├── .direnv
│   ├── flake-profile
│   ├── flake-profile-1-link
│   ├── flake-profile-2-link
│   ├── flake-profile-3-link
│   ├── flake-profile-4-link
│   ├── flake-profile-5-link
│   └── flake-profile-6-link
├── .gitignore
├── LICENSE
├── README.md
├── flake.lock
├── flake.nix
├── install-podman.sh
├── mess_capabilite.sh
├── podman.nix
├── policy.json
├── test_big-images.sh
├── test_binarys-in-path-versions.sh
├── test_configs.sh
├── test_exclude_loaded_image.sh
├── test_owner-of-file-creation-on-volume.sh
├── test_podman-rootless.sh
├── test_volume-permission.sh
├── test_volume-persistence.sh
└── tests.sh

/.direnv/flake-profile:
--------------------------------------------------------------------------------
flake-profile-6-link
--------------------------------------------------------------------------------
/.direnv/flake-profile-1-link:
--------------------------------------------------------------------------------
/nix/store/kqp01ykxbz1bvqms80jz4xbb08ki8afm-nix-shell-env
--------------------------------------------------------------------------------
/.direnv/flake-profile-2-link:
--------------------------------------------------------------------------------
/nix/store/r83cdwkpqc17959dcgkzz4krblbnls1j-nix-shell-env
--------------------------------------------------------------------------------
/.direnv/flake-profile-3-link:
--------------------------------------------------------------------------------
/nix/store/2d9irfp4gh5ng9mjm4f388zq5drfj56s-nix-shell-env
--------------------------------------------------------------------------------
/.direnv/flake-profile-4-link:
--------------------------------------------------------------------------------
/nix/store/3lmfqbpym1m6f53h548gbik6s068bgvp-nix-shell-env
--------------------------------------------------------------------------------
/.direnv/flake-profile-5-link:
--------------------------------------------------------------------------------
/nix/store/zdzd4a6ri51xb05fw1ji1lhxrnd9kz42-nix-shell-env
--------------------------------------------------------------------------------
/.direnv/flake-profile-6-link:
--------------------------------------------------------------------------------
/nix/store/wvyzyajarw0jd764xpdjy5xvvxgdsx08-nix-shell-env
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
result
.idea
.direnv
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 ES-Nix

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# podman-rootless
Example of using nix + flakes to have podman rootless working



```
nix flake clone github:ES-Nix/podman-rootless --dest podman-rootless

nix develop github:ES-Nix/podman-rootless/324855d116d15a0b54f33c9489cf7c5e6d9cd714 --command ./install-podman.sh && ./test_podman-rootless.sh

nix develop github:ES-Nix/podman-rootless/bffe8ae0d5b933b321e9fc0de25d992f5f5540d0
```

Two things to know before running the second line: `install-podman.sh` uses `sudo` to put file capabilities on the Nix-built `newuidmap`/`newgidmap` and writes a `policy.json` that accepts unsigned images, so read it first; and the `&& ./test_podman-rootless.sh` part only runs after `nix develop` has exited, so it runs with the host's PATH, not inside the dev shell.


## Install via git

```
git clone https://github.com/ES-Nix/podman-rootless.git
cd podman-rootless
git checkout bffe8ae0d5b933b321e9fc0de25d992f5f5540d0
nix develop
```



```
IMAGE_VERSION='localhost/nix-oci-dockertools:0.0.1'

podman run \
  --interactive \
  --rm=true \
  --tty=true \
  --workdir /code \
  --volume "$(pwd)":/code \
  "$IMAGE_VERSION" bash -c "sudo ls -al && id"
```


Other, somewhat harder tests:

```
podman \
  run \
  --interactive \
  --rm=true \
  --tty=true \
  python:3.8 \
  bash
```

```
podman \
  run \
  --interactive \
  --rm=true \
  --tty=true \
  blang/latex \
  bash
```

```
podman \
  run \
  --interactive \
  --rm=true \
  --tty=true \
  wernight/funbox \
  nyancat
```


## Notes

The behavior "the nix develop command which uses the devShell.${system}
flake output if it exists or defaultPackage.${system} otherwise.", [source](https://github.com/NixOS/nix/issues/2854#issuecomment-673923349),
is really important to understand the current working state.

[Additional groups in buildFHSUserEnv](https://nix-dev.science.uu.narkive.com/18BjYWWc/additional-groups-in-buildfhsuserenv) TL;DR it looks like (I am not sure) it is not possible.

##



```
nix build \
&& result/fsh-podman-rootless-env podman --help
```

### Troubleshooting

```
stat $(which newuidmap)
stat $(which newgidmap)
```

```
cat /proc/self/uid_map
podman unshare cat /proc/self/uid_map

whereis newuidmap
whereis newgidmap
```

```
ls "$HOME"/.config/containers
ls "$HOME"/.local/share/containers

rm -rf ~/.config/containers ~/.local/share/containers
```

Use `--log-level=debug`, it is really useful!


`podman unshare cat /proc/self/uid_map` [from](https://github.com/containers/podman/issues/3890#issuecomment-525275812)
Meaning of this in https://github.com/containers/podman/issues/3890#issuecomment-525276385
In short: the first line of that map is your own uid mapped to 0 inside the namespace, and the lines after it are the `/etc/subuid` range that `newuidmap` applied; a map with a single line means no subordinate ids were applied at all.

```
filecap /usr/bin/newuidmap
filecap $(which newuidmap)   # TODO: not tested
```

`ls -l /usr/bin/new{uid,gid}*`


TODO: reproduce it using QEMU?
https://github.com/containers/podman/issues/3890#issuecomment-525298907
https://github.com/containers/podman/issues/3890#issuecomment-525331569


```
UID_INSIDE=$(podman run --name UID_probe --rm foo-image /usr/bin/id -u)
podman unshare chown -R "$UID_INSIDE" volumes

podman run --pod foo-pod --name foo \
  --rm \
  -v "$VOLUMES"/data:"$CONTAINER"/data \
  foo-image
```
https://github.com/containers/podman/issues/7778#issuecomment-698845316


TODO: important!
https://github.com/NixOS/nixpkgs/issues/112902

About the `profile` in the [buildFHSUserEnv](https://nixos.org/manual/nixpkgs/stable/#sec-fhs-environments), [gsc.io sec-fhs-environments](https://gsc.io/70266391-48a6-49be-ab5d-acb5d7f17e76-nixpkgs/doc/nixpkgs-manual/html/sec-fhs-environments.html)
https://github.com/NixOS/nixpkgs/pull/80457/files#diff-aff959a600d3441934b3b905339c0f90dcd8122e8774ee2dbcae35d72f349991R152

IHaskell + jupyter + notebook + buildFHSUserEnv
https://vaibhavsagar.com/blog/2018/03/17/faking-non-nixos-stack/

I've downloaded a binary, but I can't run it, what can I do? buildFHSUserEnv
https://nixos.wiki/wiki/FAQ#How_can_I_manage_software_with_nix-env_like_with_configuration.nix.3F

TODO: what is this?
https://discourse.nixos.org/t/setting-run-user-with-oci-containers-and-systemd/9900/8

### Faced an annoying behavior:

The podman command was in PATH, and it must not be, so I did:

```
which podman

nix-env --query | cat

nix-env --uninstall podman-wrapper-2.1.1
```

An improved version:
```
nix-env --query --installed --out-path | cat
```


```
podman unshare cat /proc/self/uid_map
```
"If this only shows 1 line, then you have not set up
/etc/subuid and /etc/subgid properly or your newuidmap and newgidmap tools are not installed properly."
[from](https://github.com/containers/podman/issues/2788#issuecomment-702381214)

## WIP with

```
git clone https://github.com/ES-Nix/podman-rootless.git
cd podman-rootless
git checkout X

nix develop
```

Why does `sudo --preserve-env su -c 'nix develop'` print:
```
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
Entering the nix devShell
bash: cannot set terminal process group (14581): Inappropriate ioctl for device
bash: no job control in this shell
```

Why, even using `nix develop --ignore-environment`, is the docker binary still in PATH?
See `readlink $(which docker)`.

TODO: maybe this is the problem?

```
ls /etc/cni/net.d/
ls /opt/cni/bin
```

https://github.com/containers/podman/issues/3679#issuecomment-588187954

`ls /nix/store/* | grep cni-`

`sudo podman --log-level=debug images`

`dpkg-query -L podman` [Incompatibilities of podman from docker on Travis CI](https://github.com/containers/podman/issues/3679)

Probably one of the problems, missing this file: https://github.com/containers/podman/tree/master/cni

Use something like this to test the CNI: `podman run --network foo --rm -it alpine ls`
https://github.com/containers/podman/issues/2909#issuecomment-579490909
https://github.com/containernetworking/cni/issues/770#issuecomment-641551771

TODO: how to check it?
`ip link add cni-podman0 type bridge`
https://github.com/containers/podman/issues/4114#issuecomment-535849590

## Credits and history

TODO: improve it, I am busy trying to make it work first.

- While searching for some problem that I was facing I found
[this issue comment](https://github.com/NixOS/nixpkgs/issues/65202#issuecomment-558775869) from
[adisbladis](https://github.com/adisbladis), it was pointing to
[a gist that he had done](https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947). I didn't
test it in [NixOS](https://gist.github.com/adisbladis/187204cb772800489ee3dac4acdd9947), but was able
to use the `nix-shell` (it was intended to be used as `nix-shell`) and transform it into a flake and do
some crazy stuff to combine it in other flakes; take a look at the
[example of nix, flakes, shellHook, writeShellScriptBin, defaultPackage, all together](https://github.com/ES-Nix/nix-flakes-shellHook-writeShellScriptBin-defaultPackage)
that uses what I did in this rev [170f002d76070b1d281cf7e6868076bcfb1fea07](https://github.com/ES-Nix/podman-rootless/tree/170f002d76070b1d281cf7e6868076bcfb1fea07).
But I faced a problem, the file system, yes, even this kind of stuff can make things break. Podman was working really ok,
but when I tried to load a "big" [OCI image](https://github.com/opencontainers/image-spec) with size > 0.5Gbyte it broke.
The podman maintainers say "[We recommend using fuse-overlayfs instead, as it is capable of deduplicating storage.](https://github.com/containers/podman/issues/3846#issuecomment-522332015)"
So now I am trying to use [buildFHSUserEnv](https://gsc.io/70266391-48a6-49be-ab5d-acb5d7f17e76-nixpkgs/doc/nixpkgs-manual/html/sec-fhs-environments.html), definition in nixpkgs [buildFHSUserEnv](https://github.com/NixOS/nixpkgs/blob/cb6d8368a3f6484c1c7f27475b8b4ebe0275dc1a/pkgs/build-support/build-fhs-userenv/default.nix)
to solve it, adapting what [danieldk commented](https://github.com/NixOS/nixpkgs/issues/65202#issuecomment-593103989).
- https://www.youtube.com/watch?v=RDzsrmMl48I


## About Filesystem Hierarchy Standard (FHS)

- Excellent: [On Nix, NixOS and the Filesystem Hierarchy Standard (FHS)](http://sandervanderburg.blogspot.com/2011/11/on-nix-nixos-and-filesystem-hierarchy.html)
- Sander van der Burg is the creator of [buildFHSUserEnv](https://gsc.io/70266391-48a6-49be-ab5d-acb5d7f17e76-nixpkgs/doc/nixpkgs-manual/html/sec-fhs-environments.html), must read: [Composing FHS-compatible chroot environments with Nix (or deploying Steam in NixOS)](http://sandervanderburg.blogspot.com/2013/09/composing-fhs-compatible-chroot.html)
- Podman official documentation: [Unsupported file systems in rootless mode](http://docs.podman.io/en/latest/markdown/podman.1.html#note-unsupported-file-systems-in-rootless-mode)
- Maintainers in the podman repository ["we recommend using fuse-overlayfs"](https://github.com/containers/podman/issues/3846#issuecomment-522332015)
- [Rootless Containers](https://rootlesscontaine.rs)

- YouTube ExplainingComputers: [Explaining File Systems: NTFS, exFAT, FAT32, ext4 & More](https://www.youtube.com/watch?v=_h30HBYxtws)
- YouTube Joe Collins: [Learning the Linux File System](https://www.youtube.com/watch?v=HIXzJ3Rz9po)
- YouTube EuroBSDCon2014: [FUSE and beyond: bridging filesystems by Emmanuel Dreyfus](https://www.youtube.com/watch?v=Yd6dy98BRtQ)
- YouTube The Linux Man: [Linux File System Types](https://www.youtube.com/watch?v=g7OkSvioFlU)
- developer.ibm [Anatomy of ext4](https://developer.ibm.com/technologies/systems/tutorials/l-anatomy-ext4/)
- [Linux Filesystems: Where did they come from? [linux.conf.au 2014]](https://www.youtube.com/watch?v=SMcVdZk7wV8)
- TODO watch it [A Study of Linux File System Evolution](https://www.usenix.org/conference/fast13/technical-sessions/presentation/lu)
- TODO find scientific papers that go even deeper into all this [Understanding Linux filesystems: ext4 and beyond](https://opensource.com/article/18/4/ext4-filesystem)
- TODO replicate it using flakes [Making a Simple Deb Package NixOS Compatible (Mathematica's wolframscript)](https://unix.stackexchange.com/questions/520675/making-a-simple-deb-package-nixos-compatible-mathematicas-wolframscript)


[RAID 0, RAID 1, RAID 10 - All You Need to Know as Fast As Possible](https://www.youtube.com/watch?v=eE7Bfw9lFfs),
it looks like it is really old and [SSDs have changed it all](https://www.youtube.com/watch?v=eE7Bfw9lFfs&lc=UgwKswMApMLxMfVBK0V4AaABAg.8w0pXYZxjGI9-gxFP336ZB)
[RAID 5 & RAID 6 - All You Need to Know as Fast As Possible](https://www.youtube.com/watch?v=1P8ZecG9iOI).

Explains the history in the beginning: [btrfs: The Best Filesystem You've Never Heard Of](https://www.youtube.com/watch?v=-m01x3gHNjg)
[Deploying Btrfs at Facebook Scale - Josef Bacik, Facebook](https://www.youtube.com/watch?v=U7gXR2L05IU)

[File Systems | Which One is the Best? ZFS, BTRFS, or EXT4](https://www.youtube.com/watch?v=HdEozE2gN9I)


[All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent Applications](https://www.usenix.org/conference/osdi14/technical-sessions/presentation/pillai)

TODO: Try to make it work:
https://discourse.nixos.org/t/build-a-yocto-rootfs-inside-nix/2643/22

TODO: Find the refs it cites [In-depth: ELF - The Extensible & Linkable Format](https://www.youtube.com/watch?v=nC1U1LJQL8o)
and find an example of a hardcoded path in the ELF and make one working example from zero.
[2013 Day2P18 LoB: ELF Intro](https://www.youtube.com/watch?v=t09LFtfy4JU)
[1 Handmade Linux x86 executables: ELF header](https://www.youtube.com/watch?v=XH6jDiKxod8) and
[2 Handmade Linux x86 executables: Hello, world](https://www.youtube.com/watch?v=F9roqf2oTVk).


## Running as root





```
sudo \
  --preserve-env \
  su \
  --preserve-env \
  root \
  -c 'nix develop --ignore-environment'
```

```
su \
  --preserve-env \
  pedro \
  -c 'echo 123 | sudo --stdin podman images'
```
(`123` stands in for the password; piping it like this leaves it in the shell history and visible in the process list, so only do it on a throwaway test box.)

Why does `--login` give problems? It somehow messes with the terminal!

0b4d0714bfaab2d3fd45176699658c1ae5437742


```
git clone https://github.com/ES-Nix/podman-rootless.git
cd podman-rootless
git checkout 0b4d0714bfaab2d3fd45176699658c1ae5437742
nix develop
```


```
sudo \
  --preserve-env \
  su \
  --preserve-env \
  root \
  -c 'nix develop --ignore-environment github:ES-Nix/podman-rootless'
```

--------------------------------------------------------------------------------
/flake.lock:
--------------------------------------------------------------------------------
{
  "nodes": {
    "flake-utils": {
      "locked": {
        "lastModified": 1610051610,
        "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1613434981,
        "narHash": "sha256-Q6JRyPs5g2AXov/yEof//jOOiQ/VZVxrSYC7jiCEhSE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "82abb66345f583001009f1be36f81c4082098011",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

--------------------------------------------------------------------------------
/flake.nix:
--------------------------------------------------------------------------------
{
  description = "This is a nix flake podman rootless package";

  inputs.flake-utils.url = "github:numtide/flake-utils";

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        # Use the system being evaluated instead of a hard-coded "x86_64-linux";
        # otherwise every other system in eachDefaultSystem gets x86_64 binaries.
        pkgsAllowUnfree = import nixpkgs {
          inherit system;
          config = { allowUnfree = true; };
        };

      in
      {
        packages.podman = import ./podman.nix {
          pkgs = pkgs;
        };

        #defaultPackage = import ./podman.nix {
        #  pkgs = pkgs;
        #};

        devShell = pkgsAllowUnfree.mkShell {
          buildInputs = with pkgsAllowUnfree; [
            neovim
            #self.defaultPackage.${system}
            self.packages.${system}.podman
          ];
          shellHook = ''
            echo "Entering the nix devShell"
            echo ${self.packages.${system}.podman}

            ls -al ${self.packages.${system}.podman}/opt/cni
            # Creates a directory on the host: needs write access to /opt, so for a
            # normal user it prints an error and the hook carries on.
            mkdir --parent /opt/cni/bin/
            #ln --symbolic --force ${self.packages.${system}.podman}/opt/cni/bin /opt/cni/bin
            exec ${self.packages.${system}.podman}/fsh-podman-rootless-env
            #script-exemple
          '';
        };
      });
}

--------------------------------------------------------------------------------
/install-podman.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


# Resolve the store paths behind the PATH entries: setcap must be applied to the real file.
NEWUIDMAP=$(readlink --canonicalize "$(which newuidmap)")
NEWGIDMAP=$(readlink --canonicalize "$(which newgidmap)")

# Rootless podman needs newuidmap/newgidmap to be privileged. Distros ship them
# setuid root; here the setuid bit is swapped for the one file capability each
# binary actually needs. This writes an xattr onto a file in the Nix store, so it
# only works where the store is writable by root (on NixOS /nix/store is mounted
# read-only and setcap fails).
sudo setcap cap_setuid+ep "$NEWUIDMAP"
sudo setcap cap_setgid+ep "$NEWGIDMAP"

sudo chmod -s "$NEWUIDMAP"
sudo chmod -s "$NEWGIDMAP"


# This policy turns off image signature verification for every transport.
# Fine for a local test rig; do not reuse it anywhere that pulls images unattended.
cat << EOF > policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}
EOF

--------------------------------------------------------------------------------
/mess_capabilite.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


# Shows whether the uid/gid map helpers are privileged: look for the setuid bit
# in the stat output or for cap_setuid/cap_setgid in the getcap output.
NEWUIDMAP=$(which newuidmap)
echo "NEWUIDMAP=$NEWUIDMAP"
getcap "$NEWUIDMAP"
echo

stat "$(which newuidmap)"
stat "$(which newgidmap)"

getcap "$(which newuidmap)"
getcap "$(which newgidmap)"

#setcap cap_setuid+ep $(which newuidmap)
#setcap cap_setgid+ep $(which newgidmap)

--------------------------------------------------------------------------------
/podman.nix:
--------------------------------------------------------------------------------
{ pkgs ? import <nixpkgs> {} }:

let

  fhs = pkgs.buildFHSUserEnv {

    name = "fsh-podman-rootless-env";

    targetPkgs = pkgs: with pkgs;
      [
        conmon
        cni
        cni-plugins # https://github.com/containers/podman/issues/3679
        etcFiles
        fuse-overlayfs
        file
        podman
        libcap
        runc
        skopeo
        slirp4netns
        shadow
        dbus
        hello # just for tests
        scriptExample
        unixtools.whereis
        which
      ];

    multiPkgs = pkgs: with pkgs; [ zlib ];

    #extraBuildCommands = ''
    #  mkdir --parent $out/test-extraBuildCommands
    #'';

    #extraInstallCommands = ''
    #  mkdir --parent $out/etc/containers
    #'';

    runScript = "bash";
  };

  scriptExample = pkgs.writeShellScriptBin "script-example" ''
    #!${pkgs.runtimeShell}
    echo 'A bash script example!'
  '';

  registriesConf = pkgs.writeText "registries.conf" ''
    [registries.search]
    registries = ['docker.io']
    [registries.block]
    registries = []
  '';
  # skopeo's default-policy.json is "insecureAcceptAnything": no signature checks,
  # the same policy install-podman.sh writes.
  etcFiles = pkgs.runCommandNoCC "setup-etc" {} ''
    mkdir --parent $out/etc/containers
    ln --symbolic ${pkgs.skopeo.src}/default-policy.json \
      $out/etc/containers/policy.json
    ln --symbolic ${registriesConf} $out/etc/containers/registries.conf

    # buildFHSUserEnv exposes the real root filesystem at /host, so these point
    # at the host's subordinate id tables, which newuidmap/newgidmap read.
    ln --symbolic /host/etc/subuid $out/etc/subuid
    ln --symbolic /host/etc/subgid $out/etc/subgid
  '';


in pkgs.stdenv.mkDerivation {
  name = "fhs-env-derivation";

  # https://nix.dev/anti-patterns/language.html#reproducability-referencing-top-level-directory-with
  src = builtins.path { path = ./.; };

  nativeBuildInputs = [ fhs scriptExample ];
  buildInputs = [ etcFiles ];
  installPhase = ''
    mkdir --parent $out
    ln --symbolic --force ${fhs}/bin/fsh-podman-rootless-env $out/fsh-podman-rootless-env
    ln --symbolic --force ${etcFiles}/etc $out/etc

    mkdir --parent $out/opt/cni/
    mkdir --parent $out/test/abc
    ln --symbolic --force ${pkgs.cni-plugins}/bin/ $out/test/abc
    ln --symbolic --force ${pkgs.cni-plugins}/bin/ $out/opt/cni/

  '';
  phases = [ "installPhase" "fixupPhase"];
}

--------------------------------------------------------------------------------
/policy.json:
--------------------------------------------------------------------------------
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}

--------------------------------------------------------------------------------
/test_big-images.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


# Large images are what broke the earlier storage setup (see "Credits and history"
# in the README); each of these must pull and start cleanly on fuse-overlayfs.

# This image is > 850MB
podman \
  run \
  --interactive \
  --network host \
  --rm \
  --tty \
  python:3.9 \
  bash -c 'python --version'

# This image is > 2.5Gbytes
podman \
  run \
  --interactive \
  --network host \
  --rm \
  --tty \
  jupyter/scipy-notebook \
  bash -c 'python --version'

# This image is > 4Gbytes
podman \
  run \
  --interactive \
  --network host \
  --rm \
  --tty \
  jupyter/datascience-notebook:r-4.0.3 \
  bash -c 'python --version'

# This image is > 4Gbytes
podman \
  run \
  --interactive \
  --network host \
  --rm \
  --tty \
  blang/latex \
  bash -c 'pdflatex --version'

--------------------------------------------------------------------------------
/test_binarys-in-path-versions.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail

podman --version

conmon --version
skopeo --version
runc --version

--------------------------------------------------------------------------------
/test_configs.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


# Why this changed location?
#stat ~/.config/containers/policy.json
#stat ~/.config/containers/registries.conf

stat /etc/containers/policy.json
stat /etc/containers/registries.conf

--------------------------------------------------------------------------------
/test_exclude_loaded_image.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


#curl -fsSL https://get.docker.com | sudo sh \
#&& sudo usermod --append --groups docker "$USER" \
#&& docker --version \
#&& sudo reboot

docker pull alpine:3.13.0


# Removes every image in the rootless podman storage, not only alpine.
podman images --quiet | xargs --no-run-if-empty podman rmi --force
podman images

docker save alpine:3.13.0 --output=oci_apine3_13_0


stat oci_apine3_13_0
# Note: The file command may not be in the environment.
file oci_apine3_13_0 | grep tar


podman load < oci_apine3_13_0
podman images

nix build github:ES-Nix/poetry2nix-examples/424f84dbc089f448a7400292f78b903e44c7f074#poetry2nixOCIImage
file result
file --dereference result

podman load < result

podman images

## TODO: publish ports, test it!
#podman \
#run \
#--interactive \
#--network host \
#--publish=5000:5000 \
#--rm \
#--tty \
#localhost/numtild-dockertools-poetry2nix:0.0.1 \
#nixfriday
#
#docker \
#run \
#--interactive \
#--network host \
#--publish=5000:5000 \
#--rm \
#--tty \
#numtild-dockertools-poetry2nix:0.0.1 \
#nixfriday

rm --force --verbose oci_apine3_13_0

--------------------------------------------------------------------------------
/test_owner-of-file-creation-on-volume.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail



# Inside the container this runs as uid 0. Rootless podman maps uid 0 back to the
# uid that started podman, so the file created in the bind-mounted directory shows
# up on the host owned by you, not by root.
podman \
  run \
  --interactive \
  --rm \
  --tty \
  --workdir /code \
  --volume "$(pwd)":/code \
  alpine:3.13.0 \
  sh -c 'id && touch my-file.txt && stat my-file.txt'

stat my-file.txt
echo

id

echo

# If it is removed with no errors (and no sudo) the test is supposed to be ok
rm my-file.txt

--------------------------------------------------------------------------------
/test_podman-rootless.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


podman \
  run \
  --interactive=true \
  --network host \
  --rm=true \
  --tty=true \
  tianon/toybox \
  sh -c id


podman \
  run \
  --interactive \
  --network host \
  --rm=true \
  --tty=true \
  busybox:1.32.1-musl \
  sh -c id


podman \
  run \
  --interactive=true \
  --network host \
  --rm=true \
  --tty=true \
  --workdir /code \
  --volume "$(pwd)":/code \
  alpine:3.13.0 \
  sh -c 'id'


podman \
  run \
  --interactive \
  --network host \
  --rm=true \
  --tty \
  --user=nobody \
  ubuntu:20.04 \
  bash -c 'id'


podman \
  run \
  --interactive \
  --network host \
  --rm=true \
  --tty=true \
  --user=nobody \
  --workdir /code \
  --volume "$(pwd)":/code \
  alpine:3.13.0 \
  sh -c 'id'


podman \
  run \
  --interactive \
  --network host \
  --rm=true \
  --tty=true \
  ubuntu:20.04 \
  bash -c 'apt update && apt install -y curl'


podman \
  run \
  --interactive \
  --network host \
  --rm=true \
  --tty=true \
  --workdir /code \
  --volume "$(pwd)":/code \
  alpine:3.13.0 \
  sh -c 'apk add --no-cache curl && curl google.com'


# From: https://github.com/containernetworking/cni/issues/770#issuecomment-641532110

podman \
  run \
  --interactive=true \
  --network=host \
  --rm=true \
  --tty=true \
  alpine:3.13.0 \
  sh -c 'ip addr show'

--------------------------------------------------------------------------------
/test_volume-permission.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


# The bind-mounted directory keeps the host user's uid, which rootless podman maps
# to uid 0 inside the container, so as root the mount looks owned by root.
# (alpine has no bash, so the commands run with sh.)
podman \
  run \
  --name=service \
  --rm=true \
  --tty=true \
  --user='root:root' \
  --workdir=/code \
  --volume="$(pwd)":/code \
  alpine:3.13.0 \
  sh -c 'id && stat /code'


# As an unprivileged user inside the container the same mount belongs to someone
# else (root), so whether it is writable depends only on the directory's mode bits.
# alpine:3.13.0 has no app_user account; nobody is the unprivileged user here, as in
# test_podman-rootless.sh.
podman \
  run \
  --name=service \
  --rm=true \
  --tty=true \
  --user=nobody \
  --workdir=/code \
  --volume="$(pwd)":/code \
  alpine:3.13.0 \
  sh -c 'id && stat /code'

--------------------------------------------------------------------------------
/test_volume-persistence.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


podman volume create hostvolumetest


# A named volume lives in podman's own storage, so the file written by the first
# container must still be there when a second container mounts the same volume.
podman \
  run \
  --interactive \
  --name=testvolume1 \
  --tty \
  --workdir /code \
  --volume hostvolumetest:/code \
  alpine:3.13.0 \
  sh -c 'id && touch my-file.txt && stat my-file.txt'

podman \
  run \
  --interactive \
  --name=testvolume2 \
  --tty \
  --workdir /code \
  --volume hostvolumetest:/code \
  alpine:3.13.0 \
  sh -c 'stat my-file.txt'


podman rm testvolume1 testvolume2
podman volume rm hostvolumetest

--------------------------------------------------------------------------------
/tests.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash


# See https://vaneyckt.io/posts/safer_bash_scripts_with_set_euxo_pipefail/
set -euxo pipefail


./test_binarys-in-path-versions.sh

./test_configs.sh
./test_exclude_loaded_image.sh
./test_podman-rootless.sh

./test_owner-of-file-creation-on-volume.sh

--------------------------------------------------------------------------------
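The README's Troubleshooting section (`podman unshare cat /proc/self/uid_map`, the `/etc/subuid` check, `stat`/`getcap` on `newuidmap`) and `test_owner-of-file-creation-on-volume.sh` all come down to reading the uid map correctly. The script below is an added example written for this page, not a file of the ES-Nix/podman-rootless repository: it turns those one-liners into functions that take captured text (so the logic runs on the constructed samples embedded in it, without podman), checks whether `newuidmap`/`newgidmap` carry either the setuid bit or the file capability that `install-podman.sh` sets, and computes which host uid a file written by a given container uid ends up with. The file name `check-rootless.sh`, the sample `uid_map` and `subuid` contents and the user name `pedro` are assumptions; `stat -c %a`, `getcap` and `readlink -f` are the coreutils, libcap and shadow tools the FHS env already ships, and 65536 is the range `useradd` allocates by default.

```sh
#!/usr/bin/env sh
# check-rootless.sh: added example, not a file of the ES-Nix/podman-rootless repo.
# Turns the one-liners from the README's Troubleshooting section into checks and
# shows the uid arithmetic behind test_owner-of-file-creation-on-volume.sh.
# The functions take their input as text, so they run against the constructed
# samples below without podman; `--run` performs the live check on this host.
set -eu

# Number of mapping lines in a uid_map/gid_map. Inside `podman unshare` a working
# rootless setup shows at least two: your own uid mapped to 0, and the /etc/subuid
# range mapped to 1..N. One line means the subordinate ids were never applied
# (no /etc/subuid entry for you, or an unprivileged newuidmap).
idmap_line_count() {
    printf '%s\n' "$1" | awk 'NF == 3 { n++ } END { print n + 0 }'
}

# Subordinate range for one user from /etc/subuid or /etc/subgid text
# ("user:start:count"). Prints "start count"; returns 1 with no output if absent.
subid_range_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2, $3; found = 1 } END { exit found ? 0 : 1 }'
}

# newuidmap/newgidmap need the setuid bit (how distros ship them) or the file
# capability install-podman.sh sets instead. $1: octal mode from `stat -c %a`,
# $2: the `getcap` line for the same path, $3: the expected capability name.
# Both getcap output styles ("cap_setuid=ep" and "= cap_setuid+ep") are accepted.
helper_is_privileged() {
    case "$1" in [4567]???) return 0 ;; esac
    case "$2" in *"$3"*=ep*|*"$3"*+ep*) return 0 ;; esac
    return 1
}

# Host uid that a file gets when created by uid $1 inside a namespace with
# uid_map text $2. This is why a file touched by uid 1000 in the container is
# owned by a high uid such as 100999 on the host, and why the README runs
# `podman unshare chown -R $UID_INSIDE volumes` before bind-mounting a volume.
host_uid_for() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# Constructed samples (not captured from a real host; "pedro" is the README's user).
SAMPLE_MAP_BROKEN='         0          0 4294967295'
SAMPLE_MAP_OK='         0       1000          1
         1     100000      65536'
SAMPLE_SUBUID='pedro:100000:65536
other:165536:65536'

demo() {
    printf 'broken uid_map: %s line(s)\n' "$(idmap_line_count "$SAMPLE_MAP_BROKEN")"
    printf 'working uid_map: %s line(s)\n' "$(idmap_line_count "$SAMPLE_MAP_OK")"
    printf 'subuid range for pedro: %s\n' "$(subid_range_for pedro "$SAMPLE_SUBUID")"
    printf 'container uid 1000 is host uid %s\n' "$(host_uid_for 1000 "$SAMPLE_MAP_OK")"
}

# Live check; needs podman, shadow (newuidmap/newgidmap) and libcap (getcap) in PATH.
main() {
    me=$(id -un)
    map=$(podman unshare cat /proc/self/uid_map)
    lines=$(idmap_line_count "$map")
    [ "$lines" -ge 2 ] || echo "FAIL: uid_map has $lines line(s); /etc/subuid was not applied"
    range=$(subid_range_for "$me" "$(cat /etc/subuid)") || echo "FAIL: no /etc/subuid entry for $me"
    [ "${range##* }" -ge 65536 ] 2>/dev/null || echo "WARN: subuid range for $me is below the usual 65536"
    for tool in newuidmap:cap_setuid newgidmap:cap_setgid; do
        path=$(readlink -f "$(command -v "${tool%%:*}")")
        helper_is_privileged "$(stat -c %a "$path")" "$(getcap "$path")" "${tool##*:}" \
            || echo "FAIL: $path has neither the setuid bit nor ${tool##*:}"
    done
    echo "files created by container uid 0 belong to host uid $(host_uid_for 0 "$map")"
}

if [ "${1:-}" = "--run" ]; then main; else demo; fi
```

`sh check-rootless.sh` exercises the functions on the samples; `sh check-rootless.sh --run` inside the dev shell does the live check. A single-line map together with a missing `/etc/subuid` entry is the case the quoted issue comment describes; an entry that is present while the helper has neither setuid nor the capability is the case `install-podman.sh` exists to fix.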