wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-07 14:21:48 +02:00
Code Activity

Merge remote-tracking branch 'obsidian/path-info' into ca-drv-exotic

Browse source
This commit is contained in:
John Ericson 2021-02-25 21:58:41 +00:00
commit 90d76fa399
344 changed files with 12008 additions and 6500 deletions
Download patch file Download diff file Expand all files Collapse all files

16
tests/binary-cache-build-remote.sh Normal file
View file

@ -0,0 +1,16 @@
source common.sh
clearStore
clearCacheCache
# Fails without remote builders
(! nix-build --store "file://$cacheDir" dependencies.nix)
# Succeeds with default store as build remote.
outPath=$(nix-build --store "file://$cacheDir" --builders 'auto - - 1 1' -j0 dependencies.nix)
# Test that the path exactly exists in the destination store.
nix path-info --store "file://$cacheDir" $outPath
# Succeeds without any build capability because no-op
nix-build --store "file://$cacheDir" -j0 dependencies.nix

68
tests/binary-cache.sh
View file

@ -1,15 +1,20 @@
source common.sh
# We can produce drvs directly into the binary cache
clearStore
clearCache
clearCacheCache
nix-instantiate --store "file://$cacheDir" dependencies.nix
# Create the binary cache.
clearStore
clearCache
outPath=$(nix-build dependencies.nix --no-out-link)
nix copy --to file://$cacheDir $outPath
basicTests() {
basicDownloadTests() {
# No uploading tests bcause upload with force HTTP doesn't work.
# By default, a binary cache doesn't support "nix-env -qas", but does
# support installation.
@ -44,12 +49,12 @@ basicTests() {
# Test LocalBinaryCacheStore.
basicTests
basicDownloadTests
# Test HttpBinaryCacheStore.
export _NIX_FORCE_HTTP=1
basicTests
basicDownloadTests
# Test whether Nix notices if the NAR doesn't match the hash in the NAR info.
@ -125,20 +130,18 @@ grep -q "copying path.*input-0" $TEST_ROOT/log
grep -q "copying path.*top" $TEST_ROOT/log
if [ -n "$HAVE_SODIUM" ]; then
# Create a signed binary cache.
clearCache
clearCacheCache
declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk1 $TEST_ROOT/pk1 ))
publicKey="$(cat $TEST_ROOT/pk1)"
nix key generate-secret --key-name test.nixos.org-1 > $TEST_ROOT/sk1
publicKey=$(nix key convert-secret-to-public < $TEST_ROOT/sk1)
res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk2 $TEST_ROOT/pk2))
badKey="$(cat $TEST_ROOT/pk2)"
nix key generate-secret --key-name test.nixos.org-1 > $TEST_ROOT/sk2
badKey=$(nix key convert-secret-to-public < $TEST_ROOT/sk2)
res=($(nix-store --generate-binary-cache-key foo.nixos.org-1 $TEST_ROOT/sk3 $TEST_ROOT/pk3))
otherKey="$(cat $TEST_ROOT/pk3)"
nix key generate-secret --key-name foo.nixos.org-1 > $TEST_ROOT/sk3
otherKey=$(nix key convert-secret-to-public < $TEST_ROOT/sk3)
_NIX_FORCE_HTTP= nix copy --to file://$cacheDir?secret-key=$TEST_ROOT/sk1 $outPath
@ -181,14 +184,12 @@ clearCacheCache
nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"
fi # HAVE_LIBSODIUM
unset _NIX_FORCE_HTTP
# Test 'nix verify --all' on a binary cache.
nix verify -vvvvv --all --store file://$cacheDir --no-trust
nix store verify -vvvvv --all --store file://$cacheDir --no-trust
# Test local NAR caching.
@ -196,13 +197,13 @@ narCache=$TEST_ROOT/nar-cache
rm -rf $narCache
mkdir $narCache
[[ $(nix cat-store --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
[[ $(nix store cat --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
rm -rfv "$cacheDir/nar"
[[ $(nix cat-store --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
[[ $(nix store cat --store "file://$cacheDir?local-nar-cache=$narCache" $outPath/foobar) = FOOBAR ]]
(! nix cat-store --store file://$cacheDir $outPath/foobar)
(! nix store cat --store file://$cacheDir $outPath/foobar)
# Test NAR listing generation.
@ -239,3 +240,34 @@ nix copy --to "file://$cacheDir?index-debug-info=1&compression=none" $outPath
diff -u \
<(cat $cacheDir/debuginfo/02623eda209c26a59b1a8638ff7752f6b945c26b.debug | jq -S) \
<(echo '{"archive":"../nar/100vxs724qr46phz8m24iswmg9p3785hsyagz0kchf6q6gf06sw6.nar","member":"lib/debug/.build-id/02/623eda209c26a59b1a8638ff7752f6b945c26b.debug"}' | jq -S)
# Test against issue https://github.com/NixOS/nix/issues/3964
#
expr='
with import ./config.nix;
mkDerivation {
name = "multi-output";
buildCommand = "mkdir -p $out; echo foo > $doc; echo $doc > $out/docref";
outputs = ["out" "doc"];
}
'
outPath=$(nix-build --no-out-link -E "$expr")
docPath=$(nix-store -q --references $outPath)
# $ nix-store -q --tree $outPath
# ...-multi-output
# +---...-multi-output-doc
nix copy --to "file://$cacheDir" $outPath
hashpart() {
basename "$1" | cut -c1-32
}
# break the closure of out by removing doc
rm $cacheDir/$(hashpart $docPath).narinfo
nix-store --delete $outPath $docPath
# -vvv is the level that logs during the loop
timeout 60 nix-build --no-out-link -E "$expr" --option substituters "file://$cacheDir" \
--option trusted-binary-caches "file://$cacheDir" --no-require-sigs

4
tests/brotli.sh
View file

@ -9,13 +9,13 @@ outPath=$(nix-build dependencies.nix --no-out-link)
nix copy --to $cacheURI $outPath
HASH=$(nix hash-path $outPath)
HASH=$(nix hash path $outPath)
clearStore
clearCacheCache
nix copy --from $cacheURI $outPath --no-check-sigs
HASH2=$(nix hash-path $outPath)
HASH2=$(nix hash path $outPath)
[[ $HASH = $HASH2 ]]

