Files
shadow/docker-compose.yml
T
Pierre Warnier e29b06c461 e2e: add end-to-end deployment tests (#102)
Add automated deployment testing in Docker that simulates a real
system-wide installation: build from source, install replacing GNU
shadow-utils, then run 97 assertions covering:

- Symlink dispatch and multicall dispatch (all 14 tools)
- Setuid bits and non-root privilege enforcement
- Full user lifecycle (useradd → chpasswd → usermod → pwck → userdel)
- Full group lifecycle (groupadd → groupmod → groupdel → grpck)
- Individual tool tests (chage, chfn, chsh, passwd -l/-u)
- PAM authentication (su with known password via expect)
- nscd cache invalidation
- Landlock sandboxing (when kernel supports it)
- Ansible integration (user/group modules as real-world consumer)

New files:
- docker/Dockerfile.e2e — multi-stage build + debian:trixie runtime
- tests/e2e/deploy-test.sh — bash test harness with 97 assertions
- tests/e2e/ansible-test.yml — Ansible playbook integration test
- .dockerignore — prevent sending target/ and .git/ to Docker

Modified:
- docker-compose.yml — add e2e service (no changes to existing services)
- Cargo.toml — add pam feature forwarding to root package
- shadow-core/pam.rs — add #[link(name = "pam")] for linker

Closes #109, closes #110, closes #111, closes #112, closes #113
Refs #102
2026-04-03 13:22:55 +02:00

72 lines
1.9 KiB
YAML

# Usage:
# docker compose run --rm debian # shell on Debian Trixie
# docker compose run --rm debian cargo test
# docker compose run --rm alpine cargo test
# docker compose run --rm fedora cargo test
# docker compose up --build # build all images
# docker compose run --rm e2e # end-to-end deployment tests
# docker compose run --rm e2e bash # debug e2e interactively
#
# The cargo registry cache is shared across Debian/Alpine (same CARGO_HOME path).
# Fedora uses a separate cache (rustup installs to /root/.cargo).
# Each distro gets its own target dir (different libc/toolchain = different binaries).
x-common: &common
working_dir: /workspace
security_opt:
- seccomp:unconfined
cap_add:
- SYS_ADMIN
services:
debian:
<<: *common
build:
context: .
dockerfile: docker/Dockerfile.debian
volumes:
- .:/workspace
- cargo-cache:/usr/local/cargo/registry
- target-debian:/workspace/target
alpine:
<<: *common
build:
context: .
dockerfile: docker/Dockerfile.alpine
volumes:
- .:/workspace
- cargo-cache:/usr/local/cargo/registry
- target-alpine:/workspace/target
fedora:
<<: *common
build:
context: .
dockerfile: docker/Dockerfile.fedora
volumes:
- .:/workspace
- cargo-cache-fedora:/root/.cargo/registry
- target-fedora:/workspace/target
# End-to-end deployment test — self-contained, no shared volumes.
# Builds shadow-rs from source, installs system-wide, runs ~100 assertions.
e2e:
build:
context: .
dockerfile: docker/Dockerfile.e2e
security_opt:
- seccomp:unconfined
- "no-new-privileges:false"
cap_add:
- SYS_ADMIN
tmpfs:
- /tmp
volumes:
cargo-cache:
cargo-cache-fedora:
target-debian:
target-alpine:
target-fedora: