nixpkgs/nixos/tests/containers-imperative.nix

# Test for NixOS' container support.

import ./make-test.nix ({ pkgs, ...} : {
  name = "containers-imperative";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ aristid aszlig eelco kampfschlaefer ];
  };

  machine =
    { config, pkgs, lib, ... }:
    { imports = [ ../modules/installer/cd-dvd/channel.nix ];

      # XXX: Sandbox setup fails while trying to hardlink files from the host's
      #      store file system into the prepared chroot directory.
      nix.useSandbox = false;
      nix.binaryCaches = []; # don't try to access cache.nixos.org

      virtualisation.writableStore = true;
      virtualisation.memorySize = 1024;
      # Make sure we always have all the required dependencies for creating a
      # container available within the VM, because we don't have network access.
      virtualisation.pathsInNixDB = let
        emptyContainer = import ../lib/eval-config.nix {
          inherit (config.nixpkgs.localSystem) system;
          modules = lib.singleton {
            containers.foo.config = {
              system.stateVersion = "18.03";
            };
          };
        };
      in with pkgs; [
        stdenv stdenvNoCC emptyContainer.config.containers.foo.path
        libxslt desktop-file-utils texinfo docbook5 libxml2
        docbook_xsl_ns xorg.lndir documentation-highlighter
      ];
    };

  testScript = let
    tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
      {
        systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
        systemd.services.foo = {
          serviceConfig.Type = "oneshot";
          script = "ls -al /foo";
          wantedBy = [ "multi-user.target" ];
        };
      }
    ''; in
    ''
      # Make sure we have a NixOS tree (required by ‘nixos-container create’).
      $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2");

      # Create some containers imperatively.
      my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name");
      chomp $id1;
      $machine->log("created container $id1");

      my $id2 = $machine->succeed("nixos-container create foo --ensure-unique-name");
      chomp $id2;
      $machine->log("created container $id2");

      die if $id1 eq $id2;

      # Put the root of $id2 into a bind mount.
      $machine->succeed(
        "mv /var/lib/containers/$id2 /id2-bindmount",
        "mount --bind /id2-bindmount /var/lib/containers/$id1"
      );

      my $ip1 = $machine->succeed("nixos-container show-ip $id1");
      chomp $ip1;
      my $ip2 = $machine->succeed("nixos-container show-ip $id2");
      chomp $ip2;
      die if $ip1 eq $ip2;

      # Create a directory and a file we can later check if it still exists
      # after destruction of the container.
      $machine->succeed(
        "mkdir /nested-bindmount",
        "echo important data > /nested-bindmount/dummy",
      );

      # Create a directory with a dummy file and bind-mount it into both
      # containers.
      foreach ($id1, $id2) {
        my $importantPath = "/var/lib/containers/$_/very/important/data";
        $machine->succeed(
          "mkdir -p $importantPath",
          "mount --bind /nested-bindmount $importantPath"
        );
      }

      # Start one of them.
      $machine->succeed("nixos-container start $id1");

      # Execute commands via the root shell.
      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;

      # Execute a nix command via the root shell. (regression test for #40355)
      $machine->succeed("nixos-container run $id1 -- nix-instantiate -E 'derivation { name = \"empty\"; builder = \"false\"; system = \"false\"; }'");

      # Stop and start (regression test for #4989)
      $machine->succeed("nixos-container stop $id1");
      $machine->succeed("nixos-container start $id1");

      # Ensure tmpfiles are present
      $machine->log("creating container tmpfiles");
      $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}");
      $machine->log("created, starting…");
      $machine->succeed("nixos-container start tmpfiles");
      $machine->log("done starting, investigating…");
      $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;");
      $machine->succeed("nixos-container destroy tmpfiles");

      # Execute commands via the root shell.
      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;

      # Destroy the containers.
      $machine->succeed("nixos-container destroy $id1");
      $machine->succeed("nixos-container destroy $id2");

      $machine->succeed(
        # Check whether destruction of any container has killed important data
        "grep -qF 'important data' /nested-bindmount/dummy",
        # Ensure that the container path is gone
        "test ! -e /var/lib/containers/$id1"
      );
    '';

})
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								# Test for NixOS' container support.
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								import ./make-test.nix ({ pkgs, ...} : {
-												containers tests: Distinguish declarative and imperative containers

											
										
										
											2016-03-18 15:29:45 +01:00
+								  name = "containers-imperative";
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								  meta = with pkgs.stdenv.lib.maintainers; {
-												Remove myself as maintainer from packages

I'm currently not maintaining any packages.

