mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-18 11:40:45 +00:00
151 lines
5.5 KiB
Nix
151 lines
5.5 KiB
Nix
/*
|
|
This test runs podman as a backend for the Docker CLI.
|
|
*/
|
|
import ./make-test-python.nix (
|
|
{ pkgs, lib, ... }:
|
|
|
|
let gen-ca = pkgs.writeScript "gen-ca" ''
|
|
# Create CA
|
|
PATH="${pkgs.openssl}/bin:$PATH"
|
|
openssl genrsa -out ca-key.pem 4096
|
|
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca.pem
|
|
|
|
# Create service
|
|
openssl genrsa -out podman-key.pem 4096
|
|
openssl req -subj '/CN=podman' -sha256 -new -key podman-key.pem -out service.csr
|
|
echo subjectAltName = DNS:podman,IP:127.0.0.1 >> extfile.cnf
|
|
echo extendedKeyUsage = serverAuth >> extfile.cnf
|
|
openssl x509 -req -days 365 -sha256 -in service.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out podman-cert.pem -extfile extfile.cnf
|
|
|
|
# Create client
|
|
openssl genrsa -out client-key.pem 4096
|
|
openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr
|
|
echo extendedKeyUsage = clientAuth > extfile-client.cnf
|
|
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile-client.cnf
|
|
|
|
# Create CA 2
|
|
PATH="${pkgs.openssl}/bin:$PATH"
|
|
openssl genrsa -out ca-2-key.pem 4096
|
|
openssl req -new -x509 -days 365 -key ca-2-key.pem -sha256 -subj '/C=NL/ST=Zuid-Holland/L=The Hague/O=Stevige Balken en Planken B.V./OU=OpSec/CN=Certificate Authority' -out ca-2.pem
|
|
|
|
# Create client signed by CA 2
|
|
openssl genrsa -out client-2-key.pem 4096
|
|
openssl req -subj '/CN=client' -new -key client-2-key.pem -out client-2.csr
|
|
echo extendedKeyUsage = clientAuth > extfile-client.cnf
|
|
openssl x509 -req -days 365 -sha256 -in client-2.csr -CA ca-2.pem -CAkey ca-2-key.pem -CAcreateserial -out client-2-cert.pem -extfile extfile-client.cnf
|
|
|
|
'';
|
|
in
|
|
{
|
|
name = "podman-tls-ghostunnel";
|
|
meta = {
|
|
maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
|
|
};
|
|
|
|
nodes = {
|
|
podman =
|
|
{ pkgs, ... }:
|
|
{
|
|
virtualisation.podman.enable = true;
|
|
virtualisation.podman.dockerSocket.enable = true;
|
|
virtualisation.podman.networkSocket = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
server = "ghostunnel";
|
|
tls.cert = "/root/podman-cert.pem";
|
|
tls.key = "/root/podman-key.pem";
|
|
tls.cacert = "/root/ca.pem";
|
|
};
|
|
|
|
environment.systemPackages = [
|
|
pkgs.docker-client
|
|
];
|
|
|
|
users.users.alice = {
|
|
isNormalUser = true;
|
|
home = "/home/alice";
|
|
description = "Alice Foobar";
|
|
extraGroups = ["podman"];
|
|
};
|
|
|
|
};
|
|
|
|
client = { ... }: {
|
|
environment.systemPackages = [
|
|
# Installs the docker _client_ only
|
|
# Normally, you'd want `virtualisation.docker.enable = true;`.
|
|
pkgs.docker-client
|
|
];
|
|
environment.variables.DOCKER_HOST = "podman:2376";
|
|
environment.variables.DOCKER_TLS_VERIFY = "1";
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
import shlex
|
|
|
|
|
|
def su_cmd(user, cmd):
|
|
cmd = shlex.quote(cmd)
|
|
return f"su {user} -l -c {cmd}"
|
|
|
|
def cmd(command):
|
|
print(f"+{command}")
|
|
r = os.system(command)
|
|
if r != 0:
|
|
raise Exception(f"Command {command} failed with exit code {r}")
|
|
|
|
start_all()
|
|
cmd("${gen-ca}")
|
|
|
|
podman.copy_from_host("ca.pem", "/root/ca.pem")
|
|
podman.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
|
|
podman.copy_from_host("podman-key.pem", "/root/podman-key.pem")
|
|
|
|
client.copy_from_host("ca.pem", "/root/.docker/ca.pem")
|
|
# client.copy_from_host("podman-cert.pem", "/root/podman-cert.pem")
|
|
client.copy_from_host("client-cert.pem", "/root/.docker/cert.pem")
|
|
client.copy_from_host("client-key.pem", "/root/.docker/key.pem")
|
|
|
|
# TODO (ghostunnel): add file watchers so the restart isn't necessary
|
|
podman.succeed("systemctl reset-failed && systemctl restart ghostunnel-server-podman-socket.service")
|
|
|
|
podman.wait_for_unit("sockets.target")
|
|
podman.wait_for_unit("ghostunnel-server-podman-socket.service")
|
|
|
|
with subtest("Create default network"):
|
|
podman.succeed("docker network create default")
|
|
|
|
with subtest("Root docker cli also works"):
|
|
podman.succeed("docker version")
|
|
|
|
with subtest("A podman member can also still use the docker cli"):
|
|
podman.succeed(su_cmd("alice", "docker version"))
|
|
|
|
with subtest("Run container remotely via docker cli"):
|
|
client.succeed("docker version")
|
|
|
|
# via socket would be nicer
|
|
podman.succeed("tar cvf scratchimg.tar --files-from /dev/null && podman import scratchimg.tar scratchimg")
|
|
|
|
client.succeed(
|
|
"docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
|
|
)
|
|
client.succeed("docker ps | grep sleeping")
|
|
podman.succeed("docker ps | grep sleeping")
|
|
client.succeed("docker stop sleeping")
|
|
client.succeed("docker rm sleeping")
|
|
|
|
with subtest("Clients without cert will be denied"):
|
|
client.succeed("rm /root/.docker/{cert,key}.pem")
|
|
client.fail("docker version")
|
|
|
|
with subtest("Clients with wrong cert will be denied"):
|
|
client.copy_from_host("client-2-cert.pem", "/root/.docker/cert.pem")
|
|
client.copy_from_host("client-2-key.pem", "/root/.docker/key.pem")
|
|
client.fail("docker version")
|
|
|
|
'';
|
|
}
|
|
)
|