159 lines
4.4 KiB
Nix
159 lines
4.4 KiB
Nix
|
{ config, lib, pkgs, ... }:
|
||
|
|
||
|
with lib;
|
||
|
let
|
||
|
cfg = config.virtualisation.cri-o;
|
||
|
|
||
|
crioPackage = pkgs.cri-o.override {
|
||
|
extraPackages = cfg.extraPackages
|
||
|
++ lib.optional (config.boot.supportedFilesystems.zfs or false) config.boot.zfs.package;
|
||
|
};
|
||
|
|
||
|
format = pkgs.formats.toml { };
|
||
|
|
||
|
cfgFile = format.generate "00-default.conf" cfg.settings;
|
||
|
in
|
||
|
{
|
||
|
meta = {
|
||
|
maintainers = teams.podman.members;
|
||
|
};
|
||
|
|
||
|
options.virtualisation.cri-o = {
|
||
|
enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
|
||
|
|
||
|
storageDriver = mkOption {
|
||
|
type = types.enum [ "aufs" "btrfs" "devmapper" "overlay" "vfs" "zfs" ];
|
||
|
default = "overlay";
|
||
|
description = "Storage driver to be used";
|
||
|
};
|
||
|
|
||
|
logLevel = mkOption {
|
||
|
type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
|
||
|
default = "info";
|
||
|
description = "Log level to be used";
|
||
|
};
|
||
|
|
||
|
pauseImage = mkOption {
|
||
|
type = types.nullOr types.str;
|
||
|
default = null;
|
||
|
description = "Override the default pause image for pod sandboxes";
|
||
|
example = "k8s.gcr.io/pause:3.2";
|
||
|
};
|
||
|
|
||
|
pauseCommand = mkOption {
|
||
|
type = types.nullOr types.str;
|
||
|
default = null;
|
||
|
description = "Override the default pause command";
|
||
|
example = "/pause";
|
||
|
};
|
||
|
|
||
|
runtime = mkOption {
|
||
|
type = types.nullOr types.str;
|
||
|
default = null;
|
||
|
description = "Override the default runtime";
|
||
|
example = "crun";
|
||
|
};
|
||
|
|
||
|
extraPackages = mkOption {
|
||
|
type = with types; listOf package;
|
||
|
default = [ ];
|
||
|
example = literalExpression ''
|
||
|
[
|
||
|
pkgs.gvisor
|
||
|
]
|
||
|
'';
|
||
|
description = ''
|
||
|
Extra packages to be installed in the CRI-O wrapper.
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
package = mkOption {
|
||
|
type = types.package;
|
||
|
default = crioPackage;
|
||
|
internal = true;
|
||
|
description = ''
|
||
|
The final CRI-O package (including extra packages).
|
||
|
'';
|
||
|
};
|
||
|
|
||
|
networkDir = mkOption {
|
||
|
type = types.nullOr types.path;
|
||
|
default = null;
|
||
|
description = "Override the network_dir option.";
|
||
|
internal = true;
|
||
|
};
|
||
|
|
||
|
settings = mkOption {
|
||
|
type = format.type;
|
||
|
default = { };
|
||
|
description = ''
|
||
|
Configuration for cri-o, see
|
||
|
<https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md>.
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
|
||
|
config = mkIf cfg.enable {
|
||
|
environment.systemPackages = [ cfg.package pkgs.cri-tools ];
|
||
|
|
||
|
environment.etc."crictl.yaml".source = "${cfg.package}/etc/crictl.yaml";
|
||
|
|
||
|
virtualisation.cri-o.settings.crio = {
|
||
|
storage_driver = cfg.storageDriver;
|
||
|
|
||
|
image = {
|
||
|
pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
|
||
|
pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
|
||
|
};
|
||
|
|
||
|
network = {
|
||
|
plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
|
||
|
network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
|
||
|
};
|
||
|
|
||
|
runtime = {
|
||
|
cgroup_manager = "systemd";
|
||
|
log_level = cfg.logLevel;
|
||
|
manage_ns_lifecycle = true;
|
||
|
pinns_path = "${cfg.package}/bin/pinns";
|
||
|
hooks_dir =
|
||
|
optional (config.virtualisation.containers.ociSeccompBpfHook.enable)
|
||
|
config.boot.kernelPackages.oci-seccomp-bpf-hook;
|
||
|
|
||
|
default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
|
||
|
runtimes = mkIf (cfg.runtime != null) {
|
||
|
"${cfg.runtime}" = { };
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
|
||
|
environment.etc."cni/net.d/10-crio-bridge.conflist".source = "${cfg.package}/etc/cni/net.d/10-crio-bridge.conflist";
|
||
|
environment.etc."cni/net.d/99-loopback.conflist".source = "${cfg.package}/etc/cni/net.d/99-loopback.conflist";
|
||
|
environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;
|
||
|
|
||
|
# Enable common /etc/containers configuration
|
||
|
virtualisation.containers.enable = true;
|
||
|
|
||
|
systemd.services.crio = {
|
||
|
description = "Container Runtime Interface for OCI (CRI-O)";
|
||
|
documentation = [ "https://github.com/cri-o/cri-o" ];
|
||
|
wantedBy = [ "multi-user.target" ];
|
||
|
after = [ "network.target" ];
|
||
|
path = [ cfg.package ];
|
||
|
serviceConfig = {
|
||
|
Type = "notify";
|
||
|
ExecStart = "${cfg.package}/bin/crio";
|
||
|
ExecReload = "/bin/kill -s HUP $MAINPID";
|
||
|
TasksMax = "infinity";
|
||
|
LimitNOFILE = "1048576";
|
||
|
LimitNPROC = "1048576";
|
||
|
LimitCORE = "infinity";
|
||
|
OOMScoreAdjust = "-999";
|
||
|
TimeoutStartSec = "0";
|
||
|
Restart = "on-abnormal";
|
||
|
};
|
||
|
restartTriggers = [ cfgFile ];
|
||
|
};
|
||
|
};
|
||
|
}
|