Loading nixos/modules/services/misc/gitlab.md +5 −5 Original line number Diff line number Diff line Loading @@ -155,11 +155,11 @@ The [VM tested `podman-runner`](https://github.com/NixOS/nixpkgs/blob/master/nix **Container Images for Gitlab Jobs**: - `local/alpine`: An image based on Alpine with a Nix installation (variable `alpineImage`). (attribute `jobImages.alpine`). - `local/ubuntu`: An image based on Ubuntu with a Nix installation (variable `ubuntuImage`). (attribute `jobImages.ubuntu`). - `local/nix`: An image based on Nix which only comes with `nix` installed (variable `nixImage`). installed (attribute `jobImages.nix`). **Images for VM Setup**: - `local/nix-daemon-image`: An image with a Nix daemon which is Loading @@ -169,7 +169,7 @@ The [VM tested `podman-runner`](https://github.com/NixOS/nixpkgs/blob/master/nix (variable `podmanDaemonImage`). - Every job container runs in a `podman` container instance based by default on `ubuntuImage`. A pipeline job can override this with `image: local/alpine`. `jobImage.ubuntu`. A pipeline job can override this with `image: local/alpine`. - Each job container will have the `/nix/store` mounted from the container `nix-daemon-container` (see registration flags `--docker-volumes-from "nix-daemon-container:ro"`). Loading Loading @@ -202,7 +202,7 @@ The [VM tested `podman-runner`](https://github.com/NixOS/nixpkgs/blob/master/nix ::: {.note} Building container images with `buildah` (stripped `podman` for building images) inside a job which runs `alpineImage` `podman` for building images) inside a job which runs `jobImage.alpine` is still possible. ::: Loading nixos/tests/gitlab/runner/podman-runner/default.nix +146 −92 Original line number Diff line number Diff line Loading 
@@ -18,6 +18,10 @@ # - The `bootstrapPkgs` derivation is copied into the job containers # but without the Nix store paths cause they get provided by the # `nix-daemon-store` volume. # I cannot denote these volumes because they overmount the # shit which is in the image. # TODO: make a systemd service which starts before # that and creates some volumes and inits these from the image. # # - The `podman-daemon-socket` volume gets mounted to the job container # enabling it to use `podman`. Loading Loading @@ -77,16 +81,24 @@ let }; # This derivation will contain a folder `/etc` auxRootFiles = pkgs.callPackage ./root { }; files = pkgs.callPackage ./files { }; preBuildScript = pkgs.callPackage ./scripts/prebuild.nix { }; # These derivations are Linked into the job images root dir. bootstrapPkgs = [ pkgs.nix # Runtime dependencies of nix. pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.xz pkgs.cacert # Other stuff. (lib.hiPrio pkgs.coreutils) (lib.hiPrio pkgs.findutils) pkgs.openssh pkgs.bash pkgs.bashInteractive (lib.hiPrio pkgs.git) pkgs.cachix Loading @@ -94,7 +106,16 @@ let pkgs.podman # For nested containers. preBuildScript auxRootFiles files.containers files.nixConfig ]; # All these packages are added to the Nix daemon. nixStorePkgs = bootstrapPkgs ++ [ # These files files.basicRoot files.fakeNixpkgs ]; toEnvList = envs: lib.mapAttrsToList (k: v: "${k}=${v}") envs; Loading @@ -110,6 +131,8 @@ let # You can add here a user with uid,gid,uname,gname etc. # We are using root. extraPkgs = nixStorePkgs; nixConf = { cores = "0"; experimental-features = [ Loading @@ -126,8 +149,6 @@ let name = "local/nix-daemon"; tag = "latest"; contents = bootstrapPkgs; config = { Volumes = { "/nix/store" = { }; Loading Loading 
@@ -166,14 +187,34 @@ let }; }; jobImages = { # The base image jobImages = let extraCommands = '' set -eu # Set missing Nix directories. mkdir -p -m 0755 nix/var/log/nix/drvs mkdir -p -m 0755 nix/var/nix/{gcroots,profiles,temproots,userpool} mkdir -p -m 1777 nix/var/nix/{gcroots,profiles}/per-user mkdir -p -m 0755 nix/var/nix/profiles/per-user/root # Need a HOME. mkdir -vp root mkdir -p -m 0700 root/.nix-defexpr ''; in { # The Nix image. nix = pkgs.dockerTools.buildLayeredImage { fromImage = nixImageBase; name = imageNames.nix; tag = "latest"; contents = bootstrapPkgs; extraCommands = extraCommands + '' set -eu # For `/usr/bin/env`. mkdir -p usr && ln -s ../bin usr/bin ''; contents = bootstrapPkgs ++ [ files.basicRoot ]; # No store paths are copied into. We provide them by mounting the # /nix/store. includeStorePaths = false; Loading @@ -182,7 +223,7 @@ let Labels = noPruneLabels; Env = toEnvList envs.nix; }; maxLayers = 4; maxLayers = 2; }; # This is the analog image to `local/nix` but alpine based. Loading @@ -205,6 +246,8 @@ let name = imageNames.alpine; tag = "latest"; inherit extraCommands; contents = bootstrapPkgs; # No store paths are copied into. We provide them by mounting the # /nix/store. Loading @@ -212,11 +255,11 @@ let config = { Labels = noPruneLabels; Env = toEnvList envs.alpine; Env = toEnvList envs.nix; }; # Only if `build buildLayeredImage`. maxLayers = 15; maxLayers = 3; }); # This is the analog image to `local/nix` but ubuntu based. Loading @@ -240,6 +283,8 @@ let name = imageNames.ubuntu; tag = "latest"; inherit extraCommands; contents = bootstrapPkgs; # No store paths are copied into. We provide them by mounting the # /nix/store. Loading @@ -251,7 +296,7 @@ let }; # Only if `build buildLayeredImage`. maxLayers = 15; maxLayers = 3; }); }; Loading Loading 
@@ -293,27 +338,36 @@ let # Environment variables for all job containers. envs = rec { daemons = { common = { # Access to the nix daemon. NIX_REMOTE = "daemon"; # Access to podman. CONTAINER_HOST = "unix:///run/podman/podman.sock"; }; nix = daemons // { IMAGE_OS_DIST = "nixos"; }; alpine = daemons // { IMAGE_OS_DIST = "alpine"; USER = "root"; PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; # For shells, source this file. ENV = "${pkgs.nix}/etc/profile.d/nix-daemon.sh"; BASH_ENV = "${pkgs.nix}/etc/profile.d/nix-daemon.sh"; # Make a fake nixpkgs which throws when using # `nix repl -f <nixpkgs>` for example. NIX_PATH = "nixpkgs=${files.fakeNixpkgs}"; }; nix = common // { IMAGE_OS_DIST = "nix"; }; alpine = common // { IMAGE_OS_DIST = "alpine"; }; ubuntu = alpine // { ubuntu = common // { IMAGE_OS_DIST = "ubuntu"; }; }; Loading nixos/tests/gitlab/runner/podman-runner/files/basicRoot/etc/group 0 → 100644 +21 −0 Original line number Diff line number Diff line root:x:0: wheel:x:1: kmem:x:2: tty:x:3: messagebus:x:4: disk:x:6: audio:x:17: floppy:x:18: uucp:x:19: lp:x:20: cdrom:x:24: tape:x:25: video:x:26: dialout:x:27: utmp:x:29: adm:x:55: keys:x:96: users:x:100: input:x:174: nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9 nogroup:x:65534: nixos/tests/gitlab/runner/podman-runner/files/basicRoot/etc/nsswitch.conf 0 → 100644 +11 −0 Original line number Diff line number Diff line passwd: files mymachines systemd group: files mymachines systemd shadow: files hosts: files mymachines dns myhostname networks: files ethers: files services: files protocols: 
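Review bot: In the `@@ -212,11 +255,11 @@` hunk the Alpine image's environment becomes `Env = toEnvList envs.nix;` which, if the page's old-then-new print order is right, tags the Alpine job container with `IMAGE_OS_DIST = "nix"` and leaves `envs.alpine` (still defined as `alpine = common // { IMAGE_OS_DIST = "alpine"; }` in the `@@ -293` hunk) unused; it should stay `Env = toEnvList envs.alpine;`, or the `alpine` attribute should be dropped if the distinction is meant to go away. The Ubuntu image's `Env` line is outside its hunk, so whether it has the same mismatch cannot be seen here. Separately, the comment added in the `@@ -18,6 +18,10 @@` hunk (`# I cannot denote these volumes because they overmount the shit which is in the image.`) would read better as `# These volumes cannot be declared in the image config: a declared volume overmounts whatever the image ships at that path.` kept together with the existing TODO. The enclosing `let` block starts and ends outside every hunk, and this file section is rendered a second time further down the page, where the same points apply.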
files rpc: files nixos/tests/gitlab/runner/podman-runner/files/basicRoot/etc/passwd 0 → 100644 +34 −0 Original line number Diff line number Diff line root:x:0:0:System administrator:/root:/bin/bash nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin nixbld21:x:30021:30000:Nix build user 
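Review bot: The new `nsswitch.conf` lists NSS sources the images do not ship: `passwd: files mymachines systemd`, `group: files mymachines systemd` and `hosts: files mymachines dns myhostname` need `libnss_mymachines`, `libnss_systemd` and `libnss_myhostname` from systemd, and nothing in this commit adds systemd to `bootstrapPkgs`. glibc skips a source whose module cannot be loaded, so lookups should still succeed via `files` and `dns`, but the file then documents a resolution order the image cannot honour; `passwd: files`, `group: files` and `hosts: files dns` state the behaviour the image actually has. Only 9 of the 11 added lines are visible in this rendering, so the remainder may be blank lines lost on the page. The same file is rendered a second time further down the page.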
21:/var/empty:/run/current-system/sw/bin/nologin nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin Loading
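Review bot: Every non-root entry in the new `passwd` uses `/run/current-system/sw/bin/nologin` as its shell, a NixOS host path; nothing in this commit places `/run/current-system` into the job or daemon images, so the field presumably points at a file that does not exist there and only blocks logins by accident. A path that exists in the image makes the intent explicit, e.g. `/bin/false`, which should be present because coreutils is in `bootstrapPkgs` and those derivations are linked into the image root per the comment in default.nix. `root:x:0:0:System administrator:/root:/bin/bash` is consistent with the `USER = "root"` in `envs.common` and the `# We are using root.` comment, so that line is by design rather than a defect. The same file is rendered a second time further down the page.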
nixos/modules/services/misc/gitlab.md +5 −5 Original line number Diff line number Diff line Loading @@ -155,11 +155,11 @@ The [VM tested `podman-runner`](https://github.com/NixOS/nixpkgs/blob/master/nix **Container Images for Gitlab Jobs**: - `local/alpine`: An image based on Alpine with a Nix installation (variable `alpineImage`). (attribute `jobImages.alpine`). - `local/ubuntu`: An image based on Ubuntu with a Nix installation (variable `ubuntuImage`). (attribute `jobImages.ubuntu`). - `local/nix`: An image based on Nix which only comes with `nix` installed (variable `nixImage`). installed (attribute `jobImages.nix`). **Images for VM Setup**: - `local/nix-daemon-image`: An image with a Nix daemon which is Loading @@ -169,7 +169,7 @@ The [VM tested `podman-runner`](https://github.com/NixOS/nixpkgs/blob/master/nix (variable `podmanDaemonImage`). - Every job container runs in a `podman` container instance based by default on `ubuntuImage`. A pipeline job can override this with `image: local/alpine`. `jobImage.ubuntu`. A pipeline job can override this with `image: local/alpine`. - Each job container will have the `/nix/store` mounted from the container `nix-daemon-container` (see registration flags `--docker-volumes-from "nix-daemon-container:ro"`). Loading Loading @@ -202,7 +202,7 @@ The [VM tested `podman-runner`](https://github.com/NixOS/nixpkgs/blob/master/nix ::: {.note} Building container images with `buildah` (stripped `podman` for building images) inside a job which runs `alpineImage` `podman` for building images) inside a job which runs `jobImage.alpine` is still possible. ::: Loading
nixos/tests/gitlab/runner/podman-runner/default.nix +146 −92 Original line number Diff line number Diff line Loading @@ -18,6 +18,10 @@ # - The `bootstrapPkgs` derivation is copied into the job containers # but without the Nix store paths cause they get provided by the # `nix-daemon-store` volume. # I cannot denote these volumes because they overmount the # shit which is in the image. # TODO: make a systemd service which starts before # that and creates some volumes and inits these from the image. # # - The `podman-daemon-socket` volume gets mounted to the job container # enabling it to use `podman`. Loading Loading @@ -77,16 +81,24 @@ let }; # This derivation will contain a folder `/etc` auxRootFiles = pkgs.callPackage ./root { }; files = pkgs.callPackage ./files { }; preBuildScript = pkgs.callPackage ./scripts/prebuild.nix { }; # These derivations are Linked into the job images root dir. bootstrapPkgs = [ pkgs.nix # Runtime dependencies of nix. pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.xz pkgs.cacert # Other stuff. (lib.hiPrio pkgs.coreutils) (lib.hiPrio pkgs.findutils) pkgs.openssh pkgs.bash pkgs.bashInteractive (lib.hiPrio pkgs.git) pkgs.cachix Loading @@ -94,7 +106,16 @@ let pkgs.podman # For nested containers. preBuildScript auxRootFiles files.containers files.nixConfig ]; # All these packages are added to the Nix daemon. nixStorePkgs = bootstrapPkgs ++ [ # These files files.basicRoot files.fakeNixpkgs ]; toEnvList = envs: lib.mapAttrsToList (k: v: "${k}=${v}") envs; Loading @@ -110,6 +131,8 @@ let # You can add here a user with uid,gid,uname,gname etc. # We are using root. extraPkgs = nixStorePkgs; nixConf = { cores = "0"; experimental-features = [ Loading @@ -126,8 +149,6 @@ let name = "local/nix-daemon"; tag = "latest"; contents = bootstrapPkgs; config = { Volumes = { "/nix/store" = { }; Loading Loading 
@@ -166,14 +187,34 @@ let }; }; jobImages = { # The base image jobImages = let extraCommands = '' set -eu # Set missing Nix directories. mkdir -p -m 0755 nix/var/log/nix/drvs mkdir -p -m 0755 nix/var/nix/{gcroots,profiles,temproots,userpool} mkdir -p -m 1777 nix/var/nix/{gcroots,profiles}/per-user mkdir -p -m 0755 nix/var/nix/profiles/per-user/root # Need a HOME. mkdir -vp root mkdir -p -m 0700 root/.nix-defexpr ''; in { # The Nix image. nix = pkgs.dockerTools.buildLayeredImage { fromImage = nixImageBase; name = imageNames.nix; tag = "latest"; contents = bootstrapPkgs; extraCommands = extraCommands + '' set -eu # For `/usr/bin/env`. mkdir -p usr && ln -s ../bin usr/bin ''; contents = bootstrapPkgs ++ [ files.basicRoot ]; # No store paths are copied into. We provide them by mounting the # /nix/store. includeStorePaths = false; Loading @@ -182,7 +223,7 @@ let Labels = noPruneLabels; Env = toEnvList envs.nix; }; maxLayers = 4; maxLayers = 2; }; # This is the analog image to `local/nix` but alpine based. Loading @@ -205,6 +246,8 @@ let name = imageNames.alpine; tag = "latest"; inherit extraCommands; contents = bootstrapPkgs; # No store paths are copied into. We provide them by mounting the # /nix/store. Loading @@ -212,11 +255,11 @@ let config = { Labels = noPruneLabels; Env = toEnvList envs.alpine; Env = toEnvList envs.nix; }; # Only if `build buildLayeredImage`. maxLayers = 15; maxLayers = 3; }); # This is the analog image to `local/nix` but ubuntu based. Loading @@ -240,6 +283,8 @@ let name = imageNames.ubuntu; tag = "latest"; inherit extraCommands; contents = bootstrapPkgs; # No store paths are copied into. We provide them by mounting the # /nix/store. Loading @@ -251,7 +296,7 @@ let }; # Only if `build buildLayeredImage`. maxLayers = 15; maxLayers = 3; }); }; Loading Loading 
@@ -293,27 +338,36 @@ let # Environment variables for all job containers. envs = rec { daemons = { common = { # Access to the nix daemon. NIX_REMOTE = "daemon"; # Access to podman. CONTAINER_HOST = "unix:///run/podman/podman.sock"; }; nix = daemons // { IMAGE_OS_DIST = "nixos"; }; alpine = daemons // { IMAGE_OS_DIST = "alpine"; USER = "root"; PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; # For shells, source this file. ENV = "${pkgs.nix}/etc/profile.d/nix-daemon.sh"; BASH_ENV = "${pkgs.nix}/etc/profile.d/nix-daemon.sh"; # Make a fake nixpkgs which throws when using # `nix repl -f <nixpkgs>` for example. NIX_PATH = "nixpkgs=${files.fakeNixpkgs}"; }; nix = common // { IMAGE_OS_DIST = "nix"; }; alpine = common // { IMAGE_OS_DIST = "alpine"; }; ubuntu = alpine // { ubuntu = common // { IMAGE_OS_DIST = "ubuntu"; }; }; Loading
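--- /dev/null
+++ b/nixos/tests/gitlab/runner/podman-runner/files/basicRoot/etc/group
@@ -0,0 +1,21 @@
+root:x:0:
+wheel:x:1:
+kmem:x:2:
+tty:x:3:
+messagebus:x:4:
+disk:x:6:
+audio:x:17:
+floppy:x:18:
+uucp:x:19:
+lp:x:20:
+cdrom:x:24:
+tape:x:25:
+video:x:26:
+dialout:x:27:
+utmp:x:29:
+adm:x:55:
+keys:x:96:
+users:x:100:
+input:x:174:
+nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9
+nogroup:x:65534: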
nixos/tests/gitlab/runner/podman-runner/files/basicRoot/etc/nsswitch.conf 0 → 100644 +11 −0 Original line number Diff line number Diff line passwd: files mymachines systemd group: files mymachines systemd shadow: files hosts: files mymachines dns myhostname networks: files ethers: files services: files protocols: files rpc: files
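--- /dev/null
+++ b/nixos/tests/gitlab/runner/podman-runner/files/basicRoot/etc/passwd
@@ -0,0 +1,34 @@
+root:x:0:0:System administrator:/root:/bin/bash
+nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin
+nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin
+nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin
+nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin
+nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin
+nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin
+nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin
+nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin
+nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin
+nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin
+nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin
+nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin
+nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin
+nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin
+nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin
+nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin
+nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin
+nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin
+nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin
+nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin
+nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin
+nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin
+nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin
+nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin
+nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin
+nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin
+nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin
+nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin
+nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin
+nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin
+nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin
+nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin
+nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin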