spindle/engines/microvm/test-spindle-microvm.sh at tan-456/in-diff-view-add-open-full-file-button · tangled.org/core

Monorepo for Tangled tangled.org
core / spindle / engines / microvm / test-spindle-microvm.sh
at tan-456/in-diff-view-add-open-full-file-button 31 kB View raw
dawn nix/microvm: dont capture input of devshell drv, discard it 3d ago
  1#!/usr/bin/env bash
  2set -euo pipefail
  3# dont export big captures like `out=$(run_vm ...)` into the environment.
  4set +a
  5# extglob enables the *(...) pattern strip_ansi uses for pure-bash CSI stripping
  6shopt -s extglob
  7# note: needs `sudo modprobe vhost_vsock`!
  8
  9log() {
 10    printf "\n\033[1;36m>>> %s\033[0m\n" "$*"
 11}
 12
 13_strip_ansi_stream() {
 14    local line
 15    while IFS= read -r line || [ -n "$line" ]; do
 16        line=${line//$'\e'\[*([0-9;])[a-zA-Z]/}
 17        line=${line//$'\e'\([a-zA-Z]/}
 18        printf '%s\n' "$line"
 19    done
 20}
 21
 22strip_ansi() {
 23    if [ "$#" -gt 0 ]; then
 24        local f
 25        for f in "$@"; do
 26            [ -r "$f" ] && _strip_ansi_stream < "$f"
 27        done
 28    else
 29        _strip_ansi_stream
 30    fi
 31}
 32
 33# check_needles OUT NEEDLES...
 34# each needle is an extended regex matched per line (mirrors `grep -qE`).
 35check_needles() {
 36    local out="$1"
 37    shift
 38
 39    local -a lines
 40    mapfile -t lines <<< "$out"
 41
 42    # strip ANSI per line (each line is short, so this stays cheap)
 43    local i l
 44    for i in "${!lines[@]}"; do
 45        l=${lines[i]}
 46        l=${l//$'\e'\[*([0-9;])[a-zA-Z]/}
 47        l=${l//$'\e'\([a-zA-Z]/}
 48        lines[i]=$l
 49    done
 50
 51    local needle missing=0 line hit
 52    for needle in "$@"; do
 53        hit=0
 54        for line in "${lines[@]}"; do
 55            if [[ $line =~ $needle ]]; then
 56                hit=1
 57                break
 58            fi
 59        done
 60        if [ "$hit" -eq 0 ]; then
 61            echo "error: output missing '$needle'" >&2
 62            missing=1
 63        fi
 64    done
 65
 66    if [ "$missing" -ne 0 ]; then
 67        printf '%s\n' "${lines[@]}" >&2
 68        return 1
 69    fi
 70}
 71
 72declare -a TEST_NAMES=()
 73declare -a TEST_STATUSES=()
 74declare -a TEST_TIMES=()
 75SKIP_TEST_RC=200
 76
 77get_time_ms() {
 78    local t="${EPOCHREALTIME:-}"
 79    if [[ "$t" == *.* ]]; then
 80        local secs="${t%.*}"
 81        local subs="${t#*.}"
 82        subs="${subs:0:3}"
 83        while [ "${#subs}" -lt 3 ]; do
 84            subs="${subs}0"
 85        done
 86        echo "${secs}${subs}"
 87    else
 88        echo "$(date +%s)000"
 89    fi
 90}
 91
 92format_duration() {
 93    local ms=$1
 94    local secs=$((ms / 1000))
 95    local rem=$((ms % 1000))
 96    printf "%d.%03ds" "$secs" "$rem"
 97}
 98
 99print_summary() {
100    if [ "${#TEST_NAMES[@]}" -eq 0 ]; then
101        return
102    fi
103    printf "\n"
104    log "test summary"
105    echo "========================================="
106    local passed_count=0
107    local skipped_count=0
108    local failed_count=0
109    local total_time=0
110    for i in "${!TEST_NAMES[@]}"; do
111        local name="${TEST_NAMES[$i]}"
112        local status="${TEST_STATUSES[$i]}"
113        local duration_ms="${TEST_TIMES[$i]}"
114        local duration_str
115        duration_str=$(format_duration "$duration_ms")
116
117        local status_color="\033[0;32m"
118        if [ "$status" = "Failed" ]; then
119            status_color="\033[0;31m"
120            failed_count=$((failed_count + 1))
121        elif [ "$status" = "Skipped" ]; then
122            status_color="\033[0;33m"
123            skipped_count=$((skipped_count + 1))
124        else
125            passed_count=$((passed_count + 1))
126        fi
127        total_time=$((total_time + duration_ms))
128
129        printf "  %-30s %b%-8b\033[0m  %s\n" "$name" "$status_color" "$status" "$duration_str"
