nixpkgs/nixos/tests/containers-imperative.nix

# Test for NixOS' container support.

import ./make-test-python.nix ({ pkgs, ...} : {
  name = "containers-imperative";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ aristid aszlig eelco kampfschlaefer ];
  };

  machine =
    { config, pkgs, lib, ... }:
    { imports = [ ../modules/installer/cd-dvd/channel.nix ];

      # XXX: Sandbox setup fails while trying to hardlink files from the host's
      #      store file system into the prepared chroot directory.
      nix.useSandbox = false;
      nix.binaryCaches = []; # don't try to access cache.nixos.org

      virtualisation.writableStore = true;
      virtualisation.memorySize = 1024;
      # Make sure we always have all the required dependencies for creating a
      # container available within the VM, because we don't have network access.
      virtualisation.pathsInNixDB = let
        emptyContainer = import ../lib/eval-config.nix {
          inherit (config.nixpkgs.localSystem) system;
          modules = lib.singleton {
            containers.foo.config = {
              system.stateVersion = "18.03";
            };
          };
        };
      in with pkgs; [
        stdenv stdenvNoCC emptyContainer.config.containers.foo.path
        libxslt desktop-file-utils texinfo docbook5 libxml2
        docbook_xsl_ns xorg.lndir documentation-highlighter
      ];
    };

  testScript = let
      tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
        {
          systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
          systemd.services.foo = {
            serviceConfig.Type = "oneshot";
            script = "ls -al /foo";
            wantedBy = [ "multi-user.target" ];
          };
        }
      '';
      brokenCfg = pkgs.writeText "broken.nix" ''
        {
          assertions = [
            { assertion = false;
              message = "I never evaluate";
            }
          ];
        }
      '';
    in ''
      with subtest("Make sure we have a NixOS tree (required by ‘nixos-container create’)"):
          machine.succeed("PAGER=cat nix-env -qa -A nixos.hello >&2")

      id1, id2 = None, None

      with subtest("Create some containers imperatively"):
          id1 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip()
          machine.log(f"created container {id1}")

          id2 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip()
          machine.log(f"created container {id2}")

          assert id1 != id2

      with subtest(f"Put the root of {id2} into a bind mount"):
          machine.succeed(
              f"mv /var/lib/containers/{id2} /id2-bindmount",
              f"mount --bind /id2-bindmount /var/lib/containers/{id1}",
          )

          ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip()
          ip2 = machine.succeed(f"nixos-container show-ip {id2}").rstrip()
          assert ip1 != ip2

      with subtest(
          "Create a directory and a file we can later check if it still exists "
          + "after destruction of the container"
      ):
          machine.succeed("mkdir /nested-bindmount")
          machine.succeed("echo important data > /nested-bindmount/dummy")

      with subtest(
          "Create a directory with a dummy file and bind-mount it into both containers."
      ):
          for id in id1, id2:
              important_path = f"/var/lib/containers/{id}/very/important/data"
              machine.succeed(
                  f"mkdir -p {important_path}",
                  f"mount --bind /nested-bindmount {important_path}",
              )

      with subtest("Start one of them"):
          machine.succeed(f"nixos-container start {id1}")

      with subtest("Execute commands via the root shell"):
          assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname")

      with subtest("Execute a nix command via the root shell. (regression test for #40355)"):
          machine.succeed(
              f"nixos-container run {id1} -- nix-instantiate -E "
              + '\'derivation { name = "empty"; builder = "false"; system = "false"; }\' '
          )

      with subtest("Stop and start (regression test for #4989)"):
          machine.succeed(f"nixos-container stop {id1}")
          machine.succeed(f"nixos-container start {id1}")

      with subtest("tmpfiles are present"):
          machine.log("creating container tmpfiles")
          machine.succeed(
              "nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}"
          )
          machine.log("created, starting…")
          machine.succeed("nixos-container start tmpfiles")
          machine.log("done starting, investigating…")
          machine.succeed(
              "echo $(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;"
          )
          machine.succeed("nixos-container destroy tmpfiles")

      with subtest("Execute commands via the root shell"):
          assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname")

      with subtest("Destroy the containers"):
          for id in id1, id2:
              machine.succeed(f"nixos-container destroy {id}")

      with subtest("Check whether destruction of any container has killed important data"):
          machine.succeed("grep -qF 'important data' /nested-bindmount/dummy")

      with subtest("Ensure that the container path is gone"):
          print(machine.succeed("ls -lsa /var/lib/containers"))
          machine.succeed(f"test ! -e /var/lib/containers/{id1}")

      with subtest("Ensure that a failed container creation doesn'leave any state"):
          machine.fail(
              "nixos-container create b0rk --config-file ${brokenCfg}"
          )
          machine.succeed(f"test ! -e /var/lib/containers/b0rk")
    '';
})
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								# Test for NixOS' container support.
-												nixos/containers-imperative: Port test to python

											
										
										
											2019-11-26 09:11:30 +01:00
+								import ./make-test-python.nix ({ pkgs, ...} : {
-												containers tests: Distinguish declarative and imperative containers

											
										
										
											2016-03-18 15:29:45 +01:00
+								  name = "containers-imperative";
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								  meta = with pkgs.stdenv.lib.maintainers; {
-												Remove myself as maintainer from packages

I'm currently not maintaining any packages.

											
										
										
											2019-02-22 16:14:13 +01:00
+								    maintainers = [ aristid aszlig eelco kampfschlaefer ];
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								  };
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
 								  machine =
-												nixos/tests/containers: Remove unused module arg

Just removing the system argument because it doesn't exist (it's
actually config.nixpkgs.system, which we're already using). We won't get
an error anyway if we're not actually using it, so this is just an
aesthetics fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2016-05-04 20:44:55 +02:00
+								    { config, pkgs, lib, ... }:
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    { imports = [ ../modules/installer/cd-dvd/channel.nix ];
-												tests/containers-imperative: Disable useSandbox

Since 4f6df27aee0a3f620d65280c7b6644d5cce094ae, nix.useSandbox defaults
to true which causes the Nix build within the containers-imperative test
to fail while trying to hardlink files into the chroot:

link("/nix/store/foo", "/nix/store/bar.drv.chroot/nix/store/foo")
   = -1 EPERM (Operation not permitted)

The reason this happens is that the hosts store is mounted using 9p and
an overlayfs is mounted on top, so even if we would disable the tmpfs
for the upper directory the hardlink would still cross filesystem
boundaries, which then fails with the above error code.

I haven't yet seen any other test which fails in a similar way, which
might be because building within VM tests is not very common and the
installer tests build in a separate store, so they're not affected.

Signed-off-by: aszlig <aszlig@nix.build>
Issue: https://github.com/NixOS/nix/issues/2324
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer

											
										
										
											2018-08-02 05:32:39 +02:00
 								      # XXX: Sandbox setup fails while trying to hardlink files from the host's
 								      #      store file system into the prepared chroot directory.
 								      nix.useSandbox = false;
-												nixos/tests/containers-imperative: fix on i686 (#46874)

Test failed on i686 in a sandbox because some packages required
to build the nixos manual for the container were missing. Add them.
											
										
										
											2018-09-19 16:19:31 +02:00
+								      nix.binaryCaches = []; # don't try to access cache.nixos.org
-												tests/containers-imperative: Disable useSandbox

Since 4f6df27aee0a3f620d65280c7b6644d5cce094ae, nix.useSandbox defaults
to true which causes the Nix build within the containers-imperative test
to fail while trying to hardlink files into the chroot:

link("/nix/store/foo", "/nix/store/bar.drv.chroot/nix/store/foo")
   = -1 EPERM (Operation not permitted)

The reason this happens is that the hosts store is mounted using 9p and
an overlayfs is mounted on top, so even if we would disable the tmpfs
for the upper directory the hardlink would still cross filesystem
boundaries, which then fails with the above error code.

I haven't yet seen any other test which fails in a similar way, which
might be because building within VM tests is not very common and the
installer tests build in a separate store, so they're not affected.

Signed-off-by: aszlig <aszlig@nix.build>
Issue: https://github.com/NixOS/nix/issues/2324
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer

											
										
										
											2018-08-02 05:32:39 +02:00
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								      virtualisation.writableStore = true;
-												nixos.tests.containers-imperative: increase VM memory

Apparently merging #43021 1bdb1387103 did increase memory usage
in some cases.  1 GiB for a VM memory seems still low enough to me.

											
										
										
											2018-07-06 15:55:33 +02:00
+								      virtualisation.memorySize = 1024;
-												nixos/tests/containers-imperative: Fix test

Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra

											
										
										
											2016-05-04 19:53:43 +02:00
+								      # Make sure we always have all the required dependencies for creating a
 								      # container available within the VM, because we don't have network access.
 								      virtualisation.pathsInNixDB = let
 								        emptyContainer = import ../lib/eval-config.nix {
-												nixos/tests/containers-imperative: Fix eval

The commit c6f7d4367894047592cc412740f0c1f5b2ca2b59 changed the system
attribute to be below config.nixpkgs.localSystem, but the test still
uses the old attribute.

I have not tested whether the test actually succeeds but just checked
whether evaluation works and it evaluates successfully now.

Signed-off-by: aszlig <aszlig@nix.build>

											
										
										
											2018-04-20 12:22:40 +02:00
+								          inherit (config.nixpkgs.localSystem) system;
-												nixos/tests/containers-imperative: Fix test

Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra

											
										
										
											2016-05-04 19:53:43 +02:00
+								          modules = lib.singleton {
-												nixos/tests: prevent stateVersion warnings in eval

... introduced by 1f0b6922d3c
continuation of 88fa50c2f2bbc472fe7169eac8f2a1b2312ef03b

											
										
										
											2018-05-15 00:18:49 +02:00
+								            containers.foo.config = {
-												Revert "nixos: rename system.{stateVersion,defaultChannel} -> system.nixos.\1"

This reverts commit 095fe5b43def40279a243e663c662b02caac5318.

Pointless renames considered harmful. All they do is force people to
spend extra work updating their configs for no benefit, and hindering
the ability to switch between unstable and stable versions of NixOS.

Like, what was the value of having the "nixos." there? I mean, by
definition anything in a NixOS module has something to do with NixOS...

											
										
										
											2018-07-25 23:22:54 +03:00
+								              system.stateVersion = "18.03";
-												nixos/tests: prevent stateVersion warnings in eval

... introduced by 1f0b6922d3c
continuation of 88fa50c2f2bbc472fe7169eac8f2a1b2312ef03b

											
										
										
											2018-05-15 00:18:49 +02:00
+								            };
-												nixos/tests/containers-imperative: Fix test

Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra

											
										
										
											2016-05-04 19:53:43 +02:00
+								          };
 								        };
-												nixos/tests/containers-imperative: fix on i686 (#46874)

Test failed on i686 in a sandbox because some packages required
to build the nixos manual for the container were missing. Add them.
											
										
										
											2018-09-19 16:19:31 +02:00
+								      in with pkgs; [
 								        stdenv stdenvNoCC emptyContainer.config.containers.foo.path
 								        libxslt desktop-file-utils texinfo docbook5 libxml2
 								        docbook_xsl_ns xorg.lndir documentation-highlighter
-												tests/containers-imperative: Include stdenvNoCC

While building the container there are a few occasions where stdenvNoCC
is used underneath. During the last staging merge, some change now tries
to build texinfo during the test while building stdenvNoCC.

With this change, I'm adding stdenvNoCC to the closure to make sure that
even when we have future stdenv changes, it doesn't break (well, except
if we do have another variation like stdenvNoCC that overrides stdenv).

I haven't bisected the exact change, but I'd suspect that it could be
one of the commits in #39457.

This fixes the test and it no longer fails with the following error:

error: unable to download 'http://ftpmirror.gnu.org/texinfo/texinfo-6.5.tar.xz': Couldn't resolve host name (6)
builder for '/nix/store/r7sf1wjbnimwgnv276jh59nfnzw40x30-texinfo-6.5.tar.xz.drv' failed with exit code 1
cannot build derivation '/nix/store/5w1pv788ayi1wahyy76i90yqv96ai4h5-texinfo-6.5.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/cnsfkf0j5xmm14zzm5a3a66pz66gbc82-stdenv-linux.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/11kkhk57ic8kfd7g197sqwgd0pzqfjhl-nixos-system-foo-0-18.09pre-git.drv': 1 dependencies couldn't be built
error: build of '/nix/store/11kkhk57ic8kfd7g197sqwgd0pzqfjhl-nixos-system-foo-0-18.09pre-git.drv' failed
/run/current-system/sw/bin/nixos-container: failed to build initial container configuration

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer

											
										
										
											2018-06-01 08:10:27 +02:00
+								      ];
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    };
-												nixosTests.containers-imperative: add tmpfiles test

(cherry picked from commit 92600a90e248aa27f2aedcce4ad309f987a390df)

											
										
										
											2019-05-11 23:33:58 +02:00
+								  testScript = let
-												nixos/containers-imperative: Port test to python

											
										
										
											2019-11-26 09:11:30 +01:00
+								      tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
 								        {
 								          systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
 								          systemd.services.foo = {
 								            serviceConfig.Type = "oneshot";
 								            script = "ls -al /foo";
 								            wantedBy = [ "multi-user.target" ];
 								          };
 								        }
 								      '';
-												nixos/nixos-container: ensure that the state-dir is cleaned up if a build fails

