nixpkgs/nixos/tests/incus/incusd-options.nix

# this is a set of tests for non-default options. typically the default options
# will be handled by the other tests
import ../make-test-python.nix (
  {
    pkgs,
    lib,
    incus ? pkgs.incus-lts,
    ...
  }:

  let
    releases = import ../../release.nix {
      configuration = {
        # Building documentation makes the test unnecessarily take a longer time:
        documentation.enable = lib.mkForce false;
      };
    };

    container-image-metadata = "${
      releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}
    }/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";
    container-image-rootfs = "${
      releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}
    }/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";
  in
  {
    name = "incusd-options";

    meta = {
      maintainers = lib.teams.lxc.members;
    };

    nodes.machine = {
      virtualisation = {
        cores = 2;
        memorySize = 1024;
        diskSize = 4096;

        incus = {
          enable = true;
          package = incus;
          softDaemonRestart = false;

          preseed = {
            networks = [
              {
                name = "incusbr0";
                type = "bridge";
                config = {
                  "ipv4.address" = "10.0.100.1/24";
                  "ipv4.nat" = "true";
                };
              }
            ];
            profiles = [
              {
                name = "default";
                devices = {
                  eth0 = {
                    name = "eth0";
                    network = "incusbr0";
                    type = "nic";
                  };
                  root = {
                    path = "/";
                    pool = "default";
                    size = "35GiB";
                    type = "disk";
                  };
                };
              }
            ];
            storage_pools = [
              {
                name = "default";
                driver = "dir";
              }
            ];
          };
        };

      };

      networking.nftables.enable = true;

      users.users.testuser = {
        isNormalUser = true;
        shell = pkgs.bashInteractive;
        group = "incus";
        uid = 1000;
      };
    };

    testScript = # python
      ''
        def wait_for_instance(name: str, project: str = "default"):
            def instance_is_up(_) -> bool:
                status, _ = machine.execute(f"incus exec {name} --disable-stdin --force-interactive --project {project} -- /run/current-system/sw/bin/systemctl is-system-running")
                return status == 0

            with machine.nested(f"Waiting for instance {name} to start and be usable"):
              retry(instance_is_up)

        machine.wait_for_unit("incus.service")
        machine.wait_for_unit("incus-preseed.service")

        with subtest("Container image can be imported"):
            machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")

        with subtest("Container can be launched and managed"):
            machine.succeed("incus launch nixos instance1")
            wait_for_instance("instance1")
            machine.succeed("echo true | incus exec instance1 /run/current-system/sw/bin/bash -")

        with subtest("Verify preseed resources created"):
            machine.succeed("incus profile show default")
            machine.succeed("incus network info incusbr0")
            machine.succeed("incus storage show default")

        with subtest("Instance is stopped when softDaemonRestart is disabled and services is stopped"):
            pid = machine.succeed("incus info instance1 | grep 'PID'").split(":")[1].strip()
            machine.succeed(f"ps {pid}")
            machine.succeed("systemctl stop incus")
            machine.fail(f"ps {pid}")

        with subtest("incus-user allows restricted access for users"):
            machine.fail("incus project show user-1000")
            machine.succeed("su - testuser bash -c 'incus list'")
            # a project is created dynamically for the user
            machine.succeed("incus project show user-1000")
            # users shouldn't be able to list storage pools
            machine.fail("su - testuser bash -c 'incus storage list'")

        with subtest("incus-user allows users to launch instances"):
            machine.succeed("su - testuser bash -c 'incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos'")
            machine.succeed("su - testuser bash -c 'incus launch nixos instance2'")
            wait_for_instance("instance2", "user-1000")
      '';
  }
)
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`# this is a set of tests for non-default options. typically the default options`
			`# will be handled by the other tests`
			`import ../make-test-python.nix (`
nixos/tests/incus: enable testing both LTS and non-LTS 2024-05-09 08:03:07 -06:00			`{`
			`pkgs,`
			`lib,`
			`incus ? pkgs.incus-lts,`
			`...`
			`}:`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00
			`let`
			`releases = import ../../release.nix {`
			`configuration = {`
			`# Building documentation makes the test unnecessarily take a longer time:`
			`documentation.enable = lib.mkForce false;`
			`};`
			`};`

lxc: added option for unprivileged containers. Added extra option to enable unprivileged containers. This includes a patch to remove the hard-coded path to `lxc-user-nic` and a new security wrapper to set SUID to `lxc-user-nic`. 2024-05-08 05:52:25 -06:00			`container-image-metadata = "${`
			`releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}`
			`}/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";`
			`container-image-rootfs = "${`
			`releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}`
			`}/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`in`
			`{`
			`name = "incusd-options";`

