nixos/tests/dockerTools: add test for running non-root containers with buildLayeredImage

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
This commit is contained in:
Johan Thomsen 2020-07-30 17:18:41 +02:00
parent 9f86685cc7
commit f5db415e2f
2 changed files with 46 additions and 0 deletions

View File

@ -79,6 +79,16 @@ import ./make-test-python.nix ({ pkgs, ... }: {
"docker rmi ${examples.nix.imageName}",
)
with subtest(
"Ensure (layered) nix store has correct permissions "
"and that the container starts when its process does not have uid 0"
):
docker.succeed(
"docker load --input='${examples.bashLayeredWithUser}'",
"docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 555 == $(stat --format=%a /nix) && test 555 == $(stat --format=%a /nix/store)'",
"docker rmi ${examples.bashLayeredWithUser.imageName}",
)
with subtest("The nix binary symlinks are intact"):
docker.succeed(
"docker load --input='${examples.nix}'",

View File

@ -382,4 +382,40 @@ rec {
contents = pkgs.bashInteractive;
};
# buildLayeredImage with non-root user
bashLayeredWithUser =
let
nonRootShadowSetup = { user, uid, gid ? uid }: with pkgs; [
(
writeTextDir "etc/shadow" ''
root:!x:::::::
${user}:!:::::::
''
)
(
writeTextDir "etc/passwd" ''
root:x:0:0::/root:${runtimeShell}
${user}:x:${toString uid}:${toString gid}::/home/${user}:
''
)
(
writeTextDir "etc/group" ''
root:x:0:
${user}:x:${toString gid}:
''
)
(
writeTextDir "etc/gshadow" ''
root:x::
${user}:x::
''
)
];
in
pkgs.dockerTools.buildLayeredImage {
name = "bash-layered-with-user";
tag = "latest";
contents = [ pkgs.bash pkgs.coreutils (nonRootShadowSetup { uid = 999; user = "somebody"; }) ];
};
}