28
tests/build-remote-input-addressed.sh
View file

@ -3,3 +3,31 @@ source common.sh
file=build-hook.nix
source build-remote.sh
# Add a `post-build-hook` option to the nix conf.
# This hook will be executed both for the local machine and the remote builders
# (because they share the same config).
registerBuildHook () {
# Dummy post-build-hook just to ensure that it's executed correctly.
# (we can't reuse the one from `$PWD/push-to-store.sh` because of
# https://github.com/NixOS/nix/issues/4341)
cat <<EOF > $TEST_ROOT/post-build-hook.sh
#!/bin/sh
echo "Post hook ran successfully"
# Add an empty line to a counter file, just to check that this hook ran properly
echo "" >> $TEST_ROOT/post-hook-counter
EOF
chmod +x $TEST_ROOT/post-build-hook.sh
rm -f $TEST_ROOT/post-hook-counter
echo "post-build-hook = $TEST_ROOT/post-build-hook.sh" >> $NIX_CONF_DIR/nix.conf
}
registerBuildHook
source build-remote.sh
# `build-hook.nix` has four derivations to build, and the hook runs twice for
# each derivation (once on the builder and once on the host), so the counter
# should contain eight lines now
[[ $(cat $TEST_ROOT/post-hook-counter | wc -l) -eq 8 ]]

3
tests/build-remote.sh
View file

@ -14,6 +14,9 @@ builders=(
"ssh-ng://localhost?remote-store=$TEST_ROOT/machine3?system-features=baz - - 1 1 baz"
)
chmod -R +w $TEST_ROOT/machine* || true
rm -rf $TEST_ROOT/machine* || true
# Note: ssh://localhost bypasses ssh, directly invoking nix-store as a
# child process. This allows us to test LegacySSHStore::buildDerivation().
# ssh-ng://... likewise allows us to test RemoteStore::buildDerivation().

12
tests/build.sh Normal file
View file

@ -0,0 +1,12 @@
source common.sh
expectedJSONRegex='\[\{"drvPath":".*multiple-outputs-a.drv","outputs":\{"first":".*multiple-outputs-a-first","second":".*multiple-outputs-a-second"}},\{"drvPath":".*multiple-outputs-b.drv","outputs":\{"out":".*multiple-outputs-b"}}]'
nix build -f multiple-outputs.nix --json a.all b.all | jq --exit-status '
(.[0] |
(.drvPath | match(".*multiple-outputs-a.drv")) and
(.outputs.first | match(".*multiple-outputs-a-first")) and
(.outputs.second | match(".*multiple-outputs-a-second")))
and (.[1] |
(.drvPath | match(".*multiple-outputs-b.drv")) and
(.outputs.out | match(".*multiple-outputs-b")))
'

3
tests/common.sh.in
View file

@ -34,7 +34,6 @@ coreutils=@coreutils@
export dot=@dot@
export SHELL="@bash@"
export PAGER=cat
export HAVE_SODIUM="@HAVE_SODIUM@"
export busybox="@sandbox_shell@"
export version=@PACKAGE_VERSION@
@ -74,7 +73,7 @@ startDaemon() {
# Start the daemon, wait for the socket to appear. !!!
# nix-daemon should have an option to fork into the background.
rm -f $NIX_STATE_DIR/daemon-socket/socket
nix-daemon &
nix daemon &
for ((i = 0; i < 30; i++)); do
if [ -e $NIX_DAEMON_SOCKET_PATH ]; then break; fi
sleep 1

7
tests/compute-levels.sh Normal file
View file

@ -0,0 +1,7 @@
source common.sh
if [[ $(uname -ms) = "Linux x86_64" ]]; then
# x86_64 CPUs must always support the baseline
# microarchitecture level.
nix -vv --version | grep -q "x86_64-v1-linux"
fi

9
tests/config.sh
View file

@ -16,3 +16,12 @@ here=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")
export NIX_USER_CONF_FILES=$here/config/nix-with-substituters.conf
var=$(nix show-config | grep '^substituters =' | cut -d '=' -f 2 | xargs)
[[ $var == https://example.com ]]
# Test that it's possible to load config from the environment
prev=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
export NIX_CONFIG="cores = 4242"$'\n'"experimental-features = nix-command flakes"
exp_cores=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
exp_features=$(nix show-config | grep '^experimental-features' | cut -d '=' -f 2 | xargs)
[[ $prev != $exp_cores ]]
[[ $exp_cores == "4242" ]]
[[ $exp_features == "nix-command flakes" ]]

31
tests/content-addressed.nix
View file

@ -15,15 +15,17 @@ rec {
'';
};
rootCA = mkDerivation {
name = "dependent";
outputs = [ "out" "dev" ];
name = "rootCA";
outputs = [ "out" "dev" "foo"];
buildCommand = ''
echo "building a CA derivation"
echo "The seed is ${toString seed}"
mkdir -p $out
echo ${rootLegacy}/hello > $out/dep
# test symlink at root
ln -s $out $out/self
# test symlinks at root
ln -s $out $dev
ln -s $out $foo
'';
__contentAddressed = true;
outputHashMode = "recursive";
@ -34,7 +36,8 @@ rec {
buildCommand = ''
echo "building a dependent derivation"
mkdir -p $out
echo ${rootCA}/hello > $out/dep
cat ${rootCA}/self/dep
echo ${rootCA}/self/dep > $out/dep
'';
__contentAddressed = true;
outputHashMode = "recursive";
@ -51,4 +54,24 @@ rec {
outputHashMode = "recursive";
outputHashAlgo = "sha256";
};
dependentNonCA = mkDerivation {
name = "dependent-non-ca";
buildCommand = ''
echo "Didn't cut-off"
echo "building dependent-non-ca"
mkdir -p $out
echo ${rootCA}/non-ca-hello > $out/dep
'';
};
dependentFixedOutput = mkDerivation {
name = "dependent-fixed-output";
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=";
buildCommand = ''
cat ${dependentCA}/dep
echo foo > $out
'';
};
}

68
tests/content-addressed.sh
View file

@ -5,23 +5,63 @@ source common.sh
drv=$(nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 1)
nix --experimental-features 'nix-command ca-derivations' show-derivation --derivation "$drv" --arg seed 1
testDerivation () {
buildAttr () {
local derivationPath=$1
local commonArgs=("--experimental-features" "ca-derivations" "./content-addressed.nix" "-A" "$derivationPath" "--no-out-link")
local seedValue=$2
shift; shift
local args=("--experimental-features" "ca-derivations" "./content-addressed.nix" "-A" "$derivationPath" --arg seed "$seedValue" "--no-out-link")
args+=("$@")
nix-build "${args[@]}"
}
testRemoteCache () {
clearCache
local outPath=$(buildAttr dependentNonCA 1)
nix copy --to file://$cacheDir $outPath
clearStore
buildAttr dependentNonCA 1 --option substituters file://$cacheDir --no-require-sigs |& (! grep "building dependent-non-ca")
}
testDeterministicCA () {
[[ $(buildAttr rootCA 1) = $(buildAttr rootCA 2) ]]
}
testCutoffFor () {
local out1 out2
out1=$(nix-build "${commonArgs[@]}" --arg seed 1)
out2=$(nix-build "${commonArgs[@]}" --arg seed 2 "${secondSeedArgs[@]}")
out1=$(buildAttr $1 1)
# The seed only changes the root derivation, and not it's output, so the
# dependent derivations should only need to be built once.
buildAttr rootCA 2
out2=$(buildAttr $1 2 -j0)
test "$out1" == "$out2"
}
testDerivation rootCA
# The seed only changes the root derivation, and not it's output, so the
# dependent derivations should only need to be built once.
secondSeedArgs=(-j0)
# Don't directly build depenentCA, that way we'll make sure we dodn't rely on
# dependent derivations always being already built.
#testDerivation dependentCA
testDerivation transitivelyDependentCA
testCutoff () {
# Don't directly build depenentCA, that way we'll make sure we dodn't rely on
# dependent derivations always being already built.
#testDerivation dependentCA
testCutoffFor transitivelyDependentCA
testCutoffFor dependentNonCA
testCutoffFor dependentFixedOutput
}
nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 5
nix-collect-garbage --experimental-features ca-derivations --option keep-derivations true
testGC () {
nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 5
nix-collect-garbage --experimental-features ca-derivations --option keep-derivations true
clearStore
buildAttr rootCA 1 --out-link $TEST_ROOT/rootCA
nix-collect-garbage --experimental-features ca-derivations
buildAttr rootCA 1 -j0
}
testNixCommand () {
clearStore
nix build --experimental-features 'nix-command ca-derivations' --file ./content-addressed.nix --no-link
}
# Disabled until we have it properly working
# testRemoteCache
testDeterministicCA
testCutoff
testGC
testNixCommand

