| blob | 21a727dbd97c9d8dce7e486d2c4f0037c271d741 |
1 # this test creates a simple GNU image with docker tools and sees if it executes
3 import ./make-test-python.nix ({ pkgs, ... }: {
4 name = "docker-tools";
5 meta = with pkgs.lib.maintainers; {
6 maintainers = [ lnl7 roberth ];
7 };
9 nodes = {
10 docker = { ... }: {
11 virtualisation = {
12 diskSize = 2048;
13 docker.enable = true;
14 };
15 };
16 };
18 testScript = with pkgs.dockerTools; ''
19 unix_time_second1 = "1970-01-01T00:00:01Z"
21 docker.wait_for_unit("sockets.target")
23 with subtest("includeStorePath"):
24 with subtest("assumption"):
25 docker.succeed("${examples.helloOnRoot} | docker load")
26 docker.succeed("docker run --rm hello | grep -i hello")
27 docker.succeed("docker image rm hello:latest")
28 with subtest("includeStorePath = false; breaks example"):
29 docker.succeed("${examples.helloOnRootNoStore} | docker load")
30 docker.fail("docker run --rm hello | grep -i hello")
31 docker.succeed("docker image rm hello:latest")
32 with subtest("includeStorePath = false; works with mounted store"):
33 docker.succeed("${examples.helloOnRootNoStore} | docker load")
34 docker.succeed("docker run --rm --volume ${builtins.storeDir}:${builtins.storeDir}:ro hello | grep -i hello")
35 docker.succeed("docker image rm hello:latest")
37 with subtest("Ensure Docker images use a stable date by default"):
38 docker.succeed(
39 "docker load --input='${examples.bash}'"
40 )
41 assert unix_time_second1 in docker.succeed(
42 "docker inspect ${examples.bash.imageName} "
43 + "| ${pkgs.jq}/bin/jq -r .[].Created",
44 )
46 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version")
47 # Check imageTag attribute matches image
48 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.bash.imageTag}'")
49 docker.succeed("docker rmi ${examples.bash.imageName}")
51 # The remaining combinations
52 with subtest("Ensure imageTag attribute matches image"):
53 docker.succeed(
54 "docker load --input='${examples.bashNoTag}'"
55 )
56 docker.succeed(
57 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTag.imageTag}'"
58 )
59 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}")
61 docker.succeed(
62 "docker load --input='${examples.bashNoTagLayered}'"
63 )
64 docker.succeed(
65 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagLayered.imageTag}'"
66 )
67 docker.succeed("docker rmi ${examples.bashNoTagLayered.imageName}:${examples.bashNoTagLayered.imageTag}")
69 docker.succeed(
70 "${examples.bashNoTagStreamLayered} | docker load"
71 )
72 docker.succeed(
73 "docker images --format '{{.Tag}}' | grep -F '${examples.bashNoTagStreamLayered.imageTag}'"
74 )
75 docker.succeed(
76 "docker rmi ${examples.bashNoTagStreamLayered.imageName}:${examples.bashNoTagStreamLayered.imageTag}"
77 )
79 docker.succeed(
80 "docker load --input='${examples.nixLayered}'"
81 )
82 docker.succeed("docker images --format '{{.Tag}}' | grep -F '${examples.nixLayered.imageTag}'")
83 docker.succeed("docker rmi ${examples.nixLayered.imageName}")
86 with subtest(
87 "Check if the nix store is correctly initialized by listing "
88 "dependencies of the installed Nix binary"
89 ):
90 docker.succeed(
91 "docker load --input='${examples.nix}'",
92 "docker run --rm ${examples.nix.imageName} nix-store -qR ${pkgs.nix}",
93 "docker rmi ${examples.nix.imageName}",
94 )
96 with subtest(
97 "Ensure (layered) nix store has correct permissions "
98 "and that the container starts when its process does not have uid 0"
99 ):
100 docker.succeed(
101 "docker load --input='${examples.bashLayeredWithUser}'",
102 "docker run -u somebody --rm ${examples.bashLayeredWithUser.imageName} ${pkgs.bash}/bin/bash -c 'test 555 == $(stat --format=%a /nix) && test 555 == $(stat --format=%a /nix/store)'",
103 "docker rmi ${examples.bashLayeredWithUser.imageName}",
104 )
106 with subtest("The nix binary symlinks are intact"):
107 docker.succeed(
108 "docker load --input='${examples.nix}'",
109 "docker run --rm ${examples.nix.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'",
110 "docker rmi ${examples.nix.imageName}",
111 )
113 with subtest("The nix binary symlinks are intact when the image is layered"):
114 docker.succeed(
115 "docker load --input='${examples.nixLayered}'",
