pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / docker-tools.nix
at 23.05-pre 19 kB view raw
1# this test creates a simple GNU image with docker tools and sees if it executes 2 3import ./make-test-python.nix ({ pkgs, ... }: { 4 name = "docker-tools"; 5 meta = with pkgs.lib.maintainers; { 6 maintainers = [ lnl7 roberth ]; 7 }; 8 9 nodes = { 10 docker = { ... }: { 11 virtualisation = { 12 diskSize = 2048; 13 docker.enable = true; 14 }; 15 }; 16 }; 17 18 testScript = with pkgs.dockerTools; '' 19 unix_time_second1 = "1970-01-01T00:00:01Z" 20 21 docker.wait_for_unit("sockets.target") 22 23 with subtest("includeStorePath"): 24 with subtest("assumption"): 25 docker.succeed("${examples.helloOnRoot} | docker load") 26 docker.succeed("docker run --rm hello | grep -i hello") 27 docker.succeed("docker image rm hello:latest") 28 with subtest("includeStorePath = false; breaks example"): 29 docker.succeed("${examples.helloOnRootNoStore} | docker load") 30 docker.fail("docker run --rm hello | grep -i hello") 31 docker.succeed("docker image rm hello:latest") 32 with subtest("includeStorePath = false; works with mounted store"): 33 docker.succeed("${examples.helloOnRootNoStore} | docker load") 34 docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") 35 docker.succeed("docker image rm hello:latest") 36 37 with subtest("Ensure Docker images use a stable date by default"): 38 docker.succeed( 39 "docker load --input='${examples.bash}'" 40 ) 41 assert unix_time_second1 in docker.succeed( 42 "docker inspect ${examples.bash.imageName} " 43 + "| ${pkgs.jq}/bin/jq -r .[].Created", 44 ) 45 46 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version") 47 # Check imageTag attribute matches image 48 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.bash.imageTag}'") 49 docker.succeed("docker rmi ${examples.bash.imageName}") 50 51 # The remaining combinations 52 with subtest("Ensure imageTag attribute matches image"): 53 docker.succeed( 54 "docker load --input='${examples.bashNoTag}'" 55 ) 56 docker.succeed( 57 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTag.imageTag}'" 58 ) 59 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}") 60 61 docker.succeed( 62 "docker load --input='${examples.bashNoTagLayered}'" 63 ) 64 docker.succeed( 65 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagLayered.imageTag}'" 66 ) 67 docker.succeed("docker rmi ${examples.bashNoTagLayered.imageName}:${examples.bashNoTagLayered.imageTag}") 68 69 docker.succeed( 70 "${examples.bashNoTagStreamLayered} | docker load" 71 ) 72 docker.succeed( 73 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagStreamLayered.imageTag}'" 74 ) 75 docker.succeed( 76 "docker rmi ${examples.bashNoTagStreamLayered.imageName}:${examples.bashNoTagStreamLayered.imageTag}" 77 ) 78 79 docker.succeed( 80 "docker load --input='${examples.nixLayered}'" 81 ) 82 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.nixLayered.imageTag}'") 83 docker.succeed("docker rmi ${examples.nixLayered.imageName}") 84 85 86 with subtest( 87 "Check if the nix store is correctly initialized by listing " 88 "dependencies of the installed Nix binary" 89 ): 90 docker.succeed( 91 "docker load --input='${examples.nix}'", 92 "docker run --rm ${examples.nix.imageName} nix-store -qR ${pkgs.nix}", 93 "docker rmi ${examples.nix.imageName}", 94 ) 95 96 with subtest( 97 "Ensure (layered) nix store has correct permissions " 98 "and that the container starts when its process does not have uid 0" 99 ): 100 docker.succeed( 101 "docker load --input='${examples.bashLayeredWithUser}'", 102 "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 555 == $(stat --format=%a /nix) && test 555 == $(stat --format=%a /nix/store)'", 103 "docker rmi ${examples.bashLayeredWithUser.imageName}", 104 ) 105 106 with subtest("The nix binary symlinks are intact"): 107 docker.succeed( 108 "docker load --input='${examples.nix}'", 109 "docker run --rm ${examples.nix.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'", 110 "docker rmi ${examples.nix.imageName}", 111 ) 112 113 with subtest("The nix binary symlinks are intact when the image is layered"): 114 docker.succeed( 115 "docker load --input='${examples.nixLayered}'", 116 "docker run --rm ${examples.nixLayered.