From 2c3dcbb9d09a9757c26a1bc34ba5b8f263a7e554 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Sat, 21 Sep 2019 16:18:42 +0200
Subject: [PATCH] Add cri-o service to modules (#68153)

Signed-off-by: Sascha Grunert
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/virtualisation/cri-o.nix | 106 +++++++++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 nixos/modules/virtualisation/cri-o.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index fb8453f1d53..775cc05aa0a 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -938,6 +938,7 @@
 ./virtualisation/anbox.nix
 ./virtualisation/container-config.nix
 ./virtualisation/containers.nix
+ ./virtualisation/cri-o.nix
 ./virtualisation/docker.nix
 ./virtualisation/docker-containers.nix
 ./virtualisation/ecs-agent.nix
diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix
new file mode 100644
index 00000000000..14a435f6c8b
--- /dev/null
+++ b/nixos/modules/virtualisation/cri-o.nix
@@ -0,0 +1,106 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.virtualisation.cri-o;
+in
+{
+ options.virtualisation.cri-o = {
+ enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
+
+ storageDriver = mkOption {
+ type = types.enum ["btrfs" "overlay" "vfs"];
+ default = "overlay";
+ description = "Storage driver to be used";
+ };
+
+ logLevel = mkOption {
+ type = types.enum ["trace" "debug" "info" "warn" "error" "fatal"];
+ default = "info";
+ description = "Log level to be used";
+ };
+
+ pauseImage = mkOption {
+ type = types.str;
+ default = "k8s.gcr.io/pause:3.1";
+ description = "Pause image for pod sandboxes to be used";
+ };
+
+ pauseCommand = mkOption {
+ type = types.str;
+ default = "/pause";
+ description = "Pause command to be executed";
+ };
+
+ registries = mkOption {
+ type = types.listOf types.str;
+ default = [ "docker.io" "quay.io" ];
+ description = "Registries to be configured for unqualified image pull";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs;
+ [ cri-o cri-tools conmon cni-plugins iptables runc utillinux ];
+ environment.etc."crictl.yaml".text = ''
+ runtime-endpoint: unix:///var/run/crio/crio.sock
+ '';
+ environment.etc."crio/crio.conf".text = ''
+ [crio]
+ storage_driver = "${cfg.storageDriver}"
+
+ [crio.image]
+ pause_image = "${cfg.pauseImage}"
+ pause_command = "${cfg.pauseCommand}"
+ registries = [
+ ${concatMapStringsSep ", " (x: "\"" + x + "\"") cfg.registries}
+ ]
+
+ [crio.runtime]
+ conmon = "${pkgs.conmon}/bin/conmon"
+ log_level = "${cfg.logLevel}"
+ manage_network_ns_lifecycle = true
+ '';
+ environment.etc."containers/policy.json".text = ''
+ {"default": [{"type": "insecureAcceptAnything"}]}
+ '';
+ environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
+ {
+ "cniVersion": "0.3.1",
+ "name": "crio-bridge",
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ }
+ '';
+
+ systemd.services.crio = {
+ description = "Container Runtime Interface for OCI (CRI-O)";
+ documentation = [ "https://github.com/cri-o/cri-o" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ path = [ pkgs.utillinux pkgs.runc pkgs.iptables ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${pkgs.cri-o}/bin/crio";
+ ExecReload = "/bin/kill -s HUP $MAINPID";
+ TasksMax = "infinity";
+ LimitNOFILE = "1048576";
+ LimitNPROC = "1048576";
+ LimitCORE = "infinity";
+ OOMScoreAdjust = "-999";
+ TimeoutStartSec = "0";
+ Restart = "on-abnormal";
+ };
+ };
+ };
+}
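Review bot: The hard-coded `environment.etc."containers/policy.json"` body in this hunk, `{"default": [{"type": "insecureAcceptAnything"}]}`, disables image signature verification for every registry and offers no module option to override it, so every host that sets `virtualisation.cri-o.enable` accepts unsigned images without being told. At minimum that line needs a why-comment such as `# NOTE: accepts unsigned images from all registries; expose as an option before relying on signature policy`, and ideally the policy becomes a `policy` option whose default is this value so operators can tighten it per host. Separately, `ExecReload = "/bin/kill -s HUP $MAINPID"` points at an absolute path NixOS does not normally populate; since `pkgs.utillinux` is already in the service `path` and should ship `kill`, `ExecReload = "${pkgs.utillinux}/bin/kill -s HUP $MAINPID";` is the conventional form. The registries list is also spliced into `crio.conf` by hand-quoting each entry; `${concatMapStringsSep ", " builtins.toJSON cfg.registries}` escapes the strings properly instead.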