import ../make-test-python.nix (
  { pkgs, lib, ... }: {
    name = "podman";
    meta = {
      maintainers = lib.teams.podman.members;
    };

    nodes = {
      # Root-owned podman; exercised below with runc, crun and the default runtime.
      rootful = { pkgs, ... }: {
        virtualisation.podman.enable = true;

        # hack to ensure that podman built with and without zfs in extraPackages is cached
        boot.supportedFilesystems = [ "zfs" ];
        networking.hostId = "00000000";
      };

      # An unprivileged user (alice) running podman in rootless mode.
      rootless = { pkgs, ... }: {
        virtualisation.podman.enable = true;

        users.users.alice = {
          isNormalUser = true;
        };
      };

      # Name resolution between containers on the default network (aardvark-dns subtest).
      dns = { pkgs, ... }: {
        virtualisation.podman.enable = true;

        virtualisation.podman.defaultNetwork.settings.dns_enabled = true;

        # UDP 53 is opened in the host firewall; NOTE(review): presumably so that the
        # resolver serving the default network is reachable — the aardvark-dns subtest
        # below depends on a container resolving "webserver" by name.
        networking.firewall.allowedUDPPorts = [ 53 ];
      };

      # Docker-compatible API socket. Access is gated on membership in the "podman"
      # group: alice is a member, mallory deliberately is not, and the last two
      # subtests check that exactly one of them can talk to the docker CLI.
      docker = { pkgs, ... }: {
        virtualisation.podman.enable = true;

        virtualisation.podman.dockerSocket.enable = true;

        environment.systemPackages = [
          pkgs.docker-client
        ];

        users.users.alice = {
          isNormalUser = true;
          extraGroups = [ "podman" ];
        };

        users.users.mallory = {
          isNormalUser = true;
        };
      };
    };

    testScript = ''
      import shlex

      # Bind mounts every container in this test receives. The scratch image is
      # imported from an empty tarball, so the host's /nix/store and system
      # binaries are lent to the container instead of shipping a root filesystem.
      STORE_MOUNTS = "-v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin"

      # Store paths substituted by Nix at evaluation time (no braces survive into Python).
      WEBROOT = "${pkgs.writeTextDir "index.html" "<h1>Testing</h1>"}"
      HTTPD = "${pkgs.python3}/bin/python -m http.server"
      CURL = "${pkgs.curl}/bin/curl"


      def su_cmd(cmd, user="alice"):
          # Run `cmd` through a login shell of `user`. shlex.quote keeps the whole
          # command a single argument to `su -c`, so pipes and quotes inside it are
          # interpreted by the target user's shell, not by the driver's root shell.
          return f"su {user} -l -c {shlex.quote(cmd)}"


      def podman_sleep_cycle(machine, runtime=None, wrap=lambda cmd: cmd):
          # Import the empty scratch image on `machine`, start a detached container
          # named "sleeping", confirm it is listed, then stop and remove it.
          # `runtime` selects --runtime=<runtime>; None leaves podman's default backend.
          # `wrap` rewrites each command line (su_cmd for the rootless user).
          runtime_flag = "" if runtime is None else f"--runtime={runtime} "
          machine.succeed(wrap("tar cv --files-from /dev/null | podman import - scratchimg"))
          machine.succeed(
              wrap(f"podman run {runtime_flag}-d --name=sleeping {STORE_MOUNTS} scratchimg /bin/sleep 10")
          )
          machine.succeed(wrap("podman ps | grep sleeping"))
          machine.succeed(wrap("podman stop sleeping"))
          machine.succeed(wrap("podman rm sleeping"))


      # Waiting on a unit boots each machine on demand; start_all() afterwards
      # makes sure nothing is left unstarted.
      for machine in (rootful, rootless, dns, docker):
          machine.wait_for_unit("sockets.target")
      start_all()

      with subtest("Run container as root with runc"):
          podman_sleep_cycle(rootful, runtime="runc")

      with subtest("Run container as root with crun"):
          podman_sleep_cycle(rootful, runtime="crun")

      with subtest("Run container as root with the default backend"):
          podman_sleep_cycle(rootful)

      # start systemd session for rootless
      rootless.succeed("loginctl enable-linger alice")
      rootless.succeed(su_cmd("whoami"))
      rootless.sleep(1)

      with subtest("Run container rootless with runc"):
          podman_sleep_cycle(rootless, runtime="runc", wrap=su_cmd)

      with subtest("Run container rootless with crun"):
          podman_sleep_cycle(rootless, runtime="crun", wrap=su_cmd)

      with subtest("Run container rootless with the default backend"):
          podman_sleep_cycle(rootless, wrap=su_cmd)

      with subtest("rootlessport"):
          # Host port 9000 is forwarded to the container's 8888 by the rootless
          # port forwarder; the check is that the page is reachable from the host.
          rootless.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
          rootless.succeed(
              su_cmd(
                  f"podman run -d -p 9000:8888 --name=rootlessport {STORE_MOUNTS} -w {WEBROOT} scratchimg {HTTPD} 8888"
              )
          )
          rootless.succeed(su_cmd("podman ps | grep rootlessport"))
          rootless.wait_until_succeeds(su_cmd(f"{CURL} localhost:9000 | grep Testing"))
          rootless.succeed(su_cmd("podman stop rootlessport"))
          rootless.succeed(su_cmd("podman rm rootlessport"))

      with subtest("Run container with init"):
          rootful.succeed("tar cv -C ${pkgs.pkgsStatic.busybox} . | podman import - busybox")
          # `readlink /proc/self` prints the PID of readlink itself: without --init
          # the command is PID 1 of the container, with --init the init process
          # takes PID 1 and the command becomes PID 2.
          without_init = rootful.succeed("podman run --rm busybox readlink /proc/self").strip()
          assert without_init == "1"
          with_init = rootful.succeed("podman run --rm --init busybox readlink /proc/self").strip()
          assert with_init == "2"

      with subtest("aardvark-dns"):
          dns.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
          dns.succeed(
              f"podman run -d --name=webserver {STORE_MOUNTS} -w {WEBROOT} scratchimg {HTTPD} 8000"
          )
          dns.succeed("podman ps | grep webserver")
          # A second container reaches the first by container name only, which
          # requires the network's DNS to resolve "webserver".
          dns.wait_until_succeeds(
              f"podman run --rm --name=client {STORE_MOUNTS} scratchimg {CURL} http://webserver:8000 | grep Testing"
          )
          dns.succeed("podman stop webserver")
          dns.succeed("podman rm webserver")

      with subtest("A podman member can use the docker cli"):
          docker.succeed(su_cmd("docker version"))

      with subtest("Run container via docker cli"):
          docker.succeed("tar cv --files-from /dev/null | podman import - scratchimg")
          # The docker client is handed the registry-qualified name localhost/scratchimg;
          # NOTE(review): presumably because it does not apply podman's short-name lookup.
          docker.succeed(
              f"docker run -d --name=sleeping {STORE_MOUNTS} localhost/scratchimg /bin/sleep 10"
          )
          # Both CLIs must see the same container: the docker socket is backed by podman.
          docker.succeed("docker ps | grep sleeping")
          docker.succeed("podman ps | grep sleeping")
          docker.succeed("docker stop sleeping")
          docker.succeed("docker rm sleeping")

      with subtest("A podman non-member can not use the docker cli"):
          # Negative check: a user outside the "podman" group must be refused.
          docker.fail(su_cmd("docker version", user="mallory"))

      # TODO: add docker-compose test

    '';
  }
)