pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / docker-tools.nix
at 25.11-pre 27 kB view raw
1# this test creates a simple GNU image with docker tools and sees if it executes 2 3import ./make-test-python.nix ( 4 { pkgs, ... }: 5 let 6 # nixpkgs#214434: dockerTools.buildImage fails to unpack base images 7 # containing duplicate layers when those duplicate tarballs 8 # appear under the manifest's 'Layers'. Docker can generate images 9 # like this even though dockerTools does not. 10 repeatedLayerTestImage = 11 let 12 # Rootfs diffs for layers 1 and 2 are identical (and empty) 13 layer1 = pkgs.dockerTools.buildImage { name = "empty"; }; 14 layer2 = layer1.overrideAttrs (_: { 15 fromImage = layer1; 16 }); 17 repeatedRootfsDiffs = 18 pkgs.runCommand "image-with-links.tar" 19 { 20 nativeBuildInputs = [ pkgs.jq ]; 21 } 22 '' 23 mkdir contents 24 tar -xf "${layer2}" -C contents 25 cd contents 26 first_rootfs=$(jq -r '.[0].Layers[0]' manifest.json) 27 second_rootfs=$(jq -r '.[0].Layers[1]' manifest.json) 28 target_rootfs=$(sha256sum "$first_rootfs" | cut -d' ' -f 1).tar 29 30 # Replace duplicated rootfs diffs with symlinks to one tarball 31 chmod -R ug+w . 32 mv "$first_rootfs" "$target_rootfs" 33 rm "$second_rootfs" 34 ln -s "../$target_rootfs" "$first_rootfs" 35 ln -s "../$target_rootfs" "$second_rootfs" 36 37 # Update manifest's layers to use the symlinks' target 38 cat manifest.json | \ 39 jq ".[0].Layers[0] = \"$target_rootfs\"" | 40 jq ".[0].Layers[1] = \"$target_rootfs\"" > manifest.json.new 41 mv manifest.json.new manifest.json 42 43 tar --sort=name --hard-dereference -cf $out . 44 ''; 45 in 46 pkgs.dockerTools.buildImage { 47 fromImage = repeatedRootfsDiffs; 48 name = "repeated-layer-test"; 49 tag = "latest"; 50 copyToRoot = pkgs.bash; 51 # A runAsRoot script is required to force previous layers to be unpacked 52 runAsRoot = '' 53 echo 'runAsRoot has run.' 54 ''; 55 }; 56 57 chownTestImage = pkgs.dockerTools.streamLayeredImage { 58 name = "chown-test"; 59 tag = "latest"; 60 enableFakechroot = true; 61 fakeRootCommands = '' 62 touch /testfile 63 chown 12345:12345 /testfile 64 ''; 65 config.Cmd = [ 66 "${pkgs.coreutils}/bin/stat" 67 "-c" 68 "%u:%g" 69 "/testfile" 70 ]; 71 }; 72 73 nonRootTestImage = pkgs.dockerTools.streamLayeredImage { 74 name = "non-root-test"; 75 tag = "latest"; 76 uid = 1000; 77 gid = 1000; 78 uname = "user"; 79 gname = "user"; 80 config = { 81 User = "user"; 82 Cmd = [ 83 "${pkgs.coreutils}/bin/stat" 84 "-c" 85 "%u:%g" 86 "${pkgs.coreutils}/bin/stat" 87 ]; 88 }; 89 }; 90 in 91 { 92 name = "docker-tools"; 93 meta = with pkgs.lib.maintainers; { 94 maintainers = [ 95 lnl7 96 roberth 97 ]; 98 }; 99 100 nodes = { 101 docker = 102 { ... }: 103 { 104 virtualisation = { 105 diskSize = 3072; 106 docker.enable = true; 107 }; 108 }; 109 }; 110 111 testScript = with pkgs.dockerTools; '' 112 unix_time_second1 = "1970-01-01T00:00:01Z" 113 114 docker.wait_for_unit("sockets.target") 115 116 with subtest("includeStorePath"): 117 with subtest("assumption"): 118 docker.succeed("${examples.helloOnRoot} | docker load") 119 docker.succeed("docker run --rm hello | grep -i hello") 120 docker.succeed("docker image rm hello:latest") 121 122 with subtest("includeStorePath = false; breaks example"): 123 docker.succeed("${examples.helloOnRootNoStore} | docker load") 124 docker.fail("docker run --rm hello | grep -i hello") 125 docker.succeed("docker image rm hello:latest") 126 with subtest("includeStorePath = false; breaks example (fakechroot)"): 127 docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load") 128 docker.fail("docker run --rm hello | grep -i hello") 129 docker.succeed("docker image rm hello:latest") 130 131 with subtest("Ensure ZERO paths are added to the store"): 132 