Always deploy docker privileged, use different state dir for privileged deployments
This commit is contained in:
parent
b796c4336d
commit
f277b95d29
@ -5,15 +5,25 @@ let
inherit (pkgs) lib;
inherit (pkgs) lib;
};
};
# We cannot deploy Docker as unprivileged user. Use a privileged installation instead
profileSettingsProcessManager = import ../../../test-driver/profiles/privileged.nix;
# For privileged deployments, use a different directory than /var, because it does not have the right SELinux context to work with containers
profileSettingsSystem = if profileSettings.params.stateDir == "/var" then profileSettings // {
params = profileSettings.params // rec {
stateDir = "/dockervar";
runtimeDir = "${stateDir}/run";
};
} else profileSettings;
processesEnvProcessManager = import ../../sysvinit/build-sysvinit-env.nix ({
processesEnvProcessManager = import ../../sysvinit/build-sysvinit-env.nix ({
inherit pkgs system;
inherit pkgs system;
exprFile = ./processes-docker.nix;
exprFile = ./processes-docker.nix;
} // profileSettings.params);
} // profileSettingsProcessManager.params);
processesEnvSystem = import ../build-docker-env.nix ({
processesEnvSystem = import ../build-docker-env.nix ({
inherit pkgs system exprFile extraParams;
inherit pkgs system exprFile extraParams;
}
} // profileSettingsSystem.params);
// profileSettings.params);
in
in
{
{
nixosModules = [];
nixosModules = [];
@ -28,14 +38,16 @@ in
deployProcessManager = ''
deployProcessManager = ''
machine.succeed(
machine.succeed(
"${executeDeploy { inherit profileSettings; processManager = "sysvinit"; processesEnv = processesEnvProcessManager; }}"
"${executeDeploy { profileSettings = profileSettingsProcessManager; processManager = "sysvinit"; processesEnv = processesEnvProcessManager; }}"
)
)
machine.wait_for_file("${profileSettings.params.stateDir}/run/docker.sock")
machine.wait_for_file("${profileSettingsProcessManager.params.stateDir}/run/docker.sock")
'' + pkgs.lib.optionalString profileSettings.params.forceDisableUserChange ''
machine.succeed("usermod -a -G docker unprivileged")
'';
'';
deploySystem = ''
deploySystem = ''
machine.succeed(
machine.succeed(
"${executeDeploy { inherit profileSettings; processManager = "docker"; processesEnv = processesEnvSystem; }}"
"${executeDeploy { profileSettings = profileSettingsSystem; processManager = "docker"; processesEnv = processesEnvSystem; }}"
)
)
'';
'';
}
}
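Review bot: The new `optionalString` guard in deployProcessManager still reads `profileSettings.params.forceDisableUserChange`, while the two lines around it were switched to `profileSettingsProcessManager` (the privileged profile imported from `privileged.nix`); if that profile sets the flag differently from the caller-supplied `profileSettings`, the `usermod` step can run or be skipped inconsistently with the deployment it follows, so the condition should be `pkgs.lib.optionalString profileSettingsProcessManager.params.forceDisableUserChange`. The added `machine.succeed("usermod -a -G docker unprivileged")` also deserves a comment, since membership in the `docker` group gives that account root-equivalent control of the VM through the daemon socket; something like `# NOTE: docker group membership is root-equivalent; acceptable only inside this throwaway test VM` makes the intent explicit. The `/dockervar` override is hard-coded; if other privileged tests need the same SELinux workaround, a shared constant would keep them in step. The attribute set containing these definitions begins before the first hunk.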
@ -24,7 +24,7 @@ EOF
# Parse valid argument options
# Parse valid argument options
PARAMS=`@getopt@ -n $0 -o p:o:h -l profile:,old-profile:,user,help -- "$@"`
PARAMS=`@getopt@ -n $0 -o p:o:h -l profile:,old-profile:,state-dir:,force-disable-user-change,help -- "$@"`
if [ $? != 0 ]
if [ $? != 0 ]
then
then
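Review bot: The rewritten getopt spec silently drops the `user` long option, so any existing caller that still passes `--user` will now fail option parsing and fall into the error branch below; if that is intended, the commit message or a comment above the line should say so, e.g. `# --user was removed; deployments are always privileged now`. In the same line `-n $0` is unquoted and should be `-n "$0"` to survive a script path containing whitespace, in keeping with the already-quoted `"$@"`. The new `--state-dir` value is consumed outside this hunk; wherever it is applied it is worth rejecting relative paths, since it ends up as the root of the runtime directory and socket location.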