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'", 117 "docker rmi ${examples.nixLayered.imageName}", 118 ) 119 120 with subtest("The pullImage tool works"): 121 docker.succeed( 122 "docker load --input='${examples.testNixFromDockerHub}'", 123 "docker run --rm nix:2.2.1 nix-store --version", 124 "docker rmi nix:2.2.1", 125 ) 126 127 with subtest("runAsRoot and entry point work"): 128 docker.succeed( 129 "docker load --input='${examples.nginx}'", 130 "docker run --name nginx -d -p 8000:80 ${examples.nginx.imageName}", 131 ) 132 docker.wait_until_succeeds("curl -f http://localhost:8000/") 133 docker.succeed( 134 "docker rm --force nginx", 135 "docker rmi '${examples.nginx.imageName}'", 136 ) 137 138 with subtest("A pulled image can be used as base image"): 139 docker.succeed( 140 "docker load --input='${examples.onTopOfPulledImage}'", 141 "docker run --rm ontopofpulledimage hello", 142 "docker rmi ontopofpulledimage", 143 ) 144 145 with subtest("Regression test for issue #34779"): 146 docker.succeed( 147 "docker load --input='${examples.runAsRootExtraCommands}'", 148 "docker run --rm runasrootextracommands cat extraCommands", 149 "docker run --rm runasrootextracommands cat runAsRoot", 150 "docker rmi '${examples.runAsRootExtraCommands.imageName}'", 151 ) 152 153 with subtest("Ensure Docker images can use an unstable date"): 154 docker.succeed( 155 "docker load --input='${examples.unstableDate}'" 156 ) 157 assert unix_time_second1 not in docker.succeed( 158 "docker inspect ${examples.unstableDate.imageName} " 159 + "| ${pkgs.jq}/bin/jq -r .[].Created" 160 ) 161 162 with subtest("Ensure Layered Docker images can use an unstable date"): 163 docker.succeed( 164 "docker load --input='${examples.unstableDateLayered}'" 165 ) 166 assert unix_time_second1 not in docker.succeed( 167 "docker inspect ${examples.unstableDateLayered.imageName} " 168 + "| ${pkgs.jq}/bin/jq -r .[].Created" 169 ) 170 171 with subtest("Ensure Layered Docker images work"): 172 docker.succeed( 173 "docker load --input='${examples.layered-image}'", 174 "docker run --rm ${examples.layered-image.imageName}", 175 "docker run --rm ${examples.layered-image.imageName} cat extraCommands", 176 ) 177 178 with subtest("Ensure images built on top of layered Docker images work"): 179 docker.succeed( 180 "docker load --input='${examples.layered-on-top}'", 181 "docker run --rm ${examples.layered-on-top.imageName}", 182 ) 183 184 with subtest("Ensure layered images built on top of layered Docker images work"): 185 docker.succeed( 186 "docker load --input='${examples.layered-on-top-layered}'", 187 "docker run --rm ${examples.layered-on-top-layered.imageName}", 188 ) 189 190 191 def set_of_layers(image_name): 192 return set( 193 docker.succeed( 194 f"docker inspect {image_name} " 195 + "| ${pkgs.jq}/bin/jq -r '.[] | .RootFS.Layers | .[]'" 196 ).split() 197 ) 198 199 200 with subtest("Ensure layers are shared between images"): 201 docker.succeed( 202 "docker load --input='${examples.another-layered-image}'" 203 ) 204 layers1 = set_of_layers("${examples.layered-image.imageName}") 205 layers2 = set_of_layers("${examples.another-layered-image.imageName}") 206 assert bool(layers1 & layers2) 207 208 with subtest("Ensure order of layers is correct"): 209 docker.succeed( 210 "docker load --input='${examples.layersOrder}'" 211 ) 212 213 for index in 1, 2, 3: 214 assert f"layer{index}" in docker.succeed( 215 f"docker run --rm ${examples.layersOrder.imageName} cat /tmp/layer{index}" 216 ) 217 218 with subtest("Ensure layers unpacked in correct order before runAsRoot runs"): 219 assert "abc" in docker.succeed( 220 "docker load --input='${examples.layersUnpackOrder}'", 221 "docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order" 222 ) 223 224 with subtest("Ensure environment variables are correctly inherited"): 225 docker.succeed( 226 "docker load --input='${examples.environmentVariables}'" 227 ) 228 out = docker.succeed("docker run --rm ${examples.environmentVariables.imageName} env") 229 env = out.splitlines() 230 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved" 231 