130    done
131    echo "-----------------------------------------"
132    local total_tests="${#TEST_NAMES[@]}"
133    local total_time_str
134    total_time_str=$(format_duration "$total_time")
135    printf "  total: %d tests, %d passed, %d skipped, %d failed\n" "$total_tests" "$passed_count" "$skipped_count" "$failed_count"
136    printf "  total execution time: %s\n" "$total_time_str"
137    echo "========================================="
138}
139
140skip_test() {
141    echo "skipped: $*"
142    return "$SKIP_TEST_RC"
143}
144
145host_is_nixos() {
146    [ -e /etc/NIXOS ] && return 0
147    [ -r /etc/os-release ] && grep -q '^ID=nixos$' /etc/os-release
148}
149
150JOBS="${JOBS:-4}"
151while [[ $# -gt 0 ]]; do
152    case "$1" in
153        -j | --jobs)
154            JOBS="$2"
155            shift 2
156            ;;
157        --jobs=*)
158            JOBS="${1#*=}"
159            shift
160            ;;
161        --only)
162            TEST_ONLY="$2"
163            shift 2
164            ;;
165        --only=*)
166            TEST_ONLY="${1#*=}"
167            shift
168            ;;
169        *)
170            echo "unknown argument: $1" >&2
171            echo "usage: $0 [-j N|--jobs N] [--only TEST]" >&2
172            exit 1
173            ;;
174    esac
175done
176if ! [[ "$JOBS" =~ ^[0-9]+$ ]] || [ "$JOBS" -lt 1 ]; then
177    echo "error: --jobs must be a positive integer (got '$JOBS')" >&2
178    exit 1
179fi
180
181pick_free_port() {
182    local port
183    for _ in $(seq 1 50); do
184        port=$(((RANDOM % 16384) + 20000))
185        if ! (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null; then
186            echo "$port"
187            return 0
188        fi
189    done
190    echo "error: could not find a free port for the cache" >&2
191    return 1
192}
193
194SUCCESS=0
195rm -rf /tmp/test-spindle-microvm-logs
196
197log "setup local cache & temp environment"
198TEMP_DIR=$(mktemp -d -t test-spindle-microvm-XXXXXX)
199
200if [ ! -e /dev/vsock ]; then
201    echo "error: /dev/vsock is missing; run sudo modprobe vhost_vsock" >&2
202    exit 1
203fi
204
205log "build spindle & microvm image tarball"
206nix develop --command go build -o spindle/spindle-microvm-run ./cmd/spindle-microvm-run
207TARBALL_PATH=$(nix build .#spindle-nixos-image-tarball --no-link --print-out-paths)
208mkdir -p "$TEMP_DIR/image"
209tar -C "$TEMP_DIR/image" -xzf "$TARBALL_PATH"
210IMAGE_SPEC_JSON="$TEMP_DIR/image/spec.json"
211
212log "build alpine microvm image tarball"
213ALPINE_TARBALL_PATH=$(nix build .#spindle-alpine-image-tarball --no-link --print-out-paths)
214mkdir -p "$TEMP_DIR/alpine-image"
215tar -C "$TEMP_DIR/alpine-image" -xzf "$ALPINE_TARBALL_PATH"
216ALPINE_IMAGE_SPEC_JSON="$TEMP_DIR/alpine-image/spec.json"
217
218kill_temp_dir_procs() {
219    if [ -f "$TEMP_DIR/ncps.pid" ]; then
220        kill "$(cat "$TEMP_DIR/ncps.pid")" 2>/dev/null || true
221    fi
222    pkill -TERM -f "$TEMP_DIR" 2>/dev/null || true
223    local i
224    for i in $(seq 1 20); do
225        pgrep -f "$TEMP_DIR" >/dev/null 2>&1 || break
226        sleep 0.25
227    done
228    pkill -KILL -f "$TEMP_DIR" 2>/dev/null || true
229}
230
231collect_logs() {
232    echo "test failed. copying logs to /tmp/test-spindle-microvm-logs"
233    mkdir -p /tmp/test-spindle-microvm-logs
234    local f
235    for f in "$TEMP_DIR"/*; do
236        [ -f "$f" ] && cp "$f" /tmp/test-spindle-microvm-logs/
237    done
238    local work logf
239    for work in "$TEMP_DIR"/work-*; do
240        [ -d "$work" ] || continue
241        for logf in "$work"/*.log; do
242            [ -f "$logf" ] || continue
243            strip_ansi "$logf" > "/tmp/test-spindle-microvm-logs/$(basename "$work")-$(basename "$logf")"
244        done
245    done
246}
247
248CLEANED=0
249cleanup() {
250    [ "$CLEANED" -eq 1 ] && return
251    CLEANED=1
252
253    print_summary
254    log "cleaning up..."
