mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-22 05:56:15 +02:00
Add tests for auto-uid-allocation, uid-range and cgroups
This commit is contained in:
parent
2aa3f2e810
commit
f1b5c6876b
4 changed files with 157 additions and 0 deletions
|
@ -506,6 +506,12 @@
|
||||||
overlay = self.overlays.default;
|
overlay = self.overlays.default;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
tests.containers = (import ./tests/containers.nix rec {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
inherit nixpkgs;
|
||||||
|
overlay = self.overlays.default;
|
||||||
|
});
|
||||||
|
|
||||||
tests.setuid = nixpkgs.lib.genAttrs
|
tests.setuid = nixpkgs.lib.genAttrs
|
||||||
["i686-linux" "x86_64-linux"]
|
["i686-linux" "x86_64-linux"]
|
||||||
(system:
|
(system:
|
||||||
|
|
68
tests/containers.nix
Normal file
68
tests/containers.nix
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
# Test whether we can run a NixOS container inside a Nix build using systemd-nspawn.
|
||||||
|
{ nixpkgs, system, overlay }:
|
||||||
|
|
||||||
|
with import (nixpkgs + "/nixos/lib/testing-python.nix") {
|
||||||
|
inherit system;
|
||||||
|
extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
|
||||||
|
};
|
||||||
|
|
||||||
|
makeTest ({
|
||||||
|
name = "containers";
|
||||||
|
|
||||||
|
nodes =
|
||||||
|
{
|
||||||
|
host =
|
||||||
|
{ config, lib, pkgs, nodes, ... }:
|
||||||
|
{ virtualisation.writableStore = true;
|
||||||
|
virtualisation.diskSize = 2048;
|
||||||
|
virtualisation.additionalPaths =
|
||||||
|
[ pkgs.stdenv
|
||||||
|
(import ./systemd-nspawn.nix { inherit nixpkgs; }).toplevel
|
||||||
|
];
|
||||||
|
virtualisation.memorySize = 4096;
|
||||||
|
nix.binaryCaches = lib.mkForce [ ];
|
||||||
|
nix.extraOptions =
|
||||||
|
''
|
||||||
|
extra-experimental-features = nix-command auto-allocate-uids
|
||||||
|
extra-system-features = uid-range
|
||||||
|
'';
|
||||||
|
nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = { nodes }: ''
|
||||||
|
start_all()
|
||||||
|
|
||||||
|
host.succeed("nix --version >&2")
|
||||||
|
|
||||||
|
# Test that 'id' gives the expected result in various configurations.
|
||||||
|
|
||||||
|
# Existing UIDs, sandbox.
|
||||||
|
host.succeed("nix build --no-auto-allocate-uids --sandbox -L --offline --impure --file ${./id-test.nix} --argstr name id-test-1")
|
||||||
|
host.succeed("[[ $(cat ./result) = 'uid=1000(nixbld) gid=100(nixbld) groups=100(nixbld)' ]]")
|
||||||
|
|
||||||
|
# Existing UIDs, no sandbox.
|
||||||
|
host.succeed("nix build --no-auto-allocate-uids --no-sandbox -L --offline --impure --file ${./id-test.nix} --argstr name id-test-2")
|
||||||
|
host.succeed("[[ $(cat ./result) = 'uid=30001(nixbld1) gid=30000(nixbld) groups=30000(nixbld)' ]]")
|
||||||
|
|
||||||
|
# Auto-allocated UIDs, sandbox.
|
||||||
|
host.succeed("nix build --auto-allocate-uids --sandbox -L --offline --impure --file ${./id-test.nix} --argstr name id-test-3")
|
||||||
|
host.succeed("[[ $(cat ./result) = 'uid=1000(nixbld) gid=100(nixbld) groups=100(nixbld)' ]]")
|
||||||
|
|
||||||
|
# Auto-allocated UIDs, no sandbox.
|
||||||
|
host.succeed("nix build --auto-allocate-uids --no-sandbox -L --offline --impure --file ${./id-test.nix} --argstr name id-test-4")
|
||||||
|
host.succeed("[[ $(cat ./result) = 'uid=872415232 gid=30000(nixbld) groups=30000(nixbld)' ]]")
