From f86645566dcbab4cf57c312959844264f3694d69 Mon Sep 17 00:00:00 2001
From: zi3m5f <113244000+zi3m5f@users.noreply.github.com>
Date: Wed, 7 Jun 2023 11:34:33 +0200
Subject: [PATCH] nixos/tests/systemd-nspawn-configfile: init
Test for presence of all specified options in the generated .nspawn config file. Additionally test for absence of misspelled and fixed option MachineID.
---
nixos/tests/all-tests.nix | 1 +
nixos/tests/systemd-nspawn-configfile.nix | 128 ++++++++++++++++++++++
2 files changed, 129 insertions(+)
create mode 100644 nixos/tests/systemd-nspawn-configfile.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e597a26f31bb..5e38b5a0c434 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -744,6 +744,7 @@ in {
 systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {};
 systemd-no-tainted = handleTest ./systemd-no-tainted.nix {};
 systemd-nspawn = handleTest ./systemd-nspawn.nix {};
+ systemd-nspawn-configfile = handleTest ./systemd-nspawn-configfile.nix {};
 systemd-oomd = handleTest ./systemd-oomd.nix {};
 systemd-portabled = handleTest ./systemd-portabled.nix {};
 systemd-repart = handleTest ./systemd-repart.nix {};
diff --git a/nixos/tests/systemd-nspawn-configfile.nix b/nixos/tests/systemd-nspawn-configfile.nix
new file mode 100644
index 000000000000..12ab21b7f9b5
--- /dev/null
+++ b/nixos/tests/systemd-nspawn-configfile.nix
@@ -0,0 +1,128 @@
+import ./make-test-python.nix ({ lib, ... }:
+let
+ execOptions = [
+ "Boot"
+ "ProcessTwo"
+ "Parameters"
+ "Environment"
+ "User"
+ "WorkingDirectory"
+ "PivotRoot"
+ "Capability"
+ "DropCapability"
+ "NoNewPrivileges"
+ "KillSignal"
+ "Personality"
+ "MachineID"
+ "PrivateUsers"
+ "NotifyReady"
+ "SystemCallFilter"
+ "LimitCPU"
+ "LimitFSIZE"
+ "LimitDATA"
+ "LimitSTACK"
+ "LimitCORE"
+ "LimitRSS"
+ "LimitNOFILE"
+ "LimitAS"
+ "LimitNPROC"
+ "LimitMEMLOCK"
+ "LimitLOCKS"
+ "LimitSIGPENDING"
+ "LimitMSGQUEUE"
+ "LimitNICE"
+ "LimitRTPRIO"
+ "LimitRTTIME"
+ "OOMScoreAdjust"
+ "CPUAffinity"
+ "Hostname"
+ "ResolvConf"
+ "Timezone"
+ "LinkJournal"
+ "Ephemeral"
+ "AmbientCapability"
+ ];
+
+ filesOptions = [
+ "ReadOnly"
+ "Volatile"
+ "Bind"
+ "BindReadOnly"
+ "TemporaryFileSystem"
+ "Overlay"
+ "OverlayReadOnly"
+ "PrivateUsersChown"
+ "BindUser"
+ "Inaccessible"
+ "PrivateUsersOwnership"
+ ];
+
+ networkOptions = [
+ "Private"
+ "VirtualEthernet"
+ "VirtualEthernetExtra"
+ "Interface"
+ "MACVLAN"
+ "IPVLAN"
+ "Bridge"
+ "Zone"
+ "Port"
+ ];
+
+ optionsToConfig = opts: builtins.listToAttrs (map (n: lib.nameValuePair n "testdata") opts);
+
+ grepForOptions = opts: ''node.succeed(
+ "for o in ${builtins.concatStringsSep " " opts} ; do grep --quiet $o ${configFile} || exit 1 ; done"
+ )'';
+
+ unitName = "options-test";
+ configFile = "/etc/systemd/nspawn/${unitName}.nspawn";
+
+in
+{
+ name = "systemd-nspawn-configfile";
+
+ nodes = {
+ node = { pkgs, ... }: {
+ systemd.nspawn."${unitName}" = {
+ enable = true;
+
+ execConfig = optionsToConfig execOptions // {
+ Boot = true;
+ ProcessTwo = true;
+ NotifyReady = true;
+ };
+
+ filesConfig = optionsToConfig filesOptions // {
+ ReadOnly = true;
+ Volatile = "state";
+ PrivateUsersChown = true;
+ PrivateUsersOwnership = "auto";
+ };
+
+ networkConfig = optionsToConfig networkOptions // {
+ Private = true;
+ VirtualEthernet = true;
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ node.wait_for_file("${configFile}")
+
+ with subtest("Test for presence of all specified options in config file"):
+ ${grepForOptions execOptions}
+ ${grepForOptions filesOptions}
+ ${grepForOptions networkOptions}
+
+ with subtest("Test for absence of misspelled option 'MachineId' (instead of 'MachineID')"):
+ node.fail("grep --quiet MachineId ${configFile}")
+ '';
+
+ meta.maintainers = [
+ lib.maintainers.zi3m5f
+ ];
+})
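Review bot: The presence check in `grepForOptions` is an unanchored substring match (`grep --quiet $o`), so an option name that is a prefix of another in the same list — `Bind` against `BindReadOnly`/`BindUser`, `Private` against `PrivateUsers`, `Overlay` against `OverlayReadOnly`, `Capability` against `DropCapability`/`AmbientCapability` — is reported present as long as the longer key is serialised, which undercuts the stated goal of checking every option individually. Matching the key form and naming the culprit on failure, `grep --quiet "^$o=" ${configFile} || { echo "missing option $o" >&2; exit 1; }`, removes both the false positive and the uninformative bare `exit 1` (the loop currently gives no hint of which option was missing). Values are never checked (everything is `testdata` or `true`), so the test does not cover how booleans, `Volatile = "state"` or `PrivateUsersOwnership = "auto"` are rendered into the `.nspawn` file; if that is intentional it deserves a one-line comment above `grepForOptions`, e.g. `# Only key presence is asserted; value serialisation is out of scope for this test.`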