Compare commits
1 Commits
main
...
push-pmmln
| Author | SHA1 | Date | |
|---|---|---|---|
|
97f5ffd813 |
@@ -58,53 +58,51 @@
|
||||
pkgs.buildPackages.xorg.lndir
|
||||
pkgs.glibcLocales
|
||||
pkgs.kbd.out
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".pkgs.perlPackages.FileSlurp
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.ConfigIniFiles
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".pkgs.perlPackages.FileSlurp
|
||||
pkgs.bubblewrap
|
||||
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.toplevel
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript.drvPath
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
|
||||
self.nixosConfigurations."test-flash-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript.drvPath
|
||||
]
|
||||
++ builtins.map (i: i.outPath) (builtins.attrValues self.inputs);
|
||||
closureInfo = pkgs.closureInfo { rootPaths = dependencies; };
|
||||
in
|
||||
{
|
||||
# Skip flash test on aarch64-linux for now as it's too slow
|
||||
checks =
|
||||
lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.stdenv.hostPlatform.system != "aarch64-linux")
|
||||
{
|
||||
nixos-test-flash = self.clanLib.test.baseTest {
|
||||
name = "flash";
|
||||
nodes.target = {
|
||||
virtualisation.emptyDiskImages = [ 4096 ];
|
||||
virtualisation.memorySize = 4096;
|
||||
checks = lib.optionalAttrs (pkgs.stdenv.isLinux && pkgs.hostPlatform.system != "aarch64-linux") {
|
||||
nixos-test-flash = self.clanLib.test.baseTest {
|
||||
name = "flash";
|
||||
nodes.target = {
|
||||
virtualisation.emptyDiskImages = [ 4096 ];
|
||||
virtualisation.memorySize = 4096;
|
||||
|
||||
virtualisation.useNixStoreImage = true;
|
||||
virtualisation.writableStore = true;
|
||||
virtualisation.useNixStoreImage = true;
|
||||
virtualisation.writableStore = true;
|
||||
|
||||
environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
|
||||
environment.etc."install-closure".source = "${closureInfo}/store-paths";
|
||||
environment.systemPackages = [ self.packages.${pkgs.system}.clan-cli ];
|
||||
environment.etc."install-closure".source = "${closureInfo}/store-paths";
|
||||
|
||||
nix.settings = {
|
||||
substituters = lib.mkForce [ ];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = lib.mkForce 3;
|
||||
flake-registry = "";
|
||||
experimental-features = [
|
||||
"nix-command"
|
||||
"flakes"
|
||||
];
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
|
||||
# Some distros like to automount disks with spaces
|
||||
machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
|
||||
machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.stdenv.hostPlatform.system}")
|
||||
'';
|
||||
} { inherit pkgs self; };
|
||||
nix.settings = {
|
||||
substituters = lib.mkForce [ ];
|
||||
hashed-mirrors = null;
|
||||
connect-timeout = lib.mkForce 3;
|
||||
flake-registry = "";
|
||||
experimental-features = [
|
||||
"nix-command"
|
||||
"flakes"
|
||||
];
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
machine.succeed("echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRWUusawhlIorx7VFeQJHmMkhl9X3QpnvOdhnV/bQNG root@target' > ./test_id_ed25519.pub")
|
||||
# Some distros like to automount disks with spaces
|
||||
machine.succeed('mkdir -p "/mnt/with spaces" && mkfs.ext4 /dev/vdc && mount /dev/vdc "/mnt/with spaces"')
|
||||
machine.succeed("clan flash write --ssh-pubkey ./test_id_ed25519.pub --keymap de --language de_DE.UTF-8 --debug --flake ${self.checks.x86_64-linux.clan-core-for-checks} --yes --disk main /dev/vdc test-flash-machine-${pkgs.hostPlatform.system}")
|
||||
'';
|
||||
} { inherit pkgs self; };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -160,9 +160,9 @@
|
||||
closureInfo = pkgs.closureInfo {
|
||||
rootPaths = [
|
||||
privateInputs.clan-core-for-checks
|
||||
self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.toplevel
|
||||
self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.initialRamdisk
|
||||
self.nixosConfigurations."test-install-machine-${pkgs.stdenv.hostPlatform.system}".config.system.build.diskoScript
|
||||
self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.toplevel
|
||||
self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.initialRamdisk
|
||||
self.nixosConfigurations."test-install-machine-${pkgs.hostPlatform.system}".config.system.build.diskoScript
