Unverified Commit 91bb1c6d authored by Yethal's avatar Yethal Committed by GitHub

oci-containers: consolidate capabilities interface (#363574)



* oci-containers: consolidate capabilities interface

* Update nixos/modules/virtualisation/oci-containers.nix

Improved wording

Co-authored-by: default avatarBenjamin Staffin <benley@zoiks.net>

---------

Co-authored-by: default avatarBenjamin Staffin <benley@zoiks.net>
parent d0110028
+8 −17
@@ -295,28 +295,19 @@ let
          '';
        };

        capAdd = mkOption {
        capabilities = mkOption {
          type = with types; lazyAttrsOf (nullOr bool);
          default = { };
          description = ''
            Capabilities to add to container
          '';
          example = literalExpression ''
            {
              SYS_ADMIN = true;
            {
          '';
        };

        capDrop = mkOption {
          type = with types; lazyAttrsOf (nullOr bool);
          default = { };
          description = ''
            Capabilities to drop from container
            Capabilities to configure for the container.
            When set to true, capability is added to the container.
            When set to false, capability is dropped from the container.
            When null, default runtime settings apply.
          '';
          example = literalExpression ''
            {
              SYS_ADMIN = true;
              SYS_WRITE = false;
            {
          '';
        };
@@ -441,10 +432,10 @@ let
        ++ optional (container.workdir != null) "-w ${escapeShellArg container.workdir}"
        ++ optional (container.privileged) "--privileged"
        ++ mapAttrsToList (k: _: "--cap-add=${escapeShellArg k}") (
          filterAttrs (_: v: v == true) container.capAdd
          filterAttrs (_: v: v == true) container.capabilities
        )
        ++ mapAttrsToList (k: _: "--cap-drop=${escapeShellArg k}") (
          filterAttrs (_: v: v == true) container.capDrop
          filterAttrs (_: v: v == false) container.capabilities
        )
        ++ map (d: "--device=${escapeShellArg d}") container.devices
        ++ map (n: "--network=${escapeShellArg n}") container.networks
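Review bot: The example for the new `capabilities` option uses `SYS_WRITE = false;` (the line added after `SYS_ADMIN = true;` in the first hunk), but no capability of that name exists in capabilities(7), so anyone copying the example would get a runtime rejection from the container backend; a capability from the runtime's default set, e.g. `NET_RAW = false;`, would make the example valid and also illustrate removing a default grant. The same example block still closes with `{` instead of `}` (a pre-existing slip, but the line now sits inside the rewritten option), so the snippet is not valid Nix either. Because the removed `capDrop` used `true` to mean "drop", a configuration migrated by renaming `capDrop` to `capabilities` without flipping its values would turn every drop into an add, which is the wrong direction for a privilege boundary; the description should say so, e.g. `This option replaces capAdd and capDrop; entries previously listed under capDrop must be set to false here.`, and if the submodule's imports permit a `mkRemovedOptionModule` for the two old names, the mistake becomes an evaluation error instead. The enclosing options submodule starts before the hunk.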
+52 −46
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
{
  system ? builtins.currentSystem,
  config ? { },
  pkgs ? import ../.. { inherit system config; },
  lib ? pkgs.lib,
}:

let

  inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;

  mkOCITest = backend: makeTest {
  mkOCITest =
    backend:
    makeTest {
      name = "oci-containers-${backend}";

    meta.maintainers = lib.teams.serokell.members
                       ++ (with lib.maintainers; [ benley ]);
      meta.maintainers = lib.teams.serokell.members ++ (with lib.maintainers; [ benley ]);

      nodes = {
      ${backend} = { pkgs, ... }: {
        ${backend} =
          { pkgs, ... }:
          {
            virtualisation.oci-containers = {
              inherit backend;
              containers.nginx = {
                image = "nginx-container";
                imageStream = pkgs.dockerTools.examples.nginxStream;
                ports = [ "8181:80" ];
            capAdd = {
                capabilities = {
                  CAP_AUDIT_READ = true;
            };
            capDrop = {
              CAP_AUDIT_WRITE = true;
                  CAP_AUDIT_WRITE = false;
                };
                privileged = false;
                devices = [
@@ -51,9 +53,13 @@ let
        output = json.loads(${backend}.succeed("${backend} inspect nginx --format json").strip())[0]
        ${backend}.succeed("systemctl stop ${backend}-nginx.service", timeout=10)
        assert output['HostConfig']['CapAdd'] == ["CAP_AUDIT_READ"]
      assert output['HostConfig']['CapDrop'] == ${if backend == "docker" then "[\"CAP_AUDIT_WRITE\"]" else "[]"} # Rootless podman runs with no capabilities so it cannot drop them
        assert output['HostConfig']['CapDrop'] == ${
          if backend == "docker" then "[\"CAP_AUDIT_WRITE\"]" else "[]"
        } # Rootless podman runs with no capabilities so it cannot drop them
        assert output['HostConfig']['Privileged'] == False
      assert output['HostConfig']['Devices'] == [{'PathOnHost': '/dev/random', 'PathInContainer': '/dev/random', 'CgroupPermissions': '${if backend == "docker" then "rwm" else ""}'}]
        assert output['HostConfig']['Devices'] == [{'PathOnHost': '/dev/random', 'PathInContainer': '/dev/random', 'CgroupPermissions': '${
          if backend == "docker" then "rwm" else ""
        }'}]
      '';
    };