Merge pull request #124589 from hercules-ci/containers-dnsname

nixos/podman-dnsname: init

nixos/modules/virtualisation/containers.nix

@@ -48,6 +48,23 @@ in
       description = "containers.conf configuration";
     };
 
+    containersConf.cniPlugins = mkOption {
+      type = types.listOf types.package;
+      defaultText = ''
+        [
+          pkgs.cni-plugins
+        ]
+      '';
+      example = lib.literalExample ''
+        [
+          pkgs.cniPlugins.dnsname
+        ]
+      '';
+      description = ''
+        CNI plugins to install on the system.
+      '';
+    };
+
     registries = {
       search = mkOption {
         type = types.listOf types.str;
@@ -97,8 +114,11 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+
+    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
+
     virtualisation.containers.containersConf.settings = {
-      network.cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin/" ];
+      network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
       engine = {
         init_path = "${pkgs.catatonit}/bin/catatonit";
       } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {

nixos/modules/virtualisation/podman-dnsname.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib)
+    mkOption
+    mkIf
+    types
+    ;
+
+  cfg = config.virtualisation.podman;
+
+in
+{
+  options = {
+    virtualisation.podman = {
+
+      defaultNetwork.dnsname.enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable DNS resolution in the default podman network.
+        '';
+      };
+
+    };
+  };
+
+  config = {
+    virtualisation.containers.containersConf.cniPlugins = mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
+    virtualisation.podman.defaultNetwork.extraPlugins =
+      lib.optional cfg.defaultNetwork.dnsname.enable {
+        type = "dnsname";
+        domainName = "dns.podman";
+        capabilities.aliases = true;
+      };
+  };
+}

nixos/modules/virtualisation/podman.nix

@@ -2,6 +2,7 @@
 let
   cfg = config.virtualisation.podman;
   toml = pkgs.formats.toml { };
+  json = pkgs.formats.json { };
 
   inherit (lib) mkOption types;
 
@@ -22,9 +23,23 @@ let
     done
   '';
 
+  net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
+    nativeBuildInputs = [ pkgs.jq ];
+    extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
+    jqScript = ''
+      . + { "plugins": (.plugins + $extraPlugins) }
+    '';
+  } ''
+    jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
+      --argjson extraPlugins "$extraPlugins" \
+      "$jqScript" \
+      >$out
+  '';
+
 in
 {
   imports = [
+    ./podman-dnsname.nix
     ./podman-network-socket.nix
     (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
   ];
@@ -99,6 +114,13 @@ in
       '';
     };
 
+    defaultNetwork.extraPlugins = lib.mkOption {
+      type = types.listOf json.type;
+      default = [];
+      description = ''
+        Extra CNI plugin configurations to add to podman's default network.
+      '';
+    };
 
   };
 
@@ -107,7 +129,7 @@ in
       environment.systemPackages = [ cfg.package ]
         ++ lib.optional cfg.dockerCompat dockerCompat;
 
-      environment.etc."cni/net.d/87-podman-bridge.conflist".source = "${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist";
+      environment.etc."cni/net.d/87-podman-bridge.conflist".source = net-conflist;
 
       virtualisation.containers = {
         enable = true; # Enable common /etc/containers configuration

nixos/tests/all-tests.nix

@@ -335,6 +335,7 @@ in
   plotinus = handleTest ./plotinus.nix {};
   podgrab = handleTest ./podgrab.nix {};
   podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
+  podman-dnsname = handleTestOn ["x86_64-linux"] ./podman-dnsname.nix {};
   podman-tls-ghostunnel = handleTestOn ["x86_64-linux"] ./podman-tls-ghostunnel.nix {};
   pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
   postfix = handleTest ./postfix.nix {};