|
||||
pkgs.stdenv.drvPath
|
||||
pkgs.bash.drvPath
|
||||
pkgs.buildPackages.xorg.lndir
|
||||
@@ -215,7 +215,7 @@
|
||||
# Prepare test flake and Nix store
|
||||
flake_dir = prepare_test_flake(
|
||||
temp_dir,
|
||||
"${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
|
||||
"${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
|
||||
"${closureInfo}"
|
||||
)
|
||||
|
||||
@@ -296,7 +296,7 @@
|
||||
# Prepare test flake and Nix store
|
||||
flake_dir = prepare_test_flake(
|
||||
temp_dir,
|
||||
"${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
|
||||
"${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
|
||||
"${closureInfo}"
|
||||
)
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
let
|
||||
|
||||
cli = self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full;
|
||||
cli = self.packages.${pkgs.hostPlatform.system}.clan-cli-full;
|
||||
|
||||
ollama-model = pkgs.callPackage ./qwen3-4b-instruct.nix { };
|
||||
in
|
||||
@@ -53,7 +53,7 @@ in
|
||||
pytest
|
||||
pytest-xdist
|
||||
(cli.pythonRuntime.pkgs.toPythonModule cli)
|
||||
self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.nixosTestLib
|
||||
self.legacyPackages.${pkgs.hostPlatform.system}.nixosTestLib
|
||||
]
|
||||
))
|
||||
];
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
let
|
||||
|
||||
cli = self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full;
|
||||
cli = self.packages.${pkgs.hostPlatform.system}.clan-cli-full;
|
||||
in
|
||||
{
|
||||
name = "systemd-abstraction";
|
||||
|
||||
@@ -115,9 +115,9 @@
|
||||
let
|
||||
closureInfo = pkgs.closureInfo {
|
||||
rootPaths = [
|
||||
self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli
|
||||
self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks
|
||||
self.clanInternals.machines.${pkgs.stdenv.hostPlatform.system}.test-update-machine.config.system.build.toplevel
|
||||
self.packages.${pkgs.hostPlatform.system}.clan-cli
|
||||
self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks
|
||||
self.clanInternals.machines.${pkgs.hostPlatform.system}.test-update-machine.config.system.build.toplevel
|
||||
pkgs.stdenv.drvPath
|
||||
pkgs.bash.drvPath
|
||||
pkgs.buildPackages.xorg.lndir
|
||||
@@ -132,7 +132,7 @@
|
||||
imports = [ self.nixosModules.test-update-machine ];
|
||||
};
|
||||
extraPythonPackages = _p: [
|
||||
self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.nixosTestLib
|
||||
self.legacyPackages.${pkgs.hostPlatform.system}.nixosTestLib
|
||||
];
|
||||
|
||||
testScript = ''
|
||||
@@ -154,7 +154,7 @@
|
||||
# Prepare test flake and Nix store
|
||||
flake_dir = prepare_test_flake(
|
||||
temp_dir,
|
||||
"${self.checks.${pkgs.stdenv.hostPlatform.system}.clan-core-for-checks}",
|
||||
"${self.checks.${pkgs.hostPlatform.system}.clan-core-for-checks}",
|
||||
"${closureInfo}"
|
||||
)
|
||||
(flake_dir / ".clan-flake").write_text("") # Ensure .clan-flake exists
|
||||
@@ -226,7 +226,7 @@
|
||||
"--to",
|
||||
"ssh://root@192.168.1.1",
|
||||
"--no-check-sigs",
|
||||
f"${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli}",
|
||||
f"${self.packages.${pkgs.hostPlatform.system}.clan-cli}",
|
||||
"--extra-experimental-features", "nix-command flakes",
|
||||
],
|
||||
check=True,
|
||||
@@ -242,7 +242,7 @@
|
||||
"-o", "UserKnownHostsFile=/dev/null",
|
||||
"-o", "StrictHostKeyChecking=no",
|
||||
f"root@192.168.1.1",
|
||||
"${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli}/bin/clan",
|
||||
"${self.packages.${pkgs.hostPlatform.system}.clan-cli}/bin/clan",
|
||||
"machines",
|
||||
"update",
|
||||
"--debug",
|
||||
@@ -270,7 +270,7 @@
|
||||
|
||||
# Run clan update command
|
||||
subprocess.run([
|
||||
"${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full}/bin/clan",
|
||||
"${self.packages.${pkgs.hostPlatform.system}.clan-cli-full}/bin/clan",
|
||||
"machines",
|
||||
"update",
|
||||
"--debug",
|
||||
@@ -297,7 +297,7 @@
|
||||
|
||||
# Run clan update command with --build-host
|
||||
subprocess.run([
|
||||
"${self.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli-full}/bin/clan",
|
||||
"${self.packages.${pkgs.hostPlatform.system}.clan-cli-full}/bin/clan",
|
||||
"machines",
|
||||
"update",
|
||||
"--debug",
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is experimental and will change in the future.
