diff options
author | zowoq <59103226+zowoq@users.noreply.github.com> | 2021-12-09 12:10:44 +1000 |
---|---|---|
committer | zowoq <59103226+zowoq@users.noreply.github.com> | 2021-12-09 13:03:16 +1000 |
commit | 79e66fce1c2b5a7de3e9a0e75b591ca9552a62ef (patch) | |
tree | ce67a92c6dee4e6a303db425d9eefccba438cbd9 /nixos/tests/podman | |
parent | ce82da442b5f66c26f71443e7567e1765953ea9d (diff) |
nixos/podman: sort files into directories
Makes codeowners, git history, etc. a bit simpler now that podman has expanded beyond the original single file module and test.
Diffstat (limited to 'nixos/tests/podman')
-rw-r--r-- | nixos/tests/podman/default.nix | 144 | ||||
-rw-r--r-- | nixos/tests/podman/dnsname.nix | 42 | ||||
-rw-r--r-- | nixos/tests/podman/tls-ghostunnel.nix | 150 |
3 files changed, 336 insertions, 0 deletions
diff --git a/nixos/tests/podman/default.nix b/nixos/tests/podman/default.nix new file mode 100644 index 0000000000000..b52a7f060ad66 --- /dev/null +++ b/nixos/tests/podman/default.nix @@ -0,0 +1,144 @@ +# This test runs podman and checks if simple container starts + +import ../make-test-python.nix ( + { pkgs, lib, ... }: { + name = "podman"; + meta = { + maintainers = lib.teams.podman.members; + }; + + nodes = { + podman = + { pkgs, ... }: + { + virtualisation.podman.enable = true; + + # To test docker socket support + virtualisation.podman.dockerSocket.enable = true; + environment.systemPackages = [ + pkgs.docker-client + ]; + + users.users.alice = { + isNormalUser = true; + home = "/home/alice"; + description = "Alice Foobar"; + extraGroups = [ "podman" ]; + }; + + users.users.mallory = { + isNormalUser = true; + home = "/home/mallory"; + description = "Mallory Foobar"; + }; + + }; + }; + + testScript = '' + import shlex + + + def su_cmd(cmd, user = "alice"): + cmd = shlex.quote(cmd) + return f"su {user} -l -c {cmd}" + + + podman.wait_for_unit("sockets.target") + start_all() + + with subtest("Run container as root with runc"): + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + podman.succeed( + "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + podman.succeed("podman ps | grep sleeping") + podman.succeed("podman stop sleeping") + podman.succeed("podman rm sleeping") + + with subtest("Run container as root with crun"): + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + podman.succeed( + "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + podman.succeed("podman ps | grep sleeping") + podman.succeed("podman stop sleeping") + podman.succeed("podman rm sleeping") + + with subtest("Run container as root with the default backend"): + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + podman.succeed( + "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + podman.succeed("podman ps | grep sleeping") + podman.succeed("podman stop sleeping") + podman.succeed("podman rm sleeping") + + # create systemd session for rootless + podman.succeed("loginctl enable-linger alice") + + with subtest("Run container rootless with runc"): + podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg")) + podman.succeed( + su_cmd( + "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + ) + podman.succeed(su_cmd("podman ps | grep sleeping")) + podman.succeed(su_cmd("podman stop sleeping")) + podman.succeed(su_cmd("podman rm sleeping")) + + with subtest("Run container rootless with crun"): + podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg")) + podman.succeed( + su_cmd( + "podman run --runtime=crun -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + ) + podman.succeed(su_cmd("podman ps | grep sleeping")) + podman.succeed(su_cmd("podman stop sleeping")) + podman.succeed(su_cmd("podman rm sleeping")) + + with subtest("Run container rootless with the default backend"): + podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg")) + podman.succeed( + su_cmd( + "podman run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + ) + podman.succeed(su_cmd("podman ps | grep sleeping")) + podman.succeed(su_cmd("podman stop sleeping")) + podman.succeed(su_cmd("podman rm sleeping")) + + with subtest("Run container with init"): + podman.succeed( + "tar cv -C ${pkgs.pkgsStatic.busybox} . | podman import - busybox" + ) + pid = podman.succeed("podman run --rm busybox readlink /proc/self").strip() + assert pid == "1" + pid = podman.succeed("podman run --rm --init busybox readlink /proc/self").strip() + assert pid == "2" + + with subtest("A podman member can use the docker cli"): + podman.succeed(su_cmd("docker version")) + + with subtest("Run container via docker cli"): + podman.succeed("docker network create default") + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + podman.succeed( + "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + podman.succeed("docker ps | grep sleeping") + podman.succeed("podman ps | grep sleeping") + podman.succeed("docker stop sleeping") + podman.succeed("docker rm sleeping") + podman.succeed("docker network rm default") + + with subtest("A podman non-member can not use the docker cli"): + podman.fail(su_cmd("docker version", user="mallory")) + + # TODO: add docker-compose test + + ''; + } +) diff --git a/nixos/tests/podman/dnsname.nix b/nixos/tests/podman/dnsname.nix new file mode 100644 index 0000000000000..3768ae79e0676 --- /dev/null +++ b/nixos/tests/podman/dnsname.nix @@ -0,0 +1,42 @@ +import ../make-test-python.nix ( + { pkgs, lib, ... }: + let + inherit (pkgs) writeTextDir python3 curl; + webroot = writeTextDir "index.html" "<h1>Hi</h1>"; + in + { + name = "podman-dnsname"; + meta = { + maintainers = with