255
256    local jobs_pids
257    jobs_pids=$(jobs -p)
258    [ -n "$jobs_pids" ] && kill $jobs_pids 2>/dev/null || true
259
260    kill_temp_dir_procs
261
262    [ "$SUCCESS" -ne 1 ] && collect_logs
263
264    chmod -R +w "$TEMP_DIR" 2>/dev/null || true
265    rm -rf "$TEMP_DIR"
266    echo "done"
267}
268trap cleanup EXIT
269# route signals through the EXIT trap so an interrupt still tears down VMs.
270trap 'exit 130' INT
271trap 'exit 143' TERM
272
273CACHE_PORT=$(pick_free_port)
274./spindle/engines/microvm/start-test-cache.sh "$TEMP_DIR" "$CACHE_PORT"
275source "$TEMP_DIR/env.sh"
276
277run_vm() {
278    local name=""
279    local timeout="60s"
280    local upload=0
281    local upload_url=""
282    local activate=""
283    local no_cache=0
284    local db=""
285    local spec="$IMAGE_SPEC_JSON"
286
287    while [[ $# -gt 0 ]]; do
288        case "$1" in
289            --spec)
290                spec="$2"
291                shift 2
292                ;;
293            --name)
294                name="$2"
295                shift 2
296                ;;
297            --timeout)
298                timeout="$2"
299                shift 2
300                ;;
301            --upload)
302                upload=1
303                shift
304                ;;
305            --upload-url)
306                upload=1
307                upload_url="$2"
308                shift 2
309                ;;
310            --activate)
311                activate="$2"
312                shift 2
313                ;;
314            --no-cache)
315                no_cache=1
316                shift
317                ;;
318            --db)
319                db="$2"
320                shift 2
321                ;;
322            --)
323                shift
324                break
325                ;;
326            *)
327                echo "unknown argument: $1" >&2
328                exit 1
329                ;;
330        esac
331    done
332
333    local work_dir="$TEMP_DIR/work-${name}"
334    mkdir -p "$work_dir"
335
336    local args=(
337        --image-spec "$spec"
338        --work-dir "$work_dir"
339        --exec-timeout "$timeout"
340        --port "${SPINDLE_TEST_VSOCK_PORT:-10240}"
341        --memory-mib 4096
342    )
343
344    if [ "$no_cache" -eq 0 ]; then
345        args+=(
346            --cache-read-url "$CACHE_URL"
347            --cache-trusted-public-key "$CACHE_PUBKEY"
348        )
349    fi
350
351    if [ "$upload" -eq 1 ]; then
352        if [ -z "$upload_url" ]; then
353            upload_url="$CACHE_UPLOAD_URL?secret-key=$CACHE_SECRET_KEY_PATH"
354        fi
355        args+=(
356            --cache-upload-url "$upload_url"
357        )
358    fi
359
360    if [ -n "$activate" ]; then
361        args+=(
362            --activate-config "$activate"
363        )
364    fi
365
366    if [ -n "$db" ]; then
367        args+=(
368            --db "$db"
369        )
370    fi
371
372    local out
373    if ! out=$(spindle/spindle-microvm-run "${args[@]}" -- "$@" 2>&1); then
374        echo "$out" | strip_ansi >&2
375        strip_ansi "$work_dir/serial.log" >&2
376        strip_ansi "$work_dir/qemu.log" >&2
377        return 1
378    fi
379    echo "$out"
380}
381
382run_test_job() {
383    local name="$1"
384    local func="$2"
385    local port="$3"
386    export SPINDLE_TEST_VSOCK_PORT="$port"
387
388    local logfile="$TEMP_DIR/test-${name}.log"
389    local start
390    start=$(get_time_ms)
391    log "[$name] start (vsock port $port)"
392
393    local status="Passed"
394    if "$func" > "$logfile" 2>&1; then
395        status="Passed"
396    else
397        local rc=$?
