.optionals stdenv.isLinux [
-      aardvark-dns
-      catatonit # added here for the pause image and also set in `containersConf` for `init_path`
-      netavark
-    ];
-  };
-in
 buildGoModule rec {
   pname = "podman";
   version = "4.4.1";
@@ -80,9 +38,9 @@ buildGoModule rec {
 
   doCheck = false;
 
-  outputs = [ "out" "man" ];
+  outputs = [ "out" "man" ] ++ lib.optionals stdenv.isLinux [ "rootlessport" ];
 
-  nativeBuildInputs = [ pkg-config go-md2man installShellFiles makeWrapper python3 ];
+  nativeBuildInputs = [ pkg-config go-md2man installShellFiles python3 ];
 
   buildInputs = lib.optionals stdenv.isLinux [
     btrfs-progs
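Review bot: The new `"rootlessport"` entry in the `outputs` line is undocumented, and from this file alone a reader cannot tell why a helper binary gets its own derivation output instead of living in `$out/bin` as it did before. Its consumer is wrapper.nix, which adds `podman-unwrapped.rootlessport` to the `helpersBin` symlinkJoin that the wrapper exposes through CONTAINERS_HELPER_BINARY_DIR, so I would annotate the line: `# rootlessport gets its own output so wrapper.nix can expose it via the helper-binary dir`. Because the output exists only on Linux, any consumer referencing `podman-unwrapped.rootlessport` on another platform fails at evaluation; wrapper.nix guards this with `lib.optionals stdenv.isLinux`, and the comment could mention that guard. The `buildGoModule rec { ... }` attribute set continues past this hunk.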
@@ -94,16 +52,13 @@ buildGoModule rec {
     systemd
   ];
 
-  HELPER_BINARIES_DIR = "${helpersBin}/bin";
-  PREFIX = "${placeholder "out"}";
-
   buildPhase = ''
     runHook preBuild
     patchShebangs .
     ${if stdenv.isDarwin then ''
       make podman-remote # podman-mac-helper uses FHS paths
     '' else ''
-      make bin/podman bin/rootlessport bin/quadlet
+      make bin/podman bin/rootlessport
     ''}
     make docs
     runHook postBuild
@@ -111,20 +66,26 @@ buildGoModule rec {
 
   installPhase = ''
     runHook preInstall
+    mkdir -p {$out/{bin,etc,lib,share},$man} # ensure paths exist for the wrapper
     ${if stdenv.isDarwin then ''
-      install bin/darwin/podman -Dt $out/bin
+      mv bin/{darwin/podman,podman}
     '' else ''
-      make install.bin install.systemd
+      install -Dm644 contrib/tmpfile/podman.conf -t $out/lib/tmpfiles.d
+      for s in contrib/systemd/**/*.in; do
+        substituteInPlace "$s" --replace "@@PODMAN@@" "podman" # don't use unwrapped binary
+      done
+      PREFIX=$out make install.systemd
+      install -Dm555 bin/rootlessport -t $rootlessport/bin
     ''}
-    make install.completions install.man
-    wrapProgram $out/bin/podman \
-      --prefix PATH : ${lib.escapeShellArg binPath}
+    install -Dm555 bin/podman -t $out/bin
+    PREFIX=$out make install.completions
+    MANDIR=$man/share/man make install.man
     runHook postInstall
   '';
 
   postFixup = lib.optionalString stdenv.isLinux ''
-    RPATH=$(patchelf --print-rpath $out/bin/.podman-wrapped)
-    patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/.podman-wrapped
+    RPATH=$(patchelf --print-rpath $out/bin/podman)
+    patchelf --set-rpath "${lib.makeLibraryPath [ systemd ]}":$RPATH $out/bin/podman
   '';
 
   passthru.tests = {
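Review bot: `for s in contrib/systemd/**/*.in; do` in the installPhase depends on bash's `globstar` option, which I do not believe the stdenv build shell enables, so `**` degrades to a plain `*` and matches exactly one directory level; it works today only as long as upstream keeps its units at `contrib/systemd/{system,user}/*.in`, and writing `for s in contrib/systemd/*/*.in; do` states the real behaviour. Separately, the `--replace "@@PODMAN@@" "podman"` substitution leaves the installed units resolving podman through whatever PATH the service runs with, which is the pinned wrapper only when a consumer such as the NixOS module overrides ExecStart; the trailing `# don't use unwrapped binary` should spell that out, e.g. `# keep a bare "podman" so the unit picks up the wrapped binary from PATH; the NixOS module pins ExecStart explicitly`. The `buildGoModule rec { ... }` set that encloses these phases begins before the first hunk and ends after the last.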
@@ -0,0 +1,78 @@
+{ podman-unwrapped
+, runCommand
+, makeWrapper
+, symlinkJoin
+, lib
+, stdenv
+, extraPackages ? []
+, runc # Default container runtime
+, crun # Container runtime (default with cgroups v2 for podman/buildah)
+, conmon # Container runtime monitor
+, slirp4netns # User-mode networking for unprivileged namespaces
+, fuse-overlayfs # CoW for images, much faster than default vfs
+, util-linux # nsenter
+, iptables
+, iproute2
+, catatonit
+, gvproxy
+, aardvark-dns
+, netavark
+}:
+
+# do not add qemu to this wrapper, store paths get written to the podman vm config and break when GCed
+
+let
+  binPath = lib.makeBinPath ([
+  ] ++ lib.optionals stdenv.isLinux [
+    runc
+    crun
+    conmon
+    slirp4netns
+    fuse-overlayfs
+    util-linux
+    iptables
+    iproute2
+  ] ++ extraPackages);
+
+  helpersBin = symlinkJoin {
+    name = "${podman-unwrapped.pname}-helper-binary-wrapper-${podman-unwrapped.version}";
+
+    # this only works for some binaries, others may need to be be added to `binPath` or in the modules
+    paths = [
+      gvproxy
+    ] ++ lib.optionals stdenv.isLinux [
+      aardvark-dns
+      catatonit # added here for the pause image and also set in `containersConf` for `init_path`
+      netavark
+      podman-unwrapped.rootlessport
+    ];
+  };
+
+in runCommand podman-unwrapped.name {
+  name = "${podman-unwrapped.pname}-wrapper-${podman-unwrapped.version}";
+  inherit (podman-unwrapped) pname version passthru;
+
+  preferLocalBuild = true;
+
+  meta = builtins.removeAttrs podman-unwrapped.meta [ "outputsToInstall" ];
+
+  outputs = [
+    "out"
+    "man"
+  ];
+
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+} ''
+  ln -s ${podman-unwrapped.man} $man
+
+  mkdir -p $out/bin
+  ln -s ${podman-unwrapped}/etc $out/etc
+  ln -s ${podman-unwrapped}/lib $out/lib
+  ln -s ${podman-unwrapped}/share $out/share
+  makeWrapper ${podman-unwrapped}/bin/podman $out/bin/podman \
+    --set CONTAINERS_HELPER_BINARY_DIR ${helpersBin}/bin \
+    --prefix PATH : ${lib.escapeShellArg binPath}
+''
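Review bot: `in runCommand podman-unwrapped.name {` passes a positional derivation name that the `name = "${podman-unwrapped.pname}-wrapper-${podman-unwrapped.version}";` attribute on the very next line overrides, so the positional argument is dead text; pass the wrapper name directly, `in runCommand "${podman-unwrapped.pname}-wrapper-${podman-unwrapped.version}" {`, and drop the `name =` attribute. The `--set CONTAINERS_HELPER_BINARY_DIR ${helpersBin}/bin` in the makeWrapper call also deserves a comment, because `--set` (unlike `--set-default`) means the caller's environment cannot redirect podman to another helper directory, so conmon, netavark, aardvark-dns and rootlessport are always the pinned store paths rather than something found on the user's PATH — that looks intentional, and `# --set, not --set-default: helper binaries must be the pinned store paths, never taken from the environment` would record it. Since `binPath` only contains the runtime set under `lib.optionals stdenv.isLinux`, on Darwin the wrapper adds nothing but `extraPackages` and gvproxy, which is worth stating next to the existing qemu warning.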
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 3965e4224ed9..9379a920d59e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11010,7 +11010,8 @@ with pkgs;
 
   pocketbase = callPackage ../servers/pocketbase { };
 
-  podman = callPackage ../applications/virtualization/podman { };
+  podman = callPackage ../applications/virtualization/podman/wrapper.nix { };
+  podman-unwrapped = callPackage ../applications/virtualization/podman { };
 
   podman-compose = python3Packages.callPackage ../applications/virtualization/podman-compose {};
 