pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / podman / tls-ghostunnel.nix
at master 5.6 kB view raw
1# This test runs podman as a backend for the Docker CLI. 2import ../make-test-python.nix ( 3 { pkgs, lib, ... }: 4 5 let 6 gen-ca = pkgs.writeScript "gen-ca" '' 7 # Create CA 8 PATH="${pkgs.openssl}/bin:$PATH" 9 openssl genrsa -out ca-key.pem 4096 10 openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem 11 12 # Create service 13 openssl genrsa -out podman-key.pem 4096 14 openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr 15 echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf 16 echo extendedKeyUsage = serverAuth >> extfile.cnf 17 openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf 18 19 # Create client 20 openssl genrsa -out client-key.pem 4096 21 openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr 22 echo extendedKeyUsage = clientAuth > extfile-client.cnf 23 openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf 24 25 # Create CA 2 26 PATH="${pkgs.openssl}/bin:$PATH" 27 openssl genrsa -out ca-2-key.pem 4096 28 openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem 29 30 # Create client signed by CA 2 31 openssl genrsa -out client-2-key.pem 4096 32 openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr 33 echo extendedKeyUsage = clientAuth > extfile-client.cnf 34 openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf 35 36 ''; 37 in 38 { 39 name = "podman-tls-ghostunnel"; 40 meta = { 41 maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ]; 42 }; 43 44 nodes = { 45 podman = 46 { pkgs, ... }: 47 { 48 virtualisation.podman.enable = true; 49 virtualisation.podman.dockerSocket.enable = true; 50 virtualisation.podman.networkSocket = { 51 enable = true; 52 openFirewall = true; 53 server = "ghostunnel"; 54 tls.cert = "/root/podman-cert.pem"; 55 tls.key = "/root/podman-key.pem"; 56 tls.cacert = "/root/ca.pem"; 57 }; 58 59 environment.systemPackages = [ 60 pkgs.docker-client 61 ]; 62 63 users.users.alice = { 64 isNormalUser = true; 65 home = "/home/alice"; 66 description = "Alice Foobar"; 67 extraGroups = [ "podman" ]; 68 }; 69 70 }; 71 72 client = 73 { ... }: 74 { 75 environment.systemPackages = [ 76 # Installs the docker _client_ only 77 # Normally, you'd want `virtualisation.docker.enable = true;`. 78 pkgs.docker-client 79 ]; 80 environment.variables.DOCKER_HOST = "podman:2376"; 81 environment.variables.DOCKER_TLS_VERIFY = "1"; 82 }; 83 }; 84 85 testScript = '' 86 import shlex 87 88 89 def su_cmd(user, cmd): 90 cmd = shlex.quote(cmd) 91 return f"su {user} -l -c {cmd}" 92 93 def cmd(command): 94 print(f"+{command}") 95 r = os.system(command) 96 if r != 0: 97 raise Exception(f"Command {command} failed with exit code {r}") 98 99 start_all() 100 cmd("${gen-ca}") 101 102 podman.copy_from_host("ca.pem", "/root/ca.pem") 103 podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem") 104 podman.copy_from_host("podman-key.pem", "/root/podman-key.pem") 105 106 client.copy_from_host("ca.pem", "/root/.docker/ca.pem") 107 # client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem") 108 client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem") 109 client.copy_from_host("client-key.pem", "/root/.docker/key.pem") 110 111 # TODO (ghostunnel): add file watchers so the restart isn't necessary 112 podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service") 113 114 podman.wait_for_unit("sockets.target") 115 podman.wait_for_unit("ghostunnel-server-podman-socket.service") 116 117 with subtest("Root docker cli also works"): 118 podman.succeed("docker version") 119 120 with subtest("A podman member can also still use the docker cli"): 121 podman.succeed(su_cmd("alice", "docker version")) 122 123 with subtest("Run container remotely via docker cli"): 124 client.succeed("docker version") 125 126 # via socket would be nicer 127 podman.succeed("tar cv --files-from /dev/null | podman import - scratchimg") 128 129 client.succeed( 130 "docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin localhost/scratchimg /bin/sleep 10" 131 ) 132 client.succeed("docker ps | grep sleeping") 133 podman.succeed("docker ps | grep sleeping") 134 client.succeed("docker stop sleeping") 135 client.succeed("docker rm sleeping") 136 137 with subtest("Clients without cert will be denied"): 138 client.succeed("rm /root/.docker/{cert,key}.pem") 139 client.fail("docker version") 140 141 with subtest("Clients with wrong cert will be denied"): 142 client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem") 143 client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem") 144 client.fail("docker version") 145 146 ''; 147 } 148)