15
tests/fetchGit.sh
View file

@ -41,6 +41,19 @@ export _NIX_FORCE_HTTP=1
path=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
[[ $(cat $path/hello) = world ]]
# Fetch a rev from another branch
git -C $repo checkout -b devtest
echo "different file" >> $TEST_ROOT/git/differentbranch
git -C $repo add differentbranch
git -C $repo commit -m 'Test2'
git -C $repo checkout master
devrev=$(git -C $repo rev-parse devtest)
out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; }" 2>&1) || status=$?
[[ $status == 1 ]]
[[ $out =~ 'Cannot find Git revision' ]]
[[ $(nix eval --raw --expr "builtins.readFile (builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; allRefs = true; } + \"/differentbranch\")") = 'different file' ]]
# In pure eval mode, fetchGit without a revision should fail.
[[ $(nix eval --impure --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")") = world ]]
(! nix eval --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")")
@ -59,6 +72,7 @@ path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath
[[ $(nix eval --impure --expr "(builtins.fetchGit file://$repo).revCount") = 2 ]]
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).shortRev") = ${rev2:0:7} ]]
# Fetching with a explicit hash should succeed.
path2=$(nix eval --refresh --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
@ -132,6 +146,7 @@ path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath
path3=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
# (check dirty-tree handling was used)
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).shortRev") = 0000000 ]]
# Committing shouldn't change store path, or switch to using 'master'
git -C $repo commit -m 'Bla5' -a

3
tests/fetchMercurial.sh
View file

@ -15,6 +15,9 @@ hg init $repo
echo '[ui]' >> $repo/.hg/hgrc
echo 'username = Foobar <foobar@example.org>' >> $repo/.hg/hgrc
# Set ui.tweakdefaults to ensure HGPLAIN is being set.
echo 'tweakdefaults = True' >> $repo/.hg/hgrc
echo utrecht > $repo/hello
touch $repo/.hgignore
hg add --cwd $repo hello .hgignore

22
tests/fetchurl.sh
View file

@ -5,27 +5,27 @@ clearStore
# Test fetching a flat file.
hash=$(nix-hash --flat --type sha256 ./fetchurl.sh)
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link)
outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link)
cmp $outPath fetchurl.sh
# Now using a base-64 hash.
clearStore
hash=$(nix hash-file --type sha512 --base64 ./fetchurl.sh)
hash=$(nix hash file --type sha512 --base64 ./fetchurl.sh)
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link)
outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link)
cmp $outPath fetchurl.sh
# Now using an SRI hash.
clearStore
hash=$(nix hash-file ./fetchurl.sh)
hash=$(nix hash file ./fetchurl.sh)
[[ $hash =~ ^sha256- ]]
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr hash $hash --no-out-link)
outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr hash $hash --no-out-link)
cmp $outPath fetchurl.sh
@ -34,14 +34,14 @@ clearStore
other_store=file://$TEST_ROOT/other_store?store=/fnord/store
hash=$(nix hash-file --type sha256 --base16 ./fetchurl.sh)
hash=$(nix hash file --type sha256 --base16 ./fetchurl.sh)
storePath=$(nix --store $other_store add-to-store --flat ./fetchurl.sh)
storePath=$(nix --store $other_store store add-file ./fetchurl.sh)
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)
outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)
# Test hashed mirrors with an SRI hash.
nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix to-sri --type sha256 $hash) \
nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix hash to-sri --type sha256 $hash) \
--no-out-link --substituters $other_store
# Test unpacking a NAR.
@ -55,7 +55,7 @@ nix-store --dump $TEST_ROOT/archive > $nar
hash=$(nix-hash --flat --type sha256 $nar)
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$nar --argstr sha256 $hash \
outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$nar --argstr sha256 $hash \
--arg unpack true --argstr name xyzzy --no-out-link)
echo $outPath | grep -q 'xyzzy'
@ -69,7 +69,7 @@ nix-store --delete $outPath
narxz=$TEST_ROOT/archive.nar.xz
rm -f $narxz
xz --keep $nar
outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$narxz --argstr sha256 $hash \
outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$narxz --argstr sha256 $hash \
--arg unpack true --argstr name xyzzy --no-out-link)
test -x $outPath/fetchurl.sh

6
tests/flakes.sh
View file

@ -276,18 +276,18 @@ git -C $flake3Dir commit -m 'Add lockfile'
# Test whether registry caching works.
nix registry list --flake-registry file://$registry | grep -q flake3
mv $registry $registry.tmp
nix-store --gc
nix store gc
nix registry list --flake-registry file://$registry --refresh | grep -q flake3
mv $registry.tmp $registry
# Test whether flakes are registered as GC roots for offline use.
# FIXME: use tarballs rather than git.
rm -rf $TEST_HOME/.cache
nix-store --gc # get rid of copies in the store to ensure they get fetched to our git cache
nix store gc # get rid of copies in the store to ensure they get fetched to our git cache
_NIX_FORCE_HTTP=1 nix build -o $TEST_ROOT/result git+file://$flake2Dir#bar
mv $flake1Dir $flake1Dir.tmp
mv $flake2Dir $flake2Dir.tmp
nix-store --gc
nix store gc
_NIX_FORCE_HTTP=1 nix build -o $TEST_ROOT/result git+file://$flake2Dir#bar
_NIX_FORCE_HTTP=1 nix build -o $TEST_ROOT/result git+file://$flake2Dir#bar --refresh
mv $flake1Dir.tmp $flake1Dir