116 "docker run --rm ${examples.nixLayered.imageName} ${pkgs.bash}/bin/bash -c 'test nix == $(readlink ${pkgs.nix}/bin/nix-daemon)'",
117 "docker rmi ${examples.nixLayered.imageName}",
118 )
120 with subtest("The pullImage tool works"):
121 docker.succeed(
122 "docker load --input='${examples.testNixFromDockerHub}'",
123 "docker run --rm nix:2.2.1 nix-store --version",
124 "docker rmi nix:2.2.1",
125 )
127 with subtest("runAsRoot and entry point work"):
128 docker.succeed(
129 "docker load --input='${examples.nginx}'",
130 "docker run --name nginx -d -p 8000:80 ${examples.nginx.imageName}",
131 )
132 docker.wait_until_succeeds("curl -f http://localhost:8000/")
133 docker.succeed(
134 "docker rm --force nginx",
135 "docker rmi '${examples.nginx.imageName}'",
136 )
138 with subtest("A pulled image can be used as base image"):
139 docker.succeed(
140 "docker load --input='${examples.onTopOfPulledImage}'",
141 "docker run --rm ontopofpulledimage hello",
142 "docker rmi ontopofpulledimage",
143 )
145 with subtest("Regression test for issue #34779"):
146 docker.succeed(
147 "docker load --input='${examples.runAsRootExtraCommands}'",
148 "docker run --rm runasrootextracommands cat extraCommands",
149 "docker run --rm runasrootextracommands cat runAsRoot",
150 "docker rmi '${examples.runAsRootExtraCommands.imageName}'",
151 )
153 with subtest("Ensure Docker images can use an unstable date"):
154 docker.succeed(
155 "docker load --input='${examples.unstableDate}'"
156 )
157 assert unix_time_second1 not in docker.succeed(
158 "docker inspect ${examples.unstableDate.imageName} "
159 + "| ${pkgs.jq}/bin/jq -r .[].Created"
160 )
162 with subtest("Ensure Layered Docker images can use an unstable date"):
163 docker.succeed(
164 "docker load --input='${examples.unstableDateLayered}'"
165 )
166 assert unix_time_second1 not in docker.succeed(
167 "docker inspect ${examples.unstableDateLayered.imageName} "
168 + "| ${pkgs.jq}/bin/jq -r .[].Created"
169 )
171 with subtest("Ensure Layered Docker images work"):
172 docker.succeed(
173 "docker load --input='${examples.layered-image}'",
174 "docker run --rm ${examples.layered-image.imageName}",
175 "docker run --rm ${examples.layered-image.imageName} cat extraCommands",
176 )
178 with subtest("Ensure images built on top of layered Docker images work"):
179 docker.succeed(
180 "docker load --input='${examples.layered-on-top}'",
181 "docker run --rm ${examples.layered-on-top.imageName}",
182 )
184 with subtest("Ensure layered images built on top of layered Docker images work"):
185 docker.succeed(
186 "docker load --input='${examples.layered-on-top-layered}'",
187 "docker run --rm ${examples.layered-on-top-layered.imageName}",
188 )
191 def set_of_layers(image_name):
192 return set(
193 docker.succeed(
194 f"docker inspect {image_name} "
195 + "| ${pkgs.jq}/bin/jq -r '.[] | .RootFS.Layers | .[]'"
196 ).split()
197 )
200 with subtest("Ensure layers are shared between images"):
201 docker.succeed(
202 "docker load --input='${examples.another-layered-image}'"
203 )
204 layers1 = set_of_layers("${examples.layered-image.imageName}")
205 layers2 = set_of_layers("${examples.another-layered-image.imageName}")
206 assert bool(layers1 & layers2)
208 with subtest("Ensure order of layers is correct"):
209 docker.succeed(
210 "docker load --input='${examples.layersOrder}'"
211 )
213 for index in 1, 2, 3:
214 assert f"layer{index}" in docker.succeed(
215 f"docker run --rm ${examples.layersOrder.imageName} cat /tmp/layer{index}"
216 )
218 with subtest("Ensure layers unpacked in correct order before runAsRoot runs"):
219 assert "abc" in docker.succeed(
220 "docker load --input='${examples.layersUnpackOrder}'",
221 "docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order"
222 )
224 with subtest("Ensure environment variables are correctly inherited"):
225 docker.succeed(
226 "docker load --input='${examples.environmentVariables}'"
227 )
228 out = docker.succeed("docker run --rm ${examples.environmentVariables.imageName} env")
229 env = out.splitlines()
230 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved"
231 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved"
232 assert "LAST_LAYER=child" in env, "envvars from the child should take priority"
