| blob | fcdfa586fd55d555db44e4cdf67aab7d75f878f0 |
1 # this test creates a simple GNU image with docker tools and sees if it executes
3 import ./make-test-python.nix ({ pkgs, ... }:
4 let
5 # nixpkgs#214434: dockerTools.buildImage fails to unpack base images
6 # containing duplicate layers when those duplicate tarballs
7 # appear under the manifest's 'Layers'. Docker can generate images
8 # like this even though dockerTools does not.
9 repeatedLayerTestImage =
10 let
11 # Rootfs diffs for layers 1 and 2 are identical (and empty)
12 layer1 = pkgs.dockerTools.buildImage { name = "empty"; };
13 layer2 = layer1.overrideAttrs (_: { fromImage = layer1; });
14 repeatedRootfsDiffs = pkgs.runCommandNoCC "image-with-links.tar" {
15 nativeBuildInputs = [pkgs.jq];
16 } ''
17 mkdir contents
18 tar -xf "${layer2}" -C contents
19 cd contents
20 first_rootfs=$(jq -r '.[0].Layers[0]' manifest.json)
21 second_rootfs=$(jq -r '.[0].Layers[1]' manifest.json)
22 target_rootfs=$(sha256sum "$first_rootfs" | cut -d' ' -f 1).tar
24 # Replace duplicated rootfs diffs with symlinks to one tarball
25 chmod -R ug+w .
26 mv "$first_rootfs" "$target_rootfs"
27 rm "$second_rootfs"
28 ln -s "../$target_rootfs" "$first_rootfs"
29 ln -s "../$target_rootfs" "$second_rootfs"
31 # Update manifest's layers to use the symlinks' target
32 cat manifest.json | \
33 jq ".[0].Layers[0] = \"$target_rootfs\"" |
34 jq ".[0].Layers[1] = \"$target_rootfs\"" > manifest.json.new
35 mv manifest.json.new manifest.json
37 tar --sort=name --hard-dereference -cf $out .
38 '';
39 in pkgs.dockerTools.buildImage {
40 fromImage = repeatedRootfsDiffs;
41 name = "repeated-layer-test";
42 tag = "latest";
43 copyToRoot = pkgs.bash;
44 # A runAsRoot script is required to force previous layers to be unpacked
45 runAsRoot = ''
46 echo 'runAsRoot has run.'
47 '';
48 };
49 in {
50 name = "docker-tools";
51 meta = with pkgs.lib.maintainers; {
52 maintainers = [ lnl7 roberth ];
53 };
55 nodes = {
56 docker = { ... }: {
57 virtualisation = {
58 diskSize = 3072;
59 docker.enable = true;
60 };
61 };
62 };
64 testScript = with pkgs.dockerTools; ''
65 unix_time_second1 = "1970-01-01T00:00:01Z"
67 docker.wait_for_unit("sockets.target")
69 with subtest("includeStorePath"):
70 with subtest("assumption"):
71 docker.succeed("${examples.helloOnRoot} | docker load")
72 docker.succeed("docker run --rm hello | grep -i hello")
73 docker.succeed("docker image rm hello:latest")
74 with subtest("includeStorePath = false; breaks example"):
75 docker.succeed("${examples.helloOnRootNoStore} | docker load")
76 docker.fail("docker run --rm hello | grep -i hello")
77 docker.succeed("docker image rm hello:latest")
78 with subtest("includeStorePath = false; works with mounted store"):
79 docker.succeed("${examples.helloOnRootNoStore} | docker load")
80 docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
81 docker.succeed("docker image rm hello:latest")
83 with subtest("Ensure Docker images use a stable date by default"):
84 docker.succeed(
85 "docker load --input='${examples.bash}'"
86 )
87 assert unix_time_second1 in docker.succeed(
88 "docker inspect ${examples.bash.imageName} "
89 + "| ${pkgs.jq}/bin/jq -r .[].Created",
90 )
92 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version")
93 # Check imageTag attribute matches image
94 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.bash.imageTag}'")
95 docker.succeed("docker rmi ${examples.bash.imageName}")
97 # The remaining combinations
98 with subtest("Ensure imageTag attribute matches image"):
99 docker.succeed(
100 "docker load --input='${examples.bashNoTag}'"
101 )
102 docker.succeed(
103 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTag.imageTag}'"
104 )
105 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}")
107 docker.succeed(
108 "docker load --input='${examples.bashNoTagLayered}'"
109 )
110 docker.succeed(
111 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagLayered.imageTag}'"
112 )
113 docker.succeed("docker rmi ${examples.bashNoTagLayered.imageName}:${examples.bashNoTagLayered.imageTag}")
115 docker.succeed(
116 "${examples.bashNoTagStreamLayered} | docker load"
117 )
