nixpkgs/nixos/tests/incus/container.nix


# NixOS VM test for Incus system containers.
#
# Builds a NixOS LXC image via ../../release.nix, imports it into an Incus
# daemon running inside the test VM, and then exercises container lifecycle,
# lxcfs overlays, CPU/memory limits, a virtual TPM device, the lxc-container
# systemd generator (plain, nested and privileged containers) and the
# softDaemonRestart behaviour of the incus service.
import ../make-test-python.nix (
  {
    pkgs,
    lib,
    # Extra NixOS configuration merged into the *container* image (not the
    # host VM), see `releases` below.
    extra ? { },
    name ? "incus-container",
    # Incus package under test; defaults to the LTS branch.
    incus ? pkgs.incus-lts,
    ...
  }:
  let
    # Container image built with the same configuration as a release image,
    # plus the tweaks below.
    releases = import ../../release.nix {
      configuration = lib.recursiveUpdate {
        # Building documentation makes the test unnecessarily take a longer time:
        documentation.enable = lib.mkForce false;

        # Set inside the guest so that check_sysctl (in testScript) can
        # verify that systemd-sysctl applies sysctl settings in a container.
        boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
      } extra;
    };

    # Metadata tarball and rootfs squashfs for the host platform; both are
    # passed to `incus image import` in testScript.
    container-image-metadata = "${
      releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}
    }/tarball/nixos-image-lxc-*-${pkgs.stdenv.hostPlatform.system}.tar.xz";
    container-image-rootfs = "${
      releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}
    }/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";
  in
  {
    inherit name;

    meta = {
      maintainers = lib.teams.lxc.members;
    };

    # The single test node hosts the Incus daemon and all containers.
    nodes.machine =
      { ... }:
      {
        virtualisation = {
          # Ensure test VM has enough resources for creating and managing guests
          cores = 2;
          memorySize = 1024;
          diskSize = 4096;

          incus = {
            enable = true;
            package = incus;
          };
        };
        # NOTE(review): presumably so that Incus uses its nftables firewall
        # backend rather than iptables on the host - confirm against the module.
        networking.nftables.enable = true;
      };

    testScript = # python
      ''
        # Poll helper for retry(): the instance counts as usable once systemd
        # inside it reports the system as running. retry() calls the helper with
        # an argument that is not needed here, hence the ignored parameter.
        def instance_is_up(_) -> bool:
            status, _ = machine.execute("incus exec container --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running")
            return status == 0

        # Apply an `incus config set` key/value pair to the "container" instance,
        # restart it so the new limit takes effect, and wait until it is usable
        # again. `config` is a test-controlled "key value" string.
        def set_container(config):
            machine.succeed(f"incus config set container {config}")
            machine.succeed("incus restart container")
            with machine.nested("Waiting for instance to start and be usable"):
                retry(instance_is_up)

        # Verify that systemd-sysctl ran inside `instance` and that the
        # net.ipv4.ip_forward=1 setting baked into the image was applied.
        # `sysctl` prints "net.ipv4.ip_forward = 1"; the last token is the value.
        def check_sysctl(instance):
            with subtest("systemd sysctl settings are applied"):
                machine.succeed(f"incus exec {instance} -- systemctl status systemd-sysctl")
                sysctl = machine.succeed(f"incus exec {instance} -- sysctl net.ipv4.ip_forward").strip().split(" ")[-1]
                assert "1" == sysctl, f"systemd-sysctl configuration not correctly applied, {sysctl} != 1"

        machine.wait_for_unit("incus.service")

        # no preseed should mean no service
        machine.fail("systemctl status incus-preseed.service")
        # Initialise the daemon with the minimal local configuration instead.
        machine.succeed("incus admin init --minimal")

        with subtest("Container image can be imported"):
            machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")

        with subtest("Container can be launched and managed"):
            machine.succeed("incus launch nixos container")
            with machine.nested("Waiting for instance to start and be usable"):
                retry(instance_is_up)
            # stdin is piped through to a shell inside the container
            machine.succeed("echo true | incus exec container /run/current-system/sw/bin/bash -")

        # lxcfs must provide the container-scoped views of /proc that the
        # resource-limit checks below read.
        with subtest("Container mounts lxcfs overlays"):
            machine.succeed("incus exec container mount | grep 'lxcfs on /proc/cpuinfo type fuse.lxcfs'")
            machine.succeed("incus exec container mount | grep 'lxcfs on /proc/meminfo type fuse.lxcfs'")

        with subtest("resource limits"):
            # The VM has 2 cores (see nodes.machine), so both 1 and 2 are valid limits.
            with subtest("Container CPU limits can be managed"):
                set_container("limits.cpu 1")
                cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip()
                assert cpuinfo == "1", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 1, got: {cpuinfo}"

                set_container("limits.cpu 2")
                cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip()
                assert cpuinfo == "2", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 2, got: {cpuinfo}"

            # Limits are decimal megabytes: 64MB = 64000000 B = 62500 kB, which is
            # what the lxcfs-backed /proc/meminfo reports as MemTotal.
            with subtest("Container memory limits can be managed"):
                set_container("limits.memory 64MB")
                meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip()
                meminfo_bytes = " ".join(meminfo.split(' ')[-2:])
                assert meminfo_bytes == "62500 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '62500 kB', got: '{meminfo_bytes}'"

                set_container("limits.memory 128MB")
                meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip()
                meminfo_bytes = " ".join(meminfo.split(' ')[-2:])
                assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'"

        # A tpm device is hot-added, must be visible inside the container, and
        # must disappear again once the device is removed (no stale access).
        with subtest("virtual tpm can be configured"):
            machine.succeed("incus config device add container vtpm tpm path=/dev/tpm0 pathrm=/dev/tpmrm0")
            machine.succeed("incus exec container -- test -e /dev/tpm0")
            machine.succeed("incus exec container -- test -e /dev/tpmrm0")
            machine.succeed("incus config device remove container vtpm")
            machine.fail("incus exec container -- test -e /dev/tpm0")

        # The lxc-container systemd generator adapts the guest to its
        # confinement; which artefacts it produces depends on the security.*
        # settings of the instance.
        with subtest("lxc-generator"):
            with subtest("lxc-container generator configures plain container"):
                # reuse the existing container to save some time
                machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
                check_sysctl("container")

            # With security.nesting=true the service drop-in is expected to be
            # absent and systemd-binfmt.service masked instead.
            with subtest("lxc-container generator configures nested container"):
                machine.execute("incus delete --force container")
                machine.succeed("incus launch nixos container --config security.nesting=true")
                with machine.nested("Waiting for instance to start and be usable"):
                    retry(instance_is_up)

                machine.fail("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
                # a masked unit is a symlink to /dev/null
                target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()
                assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"

                check_sysctl("container")

            # security.privileged=true drops the user-namespace isolation Incus
            # applies by default; the generator must still install its drop-in.
            with subtest("lxc-container generator configures privileged container"):
                machine.execute("incus delete --force container")
                machine.succeed("incus launch nixos container --config security.privileged=true")
                with machine.nested("Waiting for instance to start and be usable"):
                    retry(instance_is_up)

                machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")

                check_sysctl("container")

        # Stopping the daemon must not kill running instances: the container
        # init PID reported by `incus info` is still alive afterwards.
        with subtest("softDaemonRestart"):
            with subtest("Instance remains running when softDaemonRestart is enabled and services is stopped"):
                pid = machine.succeed("incus info container | grep 'PID'").split(":")[1].strip()
                machine.succeed(f"ps {pid}")
                machine.succeed("systemctl stop incus")
                machine.succeed(f"ps {pid}")
      '';
  }
)