Always deploy docker privileged, use different state dir for privileged deployments

Sander van der Burg 2021-04-04 16:26:41 +02:00 committed by Sander van der Burg
parent b796c4336d
commit f277b95d29
2 changed files with 19 additions and 7 deletions


@ -5,15 +5,25 @@ let
inherit (pkgs) lib;
};
# We cannot deploy Docker as unprivileged user. Use a privileged installation instead
profileSettingsProcessManager = import ../../../test-driver/profiles/privileged.nix;
# For privileged deployments, use a different directory than /var, because it does not have the right SELinux context to work with containers
profileSettingsSystem = if profileSettings.params.stateDir == "/var" then profileSettings // {
params = profileSettings.params // rec {
stateDir = "/dockervar";
runtimeDir = "${stateDir}/run";
};
} else profileSettings;
processesEnvProcessManager = import ../../sysvinit/build-sysvinit-env.nix ({
inherit pkgs system;
exprFile = ./processes-docker.nix;
} // profileSettings.params);
} // profileSettingsProcessManager.params);
processesEnvSystem = import ../build-docker-env.nix ({
inherit pkgs system exprFile extraParams;
}
// profileSettings.params);
} // profileSettingsSystem.params);
in
{
nixosModules = [];
@ -28,14 +38,16 @@ in
deployProcessManager = ''
machine.succeed(
"${executeDeploy { inherit profileSettings; processManager = "sysvinit"; processesEnv = processesEnvProcessManager; }}"
"${executeDeploy { profileSettings = profileSettingsProcessManager; processManager = "sysvinit"; processesEnv = processesEnvProcessManager; }}"
)
machine.wait_for_file("${profileSettings.params.stateDir}/run/docker.sock")
machine.wait_for_file("${profileSettingsProcessManager.params.stateDir}/run/docker.sock")
'' + pkgs.lib.optionalString profileSettings.params.forceDisableUserChange ''
machine.succeed("usermod -a -G docker unprivileged")
'';
deploySystem = ''
machine.succeed(
"${executeDeploy { inherit profileSettings; processManager = "docker"; processesEnv = processesEnvSystem; }}"
"${executeDeploy { profileSettings = profileSettingsSystem; processManager = "docker"; processesEnv = processesEnvSystem; }}"
)
'';
}
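Review bot: The `/dockervar` remap guarding the SELinux problem only fires when `stateDir` is exactly `"/var"`, so a profile whose state directory is any other path under `/var` keeps the context problem the comment on the line above describes; if the exact match is deliberate, say so in that comment, otherwise widen the test to `if profileSettings.params.stateDir == "/var" || lib.hasPrefix "/var/" profileSettings.params.stateDir then profileSettings // {` (`lib` is already in scope from `inherit (pkgs) lib;`). In the second hunk the `usermod -a -G docker unprivileged` step is still keyed on the caller's `profileSettings.params.forceDisableUserChange` while the deployment just above it now always uses `profileSettingsProcessManager`; if that is intended (the system deployment may still run unprivileged) a one-line comment would stop the next reader from "fixing" it. That step also makes the `unprivileged` user root-equivalent on the test VM, since membership in the docker group gives full control of the daemon socket, so a comment such as `# docker group membership is root-equivalent; acceptable only inside the throwaway test VM` is worth adding there. Whether anything creates `/dockervar` with a container-compatible context is not visible in this hunk — presumably the deployment does, but worth confirming.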


@ -24,7 +24,7 @@ EOF
# Parse valid argument options
PARAMS=`@getopt@ -n $0 -o p:o:h -l profile:,old-profile:,user,help -- "$@"`
PARAMS=`@getopt@ -n $0 -o p:o:h -l profile:,old-profile:,state-dir:,force-disable-user-change,help -- "$@"`
if [ $? != 0 ]
then