Skip to content

Commit

Permalink
Podman DNS match pattern for nftables (#76)
Browse files Browse the repository at this point in the history 
Idea is to support both iptables (default) and nftables for Podman DNS config. See: NixOS/nixpkgs#226365 (comment)

Docker always uses iptables, and handles configuring firewall rules itself. See:

* NixOS/nixpkgs#111852
* Comment here on nftables + Docker: https://github.com/NixOS/nixpkgs/blob/f6687779bf4c396250831aa5a32cbfeb85bb07a3/nixos/modules/services/networking/nftables.nix#L61 

As part of this PR, I have also cleaned up the redundant Podman DNS config for the default network. `compose2nix` does not use the default network at all, and anyways configures a firewall rule that also covers the default network (`podman0` interface).
  • Loading branch information
@aksiksi
aksiksi authored Feb 2, 2025
1 parent abb340f commit 1baa2f5
Show file tree
Hide file tree
Showing 31 changed files with 218 additions and 233 deletions.
16 changes: 8 additions & 8 deletions nixos-test/podman-compose.nix
View file
Original file line number Diff line number Diff line change
@@ -1,21 +1,21 @@
# Auto-generated using compose2nix v0.3.2-pre.
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
# See: https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
4 changes: 4 additions & 0 deletions nixos-test/test.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,10 @@ in
m.succeed(f"systemctl show -p Restart {runtime}-service-b.service | grep -E '=on-success$'")
m.succeed(f"systemctl show -p Restart {runtime}-myproject-no-restart.service | grep -E '=no$'")
# Ensure we can reach a container in the same network. Regression test
# for DNS settings, especially for Podman.
m.succeed(f"{runtime} exec -it myproject-service-a wget http://no-restart")
# Stop the root unit.
m.systemctl(f"stop {runtime}-compose-myproject-root.target")
'';
Expand Down
17 changes: 9 additions & 8 deletions templates/main.nix.tmpl
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
{{- if .Version -}}
# Auto-generated using compose2nix v{{.Version}}.
{ pkgs, lib, ... }:
{{end -}}
{{- if eq (.Runtime | printf "%s") "podman" -}}
{ pkgs, lib, config, ... }:
{{- else -}}
{ pkgs, lib, ... }:
{{- end}}
Expand All @@ -13,17 +15,16 @@
autoPrune.enable = true;
{{- if eq (.Runtime | printf "%s") "podman"}}
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
{{- end}}
};
{{- if eq (.Runtime | printf "%s") "podman"}}

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "{{.Runtime}}";
{{- else}}
Expand Down
15 changes: 7 additions & 8 deletions testdata/TestAutoStart.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestBasic.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
22 changes: 14 additions & 8 deletions testdata/TestBasicAutoFormat.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,26 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
config,
...
}:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces =
let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in
{
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestBuildSpec.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestBuildSpec_BuildEnabled.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestCommandAndEntrypoint.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestComposeEnvFiles.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestDeployDevices.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestEmptyEnv.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestEnvFiles.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
15 changes: 7 additions & 8 deletions testdata/TestEnvFilesOnly.podman.nix
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,19 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:

{
# Runtime
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
# Required for container networking to be able to use names.
dns_enabled = true;
};
};

# Enable container name DNS for non-default Podman networks.
# https://github.com/NixOS/nixpkgs/issues/226365
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
# Enable container name DNS for all Podman networks.
networking.firewall.interfaces = let
matchAll = if !config.networking.nftables.enable then "podman+" else "podman*";
in {
"${matchAll}".allowedUDPPorts = [ 53 ];
};

virtualisation.oci-containers.backend = "podman";

Expand Down
Loading

0 comments on commit 1baa2f5

Please sign in to comment.