|
||||
|
||||
This service sets up a certificate authority (CA) that can issue certificates to
|
||||
other machines in your clan. For this the `ca` role is used.
|
||||
It additionally provides a `default` role, that can be applied to all machines
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is experimental and will change in the future.
|
||||
|
||||
This module enables hosting clan-internal services easily, which can be resolved
|
||||
inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
|
||||
and exposing endpoints from a machine to others, which will be
|
||||
|
||||
@@ -1,83 +1 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is for demonstration purpose only and may change in the future.
|
||||
|
||||
The Hello-World Clan Service is a minimal example showing how to build and register your own service.
|
||||
|
||||
It serves as a reference implementation and is used in clan-core CI tests to ensure compatibility.
|
||||
|
||||
## What it demonstrates
|
||||
|
||||
- How to define a basic Clan-compatible service.
|
||||
- How to structure your service for discovery and configuration.
|
||||
- How Clan services interact with nixos.
|
||||
|
||||
## Testing
|
||||
|
||||
This service demonstrates two levels of testing to ensure quality and stability across releases:
|
||||
|
||||
1. **Unit & Integration Testing** — via [`nix-unit`](https://github.com/nix-community/nix-unit)
|
||||
2. **End-to-End Testing** — via **NixOS VM tests**, which we extended to support **container virtualization** for better performance.
|
||||
|
||||
We highly advocate following the [Practical Testing Pyramid](https://martinfowler.com/articles/practical-test-pyramid.html):
|
||||
|
||||
* Write **unit tests** for core logic and invariants.
|
||||
* Add **one or two end-to-end (E2E)** tests to confirm your service starts and behaves correctly in a real NixOS environment.
|
||||
|
||||
NixOS is **untyped** and frequently changes; tests are the safest way to ensure long-term stability of services.
|
||||
|
||||
```
|
||||
/ \
|
||||
/ \
|
||||
/ E2E \
|
||||
/-------\
|
||||
/ \
|
||||
/Integration\
|
||||
/-------------\
|
||||
/ \
|
||||
/ Unit Tests \
|
||||
-------------------
|
||||
```
|
||||
|
||||
### nix-unit
|
||||
|
||||
We highly advocate the usage of
|
||||
|
||||
[nix-unit](https://github.com/nix-community/nix-unit)
|
||||
|
||||
Example in: tests/eval-tests.nix
|
||||
|
||||
If you use flake-parts you can use the [native integration](https://flake.parts/options/nix-unit.html)
|
||||
|
||||
If nix-unit succeeds you'r nixos evaluation should be mostly correct.
|
||||
|
||||
!!! Tip
|
||||
- Ensure most used 'settings' and variants are tested.
|
||||
- Think about some important edge-cases your system should handle.
|
||||
|
||||
### NixOS VM / Container Test
|
||||
|
||||
!!! Warning "Early Vars & clanTest"
|
||||
The testing system around vars is experimental
|
||||
|
||||
`clanTest` is still experimental and enables container virtualization by default.
|
||||
This is still early and might have some limitations.
|
||||
|
||||
Some minimal boilerplate is needed to use `clanTest`
|
||||
|
||||
```nix
|
||||
nixosLib = import (inputs.nixpkgs + "/nixos/lib") { }
|
||||
nixosLib.runTest (
|
||||
{ ... }:
|
||||
{
|
||||
imports = [
|
||||
self.modules.nixosTest.clanTest
|
||||
# Example in tests/vm/default.nix
|
||||
testModule
|
||||
];
|
||||
hostPkgs = pkgs;
|
||||
|
||||
# Uncomment if you don't want or cannot use containers
|
||||
# test.useContainers = false;
|
||||
}
|
||||
)
|
||||
```
|
||||
This a test README just to appease the eval warnings if we don't have one
|
||||
@@ -8,7 +8,7 @@
|
||||
{
|
||||
_class = "clan.service";
|
||||
manifest.name = "clan-core/hello-word";
|
||||
manifest.description = "Minimal example clan service that greets the world";
|
||||
manifest.description = "This is a test";
|
||||
manifest.readme = builtins.readFile ./README.md;
|
||||
|
||||
# This service provides two roles: "morning" and "evening". Roles can be
|
||||
|
||||
@@ -26,7 +26,7 @@ in
|
||||
# The hello-world service being tested
|
||||
../../clanServices/hello-world
|
||||
# Required modules
|
||||
../../nixosModules
|
||||
../../nixosModules/clanCore
|
||||
];
|
||||
testName = "hello-world";
|
||||
tests = ./tests/eval-tests.nix;
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
...