											
										
										
											2019-02-22 16:14:13 +01:00
+								    maintainers = [ aristid aszlig eelco kampfschlaefer ];
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								  };
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
 								  machine =
-												nixos/tests/containers: Remove unused module arg

Just removing the system argument because it doesn't exist (it's
actually config.nixpkgs.system, which we're already using). We won't get
an error anyway if we're not actually using it, so this is just an
aesthetics fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2016-05-04 20:44:55 +02:00
+								    { config, pkgs, lib, ... }:
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    { imports = [ ../modules/installer/cd-dvd/channel.nix ];
-												tests/containers-imperative: Disable useSandbox

Since 4f6df27aee0a3f620d65280c7b6644d5cce094ae, nix.useSandbox defaults
to true which causes the Nix build within the containers-imperative test
to fail while trying to hardlink files into the chroot:

link("/nix/store/foo", "/nix/store/bar.drv.chroot/nix/store/foo")
   = -1 EPERM (Operation not permitted)

The reason this happens is that the hosts store is mounted using 9p and
an overlayfs is mounted on top, so even if we would disable the tmpfs
for the upper directory the hardlink would still cross filesystem
boundaries, which then fails with the above error code.

I haven't yet seen any other test which fails in a similar way, which
might be because building within VM tests is not very common and the
installer tests build in a separate store, so they're not affected.

Signed-off-by: aszlig <aszlig@nix.build>
Issue: https://github.com/NixOS/nix/issues/2324
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer

											
										
										
											2018-08-02 05:32:39 +02:00
 								      # XXX: Sandbox setup fails while trying to hardlink files from the host's
 								      #      store file system into the prepared chroot directory.
 								      nix.useSandbox = false;
-												nixos/tests/containers-imperative: fix on i686 (#46874)

Test failed on i686 in a sandbox because some packages required
to build the nixos manual for the container were missing. Add them.
											
										
										
											2018-09-19 16:19:31 +02:00
+								      nix.binaryCaches = []; # don't try to access cache.nixos.org
-												tests/containers-imperative: Disable useSandbox

Since 4f6df27aee0a3f620d65280c7b6644d5cce094ae, nix.useSandbox defaults
to true which causes the Nix build within the containers-imperative test
to fail while trying to hardlink files into the chroot:

link("/nix/store/foo", "/nix/store/bar.drv.chroot/nix/store/foo")
   = -1 EPERM (Operation not permitted)

The reason this happens is that the hosts store is mounted using 9p and
an overlayfs is mounted on top, so even if we would disable the tmpfs
for the upper directory the hardlink would still cross filesystem
boundaries, which then fails with the above error code.

I haven't yet seen any other test which fails in a similar way, which
might be because building within VM tests is not very common and the
installer tests build in a separate store, so they're not affected.

Signed-off-by: aszlig <aszlig@nix.build>
Issue: https://github.com/NixOS/nix/issues/2324
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer

											
										
										
											2018-08-02 05:32:39 +02:00
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								      virtualisation.writableStore = true;
-												nixos.tests.containers-imperative: increase VM memory

Apparently merging #43021 1bdb1387103 did increase memory usage
in some cases.  1 GiB for a VM memory seems still low enough to me.

											
										
										
											2018-07-06 15:55:33 +02:00
+								      virtualisation.memorySize = 1024;
-												nixos/tests/containers-imperative: Fix test

Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra

											
										
										
											2016-05-04 19:53:43 +02:00
+								      # Make sure we always have all the required dependencies for creating a
 								      # container available within the VM, because we don't have network access.
 								      virtualisation.pathsInNixDB = let
 								        emptyContainer = import ../lib/eval-config.nix {
-												nixos/tests/containers-imperative: Fix eval

The commit c6f7d4367894047592cc412740f0c1f5b2ca2b59 changed the system
attribute to be below config.nixpkgs.localSystem, but the test still
uses the old attribute.

I have not tested whether the test actually succeeds but just checked
whether evaluation works and it evaluates successfully now.

Signed-off-by: aszlig <aszlig@nix.build>

											
										
										
											2018-04-20 12:22:40 +02:00
+								          inherit (config.nixpkgs.localSystem) system;
-												nixos/tests/containers-imperative: Fix test

Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra

											
										
										
											2016-05-04 19:53:43 +02:00
+								          modules = lib.singleton {
-												nixos/tests: prevent stateVersion warnings in eval

... introduced by 1f0b6922d3c
continuation of 88fa50c2f2bbc472fe7169eac8f2a1b2312ef03b

											
										
										
											2018-05-15 00:18:49 +02:00
+								            containers.foo.config = {
-												Revert "nixos: rename system.{stateVersion,defaultChannel} -> system.nixos.\1"

This reverts commit 095fe5b43def40279a243e663c662b02caac5318.

