Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/atd.nix | 6 | ||||
-rw-r--r-- | nixos/tests/chromium.nix | 24 | ||||
-rw-r--r-- | nixos/tests/containers-imperative.nix | 4 | ||||
-rw-r--r-- | nixos/tests/containers-physical_interfaces.nix | 4 | ||||
-rw-r--r-- | nixos/tests/docker-tools-overlay.nix | 32 | ||||
-rw-r--r-- | nixos/tests/docker-tools.nix | 6 | ||||
-rw-r--r-- | nixos/tests/gnome3-gdm.nix | 13 | ||||
-rw-r--r-- | nixos/tests/iftop.nix | 30 | ||||
-rw-r--r-- | nixos/tests/kernel-copperhead.nix | 4 | ||||
-rw-r--r-- | nixos/tests/kubernetes/certs.nix | 71 | ||||
-rw-r--r-- | nixos/tests/kubernetes/e2e.nix | 2 | ||||
-rw-r--r-- | nixos/tests/kubernetes/rbac.nix | 4 | ||||
-rw-r--r-- | nixos/tests/misc.nix | 2 | ||||
-rw-r--r-- | nixos/tests/openldap.nix | 2 | ||||
-rw-r--r-- | nixos/tests/systemd.nix | 2 | ||||
-rw-r--r-- | nixos/tests/transmission.nix | 21 |
16 files changed, 183 insertions, 44 deletions
diff --git a/nixos/tests/atd.nix b/nixos/tests/atd.nix index c2c0a716e0de..5260c8ddfb82 100644 --- a/nixos/tests/atd.nix +++ b/nixos/tests/atd.nix @@ -17,20 +17,14 @@ import ./make-test.nix ({ pkgs, lib, ... }: startAll; $machine->fail("test -f ~root/at-1"); - $machine->fail("test -f ~root/batch-1"); $machine->fail("test -f ~alice/at-1"); - $machine->fail("test -f ~alice/batch-1"); $machine->succeed("echo 'touch ~root/at-1' | at now+1min"); - $machine->succeed("echo 'touch ~root/batch-1' | batch"); $machine->succeed("su - alice -c \"echo 'touch at-1' | at now+1min\""); - $machine->succeed("su - alice -c \"echo 'touch batch-1' | batch\""); $machine->succeed("sleep 1.5m"); $machine->succeed("test -f ~root/at-1"); - $machine->succeed("test -f ~root/batch-1"); $machine->succeed("test -f ~alice/at-1"); - $machine->succeed("test -f ~alice/batch-1"); ''; }) diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 3a2c65164766..65c314e22e1d 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -151,11 +151,11 @@ mapAttrs (channel: chromiumPkg: makeTest rec { $machine->screenshot("sandbox_info"); - $machine->succeed(ru "${xdo "submit-url" '' + $machine->succeed(ru "${xdo "find-window" '' search --sync --onlyvisible --name "sandbox status" windowfocus --sync ''}"); - $machine->succeed(ru "${xdo "submit-url" '' + $machine->succeed(ru "${xdo "copy-sandbox-info" '' key --delay 1000 Ctrl+a Ctrl+c ''}"); 
@@ -166,6 +166,26 @@ mapAttrs (channel: chromiumPkg: makeTest rec { && $clipboard =~ /network namespaces.*yes/mi && $clipboard =~ /seccomp.*sandbox.*yes/mi && $clipboard =~ /you are adequately sandboxed/mi; + + $machine->sleep(1); + $machine->succeed(ru "${xdo "find-window-after-copy" '' + search --onlyvisible --name "sandbox status" + ''}"); + + my $clipboard = $machine->succeed(ru "echo void | ${pkgs.xclip}/bin/xclip -i"); + $machine->succeed(ru "${xdo "copy-sandbox-info" '' + key --delay 1000 Ctrl+a Ctrl+c + ''}"); + + my $clipboard = $machine->succeed(ru "${pkgs.xclip}/bin/xclip -o"); + die "copying twice in a row does not work properly: $clipboard" + unless $clipboard =~ /namespace sandbox.*yes/mi + && $clipboard =~ /pid namespaces.*yes/mi + && $clipboard =~ /network namespaces.*yes/mi + && $clipboard =~ /seccomp.*sandbox.*yes/mi + && $clipboard =~ /you are adequately sandboxed/mi; + + $machine->screenshot("afer_copy_from_chromium"); }; $machine->shutdown; diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 7e2a54976387..015b79b1cee6 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -15,12 +15,12 @@ import ./make-test.nix ({ pkgs, ...} : { # container available within the VM, because we don't have network access. virtualisation.pathsInNixDB = let emptyContainer = import ../lib/eval-config.nix { - inherit (config.nixpkgs) system; + inherit (config.nixpkgs.localSystem) system; modules = lib.singleton { containers.foo.config = {}; }; }; - in [ pkgs.stdenv emptyContainer.config.containers.foo.path ]; + in [ pkgs.stdenv emptyContainer.config.containers.foo.path pkgs.libxslt ]; }; testScript = diff --git a/nixos/tests/containers-physical_interfaces.nix b/nixos/tests/containers-physical_interfaces.nix index bd1228b8e37d..bde8e175f953 100644 --- a/nixos/tests/containers-physical_interfaces.nix +++ b/nixos/tests/containers-physical_interfaces.nix 
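Review bot: The added block in the second chromium.nix hunk declares `my $clipboard` twice in the same scope, so the later declaration masks the earlier one and Perl warns about it when warnings are enabled; an earlier declaration of the same name probably also exists above the hunk, where the block starts. The first added declaration only captures the output of the `xclip -i` reset and is never read, so it can become a plain `$machine->succeed(ru "echo void | ${pkgs.xclip}/bin/xclip -i");`, with the read-back assigning to the variable already in scope: `$clipboard = $machine->succeed(ru "${pkgs.xclip}/bin/xclip -o");`. Overwriting the clipboard with `void` is what proves the second sandbox-status check sees freshly copied text, and a one-line comment such as `# reset the clipboard so a stale copy cannot satisfy the check below` would record that. The screenshot name `afer_copy_from_chromium` looks like a typo for `after_copy_from_chromium`.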
@@ -52,7 +52,7 @@ import ./make-test.nix ({ pkgs, ...} : { config = { networking.bonds.bond0 = { interfaces = [ "eth1" ]; - mode = "active-backup"; + driverOptions.mode = "active-backup"; }; networking.interfaces.bond0.ipv4.addresses = [ { address = "10.10.0.3"; prefixLength = 24; } @@ -73,7 +73,7 @@ import ./make-test.nix ({ pkgs, ...} : { config = { networking.bonds.bond0 = { interfaces = [ "eth1" ]; - mode = "active-backup"; + driverOptions.mode = "active-backup"; }; networking.bridges.br0.interfaces = [ "bond0" ]; networking.interfaces.br0.ipv4.addresses = [ diff --git a/nixos/tests/docker-tools-overlay.nix b/nixos/tests/docker-tools-overlay.nix new file mode 100644 index 000000000000..9d7fa3e7a8c5 --- /dev/null +++ b/nixos/tests/docker-tools-overlay.nix @@ -0,0 +1,32 @@ +# this test creates a simple GNU image with docker tools and sees if it executes + +import ./make-test.nix ({ pkgs, ... }: +{ + name = "docker-tools-overlay"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lnl7 ]; + }; + + nodes = { + docker = + { config, pkgs, ... }: + { + virtualisation.docker.enable = true; + virtualisation.docker.storageDriver = "overlay"; # defaults to overlay2 + }; + }; + + testScript = + '' + $docker->waitForUnit("sockets.target"); + + $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'"); + $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + + # Check if the nix store has correct user permissions depending on what + # storage driver is used, incorrectly built images can show up as readonly. + # drw------- 3 0 0 3 Apr 14 11:36 /nix + # drw------- 99 0 0 100 Apr 14 11:36 /nix/store + $docker->succeed("docker run --rm -u 1000:1000 ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + ''; +}) diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index 9135bca0f4f6..4466081d01e9 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix 
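Review bot: The comment above the last `docker run` in docker-tools-overlay.nix quotes an `ls` listing (`drw------- ... /nix`) without saying whether it shows the expected or the broken state. From the mode bits it reads as the broken case, where a non-root user cannot traverse `/nix`. I would reword it to say that the listing is what an incorrectly built image looks like under the `overlay` driver, and that the `-u 1000:1000` run is the check that catches it. The file's first line (`creates a simple GNU image ...`) reads as copied from a sibling test and could instead state that this variant exists to cover the non-default storage driver.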
@@ -3,7 +3,7 @@ import ./make-test.nix ({ pkgs, ... }: { name = "docker-tools"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ]; + maintainers = [ lnl7 ]; }; nodes = { @@ -21,12 +21,12 @@ import ./make-test.nix ({ pkgs, ... }: { $docker->waitForUnit("sockets.target"); $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'"); - $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} /bin/bash --version"); + $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version"); $docker->succeed("docker rmi ${pkgs.dockerTools.examples.bash.imageName}"); # Check if the nix store is correctly initialized by listing dependencies of the installed Nix binary $docker->succeed("docker load --input='${pkgs.dockerTools.examples.nix}'"); - $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.nix.imageName} /bin/nix-store -qR ${pkgs.nix}"); + $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.nix.imageName} nix-store -qR ${pkgs.nix}"); $docker->succeed("docker rmi ${pkgs.dockerTools.examples.nix.imageName}"); # To test the pullImage tool diff --git a/nixos/tests/gnome3-gdm.nix b/nixos/tests/gnome3-gdm.nix index 4b459e93e1be..71ae1709d526 100644 --- a/nixos/tests/gnome3-gdm.nix +++ b/nixos/tests/gnome3-gdm.nix 
@@ -26,15 +26,22 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' + # wait for gdm to start and bring up X + $machine->waitForUnit("display-manager.service"); $machine->waitForX; - $machine->sleep(15); + + # wait for alice to be logged in + $machine->waitForUnit("default.target","alice"); # Check that logging in has given the user ownership of devices. $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'"); - $machine->succeed("xauth merge ~alice/.Xauthority"); + # open a terminal and check it's there + $machine->succeed("su - alice -c 'DISPLAY=:0.0 XAUTHORITY=/run/user/\$UID/gdm/Xauthority gnome-terminal'"); + $machine->succeed("xauth merge /run/user/1000/gdm/Xauthority"); $machine->waitForWindow(qr/Terminal/); + + # wait to get a nice screenshot $machine->sleep(20); $machine->screenshot("screen"); ''; diff --git a/nixos/tests/iftop.nix b/nixos/tests/iftop.nix new file mode 100644 index 000000000000..21ff3cafed7c --- /dev/null +++ b/nixos/tests/iftop.nix @@ -0,0 +1,30 @@ +import ./make-test.nix ({ pkgs, lib, ... }: + +with lib; + +{ + name = "iftop"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ]; + + nodes = { + withIftop = { + imports = [ ./common/user-account.nix ]; + + programs.iftop.enable = true; + }; + withoutIftop = { + imports = [ ./common/user-account.nix ]; + }; + }; + + testScript = '' + subtest "machine with iftop enabled", sub { + $withIftop->start; + $withIftop->succeed("su -l alice -c 'iftop -t -s 1'"); + }; + subtest "machine without iftop", sub { + $withoutIftop->start; + $withoutIftop->mustFail("su -l alice -c 'iftop -t -s 1'"); + }; + ''; +}) diff --git a/nixos/tests/kernel-copperhead.nix b/nixos/tests/kernel-copperhead.nix index 07427d7f2a89..0af978f1851f 100644 --- a/nixos/tests/kernel-copperhead.nix +++ b/nixos/tests/kernel-copperhead.nix 
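Review bot: The new `xauth merge /run/user/1000/gdm/Xauthority` line in gnome3-gdm.nix hard-codes alice's UID, while the line above it builds the same path from `\$UID`. If the account's UID ever differs from 1000, the merge fails, or picks up another user's cookie file, for a reason unrelated to GDM. Resolving it at run time keeps the two lines in step: `$machine->succeed("xauth merge /run/user/\$(id -u alice)/gdm/Xauthority");`.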
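Review bot: The `withoutIftop` node in the new iftop.nix does not install iftop at all, so `mustFail` most likely passes because the command is not found rather than because an unprivileged user is denied packet capture. Assuming `programs.iftop.enable` is what grants the binary its capture privilege (the module is not visible here), adding `environment.systemPackages = [ pkgs.iftop ];` to `withoutIftop` would make the negative case exercise that privilege boundary. `with lib;` appears unused in this file and can be dropped.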
@@ -6,14 +6,14 @@ import ./make-test.nix ({ pkgs, ...} : { machine = { config, lib, pkgs, ... }: { - boot.kernelPackages = pkgs.linuxPackages_hardened_copperhead; + boot.kernelPackages = pkgs.linuxPackages_copperhead_hardened; }; testScript = '' $machine->succeed("uname -a"); $machine->succeed("uname -s | grep 'Linux'"); - $machine->succeed("uname -a | grep '${pkgs.linuxPackages_hardened_copperhead.kernel.modDirVersion}'"); + $machine->succeed("uname -a | grep '${pkgs.linuxPackages_copperhead_hardened.kernel.modDirVersion}'"); $machine->succeed("uname -a | grep 'hardened'"); ''; }) diff --git a/nixos/tests/kubernetes/certs.nix b/nixos/tests/kubernetes/certs.nix index d3eff910c467..520c728b65ee 100644 --- a/nixos/tests/kubernetes/certs.nix +++ b/nixos/tests/kubernetes/certs.nix 
@@ -6,29 +6,62 @@ kubelets }: let - runWithCFSSL = name: cmd: - builtins.fromJSON (builtins.readFile ( - pkgs.runCommand "${name}-cfss.json" { - buildInputs = [ pkgs.cfssl ]; - } "cfssl ${cmd} > $out" - )); - - writeCFSSL = content: - pkgs.runCommand content.name { - buildInputs = [ pkgs.cfssl ]; - } '' - mkdir -p $out - cd $out - cat ${writeFile content} | cfssljson -bare ${content.name} - ''; + runWithCFSSL = name: cmd: + let secrets = pkgs.runCommand "${name}-cfss.json" { + buildInputs = [ pkgs.cfssl pkgs.jq ]; + outputs = [ "out" "cert" "key" "csr" ]; + } + '' + ( + echo "${cmd}" + cfssl ${cmd} > tmp + cat tmp | jq -r .key > $key + cat tmp | jq -r .cert > $cert + cat tmp | jq -r .csr > $csr + + touch $out + ) 2>&1 | fold -w 80 -s + ''; + in { + key = secrets.key; + cert = secrets.cert; + csr = secrets.csr; + }; + + writeCFSSL = content: + pkgs.runCommand content.name { + buildInputs = [ pkgs.cfssl pkgs.jq ]; + } '' + mkdir -p $out + cd $out + + json=${pkgs.lib.escapeShellArg (builtins.toJSON content)} + + # for a given $field in the $json, treat the associated value as a + # file path and substitute the contents thereof into the $json + # object. + expandFileField() { + local field=$1 + if jq -e --arg field "$field" 'has($field)'; then + local path="$(echo "$json" | jq -r ".$field")" + json="$(echo "$json" | jq --arg val "$(cat "$path")" ".$field = \$val")" + fi + } + + expandFileField key + expandFileField ca + expandFileField cert + + echo "$json" | cfssljson -bare ${content.name} + ''; noCSR = content: pkgs.lib.filterAttrs (n: v: n != "csr") content; noKey = content: pkgs.lib.filterAttrs (n: v: n != "key") content; - writeFile = content: pkgs.writeText "content" ( - if pkgs.lib.isAttrs content then builtins.toJSON content - else toString content - ); + writeFile = content: + if pkgs.lib.isDerivation content + then content + else pkgs.writeText "content" (builtins.toJSON content); createServingCertKey = { ca, cn, hosts? [], size ? 2048, name ? cn }: noCSR ( 
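Review bot: In `expandFileField` the guard `jq -e --arg field "$field" 'has($field)'` is never given `$json`, so jq reads the builder's stdin instead of the object; the check does not test whether the field is present, and the `key`/`ca`/`cert` paths may never be replaced by the file contents. Feed it the object and silence its output: `if echo "$json" | jq -e --arg field "$field" 'has($field)' > /dev/null; then`. Separately, `runWithCFSSL` now writes the private key to its own `key` store output, and store paths are readable by every user on the machine. That is acceptable for throwaway test certificates, but a comment such as `# test-only key material: store outputs are world-readable` would keep the pattern from being copied into a real deployment. The `let` block continues past the end of this hunk.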
diff --git a/nixos/tests/kubernetes/e2e.nix b/nixos/tests/kubernetes/e2e.nix index d9d7ba9bb2cc..175d8413045e 100644 --- a/nixos/tests/kubernetes/e2e.nix +++ b/nixos/tests/kubernetes/e2e.nix @@ -2,7 +2,7 @@ with import ./base.nix { inherit system; }; let domain = "my.zyx"; - certs = import ./certs.nix { externalDomain = domain; }; + certs = import ./certs.nix { externalDomain = domain; kubelets = ["machine1" "machine2"]; }; kubeconfig = pkgs.writeText "kubeconfig.json" (builtins.toJSON { apiVersion = "v1"; kind = "Config"; diff --git a/nixos/tests/kubernetes/rbac.nix b/nixos/tests/kubernetes/rbac.nix index 1966fed3a5fb..226808c4b263 100644 --- a/nixos/tests/kubernetes/rbac.nix +++ b/nixos/tests/kubernetes/rbac.nix @@ -12,7 +12,7 @@ let }); roRoleBinding = pkgs.writeText "ro-role-binding.json" (builtins.toJSON { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "RoleBinding"; metadata = { name = "read-pods"; @@ -31,7 +31,7 @@ let }); roRole = pkgs.writeText "ro-role.json" (builtins.toJSON { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "Role"; metadata = { name = "pod-reader"; diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index 4fd9466dc502..179c95e76436 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -96,7 +96,7 @@ import ./make-test.nix ({ pkgs, ...} : rec { $machine->succeed("systemctl start systemd-udev-settle.service"); subtest "udev-auto-load", sub { $machine->waitForUnit('systemd-udev-settle.service'); - $machine->succeed('lsmod | grep psmouse'); + $machine->succeed('lsmod | grep mousedev'); }; # Test whether systemd-tmpfiles-clean works. diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix index 1bef867c57b7..1eaf87a8eaa8 100644 --- a/nixos/tests/openldap.nix +++ b/nixos/tests/openldap.nix 
@@ -1,5 +1,5 @@ import ./make-test.nix { - name = "dovecot"; + name = "openldap"; machine = { pkgs, ... }: { services.openldap = { diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index 2df6f341c4ef..65aa553b3148 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -46,6 +46,8 @@ import ./make-test.nix { testScript = '' $machine->waitForX; + # wait for user services + $machine->waitForUnit("default.target","alice"); # Regression test for https://github.com/NixOS/nixpkgs/issues/35415 subtest "configuration files are recognized by systemd", sub { diff --git a/nixos/tests/transmission.nix b/nixos/tests/transmission.nix new file mode 100644 index 000000000000..34c49bd7f15b --- /dev/null +++ b/nixos/tests/transmission.nix @@ -0,0 +1,21 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "transmission"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ coconnor ]; + }; + + machine = { config, pkgs, ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + + networking.firewall.allowedTCPPorts = [ 9091 ]; + + services.transmission.enable = true; + }; + + testScript = + '' + startAll; + $machine->waitForUnit("transmission"); + $machine->shutdown; + ''; +}) |
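Review bot: The new transmission.nix opens TCP port 9091 in the firewall but never connects to it, so the test passes as soon as the unit is active, whether or not the daemon's RPC/web interface (presumably what 9091 is for) is listening. In a single-machine test nothing external reaches that port, so either drop `networking.firewall.allowedTCPPorts = [ 9091 ];` or check the listener by adding `$machine->waitForOpenPort(9091);` after `waitForUnit`. If the port has to stay open, a comment saying which interface it exposes and whether it requires authentication would help anyone reusing this as a configuration example.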