398        if [ "$rc" -eq "$SKIP_TEST_RC" ]; then
399            status="Skipped"
400        else
401            status="Failed"
402        fi
403    fi
404
405    local duration_ms=$(($(get_time_ms) - start))
406    printf '%s\t%s\n' "$status" "$duration_ms" > "$TEMP_DIR/test-${name}.status"
407
408    local duration_str
409    duration_str=$(format_duration "$duration_ms")
410    if [ "$status" = "Failed" ]; then
411        printf "\n\033[0;31m>>> [%s] FAILED (%s)\033[0m\n" "$name" "$duration_str"
412        strip_ansi "$logfile" || true
413    elif [ "$status" = "Skipped" ]; then
414        printf "\n\033[0;33m>>> [%s] skipped (%s)\033[0m\n" "$name" "$duration_str"
415        strip_ansi "$logfile" || true
416    else
417        printf "\n\033[0;32m>>> [%s] passed (%s)\033[0m\n" "$name" "$duration_str"
418    fi
419}
420
421# schedules every selected test across at most $JOBS concurrent VMs (each on its
422# own vsock port), then aggregates the per-test status files into the summary
423# arrays. returns 1 if any test failed, 0 otherwise.
424run_tests() {
425    local base_port=10240
426    local idx=0
427    local running=0
428
429    for func in "${TESTS[@]}"; do
430        local name="${func#test_}"
431        name="${name//_/-}"
432        if [ -n "${TEST_ONLY:-}" ] && [ "${TEST_ONLY}" != "$name" ]; then
433            continue
434        fi
435
436        run_test_job "$name" "$func" "$((base_port + idx))" &
437        idx=$((idx + 1))
438        running=$((running + 1))
439
440        if [ "$running" -ge "$JOBS" ]; then
441            wait -n || true
442            running=$((running - 1))
443        fi
444    done
445    wait
446
447    local failed=0
448    for func in "${TESTS[@]}"; do
449        local name="${func#test_}"
450        name="${name//_/-}"
451        if [ -n "${TEST_ONLY:-}" ] && [ "${TEST_ONLY}" != "$name" ]; then
452            continue
453        fi
454
455        local statusfile="$TEMP_DIR/test-${name}.status"
456        if [ ! -f "$statusfile" ]; then
457            TEST_NAMES+=("$name")
458            TEST_STATUSES+=("Failed")
459            TEST_TIMES+=(0)
460            failed=1
461            continue
462        fi
463
464        local status duration_ms
465        IFS=$'\t' read -r status duration_ms < "$statusfile"
466        TEST_NAMES+=("$name")
467        TEST_STATUSES+=("$status")
468        TEST_TIMES+=("$duration_ms")
469        if [ "$status" = "Failed" ]; then
470            failed=1
471        fi
472    done
473
474    return "$failed"
475}
476
477test_realize() {
478    local test_store_path
479    test_store_path=$(nix-build -E 'with import <nixpkgs> {}; writeText "test-file" "hello from cache"' --no-out-link)
480    nix copy --to "$CACHE_UPLOAD_URL?secret-key=$CACHE_SECRET_KEY_PATH" "$test_store_path"
481
482    local out
483    out=$(run_vm --name "realize" --timeout "60s" -- /run/current-system/sw/bin/bash -lc '
484set -euo pipefail
485store_path=$1
486cache_url=$(sed -n "s/^extra-substituters = //p" /run/spindle/nix.conf)
487cache_url=${cache_url%% *}
488if [ -z "$cache_url" ]; then
489    echo "error: cache URL not found in /run/spindle/nix.conf" >&2
490    exit 1
491fi
492
493http_version=$(/run/current-system/sw/bin/curl --http2-prior-knowledge -fsS -o /dev/null -w "%{http_version}" "$cache_url/nix-cache-info")
494echo "http_version=$http_version"
495case "$http_version" in
496    2|2.0) ;;
497    *)
498        echo "error: cache proxy did not negotiate HTTP/2 (got $http_version)" >&2
499        exit 1
500        ;;
501esac
502
503/run/current-system/sw/bin/nix-store --realise "$store_path" >/dev/null
504' bash "$test_store_path") || return 1
505
506    check_needles "$out" "^http_version=2(\\.0)?$" || return 1
507    echo "success: store path realized from cache and cache proxy accepted cleartext HTTP/2"
508}
509
510test_build_upload() {
511    local nix_expr='with import <nixpkgs> {}; writeText "uploaded-test-file" "hello from vm upload"'
512    local out
513    out=$(run_vm --name "build-upload" --timeout "120s" --upload -- /run/current-system/sw/bin/bash -l -c "nix-build -E '$nix_expr' --no-out-link") || return 1
514
515    local built_path
516    built_path=$(echo "$out" | strip_ansi | grep -v '\.drv' | grep -o '/nix/store/[a-z0-9]*-uploaded-test-file' | head -n 1 || true)
517    if [ -z "$built_path" ]; then
518        echo "error: could not find built store path in vm output" >&2
519        return 1
520    fi
521    echo "extracted path: $built_path"