234 with subtest("Ensure environment variables of layered images are correctly inherited"):
235 docker.succeed(
236 "docker load --input='${examples.environmentVariablesLayered}'"
237 )
238 out = docker.succeed("docker run --rm ${examples.environmentVariablesLayered.imageName} env")
239 env = out.splitlines()
240 assert "FROM_PARENT=true" in env, "envvars from the parent should be preserved"
241 assert "FROM_CHILD=true" in env, "envvars from the child should be preserved"
242 assert "LAST_LAYER=child" in env, "envvars from the child should take priority"
244 with subtest(
245 "Ensure inherited environment variables of layered images are correctly resolved"
246 ):
247 # Read environment variables as stored in image config
248 config = docker.succeed(
249 "tar -xOf ${examples.environmentVariablesLayered} manifest.json | ${pkgs.jq}/bin/jq -r .[].Config"
250 ).strip()
251 out = docker.succeed(
252 f"tar -xOf ${examples.environmentVariablesLayered} {config} | ${pkgs.jq}/bin/jq -r '.config.Env | .[]'"
253 )
254 env = out.splitlines()
255 assert (
256 sum(entry.startswith("LAST_LAYER") for entry in env) == 1
257 ), "envvars overridden by child should be unique"
259 with subtest("Ensure image with only 2 layers can be loaded"):
260 docker.succeed(
261 "docker load --input='${examples.two-layered-image}'"
262 )
264 with subtest(
265 "Ensure the bulk layer doesn't miss store paths (regression test for #78744)"
266 ):
267 docker.succeed(
268 "docker load --input='${pkgs.dockerTools.examples.bulk-layer}'",
269 # Ensure the two output paths (ls and hello) are in the layer
270 "docker run bulk-layer ls /bin/hello",
271 )
273 with subtest(
274 "Ensure the bulk layer with a base image respects the number of maxLayers"
275 ):
276 docker.succeed(
277 "docker load --input='${pkgs.dockerTools.examples.layered-bulk-layer}'",
278 # Ensure the image runs correctly
279 "docker run layered-bulk-layer ls /bin/hello",
280 )
282 # Ensure the image has the correct number of layers
283 assert len(set_of_layers("layered-bulk-layer")) == 4
285 with subtest("Ensure only minimal paths are added to the store"):
286 # TODO: make an example that has no store paths, for example by making
287 # busybox non-self-referential.
289 # This check tests that buildLayeredImage can build images that don't need a store.
290 docker.succeed(
291 "docker load --input='${pkgs.dockerTools.examples.no-store-paths}'"
292 )
294 docker.succeed("docker run --rm no-store-paths ls / >/dev/console")
296 # If busybox isn't self-referential, we need this line
297 # docker.fail("docker run --rm no-store-paths ls /nix/store >/dev/console")
298 # However, it currently is self-referential, so we check that it is the
299 # only store path.
300 docker.succeed("diff <(docker run --rm no-store-paths ls /nix/store) <(basename ${pkgs.pkgsStatic.busybox}) >/dev/console")
302 with subtest("Ensure buildLayeredImage does not change store path contents."):
303 docker.succeed(
304 "docker load --input='${pkgs.dockerTools.examples.filesInStore}'",
305 "docker run --rm file-in-store nix-store --verify --check-contents",
306 "docker run --rm file-in-store |& grep 'some data'",
307 )
309 with subtest("Ensure cross compiled image can be loaded and has correct arch."):
310 docker.succeed(
311 "docker load --input='${pkgs.dockerTools.examples.cross}'",
312 )
313 assert (
314 docker.succeed(
315 "docker inspect ${pkgs.dockerTools.examples.cross.imageName} "
316 + "| ${pkgs.jq}/bin/jq -r .[].Architecture"
317 ).strip()
318 == "${if pkgs.stdenv.hostPlatform.system == "aarch64-linux" then "amd64" else "arm64"}"
319 )
321 with subtest("buildLayeredImage doesn't dereference /nix/store symlink layers"):
322 docker.succeed(
323 "docker load --input='${examples.layeredStoreSymlink}'",
324 "docker run --rm ${examples.layeredStoreSymlink.imageName} bash -c 'test -L ${examples.layeredStoreSymlink.passthru.symlink}'",
325 "docker rmi ${examples.layeredStoreSymlink.imageName}",
326 )
328 with subtest("buildImage supports registry/ prefix in image name"):
329 docker.succeed(
330 "docker load --input='${examples.prefixedImage}'"
331 )
332 docker.succeed(
333 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedImage.imageName}'"