6
tests/gc-auto.sh
View file

@ -2,9 +2,9 @@ source common.sh
clearStore
garbage1=$(nix add-to-store --name garbage1 ./nar-access.sh)
garbage2=$(nix add-to-store --name garbage2 ./nar-access.sh)
garbage3=$(nix add-to-store --name garbage3 ./nar-access.sh)
garbage1=$(nix store add-path --name garbage1 ./nar-access.sh)
garbage2=$(nix store add-path --name garbage2 ./nar-access.sh)
garbage3=$(nix store add-path --name garbage3 ./nar-access.sh)
ls -l $garbage3
POSIXLY_CORRECT=1 du $garbage3

46
tests/github-flakes.nix
View file

@ -1,6 +1,6 @@
{ nixpkgs, system, overlay }:
with import (nixpkgs + "/nixos/lib/testing.nix") {
with import (nixpkgs + "/nixos/lib/testing-python.nix") {
inherit system;
extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
};
@ -64,6 +64,7 @@ in
makeTest (
{
name = "github-flakes";
nodes =
{ # Impersonate github.com and api.github.com.
@ -113,36 +114,37 @@ makeTest (
};
};
testScript = { nodes }:
''
use POSIX qw(strftime);
testScript = { nodes }: ''
# fmt: off
import json
import time
startAll;
start_all()
$github->waitForUnit("httpd.service");
github.wait_for_unit("httpd.service")
$client->succeed("curl -v https://github.com/ >&2");
client.succeed("curl -v https://github.com/ >&2")
client.succeed("nix registry list | grep nixpkgs")
$client->succeed("nix registry list | grep nixpkgs");
rev = client.succeed("nix flake info nixpkgs --json | jq -r .revision")
assert rev.strip() == "${nixpkgs.rev}", "revision mismatch"
$client->succeed("nix flake info nixpkgs --json | jq -r .revision") eq "${nixpkgs.rev}\n"
or die "revision mismatch";
client.succeed("nix registry pin nixpkgs")
$client->succeed("nix registry pin nixpkgs");
client.succeed("nix flake info nixpkgs --tarball-ttl 0 >&2")
$client->succeed("nix flake info nixpkgs --tarball-ttl 0 >&2");
# Shut down the web server. The flake should be cached on the client.
github.succeed("systemctl stop httpd.service")
# Shut down the web server. The flake should be cached on the client.
$github->succeed("systemctl stop httpd.service");
info = json.loads(client.succeed("nix flake info nixpkgs --json"))
date = time.strftime("%Y%m%d%H%M%S", time.gmtime(info['lastModified']))
assert date == "${nixpkgs.lastModifiedDate}", "time mismatch"
my $date = $client->succeed("nix flake info nixpkgs --json | jq -M .lastModified");
strftime("%Y%m%d%H%M%S", gmtime($date)) eq "${nixpkgs.lastModifiedDate}" or die "time mismatch";
client.succeed("nix build nixpkgs#hello")
$client->succeed("nix build nixpkgs#hello");
# The build shouldn't fail even with --tarball-ttl 0 (the server
# being down should not be a fatal error).
$client->succeed("nix build nixpkgs#fuse --tarball-ttl 0");
'';
# The build shouldn't fail even with --tarball-ttl 0 (the server
# being down should not be a fatal error).
client.succeed("nix build nixpkgs#fuse --tarball-ttl 0")
'';
})

10
tests/hash.sh
View file

@ -2,7 +2,7 @@ source common.sh
try () {
printf "%s" "$2" > $TEST_ROOT/vector
hash=$(nix hash-file --base16 $EXTRA --type "$1" $TEST_ROOT/vector)
hash=$(nix hash file --base16 $EXTRA --type "$1" $TEST_ROOT/vector)
if test "$hash" != "$3"; then
echo "hash $1, expected $3, got $hash"
exit 1
@ -69,17 +69,17 @@ try2 md5 "f78b733a68f5edbdf9413899339eaa4a"
# Conversion.
try3() {
h64=$(nix to-base64 --type "$1" "$2")
h64=$(nix hash to-base64 --type "$1" "$2")
[ "$h64" = "$4" ]
sri=$(nix to-sri --type "$1" "$2")
sri=$(nix hash to-sri --type "$1" "$2")
[ "$sri" = "$1-$4" ]
h32=$(nix-hash --type "$1" --to-base32 "$2")
[ "$h32" = "$3" ]
h16=$(nix-hash --type "$1" --to-base16 "$h32")
[ "$h16" = "$2" ]
h16=$(nix to-base16 --type "$1" "$h64")
h16=$(nix hash to-base16 --type "$1" "$h64")
[ "$h16" = "$2" ]
h16=$(nix to-base16 "$sri")
h16=$(nix hash to-base16 "$sri")
[ "$h16" = "$2" ]
}
try3 sha1 "800d59cfcd3c05e900cb4e214be48f6b886a08df" "vw46m23bizj4n8afrc0fj19wrp7mj3c0" "gA1Zz808BekAy04hS+SPa4hqCN8="

2
tests/init.sh
View file

@ -19,7 +19,9 @@ keep-derivations = false
sandbox = false
experimental-features = nix-command flakes
gc-reserved-space = 0
substituters =
flake-registry = $TEST_ROOT/registry.json
show-trace = true
include nix.conf.extra
EOF

5
tests/lang/eval-okay-search-path.nix
View file

@ -1,10 +1,9 @@
with import ./lib.nix;
with builtins;
assert pathExists <nix/fetchurl.nix>;
assert isFunction (import <nix/fetchurl.nix>);
assert length __nixPath == 6;
assert length (filter (x: x.prefix == "nix") __nixPath) == 1;
assert length __nixPath == 5;
assert length (filter (x: baseNameOf x.path == "dir4") __nixPath) == 1;
import <a.nix> + import <b.nix> + import <c.nix> + import <dir5/c.nix>

4
tests/linux-sandbox.sh
View file

@ -22,9 +22,9 @@ outPath=$(nix-build dependencies.nix --no-out-link --sandbox-paths /nix/store)
nix path-info -r $outPath | grep input-2
nix ls-store -R -l $outPath | grep foobar
nix store ls -R -l $outPath | grep foobar
nix cat-store $outPath/foobar | grep FOOBAR
nix store cat $outPath/foobar | grep FOOBAR
# Test --check without hash rewriting.
nix-build dependencies.nix --no-out-link --check --sandbox-paths /nix/store

8
tests/local.mk
View file

@ -9,7 +9,9 @@ nix_tests = \
local-store.sh remote-store.sh export.sh export-graph.sh \
timeout.sh secure-drv-outputs.sh nix-channel.sh \
multiple-outputs.sh import-derivation.sh fetchurl.sh optimise-store.sh \
binary-cache.sh nix-profile.sh repair.sh dump-db.sh case-hack.sh \
binary-cache.sh \
binary-cache-build-remote.sh \
nix-profile.sh repair.sh dump-db.sh case-hack.sh \
check-reqs.sh pass-as-file.sh tarball.sh restricted.sh \
placeholders.sh nix-shell.sh \
linux-sandbox.sh \
@ -36,7 +38,9 @@ nix_tests = \
describe-stores.sh \
flakes.sh \
content-addressed.sh \
text-hashed-output.sh
text-hashed-output.sh \
build.sh \
compute-levels.sh
# parallel.sh
# build-remote-content-addressed-fixed.sh \