docker.fail("${examples.helloOnRootNoStore} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'") 133 with subtest("Ensure ZERO paths are added to the store (fakechroot)"): 134 docker.fail("${examples.helloOnRootNoStoreFakechroot} | ${pkgs.crane}/bin/crane export - - | tar t | grep 'nix/store/'") 135 136 with subtest("includeStorePath = false; works with mounted store"): 137 docker.succeed("${examples.helloOnRootNoStore} | docker load") 138 docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") 139 docker.succeed("docker image rm hello:latest") 140 with subtest("includeStorePath = false; works with mounted store (fakechroot)"): 141 docker.succeed("${examples.helloOnRootNoStoreFakechroot} | docker load") 142 docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello") 143 docker.succeed("docker image rm hello:latest") 144 145 with subtest("Ensure Docker images use a stable date by default"): 146 docker.succeed( 147 "docker load --input='${examples.bash}'" 148 ) 149 assert unix_time_second1 in docker.succeed( 150 "docker inspect ${examples.bash.imageName} " 151 + "| ${pkgs.jq}/bin/jq -r .[].Created", 152 ) 153 154 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version") 155 # Check imageTag attribute matches image 156 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.bash.imageTag}'") 157 docker.succeed("docker rmi ${examples.bash.imageName}") 158 159 # The remaining combinations 160 with subtest("Ensure imageTag attribute matches image"): 161 docker.succeed( 162 "docker load --input='${examples.bashNoTag}'" 163 ) 164 docker.succeed( 165 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTag.imageTag}'" 166 ) 167 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}") 168 169 docker.succeed( 170 "docker load --input='${examples.bashNoTagLayered}'" 171 ) 172 docker.succeed( 173 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagLayered.imageTag}'" 174 ) 175 docker.succeed("docker rmi ${examples.bashNoTagLayered.imageName}:${examples.bashNoTagLayered.imageTag}") 176 177 docker.succeed( 178 "${examples.bashNoTagStreamLayered} | docker load" 179 ) 180 docker.succeed( 181 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagStreamLayered.imageTag}'" 182 ) 183 docker.succeed( 184 "docker rmi ${examples.bashNoTagStreamLayered.imageName}:${examples.bashNoTagStreamLayered.imageTag}" 185 ) 186 187 docker.succeed( 188 "docker load --input='${examples.nixLayered}'" 189 ) 190 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.nixLayered.imageTag}'") 191 docker.succeed("docker rmi ${examples.nixLayered.imageName}") 192 193 with subtest("Check that images with alternative compression schemas load"): 194 docker.succeed( 195 "docker load --input='${examples.bashZstdCompressed}'", 196 "docker rmi ${examples.bashZstdCompressed.imageName}", 197 ) 198 docker.succeed( 199 "docker load --input='${examples.bashUncompressed}'", 200 "docker rmi ${examples.bashUncompressed.imageName}", 201 ) 202 docker.succeed( 203 "docker load --input='${examples.bashLayeredUncompressed}'", 204 "docker rmi ${examples.bashLayeredUncompressed.imageName}", 205 ) 206 docker.succeed( 207 "docker load --input='${examples.bashLayeredZstdCompressed}'", 208 "docker rmi ${examples.bashLayeredZstdCompressed.imageName}", 209 ) 210 211 with subtest( 212 "Check if the nix store is correctly initialized by listing " 213 "dependencies of the installed Nix binary" 214 ): 215 docker.succeed( 216 "docker load --input='${examples.nix}'", 217 "docker run --rm ${examples.nix.imageName} nix-store -qR ${pkgs.nix}", 218 "docker rmi ${examples.nix.imageName}", 219 ) 220 221 with subtest( 222 "Ensure (layered) nix store has correct permissions " 223 "and that the container starts when its process does not have uid 0" 224 ): 225 docker.succeed( 226 "docker load --input='${examples.bashLayeredWithUser}'", 227 "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 755 == $(stat --format=%a /nix) && test 755 == $(stat --format=%a /nix/store)'", 228 "docker rmi ${examples.bashLayeredWithUser.imageName}", 229 ) 230 231 with subtest("The nix binary symlinks are intact"): 232 docker.succeed( 233 "docker load --input='${examples.nix}'", 234 "docker run --rm ${examples.nix.