522
523    local hash
524    hash=$(basename "$built_path" | cut -d'-' -f1)
525    if ! curl -s -f "$CACHE_URL/${hash}.narinfo" > /dev/null; then
526        echo "error: built store path was not uploaded to the binary cache" >&2
527        return 1
528    fi
529    echo "success: store path uploaded to cache"
530}
531
532test_ssh_store_upload() {
533    if ! host_is_nixos; then
534        skip_test "ssh store upload smoke only runs on nixos hosts"
535    fi
536
537    run_ssh_store_upload_case() {
538        local target="$1"
539        local label="$2"
540        local name="uploaded-test-file-${label}"
541        local content="hello from vm upload via ${label}"
542        local out
543        out=$(run_vm --name "$label" --timeout "180s" --upload-url "$target" -- /run/current-system/sw/bin/bash -l -c "nix-build -E 'with import <nixpkgs> {}; writeText \"$name\" \"$content\"' --no-out-link") || return 1
544
545        local built_path
546        built_path=$(echo "$out" | strip_ansi | grep -v '\.drv' | grep -o "/nix/store/[a-z0-9]*-${name}" | head -n 1 || true)
547        if [ -z "$built_path" ]; then
548            echo "error: could not find built store path in vm output for $label" >&2
549            echo "$out" | strip_ansi >&2
550            return 1
551        fi
552        if [ ! -e "$built_path" ]; then
553            echo "error: uploaded path missing from host store for $label: $built_path" >&2
554            return 1
555        fi
556        if [ "$(cat "$built_path")" != "$content" ]; then
557            echo "error: uploaded path content mismatch for $label" >&2
558            echo "path=$built_path" >&2
559            return 1
560        fi
561        echo "success: store path uploaded to $target via spindle"
562    }
563
564    run_ssh_store_upload_case "ssh-ng://localhost" "ssh-ng-upload"
565    run_ssh_store_upload_case "ssh://localhost" "ssh-upload"
566}
567
568test_networking() {
569    local hello_path
570    hello_path=$(nix-build -E 'with import <nixpkgs> {}; hello' --no-out-link)
571
572    local out
573    out=$(run_vm --name "networking" --timeout "120s" --no-cache -- /run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/curl -I --connect-timeout 1 -m 1 http://10.0.2.2:$CACHE_PORT; /run/current-system/sw/bin/nix-store --realise $hello_path") || return 1
574
575    if echo "$out" | grep -qi -E "unreachable|timeout|failed to connect|timed out" || echo "$out" | grep -q "exited with code"; then
576        echo "success: host network access blocked"
577    else
578        echo "error: guest vm accessed host network or returned unexpected output" >&2
579        echo "$out" | strip_ansi >&2
580        return 1
581    fi
582    echo "success: guest vm reached the internet and substituted hello"
583}
584
585test_substitution_and_no_upload() {
586    local hello_path
587    hello_path=$(nix-build -E 'with import <nixpkgs> {}; hello' --no-out-link)
588
589    local out
590    out=$(run_vm --name "nixpkgs-hello" --timeout "180s" --upload -- /run/current-system/sw/bin/nix-store --realise "$hello_path") || return 1
591
592    # substituted from our proxy, and nothing uploaded back to the cache.
593    check_needles "$out" "copying path.*hello" "cache uploaded: 0" || return 1
594    echo "success: hello package substituted from upstream cache and was not uploaded"
595}
596
597# a pinned registry, reused by the dependency and registry-pin tests.
598ACTIVATION_REGISTRY='"registry": {
599        "nixpkgs": "github:nixos/nixpkgs/nixos-unstable",
600        "my-nixpkgs": "nixpkgs"
601    }'
602
603test_activation_services() {
604    local config='{
605        "services": {
606            "openssh": {
607                "enable": true,
608                "authorizedKeysFiles": ["/etc/ssh/authorized_keys"]
609            }
610        }
611    }'
612    local out
613    out=$(run_vm --name "activation-services" --timeout "300s" --activate "$config" -- /run/current-system/sw/bin/systemctl is-active sshd) || return 1
614    check_needles "$out" "^active$" || return 1
615    echo "success: openssh service active after activation"
616}
617
618test_activation_dependencies() {
619    # pkg-config + openssl as bare dependencies (resolved via the pinned nixpkgs
620    # registry); their job is to prove the activation devshell exports build env
621    # vars like PKG_CONFIG_PATH, not just PATH. hello comes in via the github
622    # flakeref and (separately) the my-nixpkgs alias.