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved" 232 assert "LAST_LAYER=child" in env, "envvars from the child should take priority" 233 234 with subtest("Ensure environment variables of layered images are correctly inherited"): 235 docker.succeed( 236 "docker load --input='${examples.environmentVariablesLayered}'" 237 ) 238 out = docker.succeed("docker run --rm ${examples.environmentVariablesLayered.imageName} env") 239 env = out.splitlines() 240 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved" 241 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved" 242 assert "LAST_LAYER=child" in env, "envvars from the child should take priority" 243 244 with subtest( 245 "Ensure inherited environment variables of layered images are correctly resolved" 246 ): 247 # Read environment variables as stored in image config 248 config = docker.succeed( 249 "tar -xOf ${examples.environmentVariablesLayered} manifest.json | ${pkgs.jq}/bin/jq -r .[].Config" 250 ).strip() 251 out = docker.succeed( 252 f"tar -xOf ${examples.environmentVariablesLayered} {config} | ${pkgs.jq}/bin/jq -r '.config.Env | .[]'" 253 ) 254 env = out.splitlines() 255 assert ( 256 sum(entry.startswith("LAST_LAYER") for entry in env) == 1 257 ), "envvars overridden by child should be unique" 258 259 with subtest("Ensure image with only 2 layers can be loaded"): 260 docker.succeed( 261 "docker load --input='${examples.two-layered-image}'" 262 ) 263 264 with subtest( 265 "Ensure the bulk layer doesn't miss store paths (regression test for #78744)" 266 ): 267 docker.succeed( 268 "docker load --input='${pkgs.dockerTools.examples.bulk-layer}'", 269 # Ensure the two output paths (ls and hello) are in the layer 270 "docker run bulk-layer ls /bin/hello", 271 ) 272 273 with subtest( 274 "Ensure the bulk layer with a base image respects the number of maxLayers" 275 ): 276 docker.succeed( 277 "docker load --input='${pkgs.dockerTools.examples.layered-bulk-layer}'", 278 # Ensure the image runs correctly 279 "docker run layered-bulk-layer ls /bin/hello", 280 ) 281 282 # Ensure the image has the correct number of layers 283 assert len(set_of_layers("layered-bulk-layer")) == 4 284 285 with subtest("Ensure only minimal paths are added to the store"): 286 # TODO: make an example that has no store paths, for example by making 287 # busybox non-self-referential. 288 289 # This check tests that buildLayeredImage can build images that don't need a store. 290 docker.succeed( 291 "docker load --input='${pkgs.dockerTools.examples.no-store-paths}'" 292 ) 293 294 docker.succeed("docker run --rm no-store-paths ls / >/dev/console") 295 296 # If busybox isn't self-referential, we need this line 297 # docker.fail("docker run --rm no-store-paths ls /nix/store >/dev/console") 298 # However, it currently is self-referential, so we check that it is the 299 # only store path. 300 docker.succeed("diff <(docker run --rm no-store-paths ls /nix/store) <(basename ${pkgs.pkgsStatic.busybox}) >/dev/console") 301 302 with subtest("Ensure buildLayeredImage does not change store path contents."): 303 docker.succeed( 304 "docker load --input='${pkgs.dockerTools.examples.filesInStore}'", 305 "docker run --rm file-in-store nix-store --verify --check-contents", 306 "docker run --rm file-in-store |& grep 'some data'", 307 ) 308 309 with subtest("Ensure cross compiled image can be loaded and has correct arch."): 310 docker.succeed( 311 "docker load --input='${pkgs.dockerTools.examples.cross}'", 312 ) 313 assert ( 314 docker.succeed( 315 "docker inspect ${pkgs.dockerTools.examples.cross.imageName} " 316 + "| ${pkgs.jq}/bin/jq -r .