											
										
										
											2020-02-10 02:21:24 +01:00
+								      brokenCfg = pkgs.writeText "broken.nix" ''
 								        {
 								          assertions = [
 								            { assertion = false;
 								              message = "I never evaluate";
 								            }
 								          ];
 								        }
 								      '';
-												nixos/containers-imperative: Port test to python

											
										
										
											2019-11-26 09:11:30 +01:00
+								    in ''
 								      with subtest("Make sure we have a NixOS tree (required by ‘nixos-container create’)"):
 								          machine.succeed("PAGER=cat nix-env -qa -A nixos.hello >&2")
 								      id1, id2 = None, None
 								      with subtest("Create some containers imperatively"):
 								          id1 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip()
 								          machine.log(f"created container {id1}")
 								          id2 = machine.succeed("nixos-container create foo --ensure-unique-name").rstrip()
 								          machine.log(f"created container {id2}")
 								          assert id1 != id2
 								      with subtest(f"Put the root of {id2} into a bind mount"):
 								          machine.succeed(
 								              f"mv /var/lib/containers/{id2} /id2-bindmount",
 								              f"mount --bind /id2-bindmount /var/lib/containers/{id1}",
 								          )
 								          ip1 = machine.succeed(f"nixos-container show-ip {id1}").rstrip()
 								          ip2 = machine.succeed(f"nixos-container show-ip {id2}").rstrip()
 								          assert ip1 != ip2
 								      with subtest(
 								          "Create a directory and a file we can later check if it still exists "
 								          + "after destruction of the container"
 								      ):
 								          machine.succeed("mkdir /nested-bindmount")
 								          machine.succeed("echo important data > /nested-bindmount/dummy")
 								      with subtest(
 								          "Create a directory with a dummy file and bind-mount it into both containers."
 								      ):
 								          for id in id1, id2:
 								              important_path = f"/var/lib/containers/{id}/very/important/data"
 								              machine.succeed(
 								                  f"mkdir -p {important_path}",
 								                  f"mount --bind /nested-bindmount {important_path}",
 								              )
 								      with subtest("Start one of them"):
 								          machine.succeed(f"nixos-container start {id1}")
 								      with subtest("Execute commands via the root shell"):
 								          assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname")
 								      with subtest("Execute a nix command via the root shell. (regression test for #40355)"):
 								          machine.succeed(
 								              f"nixos-container run {id1} -- nix-instantiate -E "
 								              + '\'derivation { name = "empty"; builder = "false"; system = "false"; }\' '
 								          )
 								      with subtest("Stop and start (regression test for #4989)"):
 								          machine.succeed(f"nixos-container stop {id1}")
 								          machine.succeed(f"nixos-container start {id1}")
 								      with subtest("tmpfiles are present"):
 								          machine.log("creating container tmpfiles")
 								          machine.succeed(
 								              "nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}"
 								          )
 								          machine.log("created, starting…")
 								          machine.succeed("nixos-container start tmpfiles")
 								          machine.log("done starting, investigating…")
 								          machine.succeed(
 								              "echo $(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;"
 								          )
 								          machine.succeed("nixos-container destroy tmpfiles")
 								      with subtest("Execute commands via the root shell"):
 								          assert "Linux" in machine.succeed(f"nixos-container run {id1} -- uname")
 								      with subtest("Destroy the containers"):
 								          for id in id1, id2:
 								              machine.succeed(f"nixos-container destroy {id}")
 								      with subtest("Check whether destruction of any container has killed important data"):
 								          machine.succeed("grep -qF 'important data' /nested-bindmount/dummy")
 								      with subtest("Ensure that the container path is gone"):
 								          print(machine.succeed("ls -lsa /var/lib/containers"))
 								          machine.succeed(f"test ! -e /var/lib/containers/{id1}")
-												nixos/nixos-container: ensure that the state-dir is cleaned up if a build fails

											
										
										
											2020-02-10 02:21:24 +01:00
 								      with subtest("Ensure that a failed container creation doesn'leave any state"):
 								          machine.fail(
 								              "nixos-container create b0rk --config-file ${brokenCfg}"
 								          )
 								          machine.succeed(f"test ! -e /var/lib/containers/b0rk")
-												Add a test for NixOS containers

											
										
										
											2014-04-03 16:26:03 +02:00
+								    '';
-												all tests: added meta.maintainers section

											
										
										
											2015-07-12 12:09:40 +02:00
+								})