lib.maintainers; [ roberth ] ++ lib.teams.podman.members; + }; + + nodes = { + podman = { pkgs, ... }: { + virtualisation.podman.enable = true; + virtualisation.podman.defaultNetwork.dnsname.enable = true; + }; + }; + + testScript = '' + podman.wait_for_unit("sockets.target") + + with subtest("DNS works"): # also tests inter-container tcp routing + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + podman.succeed( + "podman run -d --name=webserver -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin -w ${webroot} scratchimg ${python3}/bin/python -m http.server 8000" + ) + podman.succeed("podman ps | grep webserver") + podman.succeed(""" + for i in `seq 0 120`; do + podman run --rm --name=client -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg ${curl}/bin/curl http://webserver:8000 >/dev/console \ + && exit 0 + sleep 0.5 + done + exit 1 + """) + podman.succeed("podman stop webserver") + podman.succeed("podman rm webserver") + + ''; + } +) diff --git a/nixos/tests/podman/tls-ghostunnel.nix b/nixos/tests/podman/tls-ghostunnel.nix new file mode 100644 index 0000000000000..c0bc47cc40b1b --- /dev/null +++ b/nixos/tests/podman/tls-ghostunnel.nix @@ -0,0 +1,150 @@ +/* + This test runs podman as a backend for the Docker CLI. + */ +import ../make-test-python.nix ( + { pkgs, lib, ... }: + + let gen-ca = pkgs.writeScript "gen-ca" '' + # Create CA + PATH="${pkgs.openssl}/bin:$PATH" + openssl genrsa -out ca-key.pem 4096 + openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem + + # Create service + openssl genrsa -out podman-key.pem 4096 + openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr + echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf + echo extendedKeyUsage = serverAuth >> extfile.cnf + openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf + + # Create client + openssl genrsa -out client-key.pem 4096 + openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr + echo extendedKeyUsage = clientAuth > extfile-client.cnf + openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf + + # Create CA 2 + PATH="${pkgs.openssl}/bin:$PATH" + openssl genrsa -out ca-2-key.pem 4096 + openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem + + # Create client signed by CA 2 + openssl genrsa -out client-2-key.pem 4096 + openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr + echo extendedKeyUsage = clientAuth > extfile-client.cnf + openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf + + ''; + in + { + name = "podman-tls-ghostunnel"; + meta = { + maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ]; + }; + + nodes = { + podman = + { pkgs, ... }: + { + virtualisation.podman.enable = true; + virtualisation.podman.dockerSocket.enable = true; + virtualisation.podman.networkSocket = { + enable = true; + openFirewall = true; + server = "ghostunnel"; + tls.cert = "/root/podman-cert.pem"; + tls.key = "/root/podman-key.pem"; + tls.cacert = "/root/ca.pem"; + }; + + environment.systemPackages = [ + pkgs.docker-client + ]; + + users.users.alice = { + isNormalUser = true; + home = "/home/alice"; + description = "Alice Foobar"; + extraGroups = ["podman"]; + }; + + }; + + client = { ... }: { + environment.systemPackages = [ + # Installs the docker _client_ only + # Normally, you'd want `virtualisation.docker.enable = true;`. + pkgs.docker-client + ]; + environment.variables.DOCKER_HOST = "podman:2376"; + environment.variables.DOCKER_TLS_VERIFY = "1"; + }; + }; + + testScript = '' + import shlex + + + def su_cmd(user, cmd): + cmd = shlex.quote(cmd) + return f"su {user} -l -c {cmd}" + + def cmd(command): + print(f"+{command}") + r = os.system(command) + if r != 0: + raise Exception(f"Command {command} failed with exit code {r}") + + start_all() + cmd("${gen-ca}") + + podman.copy_from_host("ca.pem", "/root/ca.pem") + podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem") + podman.copy_from_host("podman-key.pem", "/root/podman-key.pem") + + client.copy_from_host("ca.pem", "/root/.docker/ca.pem") + # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem") + client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem") + client.copy_from_host("client-key.pem", "/root/.docker/key.pem") + + # TODO (ghostunnel): add file watchers so the restart isn't necessary + podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service") + + podman.wait_for_unit("sockets.target") + podman.wait_for_unit("ghostunnel-server-podman-socket.service") + + with subtest("Create default network"): + podman.succeed("docker network create default") + + with subtest("Root docker cli also works"): + podman.succeed("docker version") + + with subtest("A podman member can also still use the docker cli"): + podman.succeed(su_cmd("alice", "docker version")) + + with subtest("Run container remotely via docker cli"): + client.succeed("docker version") + + # via socket would be nicer + podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") + + client.succeed( + "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10" + ) + client.succeed("docker ps | grep sleeping") + podman.succeed("docker ps | grep sleeping") + client.succeed("docker stop sleeping") + client.succeed("docker rm sleeping") + + with subtest("Clients without cert will be denied"): + client.succeed("rm /root/.docker/{cert,key}.pem") + client.fail("docker version") + + with subtest("Clients with wrong cert will be denied"): + client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem") + client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem") + client.fail("docker version") + + ''; + } +) |