Add docker service, docker test cases

2020-07-08 23:13:14 +02:00 · 2020-07-08 23:13:14 +02:00 · eabf6e1b2c
parent 58020d183b
commit eabf6e1b2c
7 changed files with 245 additions and 2 deletions
--- a/examples/services-agnostic/constructors.nix
+++ b/examples/services-agnostic/constructors.nix
@ -98,4 +98,9 @@ in
    inherit createManagedProcess;
    inherit (pkgs) influxdb;
  };
+
+  docker = import ./docker.nix {
+    inherit createManagedProcess;
+    inherit (pkgs) docker kmod;
+  };
 }
--- a/examples/services-agnostic/docker.nix
+++ b/examples/services-agnostic/docker.nix
@ -0,0 +1,30 @@
+{createManagedProcess, docker, kmod}:
+
+let
+  user = "docker";
+  group = "docker";
+in
+createManagedProcess {
+  name = "docker";
+  foregroundProcess = "${docker}/bin/dockerd";
+  args = [ "--group=${group}" "--host=unix://" "--log-driver=json-file" ];
+  path = [ kmod ];
+
+  credentials = {
+    groups = {
+      "${group}" = {};
+    };
+    users = {
+      "${user}" = {
+        inherit group;
+        description = "Docker user";
+      };
+    };
+  };
+
+  overrides = {
+    sysvinit = {
+      runlevels = [ 3 4 5 ];
+    };
+  };
+}
--- a/examples/services-agnostic/processes.nix
+++ b/examples/services-agnostic/processes.nix
@ -66,4 +66,8 @@ rec {
  simpleInfluxdb = {
    pkg = constructors.simpleInfluxdb {};
  };
+
+  docker = {
+    pkg = constructors.docker;
+  };
 }
--- a/nixproc/create-managed-process/agnostic/generate-docker-container.nix
+++ b/nixproc/create-managed-process/agnostic/generate-docker-container.nix
@ -51,7 +51,7 @@ let
        wrapper = generateForegroundProxy ({
          wrapDaemon = true;
          executable = daemon;
-          inherit name initialize runtimeDir stdenv;
+          inherit name runtimeDir initialize stdenv;
        } // stdenv.lib.optionalAttrs (instanceName != null) {
          inherit instanceName;
        } // stdenv.lib.optionalAttrs (pidFile != null) {
@ -80,6 +80,10 @@ let
    runAsRoot = ''
      ${dockerTools.shadowSetup}

+      # Create a temp dir, because many apps rely on it
+      mkdir -p /tmp
+      chmod 1777 /tmp
+
      ${stdenv.lib.optionalString (credentialsSpec != null) ''
        export PATH=$PATH:${findutils}/bin:${glibc.bin}/bin
        ${dysnomia}/bin/dysnomia-addgroups ${credentialsSpec}
--- a/tests/processes-docker.nix
+++ b/tests/processes-docker.nix
@ -0,0 +1,21 @@
+{ pkgs ? import <nixpkgs> { inherit system; }
+, system ? builtins.currentSystem
+, stateDir ? "/var"
+, runtimeDir ? "${stateDir}/run"
+, logDir ? "${stateDir}/log"
+, cacheDir ? "${stateDir}/cache"
+, tmpDir ? (if stateDir == "/var" then "/tmp" else "${stateDir}/tmp")
+, forceDisableUserChange ? false
+, processManager ? "sysvinit"
+}:
+
+let
+  constructors = import ../examples/services-agnostic/constructors.nix {
+    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir forceDisableUserChange processManager;
+  };
+in
+rec {
+  docker = {
+    pkg = constructors.docker;
+  };
+}
--- a/tests/webapps-agnostic-docker.nix
+++ b/tests/webapps-agnostic-docker.nix
@ -0,0 +1,179 @@
+{nixpkgs ? <nixpkgs>}:
+
+with import "${nixpkgs}/nixos/lib/testing-python.nix" { system = builtins.currentSystem; };
+
+let
+  dockerProcessEnv = import ../nixproc/create-managed-process/systemd/build-systemd-env.nix {
+    exprFile = ./processes-docker.nix;
+  };
+
+  processesEnvForeground = import ../nixproc/create-managed-process/docker/build-docker-env.nix {
+    exprFile = ../examples/webapps-agnostic/processes.nix;
+    extraParams = {
+      webappMode = "foreground";
+    };
+  };
+
+  processesEnvDaemon = import ../nixproc/create-managed-process/docker/build-docker-env.nix {
+    exprFile = ../examples/webapps-agnostic/processes.nix;
+    extraParams = {
+      webappMode = "daemon";
+    };
+  };
+
+  processesEnvAuto = import ../nixproc/create-managed-process/docker/build-docker-env.nix {
+    exprFile = ../examples/webapps-agnostic/processes.nix;
+  };
+
+  processesEnvAdvanced = import ../nixproc/create-managed-process/docker/build-docker-env.nix {
+    exprFile = ../examples/webapps-agnostic/processes-advanced.nix;
+  };
+
+  processesEnvUnprivileged = import ../nixproc/create-managed-process/docker/build-docker-env.nix {
+    exprFile = ../examples/webapps-agnostic/processes.nix;
+    forceDisableUserChange = true;
+  };
+
+  processesEnvEmpty = import ../nixproc/create-managed-process/docker/build-docker-env.nix {
+    exprFile = ../examples/webapps-agnostic/processes-empty.nix;
+  };
+
+  tools = import ../tools {};
+
+  nix-processmgmt = ./..;
+
+  env = "NIX_PATH=nixpkgs=${nixpkgs} SYSTEMD_TARGET_DIR=/etc/systemd-mutable/system";
+in
+makeTest {
+  machine =
+    {pkgs, ...}:
+
+    {
+      virtualisation.pathsInNixDB = [ pkgs.stdenv ] ++ pkgs.coreutils.all ++ [ dockerProcessEnv processesEnvForeground processesEnvDaemon processesEnvAuto processesEnvAdvanced processesEnvUnprivileged processesEnvEmpty ];
+      virtualisation.writableStore = true;
+      virtualisation.memorySize = 8192;
+      virtualisation.diskSize = 4096;
+
+      users.extraUsers = {
+        webapp = {
+          uid = 1000;
+          group = "users";
+          shell = "/bin/sh";
+          description = "Unprivileged user";
+          home = "/var/empty";
+        };
+      };
+
+      # We can't download any substitutes in a test environment. To make tests
+      # faster, we disable substitutes so that Nix does not waste any time by
+      # attempting to download them.
