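import ../make-test-python.nix (
  { pkgs, lib, ... }:

  let
    releases = import ../../release.nix {
      configuration = {
        # Building documentation makes the test unnecessarily take a longer time:
        documentation.enable = lib.mkForce false;
      };
    };

    lxc-image-metadata = releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system};
    lxc-image-rootfs = releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system};

    # Subordinate id range handed to both test users. It matches the
    # `lxc.idmap` lines in defaultConfig below, so container uid/gid 0..65535
    # land on host ids 100000..165535 and container root is unprivileged on
    # the host. Both users deliberately get the same range so that the shared
    # default.conf is valid for each of them; on a real multi-user host every
    # user should own a disjoint range, otherwise containers of different
    # users run under the same host uids and can read or modify each other's
    # files.
    subIdRange = {
      start = 100000;
      count = 65536;
    };
    subGidRanges = [
      {
        startGid = subIdRange.start;
        count = subIdRange.count;
      }
    ];
    subUidRanges = [
      {
        startUid = subIdRange.start;
        count = subIdRange.count;
      }
    ];
  in
  {
    name = "lxc-container-unprivileged";

    meta = {
      maintainers = lib.teams.lxc.members;
    };

    nodes.machine =
      { lib, pkgs, ... }:
      {
        virtualisation = {
          diskSize = 6144;
          cores = 2;
          memorySize = 512;
          writableStore = true;

          lxc = {
            enable = true;
            unprivilegedContainers = true;
            # One container path shared by every user of this test VM.
            systemConfig = ''
              lxc.lxcpath = /tmp/lxc
            '';
            # Per-container defaults: a veth attached to lxcbr0 (the `xx`
            # octets of the MAC are filled in by lxc) and the uid/gid mapping
            # that sends container root to host id 100000.
            defaultConfig = ''
              lxc.net.0.type = veth
              lxc.net.0.link = lxcbr0
              lxc.net.0.flags = up
              lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
              lxc.idmap = u 0 100000 65536
              lxc.idmap = g 0 100000 65536
            '';
            # lxc-usernet: members of lxc-user may attach up to 10 veth
            # interfaces to lxcbr0. Anyone outside the group (bob below) is
            # denied, which is what the negative assertion in testScript
            # relies on.
            usernetConfig = ''
              @lxc-user veth lxcbr0 10
            '';
            # Keep the bridge IPv4-only.
            bridgeConfig = ''
              LXC_IPV6_ADDR=""
              LXC_IPV6_MASK=""
              LXC_IPV6_NETWORK=""
              LXC_IPV6_NAT="false"
            '';
          };
        };

        # Needed for lxc
        environment.systemPackages = [
          pkgs.wget
          pkgs.dnsmasq
        ];

        # Test accounts (fixture passwords only). alice is the positive case:
        # in lxc-user, so lxc-usernet lets her attach to lxcbr0.
        users.users.alice = {
          isNormalUser = true;
          password = "test";
          description = "Lxc unprivileged user with access to lxcbr0";
          extraGroups = [ "lxc-user" ];
          inherit subGidRanges subUidRanges;
        };

        # bob is the negative case: same id mapping, but not in lxc-user.
        users.users.bob = {
          isNormalUser = true;
          password = "test";
          description = "Lxc unprivileged user without access to lxcbr0";
          inherit subGidRanges subUidRanges;
        };
      };

    testScript = ''
      machine.wait_for_unit("lxc-net.service")

      # Copy config files for alice. These steps are part of the fixture, so a
      # failure here must abort the test instead of surfacing later as an
      # unrelated lxc-create error.
      machine.succeed("su -- alice -c 'mkdir -p ~/.config/lxc'")
      machine.succeed("su -- alice -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")
      machine.succeed("su -- alice -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")

      machine.succeed("su -- alice -c 'lxc-create -t local -n test -- --metadata ${lxc-image-metadata}/*/*.tar.xz --fstree ${lxc-image-rootfs}/*/*.tar.xz'")
      machine.succeed("su -- alice -c 'lxc-start test'")
      machine.succeed("su -- alice -c 'lxc-stop test'")

      # Copy config files for bob
      machine.succeed("su -- bob -c 'mkdir -p ~/.config/lxc'")
      machine.succeed("su -- bob -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")
      machine.succeed("su -- bob -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")

      # bob shares /tmp/lxc with alice but is not in lxc-user, so lxc-usernet
      # refuses the veth on lxcbr0. NOTE(review): this only asserts that the
      # start fails, not why; bob also does not own alice's container files,
      # so a permission error on the rootfs would satisfy it as well.
      machine.fail("su -- bob -c 'lxc-start test'")
    '';
  }
)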