4
tests/misc.sh
View file

@ -17,10 +17,10 @@ nix-env -q --foo 2>&1 | grep "unknown flag"
# Eval Errors.
eval_arg_res=$(nix-instantiate --eval -E 'let a = {} // a; in a.foo' 2>&1 || true)
echo $eval_arg_res | grep "at: (1:15) from string"
echo $eval_arg_res | grep "at «string»:1:15:"
echo $eval_arg_res | grep "infinite recursion encountered"
eval_stdin_res=$(echo 'let a = {} // a; in a.foo' | nix-instantiate --eval -E - 2>&1 || true)
echo $eval_stdin_res | grep "at: (1:15) from stdin"
echo $eval_stdin_res | grep "at «stdin»:1:15:"
echo $eval_stdin_res | grep "infinite recursion encountered"

2
tests/multiple-outputs.sh
View file

@ -58,7 +58,7 @@ outPath2=$(nix-build $(nix-instantiate multiple-outputs.nix -A a.second) --no-ou
# Delete one of the outputs and rebuild it. This will cause a hash
# rewrite.
nix-store --delete $TEST_ROOT/result-second --ignore-liveness
nix store delete $TEST_ROOT/result-second --ignore-liveness
nix-build multiple-outputs.nix -A a.all -o $TEST_ROOT/result
[ "$(cat $TEST_ROOT/result-second/file)" = "second" ]
[ "$(cat $TEST_ROOT/result-second/link/file)" = "first" ]

26
tests/nar-access.sh
View file

@ -9,45 +9,45 @@ cd "$TEST_ROOT"
narFile="$TEST_ROOT/path.nar"
nix-store --dump $storePath > $narFile
# Check that find and ls-nar match.
# Check that find and nar ls match.
( cd $storePath; find . | sort ) > files.find
nix ls-nar -R -d $narFile "" | sort > files.ls-nar
nix nar ls -R -d $narFile "" | sort > files.ls-nar
diff -u files.find files.ls-nar
# Check that file contents of data match.
nix cat-nar $narFile /foo/data > data.cat-nar
nix nar cat $narFile /foo/data > data.cat-nar
diff -u data.cat-nar $storePath/foo/data
# Check that file contents of baz match.
nix cat-nar $narFile /foo/baz > baz.cat-nar
nix nar cat $narFile /foo/baz > baz.cat-nar
diff -u baz.cat-nar $storePath/foo/baz
nix cat-store $storePath/foo/baz > baz.cat-nar
nix store cat $storePath/foo/baz > baz.cat-nar
diff -u baz.cat-nar $storePath/foo/baz
# Test --json.
diff -u \
<(nix ls-nar --json $narFile / | jq -S) \
<(nix nar ls --json $narFile / | jq -S) \
<(echo '{"type":"directory","entries":{"foo":{},"foo-x":{},"qux":{},"zyx":{}}}' | jq -S)
diff -u \
<(nix ls-nar --json -R $narFile /foo | jq -S) \
<(nix nar ls --json -R $narFile /foo | jq -S) \
<(echo '{"type":"directory","entries":{"bar":{"type":"regular","size":0,"narOffset":368},"baz":{"type":"regular","size":0,"narOffset":552},"data":{"type":"regular","size":58,"narOffset":736}}}' | jq -S)
diff -u \
<(nix ls-nar --json -R $narFile /foo/bar | jq -S) \
<(nix nar ls --json -R $narFile /foo/bar | jq -S) \
<(echo '{"type":"regular","size":0,"narOffset":368}' | jq -S)
diff -u \
<(nix ls-store --json $storePath | jq -S) \
<(nix store ls --json $storePath | jq -S) \
<(echo '{"type":"directory","entries":{"foo":{},"foo-x":{},"qux":{},"zyx":{}}}' | jq -S)
diff -u \
<(nix ls-store --json -R $storePath/foo | jq -S) \
<(nix store ls --json -R $storePath/foo | jq -S) \
<(echo '{"type":"directory","entries":{"bar":{"type":"regular","size":0},"baz":{"type":"regular","size":0},"data":{"type":"regular","size":58}}}' | jq -S)
diff -u \
<(nix ls-store --json -R $storePath/foo/bar| jq -S) \
<(nix store ls --json -R $storePath/foo/bar| jq -S) \
<(echo '{"type":"regular","size":0}' | jq -S)
# Test missing files.
nix ls-store --json -R $storePath/xyzzy 2>&1 | grep 'does not exist in NAR'
nix ls-store $storePath/xyzzy 2>&1 | grep 'does not exist'
nix store ls --json -R $storePath/xyzzy 2>&1 | grep 'does not exist in NAR'
nix store ls $storePath/xyzzy 2>&1 | grep 'does not exist'
# Test failure to dump.
if nix-store --dump $storePath >/dev/full ; then

33
tests/nix-build-examples.nix Normal file
View file

@ -0,0 +1,33 @@
with import ./config.nix;
rec {
input0 = mkDerivation {
name = "dependencies-input-0";
buildCommand = "mkdir $out; echo foo > $out/bar";
};
input1 = mkDerivation {
name = "dependencies-input-1";
buildCommand = "mkdir $out; echo FOO > $out/foo";
};
input2 = mkDerivation {
name = "dependencies-input-2";
buildCommand = ''
mkdir $out
echo BAR > $out/bar
echo ${input0} > $out/input0
'';
};
body = mkDerivation {
name = "dependencies-top";
builder = ./dependencies.builder0.sh + "/FOOBAR/../.";
input1 = input1 + "/.";
input2 = "${input2}/.";
input1_drv = input1;
meta.description = "Random test package";
};
}

15
tests/nix-build.sh
View file

@ -26,3 +26,18 @@ outPath2=$(nix-build $(nix-instantiate dependencies.nix)!out --no-out-link)
outPath2=$(nix-store -r $(nix-instantiate --add-root $TEST_ROOT/indirect dependencies.nix)!out)
[[ $outPath = $outPath2 ]]
# The order of the paths on stdout must correspond to the -A options
# https://github.com/NixOS/nix/issues/4197
input0="$(nix-build nix-build-examples.nix -A input0 --no-out-link)"
input1="$(nix-build nix-build-examples.nix -A input1 --no-out-link)"
input2="$(nix-build nix-build-examples.nix -A input2 --no-out-link)"
body="$(nix-build nix-build-examples.nix -A body --no-out-link)"
outPathsA="$(echo $(nix-build nix-build-examples.nix -A input0 -A input1 -A input2 -A body --no-out-link))"
[[ "$outPathsA" = "$input0 $input1 $input2 $body" ]]
# test a different ordering to make sure it fails, not just in 23 out of 24 permutations
outPathsB="$(echo $(nix-build nix-build-examples.nix -A body -A input1 -A input2 -A input0 --no-out-link))"
[[ "$outPathsB" = "$body $input1 $input2 $input0" ]]