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'", 235 "docker rmi ${examples.nix.imageName}", 236 ) 237 238 with subtest("The nix binary symlinks are intact when the image is layered"): 239 docker.succeed( 240 "docker load --input='${examples.nixLayered}'", 241 "docker run --rm ${examples.nixLayered.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'", 242 "docker rmi ${examples.nixLayered.imageName}", 243 ) 244 245 with subtest("The pullImage tool works"): 246 docker.succeed( 247 "docker load --input='${examples.testNixFromDockerHub}'", 248 "docker run --rm nix:2.2.1 nix-store --version", 249 "docker rmi nix:2.2.1", 250 ) 251 252 with subtest("runAsRoot and entry point work"): 253 docker.succeed( 254 "docker load --input='${examples.nginx}'", 255 "docker run --name nginx -d -p 8000:80 ${examples.nginx.imageName}", 256 ) 257 docker.wait_until_succeeds("curl -f http://localhost:8000/") 258 docker.succeed( 259 "docker rm --force nginx", 260 "docker rmi '${examples.nginx.imageName}'", 261 ) 262 263 with subtest("A pulled image can be used as base image"): 264 docker.succeed( 265 "docker load --input='${examples.onTopOfPulledImage}'", 266 "docker run --rm ontopofpulledimage hello", 267 "docker rmi ontopofpulledimage", 268 ) 269 270 with subtest("Regression test for issue #34779"): 271 docker.succeed( 272 "docker load --input='${examples.runAsRootExtraCommands}'", 273 "docker run --rm runasrootextracommands cat extraCommands", 274 "docker run --rm runasrootextracommands cat runAsRoot", 275 "docker rmi '${examples.runAsRootExtraCommands.imageName}'", 276 ) 277 278 with subtest("Ensure Docker images can use an unstable date"): 279 docker.succeed( 280 "docker load --input='${examples.unstableDate}'" 281 ) 282 assert unix_time_second1 not in docker.succeed( 283 "docker inspect ${examples.unstableDate.imageName} " 284 + "| ${pkgs.jq}/bin/jq -r .[].Created" 285 ) 286 287 with subtest("Ensure Layered Docker images can use an unstable date"): 288 docker.succeed( 289 "docker load --input='${examples.unstableDateLayered}'" 290 ) 291 assert unix_time_second1 not in docker.succeed( 292 "docker inspect ${examples.unstableDateLayered.imageName} " 293 + "| ${pkgs.jq}/bin/jq -r .[].Created" 294 ) 295 296 with subtest("Ensure Layered Docker images work"): 297 docker.succeed( 298 "docker load --input='${examples.layered-image}'", 299 "docker run --rm ${examples.layered-image.imageName}", 300 "docker run --rm ${examples.layered-image.imageName} cat extraCommands", 301 ) 302 303 with subtest("Ensure images built on top of layered Docker images work"): 304 docker.succeed( 305 "docker load --input='${examples.layered-on-top}'", 306 "docker run --rm ${examples.layered-on-top.imageName}", 307 ) 308 309 with subtest("Ensure layered images built on top of layered Docker images work"): 310 docker.succeed( 311 "docker load --input='${examples.layered-on-top-layered}'", 312 "docker run --rm ${examples.layered-on-top-layered.imageName}", 313 ) 314 315 316 def set_of_layers(image_name): 317 return set( 318 docker.succeed( 319 f"docker inspect {image_name} " 320 + "| ${pkgs.jq}/bin/jq -r '.[] | .RootFS.Layers | .