Merge staging-next into staging

2025-07-13 13:40:28 +03:00 · 2024-08-29 00:13:35 +00:00 · 2024-08-29 00:13:35 +00:00 · 3a4a3e98a8
commit 3a4a3e98a8
parent ff69785e03 e8d2ddc82e
72 changed files with 5858 additions and 3435 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -539,6 +539,7 @@ in {
  loki = handleTest ./loki.nix {};
  luks = handleTest ./luks.nix {};
  lvm2 = handleTest ./lvm2 {};
+  lxc = handleTest ./lxc {};
  lxd = pkgs.recurseIntoAttrs (handleTest ./lxd { inherit handleTestOn; });
  lxd-image-server = handleTest ./lxd-image-server.nix {};
  #logstash = handleTest ./logstash.nix {};
--- a/nixos/tests/incus/container.nix
+++ b/nixos/tests/incus/container.nix
@ -11,8 +11,8 @@ let
    extra;
  };

-  container-image-metadata = releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system};
-  container-image-rootfs = releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system};
+  container-image-metadata = "${releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}}/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";
+  container-image-rootfs = "${releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}}/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";
 in
 {
  inherit name;
@ -61,7 +61,7 @@ in
    machine.succeed("incus admin init --minimal")

    with subtest("Container image can be imported"):
-        machine.succeed("incus image import ${container-image-metadata}/*/*.tar.xz ${container-image-rootfs} --alias nixos")
+        machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")

    with subtest("Container can be launched and managed"):
        machine.succeed("incus launch nixos container")
--- a/nixos/tests/incus/incusd-options.nix
+++ b/nixos/tests/incus/incusd-options.nix
@ -16,8 +16,12 @@ import ../make-test-python.nix (
      };
    };

-    container-image-metadata = releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system};
-    container-image-rootfs = releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system};
+    container-image-metadata = "${
+      releases.incusContainerMeta.${pkgs.stdenv.hostPlatform.system}
+    }/tarball/nixos-system-${pkgs.stdenv.hostPlatform.system}.tar.xz";
+    container-image-rootfs = "${
+      releases.incusContainerImage.${pkgs.stdenv.hostPlatform.system}
+    }/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs";
  in
  {
    name = "incusd-options";
@ -87,7 +91,7 @@ import ../make-test-python.nix (
      machine.wait_for_unit("incus-preseed.service")

      with subtest("Container image can be imported"):
-          machine.succeed("incus image import ${container-image-metadata}/*/*.tar.xz ${container-image-rootfs} --alias nixos")
+          machine.succeed("incus image import ${container-image-metadata} ${container-image-rootfs} --alias nixos")

      with subtest("Container can be launched and managed"):
          machine.succeed("incus launch nixos container")
--- a/nixos/tests/lxc/default.nix
+++ b/nixos/tests/lxc/default.nix
@ -0,0 +1,124 @@
+import ../make-test-python.nix (
+  { pkgs, lib, ... }:
+
+  let
+    releases = import ../../release.nix {
+      configuration = {
+        # Building documentation makes the test unnecessarily take a longer time:
+        documentation.enable = lib.mkForce false;
+      };
+    };
+
+    lxc-image-metadata = releases.lxdContainerMeta.${pkgs.stdenv.hostPlatform.system};
+    lxc-image-rootfs = releases.lxdContainerImage.${pkgs.stdenv.hostPlatform.system};
+
+  in
+  {
+    name = "lxc-container-unprivileged";
+
+    meta = {
+      maintainers = lib.teams.lxc.members;
+    };
+
+    nodes.machine =
+      { lib, pkgs, ... }:
+      {
+        virtualisation = {
+          diskSize = 6144;
+          cores = 2;
+          memorySize = 512;
+          writableStore = true;
+
+          lxc = {
+            enable = true;
+            unprivilegedContainers = true;
+            systemConfig = ''
+              lxc.lxcpath = /tmp/lxc
+            '';
+            defaultConfig = ''
+              lxc.net.0.type = veth
+              lxc.net.0.link = lxcbr0
+              lxc.net.0.flags = up
+              lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
+              lxc.idmap = u 0 100000 65536
+              lxc.idmap = g 0 100000 65536
+            '';
+            # Permit user alice to connect to bridge
+            usernetConfig = ''
+              @lxc-user veth lxcbr0 10
+            '';
+            bridgeConfig = ''
+              LXC_IPV6_ADDR=""
+              LXC_IPV6_MASK=""
+              LXC_IPV6_NETWORK=""
+              LXC_IPV6_NAT="false"
+            '';
+          };
+        };
+
+        # Needed for lxc
+        environment.systemPackages = with pkgs; [
+          pkgs.wget
+          pkgs.dnsmasq
+        ];
+
+        # Create user for test
+        users.users.alice = {
+          isNormalUser = true;
+          password = "test";
+          description = "Lxc unprivileged user with access to lxcbr0";
+          extraGroups = [ "lxc-user" ];
+          subGidRanges = [
+            {
+              startGid = 100000;
+              count = 65536;
+            }
+          ];
+          subUidRanges = [
+            {
+              startUid = 100000;
+              count = 65536;
+            }
+          ];
+        };
+
+        users.users.bob = {
+          isNormalUser = true;
+          password = "test";
+          description = "Lxc unprivileged user without access to lxcbr0";
+          subGidRanges = [
+            {
+              startGid = 100000;
+              count = 65536;
+            }
+          ];
+          subUidRanges = [
+            {
+              startUid = 100000;
+              count = 65536;
+            }
+          ];
+        };
+      };
+
+    testScript = ''
+      machine.wait_for_unit("lxc-net.service")
+
+      # Copy config files for alice
+      machine.execute("su -- alice -c 'mkdir -p ~/.config/lxc'")
+      machine.execute("su -- alice -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")
+      machine.execute("su -- alice -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")
+
+      machine.succeed("su -- alice -c 'lxc-create -t local -n test -- --metadata ${lxc-image-metadata}/*/*.tar.xz --fstree ${lxc-image-rootfs}/*/*.tar.xz'")
+      machine.succeed("su -- alice -c 'lxc-start test'")
+      machine.succeed("su -- alice -c 'lxc-stop test'")
+
+      # Copy config files for bob
+      machine.execute("su -- bob -c 'mkdir -p ~/.config/lxc'")
+      machine.execute("su -- bob -c 'cp /etc/lxc/default.conf ~/.config/lxc/'")
+      machine.execute("su -- bob -c 'cp /etc/lxc/lxc.conf ~/.config/lxc/'")
+
+      machine.fail("su -- bob -c 'lxc-start test'")
+    '';
+  }
+)
--- a/nixos/tests/lxd/container.nix
+++ b/nixos/tests/lxd/container.nix
@ -64,7 +64,7 @@ in {

    with subtest("Squashfs image is functional"):
        machine.succeed(
-            "lxc image import ${lxd-image-metadata}/*/*.tar.xz ${lxd-image-rootfs-squashfs} --alias nixos-squashfs"
+            "lxc image import ${lxd-image-metadata}/*/*.tar.xz ${lxd-image-rootfs-squashfs}/nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}.squashfs --alias nixos-squashfs"
        )
        machine.succeed("lxc launch nixos-squashfs container")
        with machine.nested("Waiting for instance to start and be usable"):