| blob | 0f67010863efc49460e133becae3df42cdabc431 |
1 import ../make-test-python.nix (
2 { pkgs, lib, ... }:
4 let
5 releases = import ../../release.nix {
6 configuration = {
7 # Building documentation makes the test unnecessarily take a longer time:
8 documentation.enable = lib.mkForce false;
9 };
10 };
12 lxc-image-metadata = releases.lxdContainerMeta.${pkgs.stdenv.hostPlatform.system};
13 lxc-image-rootfs = releases.lxdContainerImage.${pkgs.stdenv.hostPlatform.system};
15 in
16 {
17 name = "lxc-container-unprivileged";
19 meta = {
20 maintainers = lib.teams.lxc.members;
21 };
23 nodes.machine =
24 { lib, pkgs, ... }:
25 {
26 virtualisation = {
27 diskSize = 6144;
28 cores = 2;
29 memorySize = 512;
30 writableStore = true;
32 lxc = {
33 enable = true;
34 unprivilegedContainers = true;
35 systemConfig = ''
36 lxc.lxcpath = /tmp/lxc
37 '';
38 defaultConfig = ''
39 lxc.net.0.type = veth
40 lxc.net.0.link = lxcbr0
41 lxc.net.0.flags = up
42 lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
43 lxc.idmap = u 0 100000 65536
44 lxc.idmap = g 0 100000 65536
45 '';
46 # Permit user alice to connect to bridge
47 usernetConfig = ''
48 @lxc-user veth lxcbr0 10
49 '';
50 bridgeConfig = ''
51 LXC_IPV6_ADDR=""
52 LXC_IPV6_MASK=""
53 LXC_IPV6_NETWORK=""
54 LXC_IPV6_NAT="false"
55 '';
56 };
57 };
59 # Needed for lxc
60 environment.systemPackages = with pkgs; [
61 pkgs.wget
62 pkgs.dnsmasq
63 ];
65 # Create user for test
66 users.users.alice = {
67 isNormalUser = true;
68 password = "test";
69 description = "Lxc unprivileged user with access to lxcbr0";
70 extraGroups = [ "lxc-user" ];
71 subGidRanges = [
72 {
73 startGid = 100000;
74 count = 65536;
75 }
76 ];
77 subUidRanges = [
78 {
79 startUid = 100000;
80 count = 65536;
81 }
82 ];
83 };
85 users.users.bob = {
86 isNormalUser = true;
87 password = "test";
88 description = "Lxc unprivileged user without access to lxcbr0";
89 subGidRanges = [
90 {
91 startGid = 100000;
92 count = 65536;
93 }
94 ];
95 subUidRanges = [
96 {
97 startUid = 100000;
98 count = 65536;
99 }
100 ];
101 };
102 };
104 testScript = ''
105 machine.wait_for_unit("lxc-net.service")
107 # Copy config files for alice
108 machine.execute("su -- alice -c 'mkdir -p ~/.config/lxc'")
109 machine.execute("su -- alice -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")
110 machine.execute("su -- alice -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")
112 machine.succeed("su -- alice -c 'lxc-create -t local -n test -- --metadata ${lxc-image-metadata}/*/*.tar.xz --fstree ${lxc-image-rootfs}/*/*.tar.xz'")
113 machine.succeed("su -- alice -c 'lxc-start test'")
114 machine.succeed("su -- alice -c 'lxc-stop test'")
116 # Copy config files for bob
117 machine.execute("su -- bob -c 'mkdir -p ~/.config/lxc'")
118 machine.execute("su -- bob -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")
119 machine.execute("su -- bob -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")
121 machine.fail("su -- bob -c 'lxc-start test'")
122 '';
123 }
124 )