diff --git a/examples/full-nixos/arion-compose.nix b/examples/full-nixos/arion-compose.nix
index dac420d..1429355 100644
--- a/examples/full-nixos/arion-compose.nix
+++ b/examples/full-nixos/arion-compose.nix
@@ -1,9 +1,11 @@
 {
- services.webserver = { pkgs, ... }: {
+ services.webserver = { pkgs, lib, ... }: {
 nixos.useSystemd = true;
 nixos.configuration.boot.tmpOnTmpfs = true;
 nixos.configuration.services.nginx.enable = true;
 nixos.configuration.services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
+ nixos.configuration.systemd.services.nginx.serviceConfig.AmbientCapabilities =
+ lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
 service.useHostStore = true;
 service.ports = [
 "8000:80" # host:container
diff --git a/examples/nixos-unit/arion-compose.nix b/examples/nixos-unit/arion-compose.nix
index 3ef5be3..86a1491 100644
--- a/examples/nixos-unit/arion-compose.nix
+++ b/examples/nixos-unit/arion-compose.nix
@@ -28,6 +28,9 @@
 PATH='${config.systemd.services.nginx.environment.PATH}'
 echo nginx:x:${toString config.users.users.nginx.uid}:${toString config.users.groups.nginx.gid}:nginx web server user:/var/empty:/bin/sh >>/etc/passwd
 echo nginx:x:${toString config.users.groups.nginx.gid}:nginx >>/etc/group
+ echo 'nobody:x:65534:65534:Unprivileged account do not use:/var/empty:/run/current-system/sw/bin/nologin' >>/etc/passwd
+ echo 'nogroup:x:65534:' >>/etc/group
+ mkdir -p /run/nginx/ /var/spool/nginx/logs/
 ${config.systemd.services.nginx.runner}
 '';
 };
diff --git a/nix/ci.nix b/nix/ci.nix
index 0d37467..24569b2 100644
--- a/nix/ci.nix
+++ b/nix/ci.nix 
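Review bot: The added `lib.mkForce` replaces the nginx unit's AmbientCapabilities without a comment saying why, so a reader of this example cannot tell whether it narrows the unit to the one capability that binding port 80 needs or works around capabilities that a docker-hosted systemd cannot grant; since users copy examples, the reason should be on the page. Add a line above the two new lines such as `# Force the unit down to CAP_NET_BIND_SERVICE: the container's default capability set presumably lacks the other capabilities the NixOS nginx module lists, and port 80 needs only this one` — adjusted to the actual reason if that guess is wrong. The enclosing `services.webserver` function continues outside the hunk.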
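Review bot: The new `nobody` and `nogroup` entries hardcode uid/gid 65534 while the nginx entries just above derive their ids from the evaluated NixOS configuration; keep the two consistent by writing `${toString config.users.users.nobody.uid}` and `${toString config.users.groups.nogroup.gid}`, which NixOS defines alongside the nginx user and group. The added lines also inherit the unconditional `>>` append of the lines above, so a container whose writable layer survives a restart accumulates duplicate passwd/group entries; a `grep -q '^nobody:' /etc/passwd ||` guard in front of each echo would make the script idempotent. The shell script this hunk belongs to starts outside the hunk.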
@@ -6,12 +6,22 @@ in
 dimension "Nixpkgs version" {
 "nixos-19_03" = {
- nixpkgsSource = "nixpkgs";
- isReferenceNixpkgs = true;
+ # flyingcircus.io latest long-term support is based off 19.03
+ # https://flyingcircus.io/doc/
+ # It is nice to have some level of support for their platform,
+ # but we don't guarantee any support.
+ nixpkgsSource = "nixos-19.03";
 enableDoc = false;
+ nixosTestIsPerl = true;
 };
 "nixos-19_09" = {
 nixpkgsSource = "nixos-19.09";
+ enableDoc = false;
+ nixosTestIsPerl = true;
+ };
+ "nixos-20_03" = {
+ nixpkgsSource = "nixos-20.03";
+ isReferenceNixpkgs = true;
 enableDoc = true;
 };
 "nixos-unstable" = {
@@ -19,7 +29,7 @@ dimension "Nixpkgs version" {
 enableDoc = true;
 };
 } (
- _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true }:
+ _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true, nixosTestIsPerl ? false }:
 dimension "System" {
@@ -28,7 +38,10 @@ dimension "Nixpkgs version" {
 } (
 system: { isReferenceTarget ? false, enableNixOSTests ? true }:
 let
- pkgs = import ./. { inherit system; nixpkgsSrc = sources.${nixpkgsSource}; };
+ pkgs = import ./. {
+ inherit system nixosTestIsPerl;
+ nixpkgsSrc = sources.${nixpkgsSource};
+ };
 in
 {
 inherit (pkgs) arion;
diff --git a/nix/default.nix b/nix/default.nix
index 921b747..3042c7f 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,7 +1,8 @@
 { sources ? import ./sources.nix
-, nixpkgsName ? "nixos-19.09"
+, nixpkgsName ? "nixos-20.03"
 , nixpkgsSrc ? sources.${nixpkgsName}
 , system ? builtins.currentSystem
+, nixosTestIsPerl ? false
 , ...
 }:
@@ -11,6 +12,7 @@ import nixpkgsSrc ({
 };
 overlays = [
 # all the packages are defined there:
+ (_: _: { inherit nixosTestIsPerl; })
 (import ./overlay.nix)
 ];
 inherit system;
diff --git a/nix/sources.json b/nix/sources.json
index dd0a5e8..b21511a 100644
--- a/nix/sources.json
+++ b/nix/sources.json 
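Review bot: In the second nix/default.nix hunk the new overlay line is inserted between the comment `# all the packages are defined there:` and the `(import ./overlay.nix)` line that comment describes, so the comment now reads as if it referred to an overlay that only injects a boolean. Either move `(_: _: { inherit nixosTestIsPerl; })` above the comment, or give it its own comment such as `# expose the CI flag to the overlay so tests/default.nix can select the test-driver flavour`. The surrounding `import nixpkgsSrc ({ ... })` call starts and ends outside the hunk.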
@@ -11,16 +11,40 @@
 "url": "https://github.com/nmattia/niv/archive/1dd094156b249586b66c16200ecfd365c7428dc0.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
+ "nixos-19.03": {
+ "branch": "nixos-19.03",
+ "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
+ "homepage": "https://github.com/NixOS/nixpkgs",
+ "owner": "NixOS",
+ "repo": "nixpkgs-channels",
+ "rev": "34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59",
+ "sha256": "11z6ajj108fy2q5g8y4higlcaqncrbjm3dnv17pvif6avagw4mcb",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs-channels/archive/34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
 "nixos-19.09": {
 "branch": "nixos-19.09",
 "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
 "homepage": "https://github.com/NixOS/nixpkgs",
 "owner": "NixOS",
 "repo": "nixpkgs-channels",
- "rev": "3ba0d9f75ccffd41e32cfea4046805f8bbab12f5",
- "sha256": "0w20drs4mwlq12k1sss1x8adyf5ph5jd52n8wdcgmn4sm60qjmki",
+ "rev": "ce9f1aaa39ee2a5b76a9c9580c859a74de65ead5",
+ "sha256": "1s2b9rvpyamiagvpl5cggdb2nmx4f7lpylipd397wz8f0wngygpi",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs-channels/archive/3ba0d9f75ccffd41e32cfea4046805f8bbab12f5.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs-channels/archive/ce9f1aaa39ee2a5b76a9c9580c859a74de65ead5.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixos-20.03": {
+ "branch": "nixos-20.03",
+ "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. 
Send issues and PRs to",
+ "homepage": "https://github.com/NixOS/nixpkgs",
+ "owner": "NixOS",
+ "repo": "nixpkgs-channels",
+ "rev": "04aca9ac24ad24c2dbeb37e1cfa94d8453f07a51",
+ "sha256": "152k3aisxqd219yvcy6xr8frh0yrs9ycaw1ik04c2lp49d21b8nh",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs-channels/archive/04aca9ac24ad24c2dbeb37e1cfa94d8453f07a51.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-unstable": {
@@ -29,10 +53,10 @@
 "homepage": "https://github.com/NixOS/nixpkgs",
 "owner": "NixOS",
 "repo": "nixpkgs-channels",
- "rev": "cb4332e3eb6dfdb653f1fc7397a0292df228a533",
- "sha256": "1722wphznqhpfny08rcy19l85r2l893ckjc3h1vfivj6aj64fwjr",
+ "rev": "42f0be81ae05a8fe6d6e8e7f1c28652e7746e046",
+ "sha256": "1rxb5kmghkzazqcv4d8yczdiv2srs4r7apx4idc276lcikm0hdmf",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs-channels/archive/cb4332e3eb6dfdb653f1fc7397a0292df228a533.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs-channels/archive/42f0be81ae05a8fe6d6e8e7f1c28652e7746e046.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz",
 "version": ""
 },
diff --git a/tests/arion-test-perl/README.md b/tests/arion-test-perl/README.md
new file mode 100644
index 0000000..736afb7
--- /dev/null
+++ b/tests/arion-test-perl/README.md
@@ -0,0 +1,4 @@
+
+This test suite exists only to keep tests around for older versions of NixOS.
+
+This will be removed when 19.09 becomes irrelevant.
diff --git a/tests/arion-test-perl/default.nix b/tests/arion-test-perl/default.nix
new file mode 100644
index 0000000..34c42b3
--- /dev/null
+++ b/tests/arion-test-perl/default.nix 
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+ # To make some prebuilt derivations available in the vm
+ preEval = modules: import ../../src/nix/eval-composition.nix {
+ inherit modules;
+ inherit pkgs;
+ };
+in
+{
+ name = "arion-test";
+ machine = { pkgs, lib, ... }: {
+ environment.systemPackages = [
+ pkgs.arion
+ ];
+ virtualisation.docker.enable = true;
+
+ # no caches, because no internet
+ nix.binaryCaches = lib.mkForce [];
+
+ # FIXME: Sandbox seems broken with current version of NixOS test
+ # w/ writable store. Error:
+ # machine# error: linking '/nix/store/7r8z2zvhwda85pgpdn5hzzz6hs1njklc-stdenv-linux.drv.chroot/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh' to '/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh': Operation not permitted
+ #
+ # There should be no reason why arion can't run without
+ # sandboxing, so please re-enable.
+ nix.useSandbox = false;
+
+ virtualisation.writableStore = true;
+ virtualisation.pathsInNixDB = [
+ # Pre-build the image because we don't want to build the world
+ # in the vm. 
+ (preEval [ ../../examples/minimal/arion-compose.nix ]).config.out.dockerComposeYaml
+ (preEval [ ../../examples/full-nixos/arion-compose.nix ]).config.out.dockerComposeYaml
+ (preEval [ ../../examples/nixos-unit/arion-compose.nix ]).config.out.dockerComposeYaml
+ pkgs.stdenv
+ ];
+
+ virtualisation.memorySize = 512;
+ };
+ testScript = ''
+ $machine->fail("curl localhost:8000");
+ $machine->succeed("docker --version");
+
+ my $makeSubtest = sub {
+ my ( $subtestName, $exampleSrc ) = @_;
+
+ subtest $subtestName => sub {
+ $machine->succeed("rm -rf work && cp -frT $exampleSrc work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d");
+ $machine->waitUntilSucceeds("curl localhost:8000");
+ $machine->succeed("cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down");
+ $machine->waitUntilFails("curl localhost:8000");
+ };
+ };
+
+ $makeSubtest->("minimal", "${../../examples/minimal}");
+ $makeSubtest->("full-nixos", "${../../examples/full-nixos}");
+ $makeSubtest->("nixos-unit", "${../../examples/nixos-unit}");
+ '';
+}
diff --git a/tests/arion-test/default.nix b/tests/arion-test/default.nix
index 5bea4fe..bc1a2e5 100644
--- a/tests/arion-test/default.nix
+++ b/tests/arion-test/default.nix 
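Review bot: This Perl copy of the test keeps only the up/down round-trip per example; the `arion exec` check that the previous Perl test ran inside its `full-nixos` subtest (the `$makeSubtest->("full-nixos", ..., sub { ... })` block removed from tests/arion-test/default.nix in this same commit) is not carried over, so the CI rows that select this suite via `nixosTestIsPerl` lose that coverage. If that is deliberate, say so next to `testScript`, e.g. `# No arion-exec subtest here; tests/arion-test is the full suite for current NixOS`; otherwise re-add a `@codeRefs` hook as the old test had. The `nix.useSandbox = false` FIXME is copied verbatim, so whoever resolves it in tests/arion-test has to remember this file too.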
@@ -35,27 +35,62 @@ in
 (preEval [ ../../examples/nixos-unit/arion-compose.nix ]).config.out.dockerComposeYaml
 pkgs.stdenv
 ];
+
+ virtualisation.memorySize = 512;
 };
 testScript = ''
- $machine->fail("curl localhost:8000");
- $machine->succeed("docker --version");
+ machine.fail("curl localhost:8000")
+ machine.succeed("docker --version")
- my $makeSubtest = sub {
- my ( $subtestName, $exampleSrc, @codeRefs ) = @_;
+ # Tests
+ # - arion up
+ # - arion down
+ # - examples/minimal
+ with subtest("minimal"):
+ machine.succeed(
+ "rm -rf work && cp -frT ${../../examples/minimal} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
+ )
+ machine.wait_until_succeeds("curl localhost:8000")
+ machine.succeed(
+ "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
+ )
+ machine.wait_until_fails("curl localhost:8000")
- subtest $subtestName => sub {
- $machine->succeed("rm -rf work && cp -frT $exampleSrc work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d");
- $machine->waitUntilSucceeds("curl localhost:8000");
- $_->() for @codeRefs;
- $machine->succeed("cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down");
- $machine->waitUntilFails("curl localhost:8000");
- };
- };
+ # Tests
+ # - arion exec
+ # - examples/full-nixos
+ with subtest("full-nixos"):
+ machine.succeed(
+ "rm -rf work && cp -frT ${../../examples/full-nixos} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
+ )
+ machine.wait_until_succeeds("curl localhost:8000")
- $makeSubtest->("minimal", "${../../examples/minimal}");
- $makeSubtest->("full-nixos", "${../../examples/full-nixos}", sub {
- $machine->succeed("cd work && export NIX_PATH=nixpkgs='${pkgs.path}' && (echo 'nix run -f ~/h/arion arion -c arion exec webserver'; echo 'target=world; echo Hello \$target'; echo exit) | script /dev/null | grep 'Hello world'");
- });
- $makeSubtest->("nixos-unit", "${../../examples/nixos-unit}");
+ machine.succeed(
+ """
+ set -eux -o pipefail
+ cd work
+ export 
NIX_PATH=nixpkgs='${pkgs.path}'
+ echo 'target=world; echo Hello $target; exit' \
+ | script 'arion exec webserver' \
+ | grep 'Hello world'
+ """
+ ),
+
+ machine.succeed(
+ "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
+ )
+ machine.wait_until_fails("curl localhost:8000")
+
+ # Tests
+ # - examples/nixos-unit
+ with subtest("nixos-unit"):
+ machine.succeed(
+ "rm -rf work && cp -frT ${../../examples/nixos-unit} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
+ )
+ machine.wait_until_succeeds("curl localhost:8000")
+ machine.succeed(
+ "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
+ )
+ machine.wait_until_fails("curl localhost:8000")
 '';
 }
diff --git a/tests/default.nix b/tests/default.nix
index cabdb61..cc9ad49 100644
--- a/tests/default.nix
+++ b/tests/default.nix
@@ -1,11 +1,11 @@
-{ pkgs ? import ../pkgs.nix }:
+{ pkgs ? import ../pkgs.nix, nixosTestIsPerl ? false }:
 let
 inherit (pkgs) nixosTest recurseIntoAttrs arion;
 in
 recurseIntoAttrs {
- test = nixosTest ./arion-test;
+ test = if nixosTestIsPerl then nixosTest ./arion-test-perl else nixosTest ./arion-test;
 testBuild = arion.build {
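Review bot: In the new `full-nixos` subtest the exec check pipes its input into `script 'arion exec webserver'`, but util-linux `script` takes a bare positional argument as the typescript output file and only runs a command when given `-c`; as written the piped `echo Hello $target` would run in the host shell that `script` spawns, `grep 'Hello world'` would pass whether or not `arion exec` works, and a file literally named `arion exec webserver` would be left in `work/`. The removed Perl version typed the `arion exec webserver` command into the recorded shell and sent the typescript to `/dev/null`, so it did exercise exec. Unless `script` on the test VM is a wrapper with different argument handling, the line should be `| script -qc 'arion exec webserver' /dev/null \`. Separately, the `),` closing that `machine.succeed(` call turns the statement into a one-element tuple; harmless, but it should be `)` like the other calls. The `machine` attribute set that the hunk's first context lines belong to starts outside the hunk.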