nixos-config/virtualisation/containers.nix

{ pkgs, lib, ... }:

{
  # Enable /etc/containers configuration (used by podman, cri-o, etc.)
  virtualisation.containers.enable = true;
  virtualisation.containers.containersConf.settings = {
    # Create unique User Namespace for the container
    containers.userns = "auto";
    engine = {
      conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.gvisor ]}" ];
      runtimes.runsc = [ "${pkgs.gvisor}/bin/runsc" ];
      runtime = "runsc";
    };
  };
  virtualisation.containers.storage.settings = {
    # defaults
    storage = {
      driver = "overlay";
      graphroot = "/var/lib/containers/storage";
      runroot = "/run/containers/storage";
    };

    # SUB_UID_MAX: https://man7.org/linux/man-pages/man5/login.defs.5.html
    storage.options.auto-userns-max-size = 600100000;
  };

  # Increase sub{u,g}id range
  users.users."containers" = {
    isSystemUser = true;
    group = "containers";
    subUidRanges = [{
      startUid = 60100000;
      count = 60000000;
    }];
    subGidRanges = [{
      startGid = 60100000;
      count = 60000000;
    }];
  };

  users.groups.containers = { };
}
feat(virtualisation): enable gvisor for containers 2024-03-07 20:47:24 +01:00			`{ pkgs, lib, ... }:`
feat(virtualisation): set userns auto for containers 2023-09-18 19:33:14 +02:00
			`{`
			`# Enable /etc/containers configuration (used by podman, cri-o, etc.)`
			`virtualisation.containers.enable = true;`
			`virtualisation.containers.containersConf.settings = {`
			`# Create unique User Namespace for the container`
			`containers.userns = "auto";`
feat(virtualisation): enable gvisor for containers 2024-03-07 20:47:24 +01:00			`engine = {`
			`conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.gvisor ]}" ];`
			`runtimes.runsc = [ "${pkgs.gvisor}/bin/runsc" ];`
			`runtime = "runsc";`
			`};`
feat(virtualisation): set userns auto for containers 2023-09-18 19:33:14 +02:00			`};`
fix(virtualisation): add & extend sub{u,g}id ranges 2023-09-18 23:39:37 +02:00			`virtualisation.containers.storage.settings = {`
			`# defaults`
			`storage = {`
			`driver = "overlay";`
			`graphroot = "/var/lib/containers/storage";`
			`runroot = "/run/containers/storage";`
			`};`

			`# SUB_UID_MAX: https://man7.org/linux/man-pages/man5/login.defs.5.html`
			`storage.options.auto-userns-max-size = 600100000;`
			`};`

			`# Increase sub{u,g}id range`
fix(virtualisation): specify sub{u,g}id ranges for containers instead of root Privileged podman uses `containers` user for user namespaces. 2023-09-30 02:37:35 +02:00			`users.users."containers" = {`
			`isSystemUser = true;`
			`group = "containers";`
fix(virtualisation): add & extend sub{u,g}id ranges 2023-09-18 23:39:37 +02:00			`subUidRanges = [{`
			`startUid = 60100000;`
			`count = 60000000;`
			`}];`
			`subGidRanges = [{`
			`startGid = 60100000;`
			`count = 60000000;`
			`}];`
			`};`
fix(virtualisation): specify sub{u,g}id ranges for containers instead of root Privileged podman uses `containers` user for user namespaces. 2023-09-30 02:37:35 +02:00
			`users.groups.containers = { };`
feat(virtualisation): set userns auto for containers 2023-09-18 19:33:14 +02:00			`}`