
podman: updates podman package

- add missing runtime dependency catatonit
 - removed SELinux variant, add config option for it instead; I do not believe we need a variant of EVERY SELinux-capable piece of software
 - add config option for iptables firewall setup in the default cni network config, otherwise skip the iptables part (part of the nftables transition; use cni-plugins-nft for nftables fw support, or better, forget about cni fw completely and instead use openwrt's own, as that way your rules for containers do not disappear on firewall restart)

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
lilik-openwrt-22.03
Oskari Rauta 3 years ago
committed by Rosen Penev
21d2575a95
3 changed files with 87 additions and 28 deletions
  1. +22
    -28
      utils/podman/Makefile
  2. +37
    -0
      utils/podman/files/87-podman-bridge-iptables.conflist
  3. +28
    -0
      utils/podman/files/87-podman-bridge.conflist

+ 22
- 28
utils/podman/Makefile View File

@ -36,36 +36,30 @@ define Download/default-policy
HASH:=cddfaa8e6a7e5497b67cc0dd8e8517058d0c97de91bf46fff867528415f2d946 HASH:=cddfaa8e6a7e5497b67cc0dd8e8517058d0c97de91bf46fff867528415f2d946
endef endef
define Package/podman/Default
define Package/podman
SECTION:=utils SECTION:=utils
CATEGORY:=Utilities CATEGORY:=Utilities
TITLE:=Podman TITLE:=Podman
URL:=https://podman.io URL:=https://podman.io
endef
define Package/podman
$(call Package/podman/Default)
DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +cni +cni-plugins +btrfs-progs +glib2 +gnupg2 +uci-firewall +libgpg-error +libseccomp +libgpgme +nsenter +zoneinfo-simple +kmod-veth
CONFLICTS:=podman-selinux
VARIANT:=default
PROVIDES:=podman
endef
define Package/podman-selinux
$(call Package/podman/Default)
TITLE += with SELinux support
DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +cni +cni-plugins +btrfs-progs +glib2 +gnupg2 +uci-firewall +libgpg-error +libseccomp +libgpgme +nsenter +zoneinfo-simple +kmod-veth +libselinux
VARIANT:=selinux
PROVIDES:=podman
DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +cni +cni-plugins +btrfs-progs +glib2 +gnupg2 +uci-firewall +libgpg-error +libseccomp +libgpgme +nsenter +zoneinfo-simple +kmod-veth +catatonit +PODMAN_SELINUX_SUPPORT:libselinux +PODMAN_IPTABLES_FW:iptables
endef endef
define Package/podman/description define Package/podman/description
Podman: A tool for managing OCI containers and pods Podman: A tool for managing OCI containers and pods
endef endef
define Package/podman-selinux/description
Podman: A tool for managing OCI containers and pods
SELinux enabled.
define Package/podman/config
menu "Configuration"
config PODMAN_SELINUX_SUPPORT
bool "Enable SELinux support"
default n
config PODMAN_IPTABLES_FW
bool "Add iptabels firewall options to default podman network"
default n
endmenu
endef endef
define Package/podman/conffiles define Package/podman/conffiles
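Review bot: The user-visible prompt on the `config PODMAN_IPTABLES_FW` line misspells the tool; it should read `bool "Add iptables firewall options to default podman network"`. Neither option carries a `help` block, so someone configuring the build cannot see that enabling this one also pulls in the `iptables` package through the `+PODMAN_IPTABLES_FW:iptables` dependency and swaps the installed CNI config for the variant that carries the `portmap` and `firewall` plugins; a two-line help text saying that, plus one under `PODMAN_SELINUX_SUPPORT` naming the `selinux` Go build tag and the `libselinux` dependency it turns on, would make the trade-off explicit at configure time. The `default n` lines are redundant for a Kconfig bool. The hunk ends on the `define Package/podman/conffiles` line, so that block's body lies outside it.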
@ -76,14 +70,18 @@ define Package/podman/conffiles
/etc/cni/net.d/87-podman-bridge.conflist /etc/cni/net.d/87-podman-bridge.conflist
endef endef
Package/podman-selinux/conffiles = $(Package/podman/conffiles)
ifeq ($(BUILD_VARIANT),selinux)
ifdef CONFIG_PODMAN_SELINUX_SUPPORT
GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,selinux,apparmor GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,selinux,apparmor
else else
GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,apparmor GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,apparmor
endif endif
ifdef CONFIG_PODMAN_IPTABLES_FW
CNIFILE:=87-podman-bridge-iptables.conflist
else
CNIFILE:=87-podman-bridge.conflist
endif
define Build/Prepare define Build/Prepare
$(call Build/Prepare/Default) $(call Build/Prepare/Default)
$(eval $(call Download,default-registries)) $(eval $(call Download,default-registries))
@ -98,7 +96,7 @@ define Package/podman/install
$(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/storage/storage.conf $(1)/etc/containers/storage.conf $(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/storage/storage.conf $(1)/etc/containers/storage.conf
$(INSTALL_DATA) ./files/containers.conf $(1)/etc/containers/containers.conf $(INSTALL_DATA) ./files/containers.conf $(1)/etc/containers/containers.conf
$(INSTALL_DIR) $(1)/etc/cni/net.d $(INSTALL_DIR) $(1)/etc/cni/net.d
$(INSTALL_CONF) $(PKG_BUILD_DIR)/cni/87-podman-bridge.conflist $(1)/etc/cni/net.d/
$(INSTALL_CONF) ./files/$(CNIFILE) $(1)/etc/cni/net.d/87-podman-bridge.conflist
$(INSTALL_DIR) $(1)/usr/share/containers $(INSTALL_DIR) $(1)/usr/share/containers
$(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/common/pkg/seccomp/seccomp.json $(1)/usr/share/containers/ $(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/common/pkg/seccomp/seccomp.json $(1)/usr/share/containers/
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
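Review bot: The installed CNI config no longer comes from the upstream tree (`$(PKG_BUILD_DIR)/cni/87-podman-bridge.conflist`) but from a package-local copy, so future version bumps will silently keep whatever default network definition is checked in here unless someone re-syncs `files/87-podman-bridge*.conflist` by hand. A comment above the `$(CNIFILE)` install line, or next to the `CNIFILE` selection in the earlier hunk, such as `# local copies of upstream cni/87-podman-bridge.conflist; re-check on version bumps`, would keep that maintenance duty visible. Both variants are installed under the same target name, which matches the conffiles entry, so nothing else in the package needs to change when the option flips. `define Package/podman/install` starts before and ends after this hunk.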
@ -106,9 +104,5 @@ define Package/podman/install
$(SED) 's/driver = \"\"/driver = \"overlay\"/g' $(1)/etc/containers/storage.conf $(SED) 's/driver = \"\"/driver = \"overlay\"/g' $(1)/etc/containers/storage.conf
endef endef
Package/podman-selinux/install = $(Package/podman/install)
$(eval $(call GoBinPackage,podman)) $(eval $(call GoBinPackage,podman))
$(eval $(call BuildPackage,podman)) $(eval $(call BuildPackage,podman))
$(eval $(call GoBinPackage,podman-selinux))
$(eval $(call BuildPackage,podman-selinux))

+ 37
- 0
utils/podman/files/87-podman-bridge-iptables.conflist View File

@ -0,0 +1,37 @@
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni-podman0",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [{ "dst": "0.0.0.0/0" }],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
},
{
"type": "firewall"
},
{
"type": "tuning"
}
]
}
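Review bot: The `firewall` plugin entry has no `backend` key, so which backend the plugin uses is decided at runtime rather than pinned by this package, while the Makefile only adds `iptables` as a dependency for this variant. Presumably `{ "type": "firewall", "backend": "iptables" }` is what is intended, so the installed config matches what the package actually pulls in; worth confirming against the cni-plugins version shipped on this branch that the plugin honours that key there. The file has no comment syntax, so the rationale for the plugin list belongs in the Makefile or the option help text.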

+ 28
- 0
utils/podman/files/87-podman-bridge.conflist View File

@ -0,0 +1,28 @@
{
"cniVersion": "0.4.0",
"name": "podman",
"plugins": [
{
"type": "bridge",
"bridge": "cni-podman0",
"isGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"routes": [{ "dst": "0.0.0.0/0" }],
"ranges": [
[
{
"subnet": "10.88.0.0/16",
"gateway": "10.88.0.1"
}
]
]
}
},
{
"type": "tuning"
}
]
}
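Review bot: Containers started with published ports get no host port mapping from this config, because it omits the `portmap` plugin as well as `firewall`, which is broader than the "iptables firewall options" the option name suggests. Presumably that is deliberate since portmap also needs the same packet-filter tooling, but the consequence should be stated in the option's help text or the package description; as it stands, the only hint is the difference between the two conflist files. Otherwise the bridge, ipam and tuning sections are identical to the iptables variant, so a user comparing them will see only the missing plugins and no explanation.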