|
||||
}:
|
||||
let
|
||||
testClan = clanLib.clan {
|
||||
testFlake = clanLib.clan {
|
||||
self = { };
|
||||
# Point to the folder of the module
|
||||
# TODO: make this optional
|
||||
@@ -33,20 +33,10 @@ let
|
||||
};
|
||||
in
|
||||
{
|
||||
/**
|
||||
We highly advocate the usage of:
|
||||
https://github.com/nix-community/nix-unit
|
||||
|
||||
If you use flake-parts you can use the native integration: https://flake.parts/options/nix-unit.html
|
||||
*/
|
||||
test_simple = {
|
||||
# Allows inspection via the nix-repl
|
||||
# Ignored by nix-unit; it only looks at 'expr' and 'expected'
|
||||
inherit testClan;
|
||||
config = testFlake.config;
|
||||
|
||||
# Assert that jon has the
|
||||
# configured greeting in 'environment.etc.hello.text'
|
||||
expr = testClan.config.nixosConfigurations.jon.config.environment.etc."hello".text;
|
||||
expected = "Good evening World!";
|
||||
expr = { };
|
||||
expected = { };
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is experimental and will change in the future.
|
||||
🚧🚧🚧 Experimental 🚧🚧🚧
|
||||
|
||||
Use at your own risk.
|
||||
|
||||
We are still refining its interfaces, instability and breakages are expected.
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is experimental and will change in the future.
|
||||
|
||||
## Usage
|
||||
|
||||
```
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is experimental and will change in the future.
|
||||
🚧🚧🚧 Experimental 🚧🚧🚧
|
||||
|
||||
Use at your own risk.
|
||||
|
||||
We are still refining its interfaces, instability and breakages are expected.
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -56,6 +56,8 @@
|
||||
|
||||
{
|
||||
clanLib,
|
||||
lib,
|
||||
directory,
|
||||
...
|
||||
}:
|
||||
let
|
||||
@@ -298,6 +300,18 @@ in
|
||||
...
|
||||
}:
|
||||
{
|
||||
exports.networking = {
|
||||
peers = lib.mapAttrs (name: _machine: {
|
||||
host.plain =
|
||||
clanLib.vars.getPublicValue {
|
||||
flake = directory;
|
||||
machine = name;
|
||||
generator = "wireguard-network-${instanceName}";
|
||||
file = "prefix";
|
||||
}
|
||||
+ "::1";
|
||||
}) roles.controller.machines;
|
||||
};
|
||||
|
||||
# Controllers connect to all peers and other controllers
|
||||
nixosModule =
|
||||
|
||||
@@ -1,9 +1,12 @@
|
||||
!!! Danger "Experimental"
|
||||
This service is experimental and will change in the future.
|
||||
🚧🚧🚧 Experimental 🚧🚧🚧
|
||||
|
||||
Use at your own risk.
|
||||
|
||||
We are still refining its interfaces, instability and breakages are expected.
|
||||
|
||||
---
|
||||
|
||||
This module sets up [yggdrasil](https://yggdrasil-network.github.io/) across your clan.
|
||||
This module sets up [yggdrasil](https://yggdrasil-network.github.io/) across your clan.