80
tests/nix-copy-closure.nix
View file

@ -2,18 +2,19 @@
{ nixpkgs, system, overlay }:
with import (nixpkgs + "/nixos/lib/testing.nix") {
with import (nixpkgs + "/nixos/lib/testing-python.nix") {
inherit system;
extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
};
makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; in {
makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; pkgD = pkgs.tmux; in {
name = "nix-copy-closure";
nodes =
{ client =
{ config, lib, pkgs, ... }:
{ virtualisation.writableStore = true;
virtualisation.pathsInNixDB = [ pkgA ];
virtualisation.pathsInNixDB = [ pkgA pkgD.drvPath ];
nix.binaryCaches = lib.mkForce [ ];
};
@ -25,41 +26,52 @@ makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; in {
};
};
testScript = { nodes }:
''
startAll;
testScript = { nodes }: ''
# fmt: off
import subprocess
# Create an SSH key on the client.
my $key = `${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;
$client->succeed("mkdir -m 700 /root/.ssh");
$client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
$client->succeed("chmod 600 /root/.ssh/id_ed25519");
start_all()
# Install the SSH key on the server.
$server->succeed("mkdir -m 700 /root/.ssh");
$server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
$server->waitForUnit("sshd");
$client->waitForUnit("network.target");
$client->succeed("ssh -o StrictHostKeyChecking=no " . $server->name() . " 'echo hello world'");
# Create an SSH key on the client.
subprocess.run([
"${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
], capture_output=True, check=True)
# Copy the closure of package A from the client to the server.
$server->fail("nix-store --check-validity ${pkgA}");
$client->succeed("nix-copy-closure --to server --gzip ${pkgA} >&2");
$server->succeed("nix-store --check-validity ${pkgA}");
client.succeed("mkdir -m 700 /root/.ssh")
client.copy_from_host("key", "/root/.ssh/id_ed25519")
client.succeed("chmod 600 /root/.ssh/id_ed25519")
# Copy the closure of package B from the server to the client.
$client->fail("nix-store --check-validity ${pkgB}");
$client->succeed("nix-copy-closure --from server --gzip ${pkgB} >&2");
$client->succeed("nix-store --check-validity ${pkgB}");
# Install the SSH key on the server.
server.succeed("mkdir -m 700 /root/.ssh")
server.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
server.wait_for_unit("sshd")
client.wait_for_unit("network.target")
client.succeed(f"ssh -o StrictHostKeyChecking=no {server.name} 'echo hello world'")
# Copy the closure of package C via the SSH substituter.
$client->fail("nix-store -r ${pkgC}");
# FIXME
#$client->succeed(
# "nix-store --option use-ssh-substituter true"
# . " --option ssh-substituter-hosts root\@server"
# . " -r ${pkgC} >&2");
#$client->succeed("nix-store --check-validity ${pkgC}");
'';
# Copy the closure of package A from the client to the server.
server.fail("nix-store --check-validity ${pkgA}")
client.succeed("nix-copy-closure --to server --gzip ${pkgA} >&2")
server.succeed("nix-store --check-validity ${pkgA}")
# Copy the closure of package B from the server to the client.
client.fail("nix-store --check-validity ${pkgB}")
client.succeed("nix-copy-closure --from server --gzip ${pkgB} >&2")
client.succeed("nix-store --check-validity ${pkgB}")
# Copy the closure of package C via the SSH substituter.
client.fail("nix-store -r ${pkgC}")
# Copy the derivation of package D's derivation from the client to the server.
server.fail("nix-store --check-validity ${pkgD.drvPath}")
client.succeed("nix-copy-closure --to server --gzip ${pkgD.drvPath} >&2")
server.succeed("nix-store --check-validity ${pkgD.drvPath}")
# FIXME
# client.succeed(
# "nix-store --option use-ssh-substituter true"
# " --option ssh-substituter-hosts root\@server"
# " -r ${pkgC} >&2"
# )
# client.succeed("nix-store --check-validity ${pkgC}")
'';
})

24
tests/nix-shell.sh
View file

@ -47,6 +47,14 @@ chmod a+rx $TEST_ROOT/shell.shebang.sh
output=$($TEST_ROOT/shell.shebang.sh abc def)
[ "$output" = "foo bar abc def" ]
# Test nix-shell shebang mode again with metacharacters in the filename.
# First word of filename is chosen to not match any file in the test root.
sed -e "s|@ENV_PROG@|$(type -p env)|" shell.shebang.sh > $TEST_ROOT/spaced\ \\\'\"shell.shebang.sh
chmod a+rx $TEST_ROOT/spaced\ \\\'\"shell.shebang.sh
output=$($TEST_ROOT/spaced\ \\\'\"shell.shebang.sh abc def)
[ "$output" = "foo bar abc def" ]
# Test nix-shell shebang mode for ruby
# This uses a fake interpreter that returns the arguments passed
# This, in turn, verifies the `rc` script is valid and the `load()` script (given using `-e`) is as expected.
@ -54,11 +62,25 @@ sed -e "s|@SHELL_PROG@|$(type -p nix-shell)|" shell.shebang.rb > $TEST_ROOT/shel
chmod a+rx $TEST_ROOT/shell.shebang.rb
output=$($TEST_ROOT/shell.shebang.rb abc ruby)
[ "$output" = '-e load("'"$TEST_ROOT"'/shell.shebang.rb") -- abc ruby' ]
[ "$output" = '-e load(ARGV.shift) -- '"$TEST_ROOT"'/shell.shebang.rb abc ruby' ]
# Test nix-shell shebang mode for ruby again with metacharacters in the filename.
# Note: fake interpreter only space-separates args without adding escapes to its output.
sed -e "s|@SHELL_PROG@|$(type -p nix-shell)|" shell.shebang.rb > $TEST_ROOT/spaced\ \\\'\"shell.shebang.rb
chmod a+rx $TEST_ROOT/spaced\ \\\'\"shell.shebang.rb
output=$($TEST_ROOT/spaced\ \\\'\"shell.shebang.rb abc ruby)
[ "$output" = '-e load(ARGV.shift) -- '"$TEST_ROOT"'/spaced \'\''"shell.shebang.rb abc ruby' ]
# Test 'nix develop'.
nix develop -f shell.nix shellDrv -c bash -c '[[ -n $stdenv ]]'
# Ensure `nix develop -c` preserves stdin
echo foo | nix develop -f shell.nix shellDrv -c cat | grep -q foo
# Ensure `nix develop -c` actually executes the command if stdout isn't a terminal
nix develop -f shell.nix shellDrv -c echo foo |& grep -q foo
# Test 'nix print-dev-env'.
source <(nix print-dev-env -f shell.nix shellDrv)
[[ -n $stdenv ]]