623    local config='{
624        '"$ACTIVATION_REGISTRY"',
625        "dependencies": [
626            "pkg-config",
627            "openssl",
628            "github:nixos/nixpkgs#hello",
629            "my-nixpkgs#hello"
630        ]
631    }'
632    # dependencies live in the activation devshell now, not systemPackages, so a
633    # step picks them up by sourcing the materialised env (this is what the
634    # engine's RunStep does automatically; the CLI runner does not, so we do it
635    # here).
636    local out
637    out=$(run_vm --name "activation-dependencies" --timeout "600s" --activate "$config" -- /run/current-system/sw/bin/bash -l -c '
638env_file=/run/spindle/devshell-env.sh
639[ -f "$env_file" ] && echo "env_file=present" || echo "env_file=missing"
640
641# mirror RunStep
642. "$env_file"
643export PATH="$PATH:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin"
644
645set -euo pipefail
646# bare deps: pkg-config must be on PATH, and it must locate openssl through the
647# devshell-provided PKG_CONFIG_PATH (openssls headers live in a separate `dev`
648# output, so this also proves that output got realised into the devshell).
649echo "pkgconfig=$(pkg-config --version)"
650pkg-config --exists openssl && echo "openssl_found=yes"
651echo "openssl_version=$(pkg-config --modversion openssl)"
652inc=$(pkg-config --variable=includedir openssl)
653echo "includedir=$inc"
654[ -f "$inc/openssl/ssl.h" ] && echo "dev_headers=found"
655
656# flakeref + aliased deps
657echo "hello=$(hello)"
658') || return 1
659
660    check_needles "$out" \
661        "env_file=present" "pkgconfig=[0-9]" "openssl_found=yes" \
662        "openssl_version=[0-9]" "dev_headers=found" "hello=Hello, world!" || return 1
663    echo "success: bare (pkg-config + openssl, dev headers found via PKG_CONFIG_PATH), flakeref, and aliased deps all resolved"
664}
665
666test_activation_registry_pin() {
667    # the nixpkgs the image itself was built from; the registry override must NOT
668    # resolve to this. deterministic (locked in the repo flake), so safe to compare.
669    local base_nixpkgs
670    base_nixpkgs=$(nix eval --raw --impure --expr '(builtins.getFlake (toString ./.)).inputs.nixpkgs.outPath')
671
672    local config='{
673        '"$ACTIVATION_REGISTRY"'
674    }'
675    # the pinned nixpkgs must reach the system nix config: resolving it via the
676    # flakes CLI must not error "is not locked", and it must win the <nixpkgs> nixPath.
677    local out
678    out=$(run_vm --name "activation-registry-pin" --timeout "300s" --activate "$config" -- /run/current-system/sw/bin/bash -l -c '
679set -euo pipefail
680echo "lib_version=$(nix eval --raw nixpkgs#lib.version)"
681echo "nix_path=$(nix eval --raw --impure --expr "toString <nixpkgs>")"
682') || return 1
683
684    check_needles "$out" "lib_version=[0-9]" || return 1
685    local clean guest_nixpath
686    clean=$(echo "$out" | strip_ansi)
687    guest_nixpath=$(echo "$clean" | sed -n 's/^nix_path=//p' | head -n1)
688    if [ -z "$guest_nixpath" ] || [ "$guest_nixpath" = "$base_nixpkgs" ]; then
689        echo "error: guest <nixpkgs> nixPath did not resolve to the registry override (got '$guest_nixpath', base '$base_nixpkgs')" >&2
690        return 1
691    fi
692    echo "success: pinned nixpkgs registry reached the guest nix config (flakes CLI + <nixpkgs> nixPath)"
693}
694
695test_activation_cache_substitution() {
696    # a unique path that only exists in the configured (workflow) cache; the host
697    # seeds it so the guest can prove it substitutes through the read proxy.
698    local test_store_path
699    test_store_path=$(nix-build -E 'with import <nixpkgs> {}; writeText "activation-cache-test" "hello from the workflow cache"' --no-out-link)
700    nix copy --to "$CACHE_UPLOAD_URL?secret-key=$CACHE_SECRET_KEY_PATH" "$test_store_path"
701
702    # a trivial config: this test only cares that the read proxy serves the
703    # workflow-cache path during an activated run.
704    local out
705    out=$(run_vm --name "activation-cache-substitution" --timeout "300s" --activate '{}' -- /run/current-system/sw/bin/bash -l -c '
706set -euo pipefail
707store_path=$1
708# the unique path only exists in the configured cache, so realising it proves it
709# was substituted through the read proxy and not built or found elsewhere.