+      nix.extraOptions = ''
+        substitute = false
+      '';
+
+      environment.systemPackages = [
+        pkgs.stdenv
+        pkgs.docker
+        pkgs.dysnomia
+        tools.build
+        tools.systemd
+        tools.docker
+      ];
+    };
+
+  testScript = ''
+    def check_nginx_redirection():
+        machine.succeed(
+            "curl --fail -H 'Host: webapp.local' http://localhost:8080 | grep 'listening on port: 5000'"
+        )
+
+
+    def check_system_unavailable():
+        machine.fail("curl --fail http://localhost:8080")
+        machine.fail("pgrep -f '/bin/webapp'")
+
+
+    def check_nginx_multi_instance_redirection():
+        machine.succeed(
+            "curl --fail -H 'Host: webapp1.local' http://localhost:8080 | grep 'listening on port: 5000'"
+        )
+        machine.succeed(
+            "curl --fail -H 'Host: webapp5.local' http://localhost:8081 | grep 'listening on port: 6002'"
+        )
+
+
+    start_all()
+
+    machine.succeed("mkdir -p /etc/systemd-mutable/system")
+
+    # Deploy Docker as a systemd unit
+
+    machine.succeed(
+        "${env} nixproc-systemd-switch ${nix-processmgmt}/tests/processes-docker.nix"
+    )
+
+    machine.wait_for_unit("nix-process-docker")
+
+    # Deploy the system with foreground webapp processes
+
+    machine.succeed(
+        '${env} nixproc-docker-switch ${nix-processmgmt}/examples/webapps-agnostic/processes.nix --extra-params \'{ "webappMode" = "foreground"; }\'${""}'
+    )
+
+    machine.succeed("sleep 10")
+    machine.succeed("pgrep -u webapp -f '/bin/webapp$'")
+    check_nginx_redirection()
+
+    # Deploy the system with daemon webapp processes
+
+    machine.succeed(
+        '${env} nixproc-docker-switch ${nix-processmgmt}/examples/webapps-agnostic/processes.nix --extra-params \'{ "webappMode" = "daemon"; }\'${""}'
+    )
+
+    machine.succeed("sleep 10")
+    machine.succeed("pgrep -u webapp -f '/bin/webapp -D$'")
+
+    check_nginx_redirection()
+
+    # Deploy the entire system in auto mode. Should result in foreground webapp processes
+
+    machine.succeed(
+        "${env} nixproc-docker-switch ${nix-processmgmt}/examples/webapps-agnostic/processes.nix"
+    )
+
+    machine.succeed("sleep 10")
+    machine.succeed("pgrep -u webapp -f '/bin/webapp$'")
+
+    check_nginx_redirection()
+
+    # Deploy the advanced example with multiple instances and see if it works
+
+    machine.succeed(
+        "${env} nixproc-docker-switch ${nix-processmgmt}/examples/webapps-agnostic/processes-advanced.nix"
+    )
+
+    machine.succeed("sleep 40")
+    machine.succeed("curl --fail http://localhost:8081")
+
+    check_nginx_multi_instance_redirection()
+
+    # Deploy an instance without changing user privileges
+
+    machine.succeed(
+        "${env} nixproc-docker-switch ${nix-processmgmt}/examples/webapps-agnostic/processes.nix --force-disable-user-change"
+    )
+
+    machine.succeed("sleep 10")
+    machine.succeed("pgrep -u root -f '/bin/webapp$'")
+
+    check_nginx_redirection()
+
+    # Undeploy the system
+
+    machine.succeed(
+        "${env} nixproc-docker-switch ${nix-processmgmt}/examples/webapps-agnostic/processes-empty.nix"
+    )
+
+    check_system_unavailable()
+  '';
+}
--- a/tools/docker/nixproc-docker-switch.in
+++ b/tools/docker/nixproc-docker-switch.in
@ -134,7 +134,7 @@ deployContainer()
        if [ "$(docker ps -a -f "name=$dockerContainerName\$" | wc -l)" = "1" ]
        then
            (
-            cat $configDir/*-docker-createparams
+            cat $configDir/$containerName-docker-createparams
            echo "--name"
            echo "$dockerContainerName"