nixos/cri-o: add OCI seccomp bpf hook support

We now set the hooks dir correctly if the OCI hook is enabled. CRI-O
supports this specific hook from v1.20.0.

Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
Sascha Grunert 2021-02-04 15:01:10 +01:00
parent dc7101ddd9
commit e2b7bdd08d
No known key found for this signature in database
GPG Key ID: BEDA150F1B0AFEEC


@ -103,7 +103,10 @@ in
cgroup_manager = "systemd" cgroup_manager = "systemd"
log_level = "${cfg.logLevel}" log_level = "${cfg.logLevel}"
pinns_path = "${cfg.package}/bin/pinns" pinns_path = "${cfg.package}/bin/pinns"
hooks_dir = [] hooks_dir = [
${lib.optionalString config.virtualisation.containers.ociSeccompBpfHook.enable
''"${config.boot.kernelPackages.oci-seccomp-bpf-hook}",''}
]
${optionalString (cfg.runtime != null) '' ${optionalString (cfg.runtime != null) ''
default_runtime = "${cfg.runtime}" default_runtime = "${cfg.runtime}"
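Review bot: The new `hooks_dir` entry gives CRI-O the store path of `config.boot.kernelPackages.oci-seccomp-bpf-hook` as a directory to load OCI hooks from, and such hooks are executed on the host by the runtime rather than inside the container, yet nothing next to the list says so. A comment above it would help the next reader, for example `# OCI hooks run on the host with the runtime's privileges; entry is only added when ociSeccompBpfHook.enable is set`. The commit message says CRI-O supports this hook from v1.20.0, but `cfg.package` is not checked against that version in the visible lines, so an overridden older package would presumably accept the setting without the hook taking effect; an assertion along the lines of `lib.versionAtLeast cfg.package.version "1.20.0"` would surface that at evaluation time. The added lines also spell `lib.optionalString` where the following line uses bare `optionalString`, which is worth making consistent. The configuration string this hunk edits starts and ends outside the hunk.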