119 lines
5.4 KiB
Nix
119 lines
5.4 KiB
Nix
import ../make-test-python.nix ({ pkgs, lib, extra ? {}, ... } :
|
|
|
|
let
|
|
releases = import ../../release.nix {
|
|
configuration = {
|
|
# Building documentation makes the test unnecessarily take a longer time:
|
|
documentation.enable = lib.mkForce false;
|
|
|
|
boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
|
|
} // extra;
|
|
};
|
|
|
|
container-image-metadata = releases.lxdContainerMeta.${pkgs.stdenv.hostPlatform.system};
|
|
container-image-rootfs = releases.lxdContainerImage.${pkgs.stdenv.hostPlatform.system};
|
|
in
|
|
{
|
|
name = "incus-container";
|
|
|
|
meta = {
|
|
maintainers = lib.teams.lxc.members;
|
|
};
|
|
|
|
nodes.machine = { ... }: {
|
|
virtualisation = {
|
|
# Ensure test VM has enough resources for creating and managing guests
|
|
cores = 2;
|
|
memorySize = 1024;
|
|
diskSize = 4096;
|
|
|
|
incus.enable = true;
|
|
};
|
|
networking.nftables.enable = true;
|
|
};
|
|
|
|
testScript = ''
|
|
def instance_is_up(_) -> bool:
|
|
status, _ = machine.execute("incus exec container --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running")
|
|
return status == 0
|
|
|
|
def set_container(config):
|
|
machine.succeed(f"incus config set container {config}")
|
|
machine.succeed("incus restart container")
|
|
with machine.nested("Waiting for instance to start and be usable"):
|
|
retry(instance_is_up)
|
|
|
|
def check_sysctl(instance):
|
|
with subtest("systemd sysctl settings are applied"):
|
|
machine.succeed(f"incus exec {instance} -- systemctl status systemd-sysctl")
|
|
sysctl = machine.succeed(f"incus exec {instance} -- sysctl net.ipv4.ip_forward").strip().split(" ")[-1]
|
|
assert "1" == sysctl, f"systemd-sysctl configuration not correctly applied, {sysctl} != 1"
|
|
|
|
machine.wait_for_unit("incus.service")
|
|
|
|
# no preseed should mean no service
|
|
machine.fail("systemctl status incus-preseed.service")
|
|
|
|
machine.succeed("incus admin init --minimal")
|
|
|
|
with subtest("Container image can be imported"):
|
|
machine.succeed("incus image import ${container-image-metadata}/*/*.tar.xz ${container-image-rootfs}/*/*.tar.xz --alias nixos")
|
|
|
|
with subtest("Container can be launched and managed"):
|
|
machine.succeed("incus launch nixos container")
|
|
with machine.nested("Waiting for instance to start and be usable"):
|
|
retry(instance_is_up)
|
|
machine.succeed("echo true | incus exec container /run/current-system/sw/bin/bash -")
|
|
|
|
with subtest("Container mounts lxcfs overlays"):
|
|
machine.succeed("incus exec container mount | grep 'lxcfs on /proc/cpuinfo type fuse.lxcfs'")
|
|
machine.succeed("incus exec container mount | grep 'lxcfs on /proc/meminfo type fuse.lxcfs'")
|
|
|
|
with subtest("Container CPU limits can be managed"):
|
|
set_container("limits.cpu 1")
|
|
cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip()
|
|
assert cpuinfo == "1", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 1, got: {cpuinfo}"
|
|
|
|
set_container("limits.cpu 2")
|
|
cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip()
|
|
assert cpuinfo == "2", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 2, got: {cpuinfo}"
|
|
|
|
with subtest("Container memory limits can be managed"):
|
|
set_container("limits.memory 64MB")
|
|
meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip()
|
|
meminfo_bytes = " ".join(meminfo.split(' ')[-2:])
|
|
assert meminfo_bytes == "62500 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '62500 kB', got: '{meminfo_bytes}'"
|
|
|
|
set_container("limits.memory 128MB")
|
|
meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip()
|
|
meminfo_bytes = " ".join(meminfo.split(' ')[-2:])
|
|
assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'"
|
|
|
|
with subtest("lxc-container generator configures plain container"):
|
|
# reuse the existing container to save some time
|
|
machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
|
|
check_sysctl("container")
|
|
|
|
with subtest("lxc-container generator configures nested container"):
|
|
machine.execute("incus delete --force container")
|
|
machine.succeed("incus launch nixos container --config security.nesting=true")
|
|
with machine.nested("Waiting for instance to start and be usable"):
|
|
retry(instance_is_up)
|
|
|
|
machine.fail("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
|
|
target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()
|
|
assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"
|
|
|
|
check_sysctl("container")
|
|
|
|
with subtest("lxc-container generator configures privileged container"):
|
|
machine.execute("incus delete --force container")
|
|
machine.succeed("incus launch nixos container --config security.privileged=true")
|
|
with machine.nested("Waiting for instance to start and be usable"):
|
|
retry(instance_is_up)
|
|
|
|
machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")
|
|
|
|
check_sysctl("container")
|
|
'';
|
|
})
|