nixpkgs/nixos/tests/oci-containers.nix

{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
}:

let

  inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;

  mkOCITest = backend: makeTest {
    name = "oci-containers-${backend}";

    meta.maintainers = lib.teams.serokell.members
                       ++ (with lib.maintainers; [ benley ]);

    nodes = {
      ${backend} = { pkgs, ... }: {
        virtualisation.oci-containers = {
          inherit backend;
          containers.nginx = {
            image = "nginx-container";
            imageStream = pkgs.dockerTools.examples.nginxStream;
            ports = ["8181:80"];
            capAdd = {
              CAP_AUDIT_READ = true;
            };
            capDrop = {
              CAP_AUDIT_WRITE = true;
            };
            privileged = false;
            devices = [
              "/dev/random:/dev/random"
            ];
          };
        };

        # Stop systemd from killing remaining processes if ExecStop script
        # doesn't work, so that proper stopping can be tested.
        systemd.services."${backend}-nginx".serviceConfig.KillSignal = "SIGCONT";
      };
    };

    testScript = ''
      import json

      start_all()
      ${backend}.wait_for_unit("${backend}-nginx.service")
      ${backend}.wait_for_open_port(8181)
      ${backend}.wait_until_succeeds("curl -f http://localhost:8181 | grep Hello")
      output = json.loads(${backend}.succeed("${backend} inspect nginx --format json").strip())[0]
      ${backend}.succeed("systemctl stop ${backend}-nginx.service", timeout=10)
      assert output['HostConfig']['CapAdd'] == ["CAP_AUDIT_READ"]
      assert output['HostConfig']['CapDrop'] == ${if backend == "docker" then "[\"CAP_AUDIT_WRITE\"]" else "[]"} # Rootless podman runs with no capabilities so it cannot drop them
      assert output['HostConfig']['Privileged'] == False
      assert output['HostConfig']['Devices'] == [{'PathOnHost': '/dev/random', 'PathInContainer': '/dev/random', 'CgroupPermissions': '${if backend == "docker" then "rwm" else ""}'}]
    '';
  };

in
lib.foldl' (attrs: backend: attrs // { ${backend} = mkOCITest backend; }) {} [
  "docker"
  "podman"
]
nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00			`{ system ? builtins.currentSystem`
			`, config ? {}`
			`, pkgs ? import ../.. { inherit system config; }`
			`, lib ? pkgs.lib`
			`}:`

			`let`

			`inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;`

			`mkOCITest = backend: makeTest {`
			`name = "oci-containers-${backend}";`

nixos/tests/oci-containers.nix: get rid of `with lib` 2023-04-30 14:26:18 +00:00			`meta.maintainers = lib.teams.serokell.members`
mkaito: Remove 2024-11-13 11:56:11 +00:00			`++ (with lib.maintainers; [ benley ]);`
nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00
			`nodes = {`
			`${backend} = { pkgs, ... }: {`
			`virtualisation.oci-containers = {`
			`inherit backend;`
			`containers.nginx = {`
			`image = "nginx-container";`
virtualisation.oci-containers: Add new `imageStream` option (#335430) This adds a new `imageStream` option that can be used in conjunction with `pkgs.dockerTools.streamLayeredImage` so that the image archive never needs to be materialized in the `/nix/store`. This greatly improves the disk utilization for systems that use container images built using Nix because they only need to store image layers instead of the full image. Additionally, when deploying the new system and only new layers need to be built/copied. 2024-08-24 02:38:27 +00:00			`imageStream = pkgs.dockerTools.examples.nginxStream;`
nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00			`ports = ["8181:80"];`
nixos/modules/virtualisation: additional configuration options (#349537) oci-containers: additional configuration options 2024-12-05 17:48:41 +00:00			`capAdd = {`
			`CAP_AUDIT_READ = true;`
			`};`
			`capDrop = {`
			`CAP_AUDIT_WRITE = true;`
			`};`
			`privileged = false;`
			`devices = [`
			`"/dev/random:/dev/random"`
			`];`
nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00			`};`
			`};`
nixos/oci-containers: stop container using backend Make systemd actually call `podman stop` when stopping a container unit. Fixes #249332 2023-08-10 08:24:26 +00:00
			`# Stop systemd from killing remaining processes if ExecStop script`
			`# doesn't work, so that proper stopping can be tested.`
			`systemd.services."${backend}-nginx".serviceConfig.KillSignal = "SIGCONT";`
nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00			`};`
			`};`

			`testScript = ''`
nixos/modules/virtualisation: additional configuration options (#349537) oci-containers: additional configuration options 2024-12-05 17:48:41 +00:00			`import json`

nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00			`start_all()`
			`${backend}.wait_for_unit("${backend}-nginx.service")`
			`${backend}.wait_for_open_port(8181)`
nixos/tests/oci-containers: Use curl --fail 2020-09-16 15:31:34 +00:00			`${backend}.wait_until_succeeds("curl -f http://localhost:8181 \| grep Hello")`
nixos/modules/virtualisation: additional configuration options (#349537) oci-containers: additional configuration options 2024-12-05 17:48:41 +00:00			`output = json.loads(${backend}.succeed("${backend} inspect nginx --format json").strip())[0]`
nixos/oci-containers: stop container using backend Make systemd actually call `podman stop` when stopping a container unit. Fixes #249332 2023-08-10 08:24:26 +00:00			`${backend}.succeed("systemctl stop ${backend}-nginx.service", timeout=10)`
nixos/modules/virtualisation: additional configuration options (#349537) oci-containers: additional configuration options 2024-12-05 17:48:41 +00:00			`assert output['HostConfig']['CapAdd'] == ["CAP_AUDIT_READ"]`
			`assert output['HostConfig']['CapDrop'] == ${if backend == "docker" then "[\"CAP_AUDIT_WRITE\"]" else "[]"} # Rootless podman runs with no capabilities so it cannot drop them`
			`assert output['HostConfig']['Privileged'] == False`
			`assert output['HostConfig']['Devices'] == [{'PathOnHost': '/dev/random', 'PathInContainer': '/dev/random', 'CgroupPermissions': '${if backend == "docker" then "rwm" else ""}'}]`
nixos/docker-containers: Rename to virtualisation.oci-containers.containers. And allow the runtime to be configurable via the `virtualisation.oci-containers.backend` option. Valid choices are "podman" and "docker". 2020-04-20 11:31:07 +00:00			`'';`
			`};`

			`in`
			`lib.foldl' (attrs: backend: attrs // { ${backend} = mkOCITest backend; }) {} [`
			`"docker"`
			`"podman"`
			`]`