Pointless renames considered harmful. All they do is force people to
spend extra work updating their configs for no benefit, and hindering
the ability to switch between unstable and stable versions of NixOS.

Like, what was the value of having the "nixos." there? I mean, by
definition anything in a NixOS module has something to do with NixOS...

											
										
										
											2018-07-25 23:22:54 +03:00
+								              system.stateVersion = "18.03";
-												nixos/tests: prevent stateVersion warnings in eval

... introduced by 1f0b6922d3c
continuation of 88fa50c2f2bbc472fe7169eac8f2a1b2312ef03b

											
										
										
											2018-05-15 00:18:49 +02:00
+								            };
-												nixos/tests/containers-imperative: Fix test

Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra

											
										
										
											2016-05-04 19:53:43 +02:00
+								          };
 								        };
-												nixos/tests/containers-imperative: fix on i686 (#46874)

Test failed on i686 in a sandbox because some packages required
to build the nixos manual for the container were missing. Add them.
											
										
										
											2018-09-19 16:19:31 +02:00
+								      in with pkgs; [
 								        stdenv stdenvNoCC emptyContainer.config.containers.foo.path
 								        libxslt desktop-file-utils texinfo docbook5 libxml2
 								        docbook_xsl_ns xorg.lndir documentation-highlighter
-												tests/containers-imperative: Include stdenvNoCC

While building the container there are a few occasions where stdenvNoCC
is used underneath. During the last staging merge, some change now tries
to build texinfo during the test while building stdenvNoCC.

With this change, I'm adding stdenvNoCC to the closure to make sure that
even when we have future stdenv changes, it doesn't break (well, except
if we do have another variation like stdenvNoCC that overrides stdenv).

I haven't bisected the exact change, but I'd suspect that it could be
one of the commits in #39457.

This fixes the test and it no longer fails with the following error:

error: unable to download 'http://ftpmirror.gnu.org/texinfo/texinfo-6.5.tar.xz': Couldn't resolve host name (6)
builder for '/nix/store/r7sf1wjbnimwgnv276jh59nfnzw40x30-texinfo-6.5.tar.xz.drv' failed with exit code 1
cannot build derivation '/nix/store/5w1pv788ayi1wahyy76i90yqv96ai4h5-texinfo-6.5.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/cnsfkf0j5xmm14zzm5a3a66pz66gbc82-stdenv-linux.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/11kkhk57ic8kfd7g197sqwgd0pzqfjhl-nixos-system-foo-0-18.09pre-git.drv': 1 dependencies couldn't be built
error: build of '/nix/store/11kkhk57ic8kfd7g197sqwgd0pzqfjhl-nixos-system-foo-0-18.09pre-git.drv' failed
/run/current-system/sw/bin/nixos-container: failed to build initial container configuration

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer

											
										
										
											2018-06-01 08:10:27 +02:00
+								      ];
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    };
-												nixosTests.containers-imperative: add tmpfiles test

(cherry picked from commit 92600a90e248aa27f2aedcce4ad309f987a390df)

											
										
										
											2019-05-11 23:33:58 +02:00
+								  testScript = let
 								    tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
 								      {
 								        systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
 								        systemd.services.foo = {
 								          serviceConfig.Type = "oneshot";
 								          script = "ls -al /foo";
 								          wantedBy = [ "multi-user.target" ];
 								        };
 								      }
 								    ''; in
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    ''
 								      # Make sure we have a NixOS tree (required by ‘nixos-container create’).
-												Unify NixOS and Nixpkgs channel structure

This is primarily to ensure that

  -I nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz

and

  -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz

and

  -I nixpkgs=https://nixos.org/channels/nixpkgs-unstable/nixexprs.tar.xz

behave consistently.

It also allows installing packages via "nix-env -iA nixos.<pkg>"
rather than "nixos.pkgs.<pkg>". It would be even better to allow
"nixpkgs.<pkg>", but that requires a change to nix-channel.

Fixes #7659.

