nixos/tests/incus: ensure sysctl rules apply successfully to lxc containers

    configuration = {

      # Building documentation makes the test unnecessarily take a longer time:

      documentation.enable = lib.mkForce false;

      boot.kernel.sysctl."net.ipv4.ip_forward" = "1";

    } // extra;

  };

        with machine.nested("Waiting for instance to start and be usable"):

          retry(instance_is_up)

    def check_sysctl(instance):

        with subtest("systemd sysctl settings are applied"):

            machine.succeed(f"incus exec {instance} -- systemctl status systemd-sysctl")

            sysctl = machine.succeed(f"incus exec {instance} -- sysctl net.ipv4.ip_forward").strip().split(" ")[-1]

            assert "1" == sysctl, f"systemd-sysctl configuration not correctly applied, {sysctl} != 1"

    machine.wait_for_unit("incus.service")

    # no preseed should mean no service

    with subtest("lxc-container generator configures plain container"):

        # reuse the existing container to save some time

        machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")

        check_sysctl("container")

    with subtest("lxc-container generator configures nested container"):

        machine.execute("incus delete --force container")

        target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip()

        assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service"

        check_sysctl("container")

    with subtest("lxc-container generator configures privileged container"):

        machine.execute("incus delete --force container")

        machine.succeed("incus launch nixos container --config security.privileged=true")

          retry(instance_is_up)

        machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf")

        check_sysctl("container")

  '';

})