nixos/virtualisation.podman: Init module

[adisbladis]

Motivation for this change

This is another stab at making a module for podman, a drop-in replacement for Docker.

Unlike previous attempts ( #68343 & #54925 ) this tries to stay very close to upstream defaults and introduce minimal configuration.

I also have tests and release notes.
I have been running a very similar module in my own configuration for quite some time without issues.
It works just fine rootless too with the following configuration in configuration.nix:

virtualisation.podman.enable = true;
virtualisation.podman.dockerCompat = true;
virtualisation.containers.users = [ "adisbladis" "aoeu" ];

Should we add a config option to set up subuid/subgid ranges for users in the podman module maybe? - done

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

cc @vdemeester @peterhoeg @nlewo

Closes #65202

[peterhoeg]

This is nice and much nicer than mine (a lot less code which is great!).

Should we add a config option to set up subuid/subgid ranges for users in the podman module maybe?

Yes please.

[adisbladis]

Should we add a config option to set up subuid/subgid ranges for users in the podman module maybe?
Yes please.

Can you think of a nice interface for this?

[adisbladis]

I've opted to make subuid/subgid users a simple list:

    virtualisation.podman.users = [
      "adisbladis"
    ];

[zowoq]

podman and related packages have a team if you want to add it as a maintainer for the module.

cc @saschagrunert

[adisbladis]

I've also moved declarative docker containers to podman in https://github.com/adisbladis/nixpkgs/tree/podman-declarative-containers. This will be a follow-up PR.

[adisbladis]

podman and related packages have a team if you want to add it as a maintainer for the module.

Done! also added myself to the podman team.

[adisbladis]

@GrahamcOfBorg eval
@GrahamcOfBorg test podman

[adisbladis]

Unless I get some very strong objections my plan is to move fast on this and merge soon.

[buckley310]

Is it a good idea to map all podman users to the same 100000+65536 range?

[zowoq]

Thanks for working on this!

Tested, works well. Looks great, just a couple of nits.

[adisbladis]

Is it a good idea to map all podman users to the same 100000+65536 range?

No that was an oversight. I've fixed this.

[adisbladis]

I have created a new virtualisation.containers module.
The cri-o module was also creating /etc/containers/policy.json so these modules would be mutually exclusive.
With this change things composes much better with multiple container runtimes.
This leads to a much smaller podman module with a better defined scope.

[adisbladis]

@GrahamcOfBorg test podman

[talyz]

Looks really good! The only issue I experienced was this message:

ERRO[0520] unable to close namespace: "close /proc/335/ns/user: bad file descriptor"

when exiting a container, seemingly at random. This might just be a podman bug and it doesn't seem to cause any problems.

[adisbladis]

@talyz That looks to be containers/podman#5873.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/podman-and-docker-fail-to-mount/11709/3