author | Marek Mahut <marek.mahut@gmail.com> | 2019-08-23 08:00:35 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-23 08:00:35 +0200 |
commit | 27acea73b80d22af43b2d0d64dc84e40c3beb991 (patch) | |
tree | e0c3ac19651d08b486d965993fe59cc1d9438460 /nixos/tests | |
parent | dfc6d580bcc76f92a7ef2ab502a18ea4251594c2 (diff) | |
parent | 7e7fc6471e86cbc167255d56d84e2cbb8b0365ab (diff) | |
Merge pull request #67130 from uvNikita/containers/unprivileged
nixos/containers: add unprivileged option
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/containers-unprivileged.nix | 56 |
2 files changed, 57 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index b6930cc3a706..3ac3d683b535 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -48,6 +48,7 @@ in
 colord = handleTest ./colord.nix {};
 containers-bridge = handleTest ./containers-bridge.nix {};
 containers-ephemeral = handleTest ./containers-ephemeral.nix {};
+ containers-unprivileged = handleTest ./containers-unprivileged.nix {};
 containers-extra_veth = handleTest ./containers-extra_veth.nix {};
 containers-hosts = handleTest ./containers-hosts.nix {};
 containers-imperative = handleTest ./containers-imperative.nix {};
diff --git a/nixos/tests/containers-unprivileged.nix b/nixos/tests/containers-unprivileged.nix
new file mode 100644
index 000000000000..2db6b7e4f022
--- /dev/null
+++ b/nixos/tests/containers-unprivileged.nix
@@ -0,0 +1,56 @@
+# Test for NixOS' container support.
+
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "containers-unprivileged";
+
+ machine = { pkgs, ... }: {
+ virtualisation.memorySize = 768;
+ virtualisation.writableStore = true;
+
+ containers.webserver = {
+ unprivileged = true;
+ privateNetwork = true;
+ hostAddress = "10.231.136.1";
+ localAddress = "10.231.136.2";
+ config = {
+ services.nginx = {
+ enable = true;
+ virtualHosts.localhost = {
+ root = (pkgs.runCommand "localhost" {} ''
+ mkdir "$out"
+ echo hello world > "$out/index.html"
+ '');
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+ };
+ };
+
+ testScript = ''
+ $machine->succeed("nixos-container list") =~ /webserver/ or die;
+
+ # Start the webserver container.
+ $machine->succeed("nixos-container start webserver");
+
+ my $ip = $machine->succeed("nixos-container show-ip webserver");
+ chomp $ip;
+ $machine->succeed("ping -n -c1 $ip");
+
+ # Check that container root folder is owned by a new private user
+ $machine->succeed('test $(stat -c "%U" /var/lib/containers/webserver) == "vu-webserver-0"');
+
+ # Check that webserver is working before reload
+ $machine->succeed("curl --fail http://$ip/ > /dev/null");
+
+ # Reload container
+ $machine->succeed('systemctl reload container@webserver');
+
+ # Check that webserver is working after reload
+ $machine->succeed("curl --fail http://$ip/ > /dev/null");
+
+ # Stop the container.
+ $machine->succeed("nixos-container stop webserver");
+ $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
+ '';
+}) |
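Review bot: The `stat -c "%U"` check proves the container's root directory got the shifted owner, but nothing in the script checks that the workload inside the container actually runs under that mapping rather than as host uid 0, which is the property `unprivileged = true` is meant to deliver. Container processes are visible from the host, so a cheap assertion after the first curl is `$machine->fail("ps -o uid= -C nginx | grep -qw 0");` (no nginx process may show up as host root), and repeating it after the reload would confirm the mapping survives `systemctl reload`. The `test ... == ...` comparison on the stat line is a bash extension; `=` is the portable spelling and avoids a spurious failure if the backdoor shell used by `succeed` is ever not bash, which I cannot tell from here. The literal `vu-webserver-0` couples the test to the module's user-naming scheme, so a comment such as `# vu-webserver-0 is the private user the containers module allocates for this container; keep in sync with the module` would save the next reader a search when that scheme changes. The whole new test file is within this hunk.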