[]'" 321 ).split() 322 ) 323 324 325 with subtest("Ensure layers are shared between images"): 326 docker.succeed( 327 "docker load --input='${examples.another-layered-image}'" 328 ) 329 layers1 = set_of_layers("${examples.layered-image.imageName}") 330 layers2 = set_of_layers("${examples.another-layered-image.imageName}") 331 assert bool(layers1 & layers2) 332 333 with subtest("Ensure order of layers is correct"): 334 docker.succeed( 335 "docker load --input='${examples.layersOrder}'" 336 ) 337 338 for index in 1, 2, 3: 339 assert f"layer{index}" in docker.succeed( 340 f"docker run --rm ${examples.layersOrder.imageName} cat /tmp/layer{index}" 341 ) 342 343 with subtest("Ensure layers unpacked in correct order before runAsRoot runs"): 344 assert "abc" in docker.succeed( 345 "docker load --input='${examples.layersUnpackOrder}'", 346 "docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order" 347 ) 348 349 with subtest("Ensure repeated base layers handled by buildImage"): 350 docker.succeed( 351 "docker load --input='${repeatedLayerTestImage}'", 352 "docker run --rm ${repeatedLayerTestImage.imageName} /bin/bash -c 'exit 0'" 353 ) 354 355 with subtest("Ensure environment variables are correctly inherited"): 356 docker.succeed( 357 "docker load --input='${examples.environmentVariables}'" 358 ) 359 out = docker.succeed("docker run --rm ${examples.environmentVariables.imageName} env") 360 env = out.splitlines() 361 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved" 362 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved" 363 assert "LAST_LAYER=child" in env, "envvars from the child should take priority" 364 365 with subtest("Ensure environment variables of layered images are correctly inherited"): 366 docker.succeed( 367 "docker load --input='${examples.environmentVariablesLayered}'" 368 ) 369 out = docker.succeed("docker run --rm ${examples.environmentVariablesLayered.imageName} env") 370 env = out.splitlines() 371 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved" 372 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved" 373 assert "LAST_LAYER=child" in env, "envvars from the child should take priority" 374 375 with subtest( 376 "Ensure inherited environment variables of layered images are correctly resolved" 377 ): 378 # Read environment variables as stored in image config 379 config = docker.succeed( 380 "tar -xOf ${examples.environmentVariablesLayered} manifest.json | ${pkgs.jq}/bin/jq -r .[].Config" 381 ).strip() 382 out = docker.succeed( 383 f"tar -xOf ${examples.environmentVariablesLayered} {config} | ${pkgs.jq}/bin/jq -r '.config.Env | .[]'" 384 ) 385 env = out.splitlines() 386 assert ( 387 sum(entry.startswith("LAST_LAYER") for entry in env) == 1 388 ), "envvars overridden by child should be unique" 389 390 with subtest("Ensure image with only 2 layers can be loaded"): 391 docker.succeed( 392 "docker load --input='${examples.two-layered-image}'" 393 ) 394 395 with subtest( 396 "Ensure the bulk layer doesn't miss store paths (regression test for #78744)" 397 ): 398 docker.succeed( 399 "docker load --input='${pkgs.dockerTools.examples.bulk-layer}'", 400 # Ensure the two output paths (ls and hello) are in the layer 401 "docker run bulk-layer ls /bin/hello", 402 ) 403 404 with subtest( 405 "Ensure the bulk layer with a base image respects the number of maxLayers" 406 ): 407 docker.succeed( 408 "docker load --input='${pkgs.dockerTools.examples.layered-bulk-layer}'", 409 # Ensure the image runs correctly 410 "docker run layered-bulk-layer ls /bin/hello", 411 ) 412 413 # Ensure the image has the correct number of layers 414 assert len(set_of_layers("layered-bulk-layer")) == 4 415 416 with subtest("Ensure only minimal paths are added to the store"): 417 # TODO: make an example that has no store paths, for example by making 418 # busybox non-self-referential. 419 420 # This check tests that buildLayeredImage can build images that don't need a store. 