nixpkgs/nixos/tests/incus/incusd-options.nix
Matteo Sozzi 389de87aed
lxc: added option for unprivileged containers.
Added extra option to enable unprivileged containers. This includes a
patch to remove the hard-coded path to `lxc-user-nic` and a new security
wrapper to set SUID to `lxc-user-nic`.
2024-08-28 09:18:23 -04:00

114 lines
3.5 KiB
Nix

# this is a set of tests for non-default options. typically the default options
# will be handled by the other tests
import ../make-test-python.nix (
{
pkgs,
lib,
incus ? pkgs.incus-lts,
...
}:
let
releases = import ../../release.nix {
configuration = {
# Building documentation makes the test unnecessarily take a longer time:
documentation.enable = lib.mkForce false;
};
};
container-image-metadata = "${
releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}
}/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";
container-image-rootfs = "${
releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}
}/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";
in
{
name = "incusd-options";
meta = {
maintainers = lib.teams.lxc.members;
};
nodes.machine = {
virtualisation = {
cores = 2;
memorySize = 1024;
diskSize = 4096;
incus = {
enable = true;
package = incus;
softDaemonRestart = false;
preseed = {
networks = [
{
name = "nixostestbr0";
type = "bridge";
config = {
"ipv4.address" = "10.0.100.1/24";
"ipv4.nat" = "true";
};
}
];
profiles = [
{
name = "default";
devices = {
eth0 = {
name = "eth0";
network = "nixostestbr0";
type = "nic";
};
root = {
path = "/";
pool = "nixostest_pool";
size = "35GiB";
type = "disk";
};
};
}
];
storage_pools = [
{
name = "nixostest_pool";
driver = "dir";
}
];
};
};
};
networking.nftables.enable = true;
};
testScript = ''
def instance_is_up(_) -> bool:
status, _ = machine.execute("incus exec container --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running")
return status == 0
machine.wait_for_unit("incus.service")
machine.wait_for_unit("incus-preseed.service")
with subtest("Container image can be imported"):
machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")
with subtest("Container can be launched and managed"):
machine.succeed("incus launch nixos container")
with machine.nested("Waiting for instance to start and be usable"):
retry(instance_is_up)
machine.succeed("echo true | incus exec container /run/current-system/sw/bin/bash -")
with subtest("Verify preseed resources created"):
machine.succeed("incus profile show default")
machine.succeed("incus network info nixostestbr0")
machine.succeed("incus storage show nixostest_pool")
with subtest("Instance is stopped when softDaemonRestart is disabled and services is stopped"):
pid = machine.succeed("incus info container | grep 'PID'").split(":")[1].strip()
machine.succeed(f"ps {pid}")
machine.succeed("systemctl stop incus")
machine.fail(f"ps {pid}")
'';
}
)