pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / podman / tls-ghostunnel.nix
at 23.05-pre 5.7 kB view raw
1/* 2 This test runs podman as a backend for the Docker CLI. 3 */ 4import ../make-test-python.nix ( 5 { pkgs, lib, ... }: 6 7 let gen-ca = pkgs.writeScript "gen-ca" '' 8 # Create CA 9 PATH="${pkgs.openssl}/bin:$PATH" 10 openssl genrsa -out ca-key.pem 4096 11 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem 12 13 # Create service 14 openssl genrsa -out podman-key.pem 4096 15 openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr 16 echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf 17 echo extendedKeyUsage = serverAuth >> extfile.cnf 18 openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf 19 20 # Create client 21 openssl genrsa -out client-key.pem 4096 22 openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr 23 echo extendedKeyUsage = clientAuth > extfile-client.cnf 24 openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf 25 26 # Create CA 2 27 PATH="${pkgs.openssl}/bin:$PATH" 28 openssl genrsa -out ca-2-key.pem 4096 29 openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem 30 31 # Create client signed by CA 2 32 openssl genrsa -out client-2-key.pem 4096 33 openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr 34 echo extendedKeyUsage = clientAuth > extfile-client.cnf 35 openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf 36 37 ''; 38 in 39 { 40 name = "podman-tls-ghostunnel"; 41 meta = { 42 maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ]; 43 }; 44 45 nodes = { 46 podman = 47 { pkgs, ... }: 48 { 49 virtualisation.podman.enable = true; 50 virtualisation.podman.dockerSocket.enable = true; 51 virtualisation.podman.networkSocket = { 52 enable = true; 53 openFirewall = true; 54 server = "ghostunnel"; 55 tls.cert = "/root/podman-cert.pem"; 56 tls.key = "/root/podman-key.pem"; 57 tls.cacert = "/root/ca.pem"; 58 }; 59 60 environment.systemPackages = [ 61 pkgs.docker-client 62 ]; 63 64 users.users.alice = { 65 isNormalUser = true; 66 home = "/home/alice"; 67 description = "Alice Foobar"; 68 extraGroups = ["podman"]; 69 }; 70 71 }; 72 73 client = { ... }: { 74 environment.systemPackages = [ 75 # Installs the docker _client_ only 76 # Normally, you'd want `virtualisation.docker.enable = true;`. 77 pkgs.docker-client 78 ]; 79 environment.variables.DOCKER_HOST = "podman:2376"; 80 environment.variables.DOCKER_TLS_VERIFY = "1"; 81 }; 82 }; 83 84 testScript = '' 85 import shlex 86 87 88 def su_cmd(user, cmd): 89 cmd = shlex.quote(cmd) 90 return f"su {user} -l -c {cmd}" 91 92 def cmd(command): 93 print(f"+{command}") 94 r = os.system(command) 95 if r != 0: 96 raise Exception(f"Command {command} failed with exit code {r}") 97 98 start_all() 99 cmd("${gen-ca}") 100 101 podman.copy_from_host("ca.pem", "/root/ca.pem") 102 podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem") 103 podman.copy_from_host("podman-key.pem", "/root/podman-key.pem") 104 105 client.copy_from_host("ca.pem", "/root/.docker/ca.pem") 106 # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem") 107 client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem") 108 client.copy_from_host("client-key.pem", "/root/.docker/key.pem") 109 110 # TODO (ghostunnel): add file watchers so the restart isn't necessary 111 podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service") 112 113 podman.wait_for_unit("sockets.target") 114 podman.wait_for_unit("ghostunnel-server-podman-socket.service") 115 116 with subtest("Create default network"): 117 podman.succeed("docker network create default") 118 119 with subtest("Root docker cli also works"): 120 podman.succeed("docker version") 121 122 with subtest("A podman member can also still use the docker cli"): 123 podman.succeed(su_cmd("alice", "docker version")) 124 125 with subtest("Run container remotely via docker cli"): 126 client.succeed("docker version") 127 128 # via socket would be nicer 129 podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") 130 131 client.succeed( 132 "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin localhost/scratchimg /bin/sleep 10" 133 ) 134 client.succeed("docker ps | grep sleeping") 135 podman.succeed("docker ps | grep sleeping") 136 client.succeed("docker stop sleeping") 137 client.succeed("docker rm sleeping") 138 139 with subtest("Clients without cert will be denied"): 140 client.succeed("rm /root/.docker/{cert,key}.pem") 141 client.fail("docker version") 142 143 with subtest("Clients with wrong cert will be denied"): 144 client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem") 145 client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem") 146 client.fail("docker version") 147 148 ''; 149 } 150)