2
tests/plugins.sh
View file

@ -2,6 +2,6 @@ source common.sh
set -o pipefail
res=$(nix eval --expr builtins.anotherNull --option setting-set true --option plugin-files $PWD/plugins/libplugintest*)
res=$(nix --option setting-set true --option plugin-files $PWD/plugins/libplugintest* eval --expr builtins.anotherNull)
[ "$res"x = "nullx" ]

10
tests/pure-eval.sh
View file

@ -15,4 +15,12 @@ nix eval --expr 'assert 1 + 2 == 3; true'
[[ $(nix eval --impure --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x") == 123 ]]
(! nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x")
nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x"
nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash file pure-eval.nix --type sha256)\"; })).x"
rm -rf $TEST_ROOT/eval-out
nix eval --store dummy:// --write-to $TEST_ROOT/eval-out --expr '{ x = "foo" + "bar"; y = { z = "bla"; }; }'
[[ $(cat $TEST_ROOT/eval-out/x) = foobar ]]
[[ $(cat $TEST_ROOT/eval-out/y/z) = bla ]]
rm -rf $TEST_ROOT/eval-out
(! nix eval --store dummy:// --write-to $TEST_ROOT/eval-out --expr '{ "." = "bla"; }')

4
tests/recursive.sh
View file

@ -7,7 +7,7 @@ clearStore
rm -f $TEST_ROOT/result
export unreachable=$(nix add-to-store ./recursive.sh)
export unreachable=$(nix store add-path ./recursive.sh)
NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command recursive-nix' build -o $TEST_ROOT/result -L --impure --expr '
with import ./config.nix;
@ -38,7 +38,7 @@ NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command r
# Add something to the store.
echo foobar > foobar
foobar=$(nix $opts add-to-store ./foobar)
foobar=$(nix $opts store add-path ./foobar)
nix $opts path-info $foobar
nix $opts build $foobar

71
tests/remote-builds.nix
View file

@ -2,7 +2,7 @@
{ nixpkgs, system, overlay }:
with import (nixpkgs + "/nixos/lib/testing.nix") {
with import (nixpkgs + "/nixos/lib/testing-python.nix") {
inherit system;
extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
};
@ -36,6 +36,7 @@ let
in
{
name = "remote-builds";
nodes =
{ builder1 = builder;
@ -66,44 +67,46 @@ in
};
};
testScript = { nodes }:
''
startAll;
testScript = { nodes }: ''
# fmt: off
import subprocess
# Create an SSH key on the client.
my $key = `${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;
$client->succeed("mkdir -p -m 700 /root/.ssh");
$client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
$client->succeed("chmod 600 /root/.ssh/id_ed25519");
start_all()
# Install the SSH key on the builders.
$client->waitForUnit("network.target");
foreach my $builder ($builder1, $builder2) {
$builder->succeed("mkdir -p -m 700 /root/.ssh");
$builder->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
$builder->waitForUnit("sshd");
$client->succeed("ssh -o StrictHostKeyChecking=no " . $builder->name() . " 'echo hello world'");
}
# Create an SSH key on the client.
subprocess.run([
"${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
], capture_output=True, check=True)
client.succeed("mkdir -p -m 700 /root/.ssh")
client.copy_from_host("key", "/root/.ssh/id_ed25519")
client.succeed("chmod 600 /root/.ssh/id_ed25519")
# Perform a build and check that it was performed on the builder.
my $out = $client->succeed(
"nix-build ${expr nodes.client.config 1} 2> build-output",
"grep -q Hello build-output"
);
$builder1->succeed("test -e $out");
# Install the SSH key on the builders.
client.wait_for_unit("network.target")
for builder in [builder1, builder2]:
builder.succeed("mkdir -p -m 700 /root/.ssh")
builder.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
builder.wait_for_unit("sshd")
client.succeed(f"ssh -o StrictHostKeyChecking=no {builder.name} 'echo hello world'")
# And a parallel build.
my ($out1, $out2) = split /\s/,
$client->succeed('nix-store -r $(nix-instantiate ${expr nodes.client.config 2})\!out $(nix-instantiate ${expr nodes.client.config 3})\!out');
$builder1->succeed("test -e $out1 -o -e $out2");
$builder2->succeed("test -e $out1 -o -e $out2");
# Perform a build and check that it was performed on the builder.
out = client.succeed(
"nix-build ${expr nodes.client.config 1} 2> build-output",
"grep -q Hello build-output"
)
builder1.succeed(f"test -e {out}")
# And a failing build.
$client->fail("nix-build ${expr nodes.client.config 5}");
# And a parallel build.
paths = client.succeed(r'nix-store -r $(nix-instantiate ${expr nodes.client.config 2})\!out $(nix-instantiate ${expr nodes.client.config 3})\!out')
out1, out2 = paths.split()
builder1.succeed(f"test -e {out1} -o -e {out2}")
builder2.succeed(f"test -e {out1} -o -e {out2}")
# Test whether the build hook automatically skips unavailable builders.
$builder1->block;
$client->succeed("nix-build ${expr nodes.client.config 4}");
'';
# And a failing build.
client.fail("nix-build ${expr nodes.client.config 5}")
# Test whether the build hook automatically skips unavailable builders.
builder1.block()
client.succeed("nix-build ${expr nodes.client.config 4}")
'';
})

14
tests/remote-store.sh
View file

@ -7,6 +7,20 @@ nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store doctor
startDaemon
# Test import-from-derivation through the daemon.
[[ $(nix eval --impure --raw --expr '
with import ./config.nix;
import (
mkDerivation {
name = "foo";
bla = import ./dependencies.nix;
buildCommand = "
echo \\\"hi\\\" > $out
";
}
)
') = hi ]]
storeCleared=1 NIX_REMOTE_=$NIX_REMOTE $SHELL ./user-envs.sh
nix-store --dump-db > $TEST_ROOT/d1

