Support for docker rootless #168

Open. Wants to merge 4 commits into base: main
47 changes: 31 additions & 16 deletions nixos-module.nix
@@ -1,9 +1,11 @@
{ config, lib, pkgs, ... }:
let
inherit (lib)
any
attrValues
mkIf
mkOption
mkEnableOption
mkMerge
types
;
@@ -25,24 +27,34 @@ let
type = arionSettingsType name;
visible = "shallow";
};
rootless = mkEnableOption "Run this project in rootless mode";
_systemd = mkOption { internal = true; };
};
config = {
_systemd.services."arion-${name}" = {
wantedBy = [ "multi-user.target" ];
after = [ "sockets.target" ];
config =
let

path = [
cfg.package
cfg.docker.client.package
];
environment.ARION_PREBUILT = config.settings.out.dockerComposeYaml;
script = ''
echo 1>&2 "docker compose file: $ARION_PREBUILT"
arion --prebuilt-file "$ARION_PREBUILT" up
'';
};
};
service = {
wantedBy = [ "multi-user.target" ];
after = [ "sockets.target" ];

path = [
cfg.package
cfg.docker.client.package
];
environment.ARION_PREBUILT = config.settings.out.dockerComposeYaml;
environment.DOCKER_HOST = mkIf config.rootless "unix:///run/user/1000/docker.sock"; # TODO: Do not hardcode path
script = ''
echo 1>&2 "docker compose file: $ARION_PREBUILT"
arion --prebuilt-file "$ARION_PREBUILT" up
'';
};

in
if false then
# if false then
{ _systemd.user.services."arion-${name}" = service; }
Member

Interesting. What is your use case for this?
I was expecting a system systemd service that runs entirely as a non-root user.
Both user and system systemd services seem like valid modes; even simultaneously.

Author @jooooscha, Oct 11, 2022

Yeah, somehow I thought docker and docker-rootless were mutually exclusive. I will change it to support both simultaneously.

Author

Wait, I am a little bit confused. Would you like to start all services as root services?
I think I would start rootless containers as user services, and normal containers as system services.

Member

Running a system service as a (system) user with rootless containers is a valid thing to do. It avoids potential confused deputy problems in the docker daemon.

You wouldn't be able to remove as many capabilities from the systemd unit as a non-containerized solution would, but presumably the rootless container runtime still removes those capabilities.

Author

Which kind of "deputy problems" do you mean?

I rather think this could create problems on multi-user setups, because the DOCKER_HOST socket is individual to every user.

But don't get me wrong; it certainly is your thing to decide.

else
{ _systemd.services."arion-${name}" = service; };
};

arionSettingsType = name:
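Review bot: the `if false then` guarding the user-service branch is a leftover placeholder, so `{ _systemd.user.services."arion-${name}" = service; }` is dead code and the new `rootless` option never changes which unit is generated; the condition should be the option that decides user-vs-system (`config.rootless`, or a dedicated option if both modes are meant to coexist), and the commented-out `# if false then` line should go. If the user-unit branch is revived, note that `wantedBy = [ "multi-user.target" ]` does not exist in the user manager; user units are normally pulled in via `default.target`. Separately, `environment.DOCKER_HOST = mkIf config.rootless "unix:///run/user/1000/docker.sock"` hardcodes UID 1000, as the TODO admits: on a host where the intended account is not UID 1000, or where several users each run a rootless daemon, the unit talks to the wrong socket or to none at all. Derive the path from the owning user instead, for example a `user` option on the project whose `uid` builds the socket path, or, for a user unit, let systemd expand it with `unix://%t/docker.sock`.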
@@ -64,7 +76,7 @@ in
};
package = mkOption {
type = types.package;

default = (import ./. { inherit pkgs; }).arion;
description = ''
Arion package to use. This will provide <literal>arion</literal>
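Review bot: whitespace-only change: the blank line after `type = types.package;` is removed but nothing here relates to rootless support, so consider leaving this hunk out to keep the diff focused on the feature.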
@@ -105,6 +117,9 @@ in
virtualisation.docker.enable = true;
virtualisation.arion.docker.client.package = pkgs.docker;
})
(mkIf (any (project: project.rootless) (attrValues cfg.projects)) {
virtualisation.docker.rootless.enable = true;
})
]
);
}
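Review bot: enabling `virtualisation.docker.rootless.enable` whenever any project sets `rootless` gives the generated `arion-${name}` system unit no ordering dependency on the rootless daemon. The rootless daemon runs inside a user's systemd instance, which only exists while that user has a session or lingering enabled, so a system service started at boot with `DOCKER_HOST` pointing at `/run/user/<uid>/docker.sock` fails until that user logs in, and `after = [ "sockets.target" ]` does not cover this. Either document that the socket owner needs lingering (`loginctl enable-linger <user>`) or generate the unit as a user service so it can be ordered after the user's `docker.service`. The `mkEnableOption "Run this project in rootless mode"` description should also say that setting it on one project turns on `virtualisation.docker.rootless` for the whole host, since a per-project flag is flipping a global option.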