+8

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

··· 35 35 </listitem> 36 36 <listitem> 37 37 <para> 38 38 + <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless 39 39 + Docker</link>, a <literal>systemd --user</literal> Docker 40 40 + service which runs without root permissions. Available as 41 41 + <link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. 42 42 + </para> 43 43 + </listitem> 44 44 + <listitem> 45 45 + <para> 38 46 <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, 39 47 a lightweight shipper for forwarding and centralizing log 40 48 data. Available as

+1

nixos/doc/manual/release-notes/rl-2205.section.md

··· 11 11 ## New Services {#sec-release-22.05-new-services} 12 12 13 13 - [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable). 14 14 + - [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable). 14 15 15 16 - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable). 16 17

+1

nixos/modules/module-list.nix

··· 1187 1187 ./virtualisation/oci-containers.nix 1188 1188 ./virtualisation/cri-o.nix 1189 1189 ./virtualisation/docker.nix 1190 1190 + ./virtualisation/docker-rootless.nix 1190 1191 ./virtualisation/ecs-agent.nix 1191 1192 ./virtualisation/libvirtd.nix 1192 1193 ./virtualisation/lxc.nix

+98

nixos/modules/virtualisation/docker-rootless.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + 7 7 + cfg = config.virtualisation.docker.rootless; 8 8 + proxy_env = config.networking.proxy.envVars; 9 9 + settingsFormat = pkgs.formats.json {}; 10 10 + daemonSettingsFile = settingsFormat.generate "daemon.json" cfg.daemon.settings; 11 11 + 12 12 + in 13 13 + 14 14 + { 15 15 + ###### interface 16 16 + 17 17 + options.virtualisation.docker.rootless = { 18 18 + enable = mkOption { 19 19 + type = types.bool; 20 20 + default = false; 21 21 + description = '' 22 22 + This option enables docker in a rootless mode, a daemon that manages 23 23 + linux containers. To interact with the daemon, one needs to set 24 24 + <command>DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock</command>. 25 25 + ''; 26 26 + }; 27 27 + 28 28 + setSocketVariable = mkOption { 29 29 + type = types.bool; 30 30 + default = false; 31 31 + description = '' 32 32 + Point <command>DOCKER_HOST</command> to rootless Docker instance for 33 33 + normal users by default. 34 34 + ''; 35 35 + }; 36 36 + 37 37 + daemon.settings = mkOption { 38 38 + type = settingsFormat.type; 39 39 + default = { }; 40 40 + example = { 41 41 + ipv6 = true; 42 42 + "fixed-cidr-v6" = "fd00::/80"; 43 43 + }; 44 44 + description = '' 45 45 + Configuration for docker daemon. The attributes are serialized to JSON used as daemon.conf. 46 46 + See https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file 47 47 + ''; 48 48 + }; 49 49 + 50 50 + package = mkOption { 51 51 + default = pkgs.docker; 52 52 + defaultText = literalExpression "pkgs.docker"; 53 53 + type = types.package; 54 54 + example = literalExpression "pkgs.docker-edge"; 55 55 + description = '' 56 56 + Docker package to be used in the module. 57 57 + ''; 58 58 + }; 59 59 + }; 60 60 + 61 61 + ###### implementation 62 62 + 63 63 + config = mkIf cfg.enable { 64 64 + environment.systemPackages = [ cfg.package ]; 65 65 + 66 66 + environment.extraInit = optionalString cfg.setSocketVariable '' 67 67 + if [ -z "$DOCKER_HOST" -a -n "$XDG_RUNTIME_DIR" ]; then 68 68 + export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock" 69 69 + fi 70 70 + ''; 71 71 + 72 72 + # Taken from https://github.com/moby/moby/blob/master/contrib/dockerd-rootless-setuptool.sh 73 73 + systemd.user.services.docker = { 74 74 + wantedBy = [ "default.target" ]; 75 75 + description = "Docker Application Container Engine (Rootless)"; 76 76 + # needs newuidmap from pkgs.shadow 77 77 + path = [ "/run/wrappers" ]; 78 78 + environment = proxy_env; 79 79 + unitConfig.StartLimitInterval = "60s"; 80 80 + serviceConfig = { 81 81 + Type = "notify"; 82 82 + ExecStart = "${cfg.package}/bin/dockerd-rootless --config-file=${daemonSettingsFile}"; 83 83 + ExecReload = "${pkgs.procps}/bin/kill -s HUP $MAINPID"; 84 84 + TimeoutSec = 0; 85 85 + RestartSec = 2; 86 86 + Restart = "always"; 87 87 + StartLimitBurst = 3; 88 88 + LimitNOFILE = "infinity"; 89 89 + LimitNPROC = "infinity"; 90 90 + LimitCORE = "infinity"; 91 91 + Delegate = true; 92 92 + NotifyAccess = "all"; 93 93 + KillMode = "mixed"; 94 94 + }; 95 95 + }; 96 96 + }; 97 97 + 98 98 + }

+1

nixos/tests/all-tests.nix

··· 104 104 dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {}; 105 105 doas = handleTest ./doas.nix {}; 106 106 docker = handleTestOn ["x86_64-linux"] ./docker.nix {}; 107 107 + docker-rootless = handleTestOn ["x86_64-linux"] ./docker-rootless.nix {}; 107 108 docker-edge = handleTestOn ["x86_64-linux"] ./docker-edge.nix {}; 108 109 docker-registry = handleTest ./docker-registry.nix {}; 109 110 docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {};

+41

nixos/tests/docker-rootless.nix

··· 1 1 + # This test runs docker and checks if simple container starts 2 2 + 3 3 + import ./make-test-python.nix ({ lib, pkgs, ...} : { 4 4 + name = "docker-rootless"; 5 5 + meta = with pkgs.lib.maintainers; { 6 6 + maintainers = [ abbradar ]; 7 7 + }; 8 8 + 9 9 + nodes = { 10 10 + machine = { pkgs, ... }: { 11 11 + virtualisation.docker.rootless.enable = true; 12 12 + 13 13 + users.users.alice = { 14 14 + uid = 1000; 15 15 + isNormalUser = true; 16 16 + }; 17 17 + }; 18 18 + }; 19 19 + 20 20 + testScript = { nodes, ... }: 21 21 + let 22 22 + user = nodes.machine.config.users.users.alice; 23 23 + sudo = lib.concatStringsSep " " [ 24 24 + "XDG_RUNTIME_DIR=/run/user/${toString user.uid}" 25 25 + "DOCKER_HOST=unix:///run/user/${toString user.uid}/docker.sock" 26 26 + "sudo" "--preserve-env=XDG_RUNTIME_DIR,DOCKER_HOST" "-u" "alice" 27 27 + ]; 28 28 + in '' 29 29 + machine.wait_for_unit("multi-user.target") 30 30 + 31 31 + machine.succeed("loginctl enable-linger alice") 32 32 + machine.wait_until_succeeds("${sudo} systemctl --user is-active docker.service") 33 33 + 34 34 + machine.succeed("tar cv --files-from /dev/null | ${sudo} docker import - scratchimg") 35 35 + machine.succeed( 36 36 + "${sudo} docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" 37 37 + ) 38 38 + machine.succeed("${sudo} docker ps | grep sleeping") 39 39 + machine.succeed("${sudo} docker stop sleeping") 40 40 + ''; 41 41 + })