150
tests/setuid.nix
View file

@ -2,12 +2,13 @@
{ nixpkgs, system, overlay }:
with import (nixpkgs + "/nixos/lib/testing.nix") {
with import (nixpkgs + "/nixos/lib/testing-python.nix") {
inherit system;
extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
};
makeTest {
name = "setuid";
machine =
{ config, lib, pkgs, ... }:
@ -17,94 +18,109 @@ makeTest {
virtualisation.pathsInNixDB = [ pkgs.stdenv pkgs.pkgsi686Linux.stdenv ];
};
testScript = { nodes }:
''
startAll;
testScript = { nodes }: ''
# fmt: off
start_all()
# Copying to /tmp should succeed.
$machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
")\' ');
# Copying to /tmp should succeed.
machine.succeed(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
# Creating a setuid binary should fail.
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
chmod 4755 /tmp/id
")\' ');
# Creating a setuid binary should fail.
machine.fail(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
chmod 4755 /tmp/id
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
# Creating a setgid binary should fail.
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
chmod 2755 /tmp/id
")\' ');
# Creating a setgid binary should fail.
machine.fail(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
chmod 2755 /tmp/id
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
# The checks should also work on 32-bit binaries.
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
chmod 2755 /tmp/id
")\' ');
# The checks should also work on 32-bit binaries.
machine.fail(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> { system = "i686-linux"; }; runCommand "foo" {} "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
chmod 2755 /tmp/id
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
# The tests above use fchmodat(). Test chmod() as well.
$machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"chmod 0666, qw(/tmp/id) or die\"
")\' ');
# The tests above use fchmodat(). Test chmod() as well.
machine.succeed(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"chmod 0666, qw(/tmp/id) or die\"
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 666 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 666 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"chmod 04755, qw(/tmp/id) or die\"
")\' ');
machine.fail(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"chmod 04755, qw(/tmp/id) or die\"
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
# And test fchmod().
$machine->succeed('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
")\' ');
# And test fchmod().
machine.succeed(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 01750, \\\$x or die\"
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]');
machine.succeed('[[ $(stat -c %a /tmp/id) = 1750 ]]')
$machine->succeed("rm /tmp/id");
machine.succeed("rm /tmp/id")
$machine->fail('nix-build --no-sandbox -E \'(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
")\' ');
machine.fail(r"""
nix-build --no-sandbox -E '(with import <nixpkgs> {}; runCommand "foo" { buildInputs = [ perl ]; } "
mkdir -p $out
cp ${pkgs.coreutils}/bin/id /tmp/id
perl -e \"my \\\$x; open \\\$x, qw(/tmp/id); chmod 04777, \\\$x or die\"
")'
""".strip())
$machine->succeed('[[ $(stat -c %a /tmp/id) = 555 ]]');
$machine->succeed("rm /tmp/id");
'';
machine.succeed('[[ $(stat -c %a /tmp/id) = 555 ]]')
machine.succeed("rm /tmp/id")
'';
}

2
tests/shell.nix
View file

@ -50,7 +50,7 @@ let pkgs = rec {
# ruby "interpreter" that outputs "$@"
ruby = runCommand "ruby" {} ''
mkdir -p $out/bin
echo 'printf -- "$*"' > $out/bin/ruby
echo 'printf %s "$*"' > $out/bin/ruby
chmod a+rx $out/bin/ruby
'';

48
tests/signing.sh
View file

@ -17,40 +17,40 @@ info=$(nix path-info --json $outPath)
[[ $info =~ 'cache1.example.org' ]]
[[ $info =~ 'cache2.example.org' ]]
# Test "nix verify".
nix verify -r $outPath
# Test "nix store verify".
nix store verify -r $outPath
expect 2 nix verify -r $outPath --sigs-needed 1
expect 2 nix store verify -r $outPath --sigs-needed 1
nix verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
nix store verify -r $outPath --sigs-needed 1 --trusted-public-keys $pk1
expect 2 nix verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
expect 2 nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys $pk1
nix verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix store verify -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix store verify --all --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
# Build something unsigned.
outPath2=$(nix-build simple.nix --no-out-link)
nix verify -r $outPath
nix store verify -r $outPath
# Verify that the path did not get signed but does have the ultimate bit.
info=$(nix path-info --json $outPath2)
[[ $info =~ '"ultimate":true' ]]
(! [[ $info =~ 'signatures' ]])
# Test "nix verify".
nix verify -r $outPath2
# Test "nix store verify".
nix store verify -r $outPath2
expect 2 nix verify -r $outPath2 --sigs-needed 1
expect 2 nix store verify -r $outPath2 --sigs-needed 1
expect 2 nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
expect 2 nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
# Test "nix sign-paths".
nix sign-paths --key-file $TEST_ROOT/sk1 $outPath2
# Test "nix store sign".
nix store sign --key-file $TEST_ROOT/sk1 $outPath2
nix verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1
# Build something content-addressed.
outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no-out-link)
@ -59,12 +59,12 @@ outPathCA=$(IMPURE_VAR1=foo IMPURE_VAR2=bar nix-build ./fixed.nix -A good.0 --no
# Content-addressed paths don't need signatures, so they verify
# regardless of --sigs-needed.
nix verify $outPathCA
nix verify $outPathCA --sigs-needed 1000
nix store verify $outPathCA
nix store verify $outPathCA --sigs-needed 1000
# Check that signing a content-addressed path doesn't overflow validSigs
nix sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
nix verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
nix store sign --key-file $TEST_ROOT/sk1 $outPathCA
nix store verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1
# Copy to a binary cache.
nix copy --to file://$cacheDir $outPath2
@ -76,7 +76,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
(! [[ $info =~ 'cache2.example.org' ]])
# Verify that adding a signature to a path in a binary cache works.
nix sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
nix store sign --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
info=$(nix path-info --store file://$cacheDir --json $outPath2)
[[ $info =~ 'cache1.example.org' ]]
[[ $info =~ 'cache2.example.org' ]]
@ -89,17 +89,17 @@ rm -rf $TEST_ROOT/store0
# But succeed if we supply the public keys.
nix copy --to $TEST_ROOT/store0 $outPath --trusted-public-keys $pk1
expect 2 nix verify --store $TEST_ROOT/store0 -r $outPath
expect 2 nix store verify --store $TEST_ROOT/store0 -r $outPath
nix verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
nix verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
nix store verify --store $TEST_ROOT/store0 -r $outPath --trusted-public-keys $pk1
nix store verify --store $TEST_ROOT/store0 -r $outPath --sigs-needed 2 --trusted-public-keys "$pk1 $pk2"
# It should also succeed if we disable signature checking.
(! nix copy --to $TEST_ROOT/store0 $outPath2)
nix copy --to $TEST_ROOT/store0?require-sigs=false $outPath2
# But signatures should still get copied.
nix verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
nix store verify --store $TEST_ROOT/store0 -r $outPath2 --trusted-public-keys $pk1
# Content-addressed stuff can be copied without signatures.
nix copy --to $TEST_ROOT/store0 $outPathCA

2
tests/ssh-relay.sh
View file

@ -11,6 +11,6 @@ store+=$remote_store
store+=$remote_store
store+=$remote_store
out=$(nix add-to-store --store "$store" $TEST_ROOT/hello.sh)
out=$(nix store add-path --store "$store" $TEST_ROOT/hello.sh)
[ foo = $(< $out) ]

2
tests/tarball.sh
View file

@ -10,7 +10,7 @@ mkdir -p $tarroot
cp dependencies.nix $tarroot/default.nix
cp config.nix dependencies.builder*.sh $tarroot/
hash=$(nix hash-path $tarroot)
hash=$(nix hash path $tarroot)
test_tarball() {
local ext="$1"