118 docker.succeed(
119 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagStreamLayered.imageTag}'"
120 )
121 docker.succeed(
122 "docker rmi ${examples.bashNoTagStreamLayered.imageName}:${examples.bashNoTagStreamLayered.imageTag}"
123 )
125 docker.succeed(
126 "docker load --input='${examples.nixLayered}'"
127 )
128 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.nixLayered.imageTag}'")
129 docker.succeed("docker rmi ${examples.nixLayered.imageName}")
132 with subtest(
133 "Check if the nix store is correctly initialized by listing "
134 "dependencies of the installed Nix binary"
135 ):
136 docker.succeed(
137 "docker load --input='${examples.nix}'",
138 "docker run --rm ${examples.nix.imageName} nix-store -qR ${pkgs.nix}",
139 "docker rmi ${examples.nix.imageName}",
140 )
142 with subtest(
143 "Ensure (layered) nix store has correct permissions "
144 "and that the container starts when its process does not have uid 0"
145 ):
146 docker.succeed(
147 "docker load --input='${examples.bashLayeredWithUser}'",
148 "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 555 == $(stat --format=%a /nix) && test 555 == $(stat --format=%a /nix/store)'",
149 "docker rmi ${examples.bashLayeredWithUser.imageName}",
150 )
152 with subtest("The nix binary symlinks are intact"):
153 docker.succeed(
154 "docker load --input='${examples.nix}'",
155 "docker run --rm ${examples.nix.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'",
156 "docker rmi ${examples.nix.imageName}",
157 )
159 with subtest("The nix binary symlinks are intact when the image is layered"):
160 docker.succeed(
161 "docker load --input='${examples.nixLayered}'",
162 "docker run --rm ${examples.nixLayered.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'",
163 "docker rmi ${examples.nixLayered.imageName}",
164 )
166 with subtest("The pullImage tool works"):
167 docker.succeed(
168 "docker load --input='${examples.testNixFromDockerHub}'",
169 "docker run --rm nix:2.2.1 nix-store --version",
170 "docker rmi nix:2.2.1",
171 )
173 with subtest("runAsRoot and entry point work"):
174 docker.succeed(
175 "docker load --input='${examples.nginx}'",
176 "docker run --name nginx -d -p 8000:80 ${examples.nginx.imageName}",
177 )
178 docker.wait_until_succeeds("curl -f http://localhost:8000/")
179 docker.succeed(
180 "docker rm --force nginx",
181 "docker rmi '${examples.nginx.imageName}'",
182 )
184 with subtest("A pulled image can be used as base image"):
185 docker.succeed(
186 "docker load --input='${examples.onTopOfPulledImage}'",
187 "docker run --rm ontopofpulledimage hello",
188 "docker rmi ontopofpulledimage",
189 )
191 with subtest("Regression test for issue #34779"):
192 docker.succeed(
193 "docker load --input='${examples.runAsRootExtraCommands}'",
194 "docker run --rm runasrootextracommands cat extraCommands",
195 "docker run --rm runasrootextracommands cat runAsRoot",
196 "docker rmi '${examples.runAsRootExtraCommands.imageName}'",
197 )
199 with subtest("Ensure Docker images can use an unstable date"):
200 docker.succeed(
201 "docker load --input='${examples.unstableDate}'"
202 )
203 assert unix_time_second1 not in docker.succeed(
204 "docker inspect ${examples.unstableDate.imageName} "
205 + "| ${pkgs.jq}/bin/jq -r .[].Created"
206 )
208 with subtest("Ensure Layered Docker images can use an unstable date"):
209 docker.succeed(
210 "docker load --input='${examples.unstableDateLayered}'"
211 )
212 assert unix_time_second1 not in docker.succeed(
213 "docker inspect ${examples.unstableDateLayered.imageName} "
214 + "| ${pkgs.jq}/bin/jq -r .[].Created"
215 )
217 with subtest("Ensure Layered Docker images work"):
218 docker.succeed(
219 "docker load --input='${examples.layered-image}'",
220 "docker run --rm ${examples.layered-image.imageName}",
221 "docker run --rm ${examples.layered-image.imageName} cat extraCommands",
222 )
224 with subtest("Ensure images built on top of layered Docker images work"):
225 docker.succeed(
226 "docker load --input='${examples.layered-on-top}'",
227 "docker run --rm ${examples.layered-on-top.imageName}",
228 )
230 with subtest("Ensure layered images built on top of layered Docker images work"):