|
||||
|
||||
Yggdrasil is designed to be a future-proof and decentralised alternative to the
|
||||
structured routing protocols commonly used today on the internet. Inside your
|
||||
|
||||
6
devFlake/flake.lock
generated
6
devFlake/flake.lock
generated
@@ -105,11 +105,11 @@
|
||||
},
|
||||
"nixpkgs-dev": {
|
||||
"locked": {
|
||||
"lastModified": 1762168314,
|
||||
"narHash": "sha256-+DX6mIF47gRGoK0mqkTg1Jmcjcup0CAXJFHVkdUx8YA=",
|
||||
"lastModified": 1761853358,
|
||||
"narHash": "sha256-1tBdsBzYJOzVzNOmCFzFMWHw7UUbhkhiYCFGr+OjPTs=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "94fc102d2c15d9c1a861e59de550807c65358e1b",
|
||||
"rev": "262333bca9b49964f8e3cad3af655466597c01d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
@@ -51,7 +51,7 @@ Make sure you have the following:
|
||||
**Note:** This creates a new directory in your current location
|
||||
|
||||
```shellSession
|
||||
nix run "https://git.clan.lol/clan/clan-core/archive/main.tar.gz#clan-cli" --refresh -- flakes create
|
||||
nix run https://git.clan.lol/clan/clan-core/archive/main.tar.gz#clan-cli --refresh -- flakes create
|
||||
```
|
||||
|
||||
3. Enter a **name** in the prompt:
|
||||
|
||||
@@ -150,61 +150,10 @@ Those are very similar to NixOS VM tests, as in they run virtualized nixos machi
|
||||
As of now the container test driver is a downstream development in clan-core.
|
||||
Basically everything stated under the NixOS VM tests sections applies here, except some limitations.
|
||||
|
||||
### Using Container Tests vs VM Tests
|
||||
Limitations:
|
||||
|
||||
Container tests are **enabled by default** for all tests using the clan testing framework.
|
||||
They offer significant performance advantages over VM tests:
|
||||
|
||||
- **Faster startup**
|
||||
- **Lower resource usage**: No full kernel boot or hardware emulation overhead
|
||||
|
||||
To control whether a test uses containers or VMs, use the `clan.test.useContainers` option:
|
||||
|
||||
```nix
|
||||
{
|
||||
clan = {
|
||||
directory = ./.;
|
||||
test.useContainers = true; # Use containers (default)
|
||||
# test.useContainers = false; # Use VMs instead
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
**When to use VM tests instead of container tests:**
|
||||
|
||||
- Testing kernel features, modules, or boot processes
|
||||
- Testing hardware-specific features
|
||||
- When you need full system isolation
|
||||
|
||||
### System Requirements for Container Tests
|
||||
|
||||
Container tests require the **`uid-range`** system feature** in the Nix sandbox.
|
||||
This feature allows Nix to allocate a range of UIDs for containers to use, enabling `systemd-nspawn` containers to run properly inside the Nix build sandbox.
|
||||
|
||||
**Configuration:**
|
||||
|
||||
The `uid-range` feature requires the `auto-allocate-uids` setting to be enabled in your Nix configuration.
|
||||
|
||||
To verify or enable it, add to your `/etc/nix/nix.conf` or NixOS configuration:
|
||||
|
||||
```nix
|
||||
settings.experimental-features = [
|
||||
"auto-allocate-uids"
|
||||
];
|
||||
|
||||
nix.settings.auto-allocate-uids = true;
|
||||
nix.settings.system-features = [ "uid-range" ];
|
||||
```
|
||||
|
||||
**Technical details:**
|
||||
|
||||
- Container tests set `requiredSystemFeatures = [ "uid-range" ];` in their derivation (see `lib/test/container-test-driver/driver-module.nix:98`)
|
||||
- Without this feature, containers cannot properly manage user namespaces and will fail to start
|
||||
|
||||
### Limitations
|
||||
|
||||
- Cannot run in interactive mode, however while the container test runs, it logs a nsenter command that can be used to log into each of the containers.
|
||||
- Early implementation and limited by features.
|
||||
- Cannot run in interactive mode, however while the container test runs, it logs a nsenter command that can be used to log into each of the container.