421 docker.succeed( 422 "docker load --input='${pkgs.dockerTools.examples.no-store-paths}'" 423 ) 424 425 docker.succeed("docker run --rm no-store-paths ls / >/dev/console") 426 427 # If busybox isn't self-referential, we need this line 428 # docker.fail("docker run --rm no-store-paths ls /nix/store >/dev/console") 429 # However, it currently is self-referential, so we check that it is the 430 # only store path. 431 docker.succeed("diff <(docker run --rm no-store-paths ls /nix/store) <(basename ${pkgs.pkgsStatic.busybox}) >/dev/console") 432 433 with subtest("Ensure buildLayeredImage does not change store path contents."): 434 docker.succeed( 435 "docker load --input='${pkgs.dockerTools.examples.filesInStore}'", 436 "docker run --rm file-in-store nix-store --verify --check-contents", 437 "docker run --rm file-in-store |& grep 'some data'", 438 ) 439 440 with subtest("Ensure cross compiled image can be loaded and has correct arch."): 441 docker.succeed( 442 "docker load --input='${pkgs.dockerTools.examples.cross}'", 443 ) 444 assert ( 445 docker.succeed( 446 "docker inspect ${pkgs.dockerTools.examples.cross.imageName} " 447 + "| ${pkgs.jq}/bin/jq -r .[].Architecture" 448 ).strip() 449 == "${if pkgs.stdenv.hostPlatform.system == "aarch64-linux" then "amd64" else "arm64"}" 450 ) 451 452 with subtest("buildLayeredImage doesn't dereference /nix/store symlink layers"): 453 docker.succeed( 454 "docker load --input='${examples.layeredStoreSymlink}'", 455 "docker run --rm ${examples.layeredStoreSymlink.imageName} bash -c 'test -L ${examples.layeredStoreSymlink.passthru.symlink}'", 456 "docker rmi ${examples.layeredStoreSymlink.imageName}", 457 ) 458 459 with subtest("buildImage supports registry/ prefix in image name"): 460 docker.succeed( 461 "docker load --input='${examples.prefixedImage}'" 462 ) 463 docker.succeed( 464 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedImage.imageName}'" 465 ) 466 467 with subtest("buildLayeredImage supports registry/ prefix in image name"): 468 docker.succeed( 469 "docker load --input='${examples.prefixedLayeredImage}'" 470 ) 471 docker.succeed( 472 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedLayeredImage.imageName}'" 473 ) 474 475 with subtest("buildLayeredImage supports running chown with fakeRootCommands"): 476 docker.succeed( 477 "docker load --input='${examples.layeredImageWithFakeRootCommands}'" 478 ) 479 docker.succeed( 480 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'" 481 ) 482 483 with subtest("Ensure docker load on merged images loads all of the constituent images"): 484 docker.succeed( 485 "docker load --input='${examples.mergedBashAndRedis}'" 486 ) 487 docker.succeed( 488 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bash.imageName}-${examples.bash.imageTag}'" 489 ) 490 docker.succeed( 491 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'" 492 ) 493 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version") 494 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version") 495 docker.succeed("docker rmi ${examples.bash.imageName}") 496 docker.succeed("docker rmi ${examples.redis.imageName}") 497 498 with subtest( 499 "Ensure docker load on merged images loads all of the constituent images (missing tags)" 500 ): 501 docker.succeed( 502 "docker load --input='${examples.mergedBashNoTagAndRedis}'" 503 ) 504 docker.succeed( 505 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bashNoTag.imageName}-${examples.bashNoTag.imageTag}'" 506 ) 507 docker.succeed( 508 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'" 509 ) 510 # we need to explicitly specify the generated tag here 511 docker.succeed( 512 "docker run --rm ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag} bash --version" 513 ) 514 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version") 