nixos/tests/podman-dnsname.nix

@@ -0,0 +1,42 @@
+import ./make-test-python.nix (
+  { pkgs, lib, ... }:
+  let
+    inherit (pkgs) writeTextDir python3 curl;
+    webroot = writeTextDir "index.html" "<h1>Hi</h1>";
+  in
+  {
+    name = "podman-dnsname";
+    meta = {
+      maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members;
+    };
+
+    nodes = {
+      podman = { pkgs, ... }: {
+        virtualisation.podman.enable = true;
+        virtualisation.podman.defaultNetwork.dnsname.enable = true;
+      };
+    };
+
+    testScript = ''
+      podman.wait_for_unit("sockets.target")
+
+      with subtest("DNS works"): # also tests inter-container tcp routing
+        podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
+        podman.succeed(
+          "podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000"
+        )
+        podman.succeed("podman ps | grep webserver")
+        podman.succeed("""
+          for i in `seq 0 120`; do
+            podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \
+              && exit 0
+            sleep 0.5
+          done
+          exit 1
+        """)
+        podman.succeed("podman stop webserver")
+        podman.succeed("podman rm webserver")
+
+    '';
+  }
+)

pkgs/applications/networking/cluster/dnsname-cni/default.nix

@@ -1,4 +1,11 @@
-{ buildGoModule, fetchFromGitHub, lib, dnsmasq }:
+{
+  buildGoModule,
+  dnsmasq,
+  fetchFromGitHub,
+  lib,
+  nixosTests,
+  makeWrapper,
+}:
 
 buildGoModule rec {
   pname = "cni-plugin-dnsname";
@@ -11,10 +18,9 @@ buildGoModule rec {
     sha256 = "sha256-hHkQOHDso92gXFCz40iQ7j2cHTEAMsaeW8MCJV2Otqo=";
   };
 
-  patches = [ ./hardcode-dnsmasq-path.patch ];
-
-  postPatch = ''
-    substituteInPlace plugins/meta/dnsname/service.go --replace '@DNSMASQ@' '${dnsmasq}/bin/dnsmasq'
+  nativeBuildInputs = [ makeWrapper ];
+  postInstall = ''
+    wrapProgram $out/bin/dnsname --prefix PATH : ${lib.makeBinPath [ dnsmasq ]}
   '';
 
   vendorSha256 = null;
@@ -22,6 +28,10 @@ buildGoModule rec {
 
   doCheck = false; # NOTE: requires root privileges
 
+  passthru.tests = {
+    inherit (nixosTests) podman-dnsname;
+  };
+
   meta = with lib; {
     description = "DNS name resolution for containers";
     homepage = "https://github.com/containers/dnsname";

pkgs/applications/networking/cluster/dnsname-cni/hardcode-dnsmasq-path.patch

@@ -1,19 +0,0 @@
-diff --git a/plugins/meta/dnsname/service.go b/plugins/meta/dnsname/service.go
-index fc05f75..f6b4caf 100644
---- a/plugins/meta/dnsname/service.go
-+++ b/plugins/meta/dnsname/service.go
-@@ -16,10 +16,14 @@ import (
- 
- // newDNSMasqFile creates a new instance of a dnsNameFile
- func newDNSMasqFile(domainName, networkInterface, networkName string) (dnsNameFile, error) {
-+	/*
- 	dnsMasqBinary, err := exec.LookPath("dnsmasq")
- 	if err != nil {
- 		return dnsNameFile{}, errors.Errorf("the dnsmasq cni plugin requires the dnsmasq binary be in PATH")
- 	}
-+	*/
-+	_ = errors.Errorf // XXX(mikroskeem): reduce diff
-+	dnsMasqBinary := "@DNSMASQ@"
- 	masqConf := dnsNameFile{
- 		ConfigFile:       makePath(networkName, confFileName),
- 		Domain:           domainName,

pkgs/applications/virtualization/podman/default.nix

@@ -84,7 +84,10 @@ buildGoModule rec {
   passthru.tests = {
     inherit (nixosTests) podman;
     # related modules
-    inherit (nixosTests) podman-tls-ghostunnel;
+    inherit (nixosTests)
+      podman-tls-ghostunnel
+      podman-dnsname
+      ;
   };
 
   meta = with lib; {