			`meta = {`
			`maintainers = lib.teams.lxc.members;`
			`};`

			`nodes.machine = {`
			`virtualisation = {`
			`cores = 2;`
			`memorySize = 1024;`
			`diskSize = 4096;`

			`incus = {`
			`enable = true;`
nixos/tests/incus: enable testing both LTS and non-LTS 2024-05-09 08:03:07 -06:00			`package = incus;`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`softDaemonRestart = false;`

			`preseed = {`
			`networks = [`
			`{`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00			`name = "incusbr0";`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`type = "bridge";`
			`config = {`
			`"ipv4.address" = "10.0.100.1/24";`
			`"ipv4.nat" = "true";`
			`};`
			`}`
			`];`
			`profiles = [`
			`{`
			`name = "default";`
			`devices = {`
			`eth0 = {`
			`name = "eth0";`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00			`network = "incusbr0";`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`type = "nic";`
			`};`
			`root = {`
			`path = "/";`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00			`pool = "default";`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`size = "35GiB";`
			`type = "disk";`
			`};`
			`};`
			`}`
			`];`
			`storage_pools = [`
			`{`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00			`name = "default";`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`driver = "dir";`
			`}`
			`];`
			`};`
			`};`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`};`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`networking.nftables.enable = true;`
nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00
			`users.users.testuser = {`
			`isNormalUser = true;`
			`shell = pkgs.bashInteractive;`
			`group = "incus";`
			`uid = 1000;`
			`};`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`};`

nixos/tests/incus: test incus-user 2024-11-15 21:18:06 -07:00			`testScript = # python`
			`''`
			`def wait_for_instance(name: str, project: str = "default"):`
			`def instance_is_up(_) -> bool:`
			`status, _ = machine.execute(f"incus exec {name} --disable-stdin --force-interactive --project {project} -- /run/current-system/sw/bin/systemctl is-system-running")`
			`return status == 0`

			`with machine.nested(f"Waiting for instance {name} to start and be usable"):`
			`retry(instance_is_up)`

			`machine.wait_for_unit("incus.service")`
			`machine.wait_for_unit("incus-preseed.service")`

			`with subtest("Container image can be imported"):`
			`machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")`

			`with subtest("Container can be launched and managed"):`
			`machine.succeed("incus launch nixos instance1")`
			`wait_for_instance("instance1")`
			`machine.succeed("echo true \| incus exec instance1 /run/current-system/sw/bin/bash -")`

			`with subtest("Verify preseed resources created"):`
			`machine.succeed("incus profile show default")`
			`machine.succeed("incus network info incusbr0")`
			`machine.succeed("incus storage show default")`

			`with subtest("Instance is stopped when softDaemonRestart is disabled and services is stopped"):`
			`pid = machine.succeed("incus info instance1 \| grep 'PID'").split(":")[1].strip()`
			`machine.succeed(f"ps {pid}")`
			`machine.succeed("systemctl stop incus")`
			`machine.fail(f"ps {pid}")`

			`with subtest("incus-user allows restricted access for users"):`
			`machine.fail("incus project show user-1000")`
			`machine.succeed("su - testuser bash -c 'incus list'")`
			`# a project is created dynamically for the user`
			`machine.succeed("incus project show user-1000")`
			`# users shouldn't be able to list storage pools`
			`machine.fail("su - testuser bash -c 'incus storage list'")`

			`with subtest("incus-user allows users to launch instances"):`
			`machine.succeed("su - testuser bash -c 'incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos'")`
			`machine.succeed("su - testuser bash -c 'incus launch nixos instance2'")`
			`wait_for_instance("instance2", "user-1000")`
			`'';`
nixos/incus: add support for soft daemon restart This is a feature supported out of the box by upstream and allows the incusd service to be restarted without impacting running instances. While this does give up a bit of reproducibility, qemu and lxc for example, there are clear benefits in allowing the host to apply updates without impacting instances. Modeled after the zabbly implementation: https://github.com/zabbly/incus/blob/2a67c3e260de5a5d1259ce598d7b4423c49403be/systemd/incus-startup.service This will now be the default. 2024-05-02 07:49:35 -06:00			`}`
			`)`