515 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}") 516 docker.succeed("docker rmi ${examples.redis.imageName}") 517 518 with subtest("mergeImages preserves owners of the original images"): 519 docker.succeed( 520 "docker load --input='${examples.mergedBashFakeRoot}'" 521 ) 522 docker.succeed( 523 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'" 524 ) 525 526 with subtest("The image contains store paths referenced by the fakeRootCommands output"): 527 docker.succeed( 528 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} /hello/bin/layeredImageWithFakeRootCommands-hello" 529 ) 530 531 with subtest("mergeImage correctly deals with varying compression schemas in inputs"): 532 docker.succeed("docker load --input='${examples.mergeVaryingCompressor}'") 533 534 for sub_image, tag in [ 535 ("${examples.redis.imageName}", "${examples.redis.imageTag}"), 536 ("${examples.bashUncompressed.imageName}", "${examples.bashUncompressed.imageTag}"), 537 ("${examples.bashZstdCompressed.imageName}", "${examples.bashZstdCompressed.imageTag}"), 538 ]: 539 docker.succeed(f"docker images --format '{{{{.Repository}}}}-{{{{.Tag}}}}' | grep -F '{sub_image}-{tag}'") 540 docker.succeed(f"docker rmi {sub_image}") 541 542 543 with subtest("exportImage produces a valid tarball"): 544 docker.succeed( 545 "tar -tf ${examples.exportBash} | grep '\./bin/bash' > /dev/null" 546 ) 547 548 with subtest("layered image fakeRootCommands with fakechroot works"): 549 docker.succeed("${examples.imageViaFakeChroot} | docker load") 550 docker.succeed("docker run --rm image-via-fake-chroot | grep -i hello") 551 docker.succeed("docker image rm image-via-fake-chroot:latest") 552 553 with subtest("Ensure bare paths in contents are loaded correctly"): 554 docker.succeed( 555 "docker load --input='${examples.build-image-with-path}'", 556 "docker run --rm build-image-with-path bash -c '[[ -e /hello.txt ]]'", 557 "docker rmi build-image-with-path", 558 ) 559 docker.succeed( 560 "${examples.layered-image-with-path} | docker load", 561 "docker run --rm layered-image-with-path bash -c '[[ -e /hello.txt ]]'", 562 "docker rmi layered-image-with-path", 563 ) 564 565 with subtest("Ensure correct architecture is present in manifests."): 566 docker.succeed(""" 567 docker load --input='${examples.build-image-with-architecture}' 568 docker inspect build-image-with-architecture \ 569 | ${pkgs.jq}/bin/jq -er '.[] | select(.Architecture=="arm64").Architecture' 570 docker rmi build-image-with-architecture 571 """) 572 docker.succeed(""" 573 ${examples.layered-image-with-architecture} | docker load 574 docker inspect layered-image-with-architecture \ 575 | ${pkgs.jq}/bin/jq -er '.[] | select(.Architecture=="arm64").Architecture' 576 docker rmi layered-image-with-architecture 577 """) 578 579 with subtest("etc"): 580 docker.succeed("${examples.etc} | docker load") 581 docker.succeed("docker run --rm etc | grep localhost") 582 docker.succeed("docker image rm etc:latest") 583 584 with subtest("image-with-certs"): 585 docker.succeed("<${examples.image-with-certs} docker load") 586 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-bundle.crt") 587 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-certificates.crt") 588 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt") 589 docker.succeed("docker image rm image-with-certs:latest") 590 591 with subtest("streamLayeredImage: chown is persistent in fakeRootCommands"): 592 docker.succeed( 593 "${chownTestImage} | docker load", 594 "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)" 595 ) 596 597 with subtest("streamLayeredImage: with non-root user"): 598 docker.succeed( 599 "${nonRootTestImage} | docker load", 600 "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)" 601 ) 602 ''; 603 } 604)