[].Architecture" 317 ).strip() 318 == "${if pkgs.stdenv.hostPlatform.system == "aarch64-linux" then "amd64" else "arm64"}" 319 ) 320 321 with subtest("buildLayeredImage doesn't dereference /nix/store symlink layers"): 322 docker.succeed( 323 "docker load --input='${examples.layeredStoreSymlink}'", 324 "docker run --rm ${examples.layeredStoreSymlink.imageName} bash -c 'test -L ${examples.layeredStoreSymlink.passthru.symlink}'", 325 "docker rmi ${examples.layeredStoreSymlink.imageName}", 326 ) 327 328 with subtest("buildImage supports registry/ prefix in image name"): 329 docker.succeed( 330 "docker load --input='${examples.prefixedImage}'" 331 ) 332 docker.succeed( 333 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedImage.imageName}'" 334 ) 335 336 with subtest("buildLayeredImage supports registry/ prefix in image name"): 337 docker.succeed( 338 "docker load --input='${examples.prefixedLayeredImage}'" 339 ) 340 docker.succeed( 341 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedLayeredImage.imageName}'" 342 ) 343 344 with subtest("buildLayeredImage supports running chown with fakeRootCommands"): 345 docker.succeed( 346 "docker load --input='${examples.layeredImageWithFakeRootCommands}'" 347 ) 348 docker.succeed( 349 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'" 350 ) 351 352 with subtest("Ensure docker load on merged images loads all of the constituent images"): 353 docker.succeed( 354 "docker load --input='${examples.mergedBashAndRedis}'" 355 ) 356 docker.succeed( 357 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bash.imageName}-${examples.bash.imageTag}'" 358 ) 359 docker.succeed( 360 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'" 361 ) 362 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version") 363 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version") 364 docker.succeed("docker rmi ${examples.bash.imageName}") 365 docker.succeed("docker rmi ${examples.redis.imageName}") 366 367 with subtest( 368 "Ensure docker load on merged images loads all of the constituent images (missing tags)" 369 ): 370 docker.succeed( 371 "docker load --input='${examples.mergedBashNoTagAndRedis}'" 372 ) 373 docker.succeed( 374 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bashNoTag.imageName}-${examples.bashNoTag.imageTag}'" 375 ) 376 docker.succeed( 377 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'" 378 ) 379 # we need to explicitly specify the generated tag here 380 docker.succeed( 381 "docker run --rm ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag} bash --version" 382 ) 383 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version") 384 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}") 385 docker.succeed("docker rmi ${examples.redis.imageName}") 386 387 with subtest("mergeImages preserves owners of the original images"): 388 docker.succeed( 389 "docker load --input='${examples.mergedBashFakeRoot}'" 390 ) 391 docker.succeed( 392 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'" 393 ) 394 395 with subtest("The image contains store paths referenced by the fakeRootCommands output"): 396 docker.succeed( 397 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} /hello/bin/layeredImageWithFakeRootCommands-hello" 398 ) 399 400 with subtest("exportImage produces a valid tarball"): 401 docker.succeed( 402 "tar -tf ${examples.exportBash} | grep '\./bin/bash' > /dev/null" 403 ) 404 405 with subtest("layered image fakeRootCommands with fakechroot works"): 406 docker.succeed("${examples.imageViaFakeChroot} | docker load") 407 docker.succeed("docker run --rm image-via-fake-chroot | grep -i hello") 408 docker.succeed("docker image rm image-via-fake-chroot:latest") 409 410 with subtest("Ensure bare paths in contents are loaded correctly"): 411 docker.succeed( 412 "docker load --input='${examples.build-image-with-path}'", 413 "docker run --rm build-image-with-path bash -c '[[ -e /hello.txt ]]'", 414 "docker rmi build-image-with-path", 415 ) 416 docker.succeed( 417 "${examples.layered-image-with-path} | docker load", 418 "docker run --rm layered-image-with-path bash -c '[[ -e /hello.txt ]]'", 419 "docker rmi layered-image-with-path", 420 ) 421 422 with subtest("etc"): 423 docker.succeed("${examples.etc} | docker load") 424 docker.succeed("docker run --rm etc | grep localhost") 425 docker.succeed("docker image rm etc:latest") 426 427 with subtest("image-with-certs"): 428 docker.succeed("<${examples.image-with-certs} docker load") 429 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-bundle.crt") 430 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-certificates.crt") 431 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt") 432 docker.succeed("docker image rm image-with-certs:latest") 433 434 ''; 435})