|
||||
- setuid binaries don't work
|
||||
|
||||
### Where to find examples for NixOS container tests
|
||||
|
||||
|
||||
18
flake.lock
generated
18
flake.lock
generated
@@ -51,11 +51,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1762040540,
|
||||
"narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
|
||||
"lastModified": 1760948891,
|
||||
"narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "0010412d62a25d959151790968765a70c436598b",
|
||||
"rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -71,11 +71,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1762039661,
|
||||
"narHash": "sha256-oM5BwAGE78IBLZn+AqxwH/saqwq3e926rNq5HmOulkc=",
|
||||
"lastModified": 1761339987,
|
||||
"narHash": "sha256-IUaawVwItZKi64IA6kF6wQCLCzpXbk2R46dHn8sHkig=",
|
||||
"owner": "nix-darwin",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "c3c8c9f2a5ed43175ac4dc030308756620e6e4e4",
|
||||
"rev": "7cd9aac79ee2924a85c211d21fafd394b06a38de",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -115,10 +115,10 @@
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 315532800,
|
||||
"narHash": "sha256-LDT9wuUZtjPfmviCcVWif5+7j4kBI2mWaZwjNNeg4eg=",
|
||||
"rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
|
||||
"narHash": "sha256-yDxtm0PESdgNetiJN5+MFxgubBcLDTiuSjjrJiyvsvM=",
|
||||
"rev": "d7f52a7a640bc54c7bb414cca603835bf8dd4b10",
|
||||
"type": "tarball",
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre887438.a7fc11be66bd/nixexprs.tar.xz"
|
||||
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre871443.d7f52a7a640b/nixexprs.tar.xz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
|
||||
@@ -18,7 +18,7 @@ let
|
||||
inputs.data-mesher.nixosModules.data-mesher
|
||||
];
|
||||
config = {
|
||||
clan.core.clanPkgs = lib.mkDefault self.packages.${pkgs.stdenv.hostPlatform.system};
|
||||
clan.core.clanPkgs = lib.mkDefault self.packages.${pkgs.hostPlatform.system};
|
||||
};
|
||||
};
|
||||
in
|
||||
|
||||
@@ -30,5 +30,5 @@ let
|
||||
in
|
||||
{
|
||||
# Note this might jump back and worth as kernel get added or removed.
|
||||
boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.zfs) latestKernelPackage;
|
||||
boot.kernelPackages = lib.mkIf (lib.meta.availableOn pkgs.hostPlatform pkgs.zfs) latestKernelPackage;
|
||||
}
|
||||
|
||||
@@ -245,7 +245,7 @@ class SecretStore(StoreBase):
|
||||
output_dir / "activation" / generator.name / file.name
|
||||
)
|
||||
out_file.parent.mkdir(parents=True, exist_ok=True)
|
||||
out_file.write_bytes(file.value)
|
||||
out_file.write_bytes(self.get(generator, file.name))
|
||||
if "partitioning" in phases:
|
||||
for generator in vars_generators:
|
||||
for file in generator.files:
|
||||
@@ -254,7 +254,7 @@ class SecretStore(StoreBase):
|
||||
output_dir / "partitioning" / generator.name / file.name
|
||||
)
|
||||
out_file.parent.mkdir(parents=True, exist_ok=True)
|
||||
out_file.write_bytes(file.value)
|
||||
out_file.write_bytes(self.get(generator, file.name))
|
||||
|
||||
hash_data = self.generate_hash(machine)
|
||||
if hash_data:
|
||||
|
||||
@@ -246,7 +246,7 @@ class SecretStore(StoreBase):
|
||||
)
|
||||
# chmod after in case it doesn't have u+w
|
||||
target_path.touch(mode=0o600)
|
||||
target_path.write_bytes(file.value)
|
||||
target_path.write_bytes(self.get(generator, file.name))
|
||||
target_path.chmod(file.mode)
|
||||
|
||||
if "partitioning" in phases:
|
||||
@@ -260,7 +260,7 @@ class SecretStore(StoreBase):
|
||||
)
|
||||
# chmod after in case it doesn't have u+w
|
||||
target_path.touch(mode=0o600)
|
||||
target_path.write_bytes(file.value)
|
||||
target_path.write_bytes(self.get(generator, file.name))
|
||||
target_path.chmod(file.mode)
|
||||
|
||||
@override
|
||||
|
||||
@@ -211,7 +211,7 @@ class ClanSelectError(ClanError):
|
||||
|
||||
def __str__(self) -> str:
|
||||
if self.description:
|
||||
return f"{self.msg} Reason: {self.description}. Use flag '--debug' to see full nix trace."
|
||||
return f"{self.msg} Reason: {self.description}"
|
||||
return self.msg
|
||||
|
||||
def __repr__(self) -> str:
|
||||
|
||||
@@ -59,7 +59,9 @@ def upload_sources(machine: Machine, ssh: Host, upload_inputs: bool) -> str:
|
||||
if not has_path_inputs and not upload_inputs:
|
||||
# Just copy the flake to the remote machine, we can substitute other inputs there.
|
||||
path = flake_data["path"]
|
||||
remote_url = f"ssh-ng://{remote_url_base}"
|
||||
if machine._class_ == "darwin":
|
||||
remote_program_params = "?remote-program=bash -lc 'exec nix-daemon --stdio'"
|
||||
remote_url = f"ssh-ng://{remote_url_base}{remote_program_params}"
|
||||
cmd = nix_command(
|
||||
[
|
||||
"copy",
|
||||
|
||||
Reference in New Issue
Block a user