diff --git a/examples/full-nixos/arion-compose.nix b/examples/full-nixos/arion-compose.nix
index dac420d..1429355 100644
--- a/examples/full-nixos/arion-compose.nix
+++ b/examples/full-nixos/arion-compose.nix
@@ -1,9 +1,11 @@
 {
- services.webserver = { pkgs, ... }: {
+ services.webserver = { pkgs, lib, ... }: {
 nixos.useSystemd = true;
 nixos.configuration.boot.tmpOnTmpfs = true;
 nixos.configuration.services.nginx.enable = true;
 nixos.configuration.services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
+ nixos.configuration.systemd.services.nginx.serviceConfig.AmbientCapabilities =
+ lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
 service.useHostStore = true;
 service.ports = [
 "8000:80" # host:container
diff --git a/examples/nixos-unit/arion-compose.nix b/examples/nixos-unit/arion-compose.nix
index 3ef5be3..86a1491 100644
--- a/examples/nixos-unit/arion-compose.nix
+++ b/examples/nixos-unit/arion-compose.nix
@@ -28,6 +28,9 @@
 PATH='${config.systemd.services.nginx.environment.PATH}'
 echo nginx:x:${toString config.users.users.nginx.uid}:${toString config.users.groups.nginx.gid}:nginx web server user:/var/empty:/bin/sh >>/etc/passwd
 echo nginx:x:${toString config.users.groups.nginx.gid}:nginx >>/etc/group
+ echo 'nobody:x:65534:65534:Unprivileged account do not use:/var/empty:/run/current-system/sw/bin/nologin' >>/etc/passwd
+ echo 'nogroup:x:65534:' >>/etc/group
+ mkdir -p /run/nginx/ /var/spool/nginx/logs/
 ${config.systemd.services.nginx.runner}
 '';
 };
diff --git a/nix/ci.nix b/nix/ci.nix
index 0d37467..a0193d6 100644
--- a/nix/ci.nix
+++ b/nix/ci.nix
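Review bot: The `lib.mkForce [ "CAP_NET_BIND_SERVICE" ]` on `AmbientCapabilities` overrides whatever the NixOS nginx module sets without recording why, so a later reader will reasonably "fix" it back to the module default. The narrowing itself is good least-privilege practice, but `mkForce` also silently discards any capability a future module revision adds, so the rationale belongs next to it; presumably the module default asks for a capability the container runtime does not grant by default. I would add `# Narrowed: the module's default capability list includes more than the container's default bounding set provides; nginx only needs to bind :80 here.` above the binding. The `services.webserver` attribute set continues past the end of the hunk.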
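Review bot: The new `echo ... >>/etc/passwd` and `>>/etc/group` lines, like the two existing ones above them, append on every execution of this command, so a container that is restarted rather than recreated accumulates duplicate `nginx`, `nobody` and `nogroup` entries; whether `arion up` always recreates the container is not visible here. Guarding each append keeps the files idempotent, e.g. `grep -q '^nobody:' /etc/passwd || echo 'nobody:x:65534:65534:Unprivileged account do not use:/var/empty:/run/current-system/sw/bin/nologin' >>/etc/passwd`. The `nobody` shell `/run/current-system/sw/bin/nologin` also presumably does not exist in this container (nothing in the hunk provides `/run/current-system`); a missing shell still blocks login, but a comment saying that is intentional would avoid confusion. The command string these lines belong to starts before the hunk.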
@@ -1,25 +1,35 @@
 let
 sources = import ./sources.nix;
 lib = import (sources."nixpkgs" + "/lib");
- inherit (import sources."project.nix" { inherit lib; }) dimension;
+ inherit (import (sources."project.nix" + "/lib/dimension.nix") { inherit lib; }) dimension;
 in
 dimension "Nixpkgs version" {
 "nixos-19_03" = {
- nixpkgsSource = "nixpkgs";
- isReferenceNixpkgs = true;
+ # flyingcircus.io latest long-term support is based off 19.03
+ # https://flyingcircus.io/doc/
+ # It is nice to have some level of support for their platform,
+ # but we don't guarantee any support.
+ nixpkgsSource = "nixos-19.03";
 enableDoc = false;
+ nixosTestIsPerl = true;
 };
 "nixos-19_09" = {
 nixpkgsSource = "nixos-19.09";
+ enableDoc = false;
+ nixosTestIsPerl = true;
+ };
+ "nixos-20_03" = {
+ nixpkgsSource = "nixos-20.03";
+ isReferenceNixpkgs = true;
 enableDoc = true;
 };
- "nixos-unstable" = {
- nixpkgsSource = "nixos-unstable";
- enableDoc = true;
- };
+ # "nixos-unstable" = {
+ # nixpkgsSource = "nixos-unstable";
+ # enableDoc = true;
+ # };
 } (
- _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true }:
+ _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true, nixosTestIsPerl ? false }:
 dimension "System" {
@@ -28,7 +38,10 @@ dimension "Nixpkgs version" {
 } (
 system: { isReferenceTarget ? false, enableNixOSTests ? true }:
 let
- pkgs = import ./. { inherit system; nixpkgsSrc = sources.${nixpkgsSource}; };
+ pkgs = import ./. {
+ inherit system nixosTestIsPerl;
+ nixpkgsSrc = sources.${nixpkgsSource};
+ };
 in
 {
 inherit (pkgs) arion;
diff --git a/nix/default.nix b/nix/default.nix
index 921b747..3042c7f 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,7 +1,8 @@
 { sources ? import ./sources.nix
- , nixpkgsName ? "nixos-19.09"
+ , nixpkgsName ? "nixos-20.03"
 , nixpkgsSrc ? sources.${nixpkgsName}
 , system ? builtins.currentSystem
+ , nixosTestIsPerl ? false
 , ...
 }:
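Review bot: `lib` is still taken from `sources."nixpkgs"` (the unchanged line near the top of the hunk) while the reference package set is now the separate `nixos-20.03` pin, and the lockfile in this same commit pins those two entries to different revisions, so `lib` and the packages under test can drift apart whenever one pin is updated and not the other. Deriving `lib` from the reference pin avoids that, e.g. `lib = import (sources."nixos-20.03" + "/lib");`, or a comment should record why two 20.03 pins are kept. The `nixos-unstable` entry is commented out rather than deleted with no indication of why unstable coverage was dropped or when it should come back; a one-line `# disabled: <reason>` above it would help. The outer `dimension "Nixpkgs version"` call continues past the end of the hunk.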
@@ -11,6 +12,7 @@ import nixpkgsSrc ({
 };
 overlays = [
 # all the packages are defined there:
+ (_: _: { inherit nixosTestIsPerl; })
 (import ./overlay.nix)
 ];
 inherit system;
diff --git a/nix/sources.json b/nix/sources.json
index 25118fd..2e83b81 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -5,10 +5,22 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "1dd094156b249586b66c16200ecfd365c7428dc0",
- "sha256": "1b2vjnn8iac5iiqszjc2v1s1ygh0yri998c0k3s4x4kn0dsqik21",
+ "rev": "98c74a80934123cb4c3bf3314567f67311eb711a",
+ "sha256": "1w8n54hapd4x9f1am33icvngkqns7m3hl9yair38yqq08ffwg0kn",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/1dd094156b249586b66c16200ecfd365c7428dc0.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/98c74a80934123cb4c3bf3314567f67311eb711a.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixos-19.03": {
+ "branch": "nixos-19.03",
+ "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
+ "homepage": "https://github.com/NixOS/nixpkgs",
+ "owner": "NixOS",
+ "repo": "nixpkgs-channels",
+ "rev": "34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59",
+ "sha256": "11z6ajj108fy2q5g8y4higlcaqncrbjm3dnv17pvif6avagw4mcb",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs-channels/archive/34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-19.09": {
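Review bot: The overlay `(_: _: { inherit nixosTestIsPerl; })` smuggles a test-harness flag into the package set, where it reads like a package attribute, and nothing at this site says who consumes it; presumably `overlay.nix` passes `pkgs.nixosTestIsPerl` on to `tests/default.nix`, but `overlay.nix` is not in the diff. A comment would make the plumbing visible to the next reader: `# Not a package: test-harness flag picked up by tests/default.nix through overlay.nix.` The `import nixpkgsSrc ({ ... })` call starts before and ends after the hunk.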
@@ -23,29 +35,41 @@ "url": "https://github.com/NixOS/nixpkgs-channels/archive/3ba0d9f75ccffd41e32cfea4046805f8bbab12f5.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "nixos-20.03": { + "branch": "release-20.03", + "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d6e406ddaea2e690c2f9f1a283e44c3d1c588ba3", + "sha256": "1m8gyrp8cpmnmxv3g2pv1460nz10bb88zqzvj6wmnhqkjgwwj3hm", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/d6e406ddaea2e690c2f9f1a283e44c3d1c588ba3.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "nixos-unstable": { "branch": "nixos-unstable", "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", "homepage": "https://github.com/NixOS/nixpkgs", "owner": "NixOS", "repo": "nixpkgs-channels", - "rev": "cb4332e3eb6dfdb653f1fc7397a0292df228a533", - "sha256": "1722wphznqhpfny08rcy19l85r2l893ckjc3h1vfivj6aj64fwjr", + "rev": "a2e06fc3423c4be53181b15c28dfbe0bcf67dd73", + "sha256": "0bjx4iq6nyhj47q5zkqsbfgng445xwprrslj1xrv56142jn8n5r9", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs-channels/archive/cb4332e3eb6dfdb653f1fc7397a0292df228a533.tar.gz", + "url": "https://github.com/NixOS/nixpkgs-channels/archive/a2e06fc3423c4be53181b15c28dfbe0bcf67dd73.tar.gz", "url_template": "https://github.com///archive/.tar.gz", "version": "" }, "nixpkgs": { - "branch": "nixos-19.03", + "branch": "nixos-20.03", "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. 
Send issues and PRs to", "homepage": "https://github.com/NixOS/nixpkgs", "owner": "NixOS", "repo": "nixpkgs-channels", - "rev": "d15a31f88a261281cd7c79038ae860c5ed95507d", - "sha256": "038iqfwmppnxq6aa89qm6k98lhwg686bmc9qjifibddm8pcp2wd0", + "rev": "99a3d7a86fce9e9c9f23b3e304d7d2b1270a12b8", + "sha256": "0i40cl3n6600z2lkwrpiy28dcnv2r63fcgfswj91aaf1xfn2chql", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs-channels/archive/d15a31f88a261281cd7c79038ae860c5ed95507d.tar.gz", + "url": "https://github.com/NixOS/nixpkgs-channels/archive/99a3d7a86fce9e9c9f23b3e304d7d2b1270a12b8.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "project.nix": { @@ -54,10 +78,10 @@ "homepage": null, "owner": "hercules-ci", "repo": "project.nix", - "rev": "33e5f3cb25feff4ccd00f8c60a05976e2ee01802", - "sha256": "0c3q3il5h6q3ms8m6da51knvjsfvpz12sh3a3av4d2a5ikm5ncl1", + "rev": "95f26b1cca0414f080172721ab7996ab65b8d968", + "sha256": "1fbpvidq3bdvinxdkk2vvvfjhxmbf45hgy2sgv2pbml4zrckbfdj", "type": "tarball", - "url": "https://github.com/hercules-ci/project.nix/archive/33e5f3cb25feff4ccd00f8c60a05976e2ee01802.tar.gz", + "url": "https://github.com/hercules-ci/project.nix/archive/95f26b1cca0414f080172721ab7996ab65b8d968.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "releaser": { @@ -66,10 +90,10 @@ "homepage": null, "owner": "domenkozar", "repo": "releaser", - "rev": "43a4e27654f388e8eacab631e24e26792ff88fe2", - "sha256": "072jlbw0hdc4nvs9frd7wdyzdv4mz2dc5ib35iaqi9rzdafq6822", + "rev": "0be40041273bd93891dd2be300d1f21f9e9a121b", + "sha256": "0ckgcliyi37hvpfp40nmk6r0q5irinkc2cpqs0l85z2a7si66hzh", "type": "tarball", - "url": "https://github.com/domenkozar/releaser/archive/43a4e27654f388e8eacab631e24e26792ff88fe2.tar.gz", + "url": "https://github.com/domenkozar/releaser/archive/0be40041273bd93891dd2be300d1f21f9e9a121b.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } 
diff --git a/src/nix/modules/composition/arion-base-image.nix b/src/nix/modules/composition/arion-base-image.nix
index 132bc4c..890c60b 100644
--- a/src/nix/modules/composition/arion-base-image.nix
+++ b/src/nix/modules/composition/arion-base-image.nix
@@ -10,7 +10,7 @@ let
 tag = lib.head (lib.strings.splitString "-" (baseNameOf builtImage.outPath));
 name = "arion-base";
- builtImage = pkgs.dockerTools.buildLayeredImage {
+ builtImage = pkgs.dockerTools.buildImage {
 inherit name;
 contents = pkgs.runCommand "minimal-contents" {} ''
 mkdir -p $out/bin $out/usr/bin
diff --git a/tests/arion-test-perl/README.md b/tests/arion-test-perl/README.md
new file mode 100644
index 0000000..736afb7
--- /dev/null
+++ b/tests/arion-test-perl/README.md
@@ -0,0 +1,4 @@
+ This test suite exists only to keep tests around for older versions of NixOS.
+ This will be removed when 19.09 becomes irrelevant.
diff --git a/tests/arion-test-perl/default.nix b/tests/arion-test-perl/default.nix
new file mode 100644
index 0000000..34c42b3
--- /dev/null
+++ b/tests/arion-test-perl/default.nix
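Review bot: The switch from `buildLayeredImage` to `buildImage` on the `builtImage =` line carries no rationale, and the two helpers differ in more than name: as I understand them, `buildImage` emits a single layer, so the per-store-path layer sharing that layered images give across images is lost (confirm against the nixpkgs revision pinned here). Without a comment the next person touching this file will not know whether it was a workaround for a particular nixpkgs version or a deliberate choice; I would add `# buildImage rather than buildLayeredImage: <reason>` above the binding. The `let` block this sits in continues past the hunk.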
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+ # To make some prebuilt derivations available in the vm
+ preEval = modules: import ../../src/nix/eval-composition.nix {
+ inherit modules;
+ inherit pkgs;
+ };
+in
+{
+ name = "arion-test";
+ machine = { pkgs, lib, ... }: {
+ environment.systemPackages = [
+ pkgs.arion
+ ];
+ virtualisation.docker.enable = true;
+
+ # no caches, because no internet
+ nix.binaryCaches = lib.mkForce [];
+
+ # FIXME: Sandbox seems broken with current version of NixOS test
+ # w/ writable store. Error:
+ # machine# error: linking '/nix/store/7r8z2zvhwda85pgpdn5hzzz6hs1njklc-stdenv-linux.drv.chroot/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh' to '/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh': Operation not permitted
+ #
+ # There should be no reason why arion can't run without
+ # sandboxing, so please re-enable.
+ nix.useSandbox = false;
+
+ virtualisation.writableStore = true;
+ virtualisation.pathsInNixDB = [
+ # Pre-build the image because we don't want to build the world
+ # in the vm.
+ (preEval [ ../../examples/minimal/arion-compose.nix ]).config.out.dockerComposeYaml
+ (preEval [ ../../examples/full-nixos/arion-compose.nix ]).config.out.dockerComposeYaml
+ (preEval [ ../../examples/nixos-unit/arion-compose.nix ]).config.out.dockerComposeYaml
+ pkgs.stdenv
+ ];
+
+ virtualisation.memorySize = 512;
+ };
+ testScript = ''
+ $machine->fail("curl localhost:8000");
+ $machine->succeed("docker --version");
+
+ my $makeSubtest = sub {
+ my ( $subtestName, $exampleSrc ) = @_;
+
+ subtest $subtestName => sub {
+ $machine->succeed("rm -rf work && cp -frT $exampleSrc work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d");
+ $machine->waitUntilSucceeds("curl localhost:8000");
+ $machine->succeed("cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down");
+ $machine->waitUntilFails("curl localhost:8000");
+ };
+ };
+
+ $makeSubtest->("minimal", "${../../examples/minimal}");
+ $makeSubtest->("full-nixos", "${../../examples/full-nixos}");
+ $makeSubtest->("nixos-unit", "${../../examples/nixos-unit}");
+ '';
+}
diff --git a/tests/arion-test/default.nix b/tests/arion-test/default.nix
index caf892a..bc1a2e5 100644
--- a/tests/arion-test/default.nix
+++ b/tests/arion-test/default.nix
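Review bot: The `full-nixos` subtest in this legacy suite no longer exercises `arion exec`: `$makeSubtest` runs only up/curl/down for every example, whereas the Perl script it was copied from (the removed lines in `tests/arion-test/default.nix` in this same diff) ran the `script /dev/null | grep 'Hello world'` exec check under full-nixos, and the Python rewrite keeps it. The 19.03 and 19.09 CI lanes that select this file via `nixosTestIsPerl` therefore lose that coverage silently. Either pass an extra per-example callback into `$makeSubtest` for the exec check, or state the gap in the README, e.g. `# arion exec is only covered by the Python suite in tests/arion-test.` The `# FIXME` about `nix.useSandbox = false;` is also carried over verbatim into a file that is meant to be deleted, so it will never be acted on here.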
@@ -35,32 +35,62 @@ in
 (preEval [ ../../examples/nixos-unit/arion-compose.nix ]).config.out.dockerComposeYaml
 pkgs.stdenv
 ];
+
+ virtualisation.memorySize = 512;
 };
 testScript = ''
- $machine->fail("curl localhost:8000");
- $machine->succeed("docker --version");
+ machine.fail("curl localhost:8000")
+ machine.succeed("docker --version")
- subtest "minimal", sub {
- $machine->succeed("cp -r ${../../examples/minimal} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d");
- $machine->waitUntilSucceeds("curl localhost:8000");
- $machine->succeed("cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down && rm -rf work");
- $machine->waitUntilFails("curl localhost:8000");
- };
+ # Tests
+ # - arion up
+ # - arion down
+ # - examples/minimal
+ with subtest("minimal"):
+ machine.succeed(
+ "rm -rf work && cp -frT ${../../examples/minimal} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
+ )
+ machine.wait_until_succeeds("curl localhost:8000")
+ machine.succeed(
+ "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
+ )
+ machine.wait_until_fails("curl localhost:8000")
- subtest "full-nixos", sub {
- $machine->succeed("cp -r ${../../examples/full-nixos} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d");
- $machine->waitUntilSucceeds("curl localhost:8000");
- # Also test exec with defaultExec
- $machine->succeed("cd work && export NIX_PATH=nixpkgs='${pkgs.path}' && (echo 'nix run -f ~/h/arion arion -c arion exec webserver'; echo 'target=world; echo Hello \$target'; echo exit) | script /dev/null | grep 'Hello world'");
- $machine->succeed("cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down && rm -rf work");
- $machine->waitUntilFails("curl localhost:8000");
- };
+ # Tests
+ # - arion exec
+ # - examples/full-nixos
+ with subtest("full-nixos"):
+ machine.succeed(
+ "rm -rf work && cp -frT ${../../examples/full-nixos} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
+ )
+ machine.wait_until_succeeds("curl localhost:8000")
- subtest "nixos-unit", sub {
- $machine->succeed("cp -r ${../../examples/nixos-unit} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d");
- $machine->waitUntilSucceeds("curl localhost:8000");
- $machine->succeed("cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down && rm -rf work");
- $machine->waitUntilFails("curl localhost:8000");
- };
+ machine.succeed(
+ """
+ set -eux -o pipefail
+ cd work
+ export NIX_PATH=nixpkgs='${pkgs.path}'
+ echo 'target=world; echo Hello $target; exit' \
+ | script 'arion exec webserver' \
+ | grep 'Hello world'
+ """
+ ),
+
+ machine.succeed(
+ "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
+ )
+ machine.wait_until_fails("curl localhost:8000")
+
+ # Tests
+ # - examples/nixos-unit
+ with subtest("nixos-unit"):
+ machine.succeed(
+ "rm -rf work && cp -frT ${../../examples/nixos-unit} work && cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion up -d"
+ )
+ machine.wait_until_succeeds("curl localhost:8000")
+ machine.succeed(
+ "cd work && NIX_PATH=nixpkgs='${pkgs.path}' arion down"
+ )
+ machine.wait_until_fails("curl localhost:8000")
 '';
 }
diff --git a/tests/default.nix b/tests/default.nix
index cabdb61..cc9ad49 100644
--- a/tests/default.nix
+++ b/tests/default.nix
@@ -1,11 +1,11 @@
-{ pkgs ? import ../pkgs.nix }:
+{ pkgs ? import ../pkgs.nix, nixosTestIsPerl ? false }:
 let
 inherit (pkgs) nixosTest recurseIntoAttrs arion;
 in
 recurseIntoAttrs {
- test = nixosTest ./arion-test;
+ test = if nixosTestIsPerl then nixosTest ./arion-test-perl else nixosTest ./arion-test;
 testBuild = arion.build {
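Review bot: The `| script 'arion exec webserver' \` line in the full-nixos subtest does not run `arion exec` at all: util-linux `script` takes a positional argument as the typescript output file and, without `-c`, spawns `$SHELL`, so the piped `target=world; echo Hello $target; exit` executes in the test VM's own shell and `grep 'Hello world'` passes whether or not the container or `defaultExec` works. The removed Perl version typed the `arion exec webserver` command into the recorded shell, which is why it worked; the equivalent here is `| script -qc 'arion exec webserver' /dev/null \`, and the subtest should fail if that is changed back, which is worth checking once when landing this. Separately, the `),` after that `machine.succeed(...)` call turns the statement into a one-element tuple; drop the comma. The `machine` attribute set that holds `testScript` begins before the hunk.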