											
										
										
											2015-08-05 17:29:08 +02:00
+								      $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2");
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
 								      # Create some containers imperatively.
 								      my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name");
 								      chomp $id1;
 								      $machine->log("created container $id1");
 								      my $id2 = $machine->succeed("nixos-container create foo --ensure-unique-name");
 								      chomp $id2;
 								      $machine->log("created container $id2");
 								      die if $id1 eq $id2;
-												containers: Don't descend into mounts on destroy.

This tells the sad tale of @the-kenny who had bind-mounted his home
directory into a container. After doing `nixos-container destroy` he
discovered that his home directory went from "full of precious data" to
"no more data".

We want to avoid having similar sad tales in the future, so this now also
check this in the containers VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2014-09-11 18:03:45 +02:00
+								      # Put the root of $id2 into a bind mount.
 								      $machine->succeed(
 								        "mv /var/lib/containers/$id2 /id2-bindmount",
 								        "mount --bind /id2-bindmount /var/lib/containers/$id1"
 								      );
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								      my $ip1 = $machine->succeed("nixos-container show-ip $id1");
 								      chomp $ip1;
 								      my $ip2 = $machine->succeed("nixos-container show-ip $id2");
 								      chomp $ip2;
 								      die if $ip1 eq $ip2;
-												containers: Don't descend into mounts on destroy.

This tells the sad tale of @the-kenny who had bind-mounted his home
directory into a container. After doing `nixos-container destroy` he
discovered that his home directory went from "full of precious data" to
"no more data".

We want to avoid having similar sad tales in the future, so this now also
check this in the containers VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2014-09-11 18:03:45 +02:00
+								      # Create a directory and a file we can later check if it still exists
 								      # after destruction of the container.
 								      $machine->succeed(
 								        "mkdir /nested-bindmount",
 								        "echo important data > /nested-bindmount/dummy",
 								      );
 								      # Create a directory with a dummy file and bind-mount it into both
 								      # containers.
 								      foreach ($id1, $id2) {
 								        my $importantPath = "/var/lib/containers/$_/very/important/data";
 								        $machine->succeed(
 								          "mkdir -p $importantPath",
 								          "mount --bind /nested-bindmount $importantPath"
 								        );
 								      }
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								      # Start one of them.
 								      $machine->succeed("nixos-container start $id1");
 								      # Execute commands via the root shell.
-												Fix tests

Doing a =~ regexp check doesn't do anything in itself...

											
										
										
											2014-04-16 16:09:32 +02:00
+								      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
-												nixos/containers: Add regression test for #40355

											
										
										
											2018-10-05 16:13:42 +02:00
+								      # Execute a nix command via the root shell. (regression test for #40355)
 								      $machine->succeed("nixos-container run $id1 -- nix-instantiate -E 'derivation { name = \"empty\"; builder = \"false\"; system = \"false\"; }'");
-												containers: add test that stopping and starting a container works (#4989)

											
										
										
											2014-11-24 23:19:34 +01:00
+								      # Stop and start (regression test for #4989)
 								      $machine->succeed("nixos-container stop $id1");
 								      $machine->succeed("nixos-container start $id1");
-												nixosTests.containers-imperative: add tmpfiles test

(cherry picked from commit 92600a90e248aa27f2aedcce4ad309f987a390df)

											
										
										
											2019-05-11 23:33:58 +02:00
+								      # Ensure tmpfiles are present
 								      $machine->log("creating container tmpfiles");
 								      $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}");
 								      $machine->log("created, starting…");
 								      $machine->succeed("nixos-container start tmpfiles");
 								      $machine->log("done starting, investigating…");
 								      $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;");
 								      $machine->succeed("nixos-container destroy tmpfiles");
-												containers: add test that stopping and starting a container works (#4989)

											
										
										
											2014-11-24 23:19:34 +01:00
+								      # Execute commands via the root shell.
 								      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								      # Destroy the containers.
 								      $machine->succeed("nixos-container destroy $id1");
 								      $machine->succeed("nixos-container destroy $id2");
-												containers: Don't descend into mounts on destroy.

This tells the sad tale of @the-kenny who had bind-mounted his home
directory into a container. After doing `nixos-container destroy` he
discovered that his home directory went from "full of precious data" to
"no more data".

We want to avoid having similar sad tales in the future, so this now also
check this in the containers VM test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2014-09-11 18:03:45 +02:00
+								      $machine->succeed(
 								        # Check whether destruction of any container has killed important data
 								        "grep -qF 'important data' /nested-bindmount/dummy",
 								        # Ensure that the container path is gone
 								        "test ! -e /var/lib/containers/$id1"
 								      );
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    '';
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								})