path: root/remote-dev/README.md
author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-19 15:16:05 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-19 15:16:05 +0100
commit: d25a79ea717d29ceb8ecc1c97c0bc4ec8cbaf4d3 (patch)
tree: 5852a6ae9d2a7d563c95e2377d28896a53b48186 /remote-dev/README.md
parent: 3c3393fd755583a4b7cb3b287df384b06bf0e4d6 (diff)
feat(remote-dev): rootless podman setup
Adds podman + helpers (crun, conmon, netavark, aardvark-dns, slirp4netns, passt) to the home-manager profile, plus rootless-sane registries.conf, storage.conf (overlay driver, kernel-native — VM kernel 5.15 supports rootless overlay since 5.13, no fuse-overlayfs needed), and policy.json. Documents host-side prerequisites in remote-dev/README.md: install uidmap, ensure subuid/subgid entries for the user, and enable cgroups v2 (systemd.unified_cgroup_hierarchy=1) so rootless resource limits work on Ubuntu 20.04.
Diffstat (limited to 'remote-dev/README.md')
-rw-r--r--  remote-dev/README.md  | 33
1 files changed, 33 insertions, 0 deletions
diff --git a/remote-dev/README.md b/remote-dev/README.md
index 2e92509..a17c913 100644
--- a/remote-dev/README.md
+++ b/remote-dev/README.md
@@ -157,6 +157,39 @@ git log --show-signature -1
PATH. The leaf-tools policy above exists precisely to keep this
shadowing contained to harmless tools.
+## Podman (rootless)
+
+Nix can't manage setuid helpers, `/etc/subuid`/`/etc/subgid`, or kernel
+cmdline. Do this once on the VM as root:
+
+```sh
+sudo apt install -y uidmap
+grep "^$USER:" /etc/subuid /etc/subgid || \
+ sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "$USER"
+```
+
+Then enable cgroups v2 (required for rootless CPU/memory limits on
+Ubuntu 20.04, which still defaults to v1):
+
+```sh
+sudo sed -i 's|^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"|GRUB_CMDLINE_LINUX_DEFAULT="\1 systemd.unified_cgroup_hierarchy=1"|' /etc/default/grub
+sudo update-grub
+sudo reboot
+```
+
+Verify after reboot:
+
+```sh
+stat -fc %T /sys/fs/cgroup/ # → cgroup2fs
+podman info | grep -E 'cgroupVersion|graphDriverName|networkBackend'
+# expected: cgroupVersion: v2, graphDriverName: overlay, networkBackend: netavark
+podman run --rm docker.io/library/alpine echo hi
+```
+
+The home-manager profile already installs `podman`, `crun`, `conmon`,
+`netavark`, `aardvark-dns`, `slirp4netns`, and `passt`, and writes
+sensible `~/.config/containers/{registries,storage,policy}.conf` files.
+
## How it's wired
`home.nix` uses `config.lib.file.mkOutOfStoreSymlink` so the symlinks
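Review bot: the subuid/subgid guard in the first `sh` block can skip the `usermod` when only one of the two files already has an entry, because `grep "^$USER:" /etc/subuid /etc/subgid` succeeds on a match in either file; check each file separately so a user with a subuid range but no subgid range is not left half-configured. In the same block, the lead-in says "as root" while the commands rely on `$USER` being the unprivileged account: if the reader actually becomes root, the range is assigned to `root`, so the text should say to run them as the normal user through `sudo`. The fixed `100000-165535` range is also the one Ubuntu's `adduser` hands to the first account created on the host, so on a VM with existing users it should be compared against `/etc/subuid` before being assigned; two users mapped onto the same host UID range lose the isolation between their rootless containers. Finally, the GRUB `sed` in the second block is not idempotent: a second run appends `systemd.unified_cgroup_hierarchy=1` again, which a `grep -q` guard on `/etc/default/grub` would avoid.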