334 )
336 with subtest("buildLayeredImage supports registry/ prefix in image name"):
337 docker.succeed(
338 "docker load --input='${examples.prefixedLayeredImage}'"
339 )
340 docker.succeed(
341 "docker images --format '{{.Repository}}' | grep -F '${examples.prefixedLayeredImage.imageName}'"
342 )
344 with subtest("buildLayeredImage supports running chown with fakeRootCommands"):
345 docker.succeed(
346 "docker load --input='${examples.layeredImageWithFakeRootCommands}'"
347 )
348 docker.succeed(
349 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'"
350 )
352 with subtest("Ensure docker load on merged images loads all of the constituent images"):
353 docker.succeed(
354 "docker load --input='${examples.mergedBashAndRedis}'"
355 )
356 docker.succeed(
357 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bash.imageName}-${examples.bash.imageTag}'"
358 )
359 docker.succeed(
360 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'"
361 )
362 docker.succeed("docker run --rm ${examples.bash.imageName} bash --version")
363 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version")
364 docker.succeed("docker rmi ${examples.bash.imageName}")
365 docker.succeed("docker rmi ${examples.redis.imageName}")
367 with subtest(
368 "Ensure docker load on merged images loads all of the constituent images (missing tags)"
369 ):
370 docker.succeed(
371 "docker load --input='${examples.mergedBashNoTagAndRedis}'"
372 )
373 docker.succeed(
374 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.bashNoTag.imageName}-${examples.bashNoTag.imageTag}'"
375 )
376 docker.succeed(
377 "docker images --format '{{.Repository}}-{{.Tag}}' | grep -F '${examples.redis.imageName}-${examples.redis.imageTag}'"
378 )
379 # we need to explicitly specify the generated tag here
380 docker.succeed(
381 "docker run --rm ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag} bash --version"
382 )
383 docker.succeed("docker run --rm ${examples.redis.imageName} redis-cli --version")
384 docker.succeed("docker rmi ${examples.bashNoTag.imageName}:${examples.bashNoTag.imageTag}")
385 docker.succeed("docker rmi ${examples.redis.imageName}")
387 with subtest("mergeImages preserves owners of the original images"):
388 docker.succeed(
389 "docker load --input='${examples.mergedBashFakeRoot}'"
390 )
391 docker.succeed(
392 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} sh -c 'stat -c '%u' /home/alice | grep -E ^1000$'"
393 )
395 with subtest("The image contains store paths referenced by the fakeRootCommands output"):
396 docker.succeed(
397 "docker run --rm ${examples.layeredImageWithFakeRootCommands.imageName} /hello/bin/layeredImageWithFakeRootCommands-hello"
398 )
400 with subtest("exportImage produces a valid tarball"):
401 docker.succeed(
402 "tar -tf ${examples.exportBash} | grep '\./bin/bash' > /dev/null"
403 )
405 with subtest("layered image fakeRootCommands with fakechroot works"):
406 docker.succeed("${examples.imageViaFakeChroot} | docker load")
407 docker.succeed("docker run --rm image-via-fake-chroot | grep -i hello")
408 docker.succeed("docker image rm image-via-fake-chroot:latest")
410 with subtest("Ensure bare paths in contents are loaded correctly"):
411 docker.succeed(
412 "docker load --input='${examples.build-image-with-path}'",
413 "docker run --rm build-image-with-path bash -c '[[ -e /hello.txt ]]'",
414 "docker rmi build-image-with-path",
415 )
416 docker.succeed(
417 "${examples.layered-image-with-path} | docker load",
418 "docker run --rm layered-image-with-path bash -c '[[ -e /hello.txt ]]'",
419 "docker rmi layered-image-with-path",
420 )
422 with subtest("etc"):
423 docker.succeed("${examples.etc} | docker load")
424 docker.succeed("docker run --rm etc | grep localhost")
425 docker.succeed("docker image rm etc:latest")
427 with subtest("image-with-certs"):
428 docker.succeed("<${examples.image-with-certs} docker load")
429 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-bundle.crt")
430 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/ssl/certs/ca-certificates.crt")
431 docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt")
432 docker.succeed("docker image rm image-with-certs:latest")
434 '';
435 })