231 docker.succeed(
232 "docker load --input='${examples.layered-on-top-layered}'",
233 "docker run --rm ${examples.layered-on-top-layered.imageName}",
234 )
237 def set_of_layers(image_name):
238 return set(
239 docker.succeed(
240 f"docker inspect {image_name} "
241 + "| ${pkgs.jq}/bin/jq -r '.[] | .RootFS.Layers | .[]'"
242 ).split()
243 )
246 with subtest("Ensure layers are shared between images"):
247 docker.succeed(
248 "docker load --input='${examples.another-layered-image}'"
249 )
250 layers1 = set_of_layers("${examples.layered-image.imageName}")
251 layers2 = set_of_layers("${examples.another-layered-image.imageName}")
252 assert bool(layers1 & layers2)
254 with subtest("Ensure order of layers is correct"):
255 docker.succeed(
256 "docker load --input='${examples.layersOrder}'"
257 )
259 for index in 1, 2, 3:
260 assert f"layer{index}" in docker.succeed(
261 f"docker run --rm ${examples.layersOrder.imageName} cat /tmp/layer{index}"
262 )
264 with subtest("Ensure layers unpacked in correct order before runAsRoot runs"):
265 assert "abc" in docker.succeed(
266 "docker load --input='${examples.layersUnpackOrder}'",
267 "docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order"
268 )
270 with subtest("Ensure repeated base layers handled by buildImage"):
271 docker.succeed(
272 "docker load --input='${repeatedLayerTestImage}'",
273 "docker run --rm ${repeatedLayerTestImage.imageName} /bin/bash -c 'exit 0'"
274 )
276 with subtest("Ensure environment variables are correctly inherited"):
277 docker.succeed(
278 "docker load --input='${examples.environmentVariables}'"
279 )
280 out = docker.succeed("docker run --rm ${examples.environmentVariables.imageName} env")
281 env = out.splitlines()
282 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved"
283 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved"
284 assert "LAST_LAYER=child" in env, "envvars from the child should take priority"
286 with subtest("Ensure environment variables of layered images are correctly inherited"):
287 docker.succeed(
288 "docker load --input='${examples.environmentVariablesLayered}'"
289 )
290 out = docker.succeed("docker run --rm ${examples.environmentVariablesLayered.imageName} env")
291 env = out.splitlines()
292 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved"
293 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved"
294 assert "LAST_LAYER=child" in env, "envvars from the child should take priority"
296 with subtest(
297 "Ensure inherited environment variables of layered images are correctly resolved"
298 ):
299 # Read environment variables as stored in image config
300 config = docker.succeed(
301 "tar -xOf ${examples.environmentVariablesLayered} manifest.json | ${pkgs.jq}/bin/jq -r .[].Config"
302 ).strip()
303 out = docker.succeed(
304 f"tar -xOf ${examples.environmentVariablesLayered} {config} | ${pkgs.jq}/bin/jq -r '.config.Env | .[]'"
305 )
306 env = out.splitlines()
307 assert (
308 sum(entry.startswith("LAST_LAYER") for entry in env) == 1
309 ), "envvars overridden by child should be unique"
311 with subtest("Ensure image with only 2 layers can be loaded"):
312 docker.succeed(
313 "docker load --input='${examples.two-layered-image}'"
314 )
316 with subtest(
317 "Ensure the bulk layer doesn't miss store paths (regression test for #78744)"
318 ):
319 docker.succeed(
320 "docker load --input='${pkgs.dockerTools.examples.bulk-layer}'",
321 # Ensure the two output paths (ls and hello) are in the layer
322 "docker run bulk-layer ls /bin/hello",
323 )
325 with subtest(
326 "Ensure the bulk layer with a base image respects the number of maxLayers"
327 ):
328 docker.succeed(
329 "docker load --input='${pkgs.dockerTools.examples.layered-bulk-layer}'",
330 # Ensure the image runs correctly
331 "docker run layered-bulk-layer ls /bin/hello",
332 )
334 # Ensure the image has the correct number of layers
335 assert len(set_of_layers("layered-bulk-layer")) == 4
337 with subtest("Ensure only minimal paths are added to the store"):
338 # TODO: make an example that has no store paths, for example by making
339 # busybox non-self-referential.
