Merge branch 'master' into overlayfs-store

2025-07-07 14:21:48 +02:00 · 2023-07-19 15:00:47 +01:00 · 2023-07-19 15:00:47 +01:00 · 21b9e15d25
commit 21b9e15d25
parent 83cfa82e52 b0173716f6
21 changed files with 366 additions and 246 deletions
--- a/tests/local.mk
+++ b/tests/local.mk
@ -120,7 +120,8 @@ nix_tests = \
  path-from-hash-part.sh \
  test-libstoreconsumer.sh \
  toString-path.sh \
-  read-only-store.sh
+  read-only-store.sh \
+  nested-sandboxing.sh

 ifeq ($(HAVE_LIBCPUID), 1)
 	nix_tests += compute-levels.sh
--- a/tests/nested-sandboxing.sh
+++ b/tests/nested-sandboxing.sh
@ -0,0 +1,11 @@
+source common.sh
+# This test is run by `tests/nested-sandboxing/runner.nix` in an extra layer of sandboxing.
+[[ -d /nix/store ]] || skipTest "running this test without Nix's deps being drawn from /nix/store is not yet supported"
+
+requireSandboxSupport
+
+source ./nested-sandboxing/command.sh
+
+expectStderr 100 runNixBuild badStoreUrl 2 | grepQuiet '`sandbox-build-dir` must not contain'
+
+runNixBuild goodStoreUrl 5
--- a/tests/nested-sandboxing/command.sh
+++ b/tests/nested-sandboxing/command.sh
@ -0,0 +1,29 @@
+export NIX_BIN_DIR=$(dirname $(type -p nix))
+# TODO Get Nix and its closure more flexibly
+export EXTRA_SANDBOX="/nix/store $(dirname $NIX_BIN_DIR)"
+
+badStoreUrl () {
+    local altitude=$1
+    echo $TEST_ROOT/store-$altitude
+}
+
+goodStoreUrl () {
+    local altitude=$1
+    echo $("badStoreUrl" "$altitude")?store=/foo-$altitude
+}
+
+# The non-standard sandbox-build-dir helps ensure that we get the same behavior
+# whether this test is being run in a derivation as part of the nix build or
+# being manually run by a developer outside a derivation
+runNixBuild () {
+    local storeFun=$1
+    local altitude=$2
+    nix-build \
+        --no-substitute --no-out-link \
+        --store "$("$storeFun" "$altitude")" \
+        --extra-sandbox-paths "$EXTRA_SANDBOX" \
+        ./nested-sandboxing/runner.nix \
+        --arg altitude "$((altitude - 1))" \
+        --argstr storeFun "$storeFun" \
+        --sandbox-build-dir /build-non-standard
+}
--- a/tests/nested-sandboxing/runner.nix
+++ b/tests/nested-sandboxing/runner.nix
@ -0,0 +1,24 @@
+{ altitude, storeFun }:
+
+with import ../config.nix;
+
+mkDerivation {
+  name = "nested-sandboxing";
+  busybox = builtins.getEnv "busybox";
+  EXTRA_SANDBOX = builtins.getEnv "EXTRA_SANDBOX";
+  buildCommand = if altitude == 0 then ''
+    echo Deep enough! > $out
+  '' else ''
+    cp -r ${../common} ./common
+    cp ${../common.sh} ./common.sh
+    cp ${../config.nix} ./config.nix
+    cp -r ${./.} ./nested-sandboxing
+
+    export PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH
+
+    source common.sh
+    source ./nested-sandboxing/command.sh
+
+    runNixBuild ${storeFun} ${toString altitude} >> $out
+  '';
+}
--- a/tests/nixos/nix-copy.nix
+++ b/tests/nixos/nix-copy.nix
@ -79,6 +79,15 @@ in {
    server.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
    server.succeed("systemctl restart sshd")
    client.succeed(f"ssh -o StrictHostKeyChecking=no {server.name} 'echo hello world'")
+    client.succeed(f"ssh -O check {server.name}")
+    client.succeed(f"ssh -O exit {server.name}")
+    client.fail(f"ssh -O check {server.name}")
+
+    # Check that an explicit master will work
+    client.succeed(f"ssh -MNfS /tmp/master {server.name}")
+    client.succeed(f"ssh -S /tmp/master -O check {server.name}")
+    client.succeed("NIX_SSHOPTS='-oControlPath=/tmp/master' nix copy --to ssh://server ${pkgA} >&2")
+    client.succeed(f"ssh -S /tmp/master -O exit {server.name}")

    # Copy the closure of package B from the server to the client, using ssh-ng.
    client.fail("nix-store --check-validity ${pkgB}")