710nix-store --realise "$store_path" >/dev/null
711echo "substituted=$(cat "$store_path")"
712' bash "$test_store_path") || return 1
713
714    check_needles "$out" "substituted=hello from the workflow cache" || return 1
715    echo "success: unique path substituted from the workflow cache through the read proxy"
716}
717
718test_activation_docker() {
719    local config='{
720        "virtualisation": {
721            "docker": { "enable": true }
722        }
723    }'
724    # docker.service is up, but the daemon socket can lag a beat behind activation;
725    # wait for it to answer, then pull+run a real image. this drives the slimmed
726    # kernel modules: overlay.ko storage plus bridge/iptables networking out of the
727    # pruned tree, with outbound DNS/network over the guest slirp link.
728    local out
729    out=$(run_vm --name "activation-docker" --timeout "600s" --activate "$config" -- /run/current-system/sw/bin/bash -l -c '
730set -euo pipefail
731echo "docker_unit=$(systemctl is-active docker)"
732for i in $(seq 1 60); do docker info >/dev/null 2>&1 && break; sleep 1; done
733docker info >/dev/null
734echo "storage_driver=$(docker info --format "{{.Driver}}")"
735docker run --rm alpine cat /etc/alpine-release | sed "s/^/alpine_release=/"
736docker run --rm alpine echo container-ran-ok
737') || return 1
738
739    check_needles "$out" \
740        "^docker_unit=active$" "storage_driver=overlay(2|fs)" \
741        "alpine_release=[0-9]+\." "container-ran-ok" || return 1
742    echo "success: docker service active, pulled and ran an alpine container on the overlay storage driver"
743}
744
745test_activation_cached_realize() {
746    local config='{
747        "services": {
748            "openssh": {
749                "enable": true,
750                "authorizedKeysFiles": ["/etc/ssh/authorized_keys"]
751            }
752        }
753    }'
754    local db_path="$TEMP_DIR/activation-cached.db"
755
756    # first run: build the config, upload its closure, and record the toplevel in
757    # the db. nothing cached yet, so this builds from scratch.
758    local out
759    out=$(run_vm --name "activation-cached-first" --timeout "600s" --activate "$config" --db "$db_path" --upload -- /run/current-system/sw/bin/systemctl is-active sshd) || return 1
760    check_needles "$out" "^active$" || return 1
761
762    # second run: same config + db, no upload. must realize the recorded toplevel
763    # from the cache instead of rebuilding, and the cached system must come up.
764    out=$(run_vm --name "activation-cached-second" --timeout "300s" --activate "$config" --db "$db_path" -- /run/current-system/sw/bin/systemctl is-active sshd) || return 1
765
766    check_needles "$out" "realizing cached NixOS config" "^active$" || return 1
767    echo "success: second run realized the cached NixOS config from the cache and sshd came up"
768}
769
770test_alpine() {
771    local hello_path
772    hello_path=$(nix-build -E 'with import <nixpkgs> {}; hello' --no-out-link)
773
774    local out
775    out=$(run_vm --spec "$ALPINE_IMAGE_SPEC_JSON" --name "alpine" --timeout "180s" --no-cache -- /bin/sh -lc '
776set -eu
777export HOME=/workspace
778hello_path=$1
779echo "release=$(cat /etc/alpine-release)"
780echo "user=$(id -un)"
781git version
782bash -c "echo bash=\$BASH_VERSION"
783touch /workspace/write-test
784echo "workspace writable"
785git ls-remote https://tangled.org/@tangled.org/core HEAD >/dev/null
786echo "git over https ok"
787apk add make
788echo "apk ok"
789# substitute a real package from cache.nixos.org over HTTPS and run it
790nix-store --realise "$hello_path" >/dev/null
791echo "ran=$("$hello_path/bin/hello")"
792' sh "$hello_path") || return 1
793
794    check_needles "$out" \
795        "release=" "user=spindle-workflow" "git version" "bash=" \
796        "workspace writable" "git over https ok" "apk ok" "ran=Hello, world!" || return 1
797    echo "success: alpine guest booted, ran as workflow user, wrote workspace, cloned + installed over the network, and substituted+ran a package from cache.nixos.org over HTTPS"
798}
799
800# asserts a store path's narinfo shows up in the local cache, retrying briefly
801# since the post-build-hook enqueues uploads asynchronously.
802cache_has_path() {
803    local path="$1"
804    local hash
805    hash=$(basename "$path" | cut -d'-' -f1)
806    local i
807    for i in $(seq 1 20); do
808        if curl -s -f "$CACHE_URL/${hash}.narinfo" > /dev/null; then
809            return 0
810        fi
811        sleep 0.5
812    done
813    return 1
814}
815
816test_alpine_nix() {
817    local test_store_path
818    test_store_path=$(nix-build -E 'with import <nixpkgs> {}; writeText "alpine-nix-test" "hello from cache to alpine"' --no-out-link)
819    nix copy --to "$CACHE_UPLOAD_URL?secret-key=$CACHE_SECRET_KEY_PATH" "$test_store_path"
820
821    # exercise the full local-cache path: daemon connectivity, substitution,
822    # store-db queries, and a build via *both* the classic (nix-build) and the
823    # new flakes/nix-command (nix build) frontends. the two build derivations
824    # use distinct names so we can confirm each got uploaded back to the cache.