|
||||||
|
|
||||||
|
# Auto-allocated UIDs, UID range, sandbox.
|
||||||
|
host.succeed("nix build --auto-allocate-uids --sandbox -L --offline --impure --file ${./id-test.nix} --argstr name id-test-5 --arg uidRange true")
|
||||||
|
host.succeed("[[ $(cat ./result) = 'uid=0(root) gid=0(root) groups=0(root)' ]]")
|
||||||
|
|
||||||
|
# Auto-allocated UIDs, UID range, no sandbox.
|
||||||
|
host.fail("nix build --auto-allocate-uids --no-sandbox -L --offline --impure --file ${./id-test.nix} --argstr name id-test-6 --arg uidRange true")
|
||||||
|
|
||||||
|
# Run systemd-nspawn in a Nix build.
|
||||||
|
host.succeed("nix build --auto-allocate-uids --sandbox -L --offline --impure --file ${./systemd-nspawn.nix} --argstr nixpkgs ${nixpkgs}")
|
||||||
|
host.succeed("[[ $(cat ./result/msg) = 'Hello World' ]]")
|
||||||
|
'';
|
||||||
|
|
||||||
|
})
|
8
tests/id-test.nix
Normal file
8
tests/id-test.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{ name, uidRange ? false }:
|
||||||
|
|
||||||
|
with import <nixpkgs> {};
|
||||||
|
|
||||||
|
runCommand name
|
||||||
|
{ requiredSystemFeatures = if uidRange then ["uid-range"] else [];
|
||||||
|
}
|
||||||
|
"id; id > $out"
|
75
tests/systemd-nspawn.nix
Normal file
75
tests/systemd-nspawn.nix
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
{ nixpkgs }:
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
machine = { config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
system.stateVersion = "22.05";
|
||||||
|
boot.isContainer = true;
|
||||||
|
systemd.services.console-getty.enable = false;
|
||||||
|
networking.dhcpcd.enable = false;
|
||||||
|
|
||||||
|
services.httpd = {
|
||||||
|
enable = true;
|
||||||
|
adminAddr = "nixos@example.org";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.test = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "httpd.service" ];
|
||||||
|
script = ''
|
||||||
|
source /.env
|
||||||
|
echo "Hello World" > $out/msg
|
||||||
|
ls -lR /dev > $out/dev
|
||||||
|
${pkgs.curl}/bin/curl -sS --fail http://localhost/ > $out/page.html
|
||||||
|
'';
|
||||||
|
unitConfig = {
|
||||||
|
FailureAction = "exit-force";
|
||||||
|
FailureActionExitStatus = 42;
|
||||||
|
SuccessAction = "exit-force";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = (import (nixpkgs + "/nixos/lib/eval-config.nix") {
|
||||||
|
modules = [ machine ];
|
||||||
|
}).config;
|
||||||
|
|
||||||
|
in
|
||||||
|
|
||||||
|
with import nixpkgs {};
|
||||||
|
|
||||||
|
runCommand "test"
|
||||||
|
{ buildInputs = [ config.system.path ];
|
||||||
|
requiredSystemFeatures = [ "uid-range" ];
|
||||||
|
toplevel = config.system.build.toplevel;
|
||||||
|
}
|
||||||
|
''
|
||||||
|
root=$(pwd)/root
|
||||||
|
mkdir -p $root $root/etc
|
||||||
|
|
||||||
|
export > $root/.env
|
||||||
|
|
||||||
|
# Make /run a tmpfs to shut up a systemd warning.
|
||||||
|
mkdir /run
|
||||||
|
mount -t tmpfs none /run
|
||||||
|
chmod 0700 /run
|
||||||
|
|
||||||
|
mount -t cgroup2 none /sys/fs/cgroup
|
||||||
|
|
||||||
|
mkdir -p $out
|
||||||
|
|
||||||
|
touch /etc/os-release
|
||||||
|
echo a5ea3f98dedc0278b6f3cc8c37eeaeac > /etc/machine-id
|
||||||
|
|
||||||
|
SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=1 \
|
||||||
|
${config.systemd.package}/bin/systemd-nspawn \
|
||||||
|
--keep-unit \
|
||||||
|
-M ${config.networking.hostName} -D "$root" \
|
||||||
|
--register=no \
|
||||||
|
--resolv-conf=off \
|
||||||
|
--bind-ro=/nix/store \
|
||||||
|
--bind=$out \
|
||||||
|
--private-network \
|
||||||
|
$toplevel/init
|
||||||
|
''
|
Loading…
Reference in a new issue