341 # This check tests that buildLayeredImage can build images that don't need a store.
342 docker.succeed(
343 "docker load --input='${pkgs.dockerTools.examples.no-store-paths}'"
344 )
346 docker.succeed("docker run --rm no-store-paths ls / >/dev/console")
348 # If busybox isn't self-referential, we need this line
349 # docker.fail("docker run --rm no-store-paths ls /nix/store >/dev/console")
350 # However, it currently is self-referential, so we check that it is the
351 # only store path.
352 docker.succeed("diff <(docker run --rm no-store-paths ls /nix/store) <(basename ${pkgs.pkgsStatic.busybox}) >/dev/console")
354 with subtest("Ensure buildLayeredImage does not change store path contents."):
355 docker.succeed(
356 "docker load --input='${pkgs.dockerTools.examples.filesInStore}'",
357 "docker run --rm file-in-store nix-store --verify --check-contents",
358 "docker run --rm file-in-store |& grep 'some data'",
359 )
361 with subtest("Ensure cross compiled image can be loaded and has correct arch."):
362 docker.succeed(
363 "docker load --input='${pkgs.dockerTools.examples.cross}'",
364 )
365 assert (
366 docker.succeed(
367 "docker inspect ${pkgs.dockerTools.examples.cross.imageName} "
368 + "| ${pkgs.jq}/bin/jq -r .[].Architecture"
369 ).strip()
370 == "${if pkgs.stdenv.hostPlatform.system == "aarch64-linux" then "amd64" else "arm64"}"
371 )
373 with subtest("buildLayeredImage doesn't dereference /nix/store symlink layers"):
374 docker.succeed(
375 "docker load --input='${examples.layeredStoreSymlink}'",
376 "docker run --rm ${examples.layeredStoreSymlink.imageName} bash -c 'test -L ${examples.layeredStoreSymlink.passthru.symlink}'",
377 "docker rmi ${examples.layeredStoreSymlink.imageName}",
378 )
380 with subtest("buildImage supports registry/ prefix in image name"):
381 docker.succeed(
382 "docker load --input='${examples.prefixedImage}'"
383 )
384 docker.succeed(
385 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedImage.imageName}'"
386 )
388 with subtest("buildLayeredImage supports registry/ prefix in image name"):
389 docker.succeed(
390 "docker load --input='${examples.prefixedLayeredImage}'"
391 )
392 docker.succeed(
393 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedLayeredImage.imageName}'"
394 )
396 with subtest("buildLayeredImage supports running chown with fakeRootCommands"):
397 docker.succeed(
398 "docker load --input='${examples.layeredImageWithFakeRootCommands}'"
399 )
400 docker.succeed(
401 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'"
402 )
404 with subtest("Ensure docker load on merged images loads all of the constituent images"):
405 docker.succeed(
406 "docker load --input='${examples.mergedBashAndRedis}'"
407 )
408 docker.succeed(
409 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bash.imageName}-${examples.bash.imageTag}'"
410 )
411 docker.succeed(
412 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'"
413 )
414 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version")
415 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version")
416 docker.succeed("docker rmi ${examples.bash.imageName}")
417 docker.succeed("docker rmi ${examples.redis.imageName}")
419 with subtest(
420 "Ensure docker load on merged images loads all of the constituent images (missing tags)"
421 ):
422 docker.succeed(
423 "docker load --input='${examples.mergedBashNoTagAndRedis}'"
424 )
425 docker.succeed(
426 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bashNoTag.imageName}-${examples.bashNoTag.imageTag}'"
427 )
428 docker.succeed(
429 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'"
430 )
431 # we need to explicitly specify the generated tag here
432 docker.succeed(
433 "docker run --rm ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag} bash --version"
434 )
435 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version")
436 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}")
437 docker.succeed("docker rmi ${examples.redis.imageName}")
439 with subtest("mergeImages preserves owners of the original images"):
440 docker.succeed(
441 "docker load --input='${examples.mergedBashFakeRoot}'"
442 )
443 docker.succeed(
444 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'"
445 )