825    local out
826    out=$(run_vm --spec "$ALPINE_IMAGE_SPEC_JSON" --name "alpine-nix" --timeout "180s" --upload -- /bin/sh -lc '
827set -eu
828export HOME=/workspace
829store_path=$1
830
831echo "nix_version=$(nix --version | head -n1)"
832{ nix store info >/dev/null 2>&1 || nix store ping >/dev/null 2>&1; } && echo "daemon=ok"
833
834# substitute a path from the cache and query the store db about it
835nix-store --realise "$store_path" >/dev/null
836echo "substituted=$(cat "$store_path")"
837echo "requisites=$(nix-store --query --requisites "$store_path" | wc -l | tr -d " ")"
838nix path-info --json "$store_path" >/dev/null && echo "path_info=ok"
839
840# build via the new CLI; the substituted path is declared as a real input
841# (builtins.storePath) so nix must realise it into the build sandbox first.
842# heredoc is unquoted (the outer guest script is single-quoted, so a quoted
843# delimiter would close it), hence \$ escapes what nix/the builder must expand.
844export DEP="$store_path"
845cat > /workspace/new.nix <<NIXEOF
846let dep = builtins.storePath (builtins.getEnv "DEP"); in
847derivation {
848  name = "alpine-nix-build-new";
849  system = "x86_64-linux";
850  builder = "/bin/sh";
851  # the sandbox only provides the sh builtin shell (no coreutils in PATH), so
852  # stick to builtins: the build only succeeds if nix realised the declared
853  # storePath dependency into the sandbox, where [ -r ] can see it.
854  args = [ "-c" "[ -r \${dep} ] && echo via-nix-build-with-dep > \$out" ];
855}
856NIXEOF
857new_path=$(nix build --impure --file /workspace/new.nix --no-link --print-out-paths)
858echo "new_path=$new_path"
859echo "new_content=$(tr "\n" "|" < "$new_path")"
860
861# build via the classic CLI
862cat > /workspace/old.nix <<NIXEOF
863derivation {
864  name = "alpine-nix-build-old";
865  system = "x86_64-linux";
866  builder = "/bin/sh";
867  args = [ "-c" "echo built-on-alpine > \$out" ];
868}
869NIXEOF
870old_path=$(nix-build /workspace/old.nix --no-out-link)
871echo "old_path=$old_path"
872' sh "$test_store_path") || return 1
873
874    check_needles "$out" \
875        "daemon=ok" "substituted=hello from cache to alpine" "path_info=ok" \
876        "requisites=[1-9][0-9]*" "new_content=via-nix-build-with-dep" || return 1
877
878    local clean new_path old_path
879    clean=$(echo "$out" | strip_ansi)
880    new_path=$(echo "$clean" | grep -o 'new_path=/nix/store/[a-z0-9]*-alpine-nix-build-new' | cut -d= -f2)
881    old_path=$(echo "$clean" | grep -o 'old_path=/nix/store/[a-z0-9]*-alpine-nix-build-old' | cut -d= -f2)
882    if [ -z "$new_path" ] || [ -z "$old_path" ]; then
883        echo "error: could not extract both built store paths from alpine guest output" >&2
884        return 1
885    fi
886    if ! cache_has_path "$new_path"; then
887        echo "error: nix-build (new CLI) output was not uploaded to the cache" >&2
888        return 1
889    fi
890    if ! cache_has_path "$old_path"; then
891        echo "error: nix-build (classic CLI) output was not uploaded to the cache" >&2
892        return 1
893    fi
894    echo "success: alpine guest substituted, queried the store db, built via both CLIs, and uploaded both outputs"
895}
896
897TESTS=(
898    test_alpine
899    test_alpine_nix
900    test_realize
901    test_build_upload
902    test_ssh_store_upload
903    test_networking
904    test_substitution_and_no_upload
905    test_activation_services
906    test_activation_dependencies
907    test_activation_registry_pin
908    test_activation_cache_substitution
909    test_activation_docker
910    test_activation_cached_realize
911)
912
913log "running ${#TESTS[@]} tests"
914if ! run_tests; then
915    exit 1
916fi
917
918SUCCESS=1
919log "passed!!"
Configure Feed

Configure Feed