447 with subtest("The image contains store paths referenced by the fakeRootCommands output"):
448 docker.succeed(
449 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} /hello/bin/layeredImageWithFakeRootCommands-hello"
450 )
452 with subtest("exportImage produces a valid tarball"):
453 docker.succeed(
454 "tar -tf ${examples.exportBash} | grep '\./bin/bash' > /dev/null"
455 )
457 with subtest("layered image fakeRootCommands with fakechroot works"):
458 docker.succeed("${examples.imageViaFakeChroot} | docker load")
459 docker.succeed("docker run --rm image-via-fake-chroot | grep -i hello")
460 docker.succeed("docker image rm image-via-fake-chroot:latest")
462 with subtest("Ensure bare paths in contents are loaded correctly"):
463 docker.succeed(
464 "docker load --input='${examples.build-image-with-path}'",
465 "docker run --rm build-image-with-path bash -c '[[ -e /hello.txt ]]'",
466 "docker rmi build-image-with-path",
467 )
468 docker.succeed(
469 "${examples.layered-image-with-path} | docker load",
470 "docker run --rm layered-image-with-path bash -c '[[ -e /hello.txt ]]'",
471 "docker rmi layered-image-with-path",
472 )
474 with subtest("Ensure correct architecture is present in manifests."):
475 docker.succeed("""
476 docker load --input='${examples.build-image-with-architecture}'
477 docker inspect build-image-with-architecture \
478 | ${pkgs.jq}/bin/jq -er '.[] | select(.Architecture=="arm64").Architecture'
479 docker rmi build-image-with-architecture
480 """)
481 docker.succeed("""
482 ${examples.layered-image-with-architecture} | docker load
483 docker inspect layered-image-with-architecture \
484 | ${pkgs.jq}/bin/jq -er '.[] | select(.Architecture=="arm64").Architecture'
485 docker rmi layered-image-with-architecture
486 """)
488 with subtest("etc"):
489 docker.succeed("${examples.etc} | docker load")
490 docker.succeed("docker run --rm etc | grep localhost")
491 docker.succeed("docker image rm etc:latest")
493 with subtest("image-with-certs"):
494 docker.succeed("<${examples.image-with-certs} docker load")
495 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-bundle.crt")
496 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-certificates.crt")
497 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt")
498 docker.succeed("docker image rm image-with-certs:latest")
500 with subtest("buildNixShellImage: Can build a basic derivation"):
501 docker.succeed(
502 "${examples.nix-shell-basic} | docker load",
503 "docker run --rm nix-shell-basic bash -c 'buildDerivation && $out/bin/hello' | grep '^Hello, world!$'"
504 )
506 with subtest("buildNixShellImage: Runs the shell hook"):
507 docker.succeed(
508 "${examples.nix-shell-hook} | docker load",
509 "docker run --rm -it nix-shell-hook | grep 'This is the shell hook!'"
510 )
512 with subtest("buildNixShellImage: Sources stdenv, making build inputs available"):
513 docker.succeed(
514 "${examples.nix-shell-inputs} | docker load",
515 "docker run --rm -it nix-shell-inputs | grep 'Hello, world!'"
516 )
518 with subtest("buildNixShellImage: passAsFile works"):
519 docker.succeed(
520 "${examples.nix-shell-pass-as-file} | docker load",
521 "docker run --rm -it nix-shell-pass-as-file | grep 'this is a string'"
522 )
524 with subtest("buildNixShellImage: run argument works"):
525 docker.succeed(
526 "${examples.nix-shell-run} | docker load",
527 "docker run --rm -it nix-shell-run | grep 'This shell is not interactive'"
528 )
530 with subtest("buildNixShellImage: command argument works"):
531 docker.succeed(
532 "${examples.nix-shell-command} | docker load",
533 "docker run --rm -it nix-shell-command | grep 'This shell is interactive'"
534 )
536 with subtest("buildNixShellImage: home directory is writable by default"):
537 docker.succeed(
538 "${examples.nix-shell-writable-home} | docker load",
539 "docker run --rm -it nix-shell-writable-home"
540 )
542 with subtest("buildNixShellImage: home directory can be made non-existent"):
543 docker.succeed(
544 "${examples.nix-shell-nonexistent-home} | docker load",
545 "docker run --rm -it nix-shell-nonexistent-home"
546 )
548 with subtest("buildNixShellImage: can build derivations"):
549 docker.succeed(
550 "${examples.nix-shell-build-derivation} | docker load",
551 "docker run --rm -it nix-shell-build-derivation"
552 )
553 '';
554 })