If one of the certificates of the chain gets substituted from a binary
cache and the rest is generated locally it might turn out that we get
invalid certificates, which in turn cause tests using this module to
fail.
So let's set allowSubstitutes to false for all derivations that are
involved with certificate/key generation.
Signed-off-by: aszlig <aszlig@nix.build>
For now check that the default client config boots.
Ideas for the future:
- Expand on control via netcat
- Configure a circuit of nodes exercise various configs (e.g., check
that a client node can access a hidden www service). Needs setting up
authoritative directory servers &c.
This change adds NixOS tests for the MPD (Music Player Daemon) module.
Tests include:
- Playing audio locally using ALSA directly.
- Playing audio locally using PulseAudio (backed by ALSA).
- Playing audio from an external client.
- Rejecting an external client when it's not explicitly allowed (default configuration).
refs #41772
A script is used to create a project, and configure a jobset. This
jobset fetches a local file containing a trivial Nix expression. The
test script makes sure this derivation has been successfully built by
Hydra.
While building the container there are a few occasions where stdenvNoCC
is used underneath. During the last staging merge, some change now tries
to build texinfo during the test while building stdenvNoCC.
With this change, I'm adding stdenvNoCC to the closure to make sure that
even when we have future stdenv changes, it doesn't break (well, except
if we do have another variation like stdenvNoCC that overrides stdenv).
I haven't bisected the exact change, but I'd suspect that it could be
one of the commits in #39457.
This fixes the test and it no longer fails with the following error:
error: unable to download 'http://ftpmirror.gnu.org/texinfo/texinfo-6.5.tar.xz': Couldn't resolve host name (6)
builder for '/nix/store/r7sf1wjbnimwgnv276jh59nfnzw40x30-texinfo-6.5.tar.xz.drv' failed with exit code 1
cannot build derivation '/nix/store/5w1pv788ayi1wahyy76i90yqv96ai4h5-texinfo-6.5.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/cnsfkf0j5xmm14zzm5a3a66pz66gbc82-stdenv-linux.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/11kkhk57ic8kfd7g197sqwgd0pzqfjhl-nixos-system-foo-0-18.09pre-git.drv': 1 dependencies couldn't be built
error: build of '/nix/store/11kkhk57ic8kfd7g197sqwgd0pzqfjhl-nixos-system-foo-0-18.09pre-git.drv' failed
/run/current-system/sw/bin/nixos-container: failed to build initial container configuration
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @aristidb, @edolstra, @chaoflow, @kampfschlaefer
BIND doesn't allow the options section (or any section I'd guess) to be
defined more than once, so whenever you want to set an additional option
you're stuck using weird hacks like this:
services.bind.forwarders = lib.mkForce [ "}; empty-zones-enable no; #" ];
This basically exploits the fact that values coming from the module
options aren't escaped and thus works in a similar vain to how SQL
injection works.
Another option would be to just set configFile to a file that includes
all the options, including zones. That obviously makes the configuration
way less extensible and more awkward to use with the module system.
To make sure this change does work correctly I added a small test just
for that. The test could use some improvements, but better to have a
test rather than none at all. For a future improvement the test could be
merged with the NSD test, because both use the same zone file format.
This change has been reviewed in #40053 and after not getting any
opposition, I'm hereby adding this to master.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @peti, @edolstra
Closes: #40053
VMs were starving, many of the daemons were unable to complete their
tasks resulting in tests failures.
Turned off verbose output from k8s components as it consumes even more resources, and useful error messages actually drown in debug-clutter
1) Change start-type to ```notify``` when running MariaDB so that we don't have to busy-wait for the
socket to appear.
2) Do not manually create the directory under /run as we can get systemd to do
that for us. This opens up the possibility later for not having to launch as root.
`xsslock` (which was originally packaged in 6cb1d1aaaf)
is a simple screensaver which connects a given screen locker (e.g.
`i3lock`) with `logind`. Whenever `loginctl lock-sessions` is invoked
the locker will be used to lock the screen. This works with its power
management features (e.g. `lid switch`) as well, so the PC can be locked
automatically when the lid is closed.
The module can be used like this:
```
{
services.xserver.enable = true;
programs.xss-lock.enable = true;
programs.xss-lock.lockerCommand = "i3lock";
}
```
`statsd` is a daemon written in `node` to gather statistics over UDP.
The current test ensures that a port is open, but the basic
functionality isn't sufficiently tested.
This patch contains the following changes:
* Simplified port scanning (`waitForOpenPort` rather than `netcat` magic).
* Issue a TCP command to check the health of the `statsd` server.
* Simple script to check if `statsd` receives data over UDP and confirms
the basic functionality of the TCP interface on `8126` for admin
purposes.
In commit 17dd7bcd89 the systemd unit
generator now uses lndir instead of "ln -s", so we need to have lndir
available in the Nix store for the installer tests to be able to build
the units and thus the whole system.
This should fix the installer tests, although I have only tested it with
the "simple" subtest.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @jtojnar, @xeji, @edolstra
The original `nexus` derivation required `/run/sonatype-work/nexus3`
which explicitly depended on the NixOS path structure.
This would break `nexus` for everyone using `nixpkgs` on a non-NixOS
system, additionally the module never created `/run/sonatype-work`, so
the systemd unit created in `services.nexus` fails as well. The issue
wasn't actively known as the `nixos/nexus` test wasn't registered in
Hydra (see #40257).
This patch contains the following changes:
* Adds `tests.nexus` to `release.nix` to run the test on Hydra.
* Makes JVM parameters configurable: by default all JVM options were located
in `result/bin/nexus.vmoptions` which made it quite hard to patch
these parameters. Now it's possible to override all parameters by
running `VM_OPTS_FILE=custom-nexus.vmoptions ./result/bin/nexus run`
(after patching the `nexus` shell script), additionally it's possible
to override these parameters with `services.nexus.vmoptions`.
* Bumped Nexus from 3.5.1 to 3.11.0
* Run the `nexus` test on Hydra with `callTest` in `nixos/release.nix`,
furthermore the test checks if the UI is available on the specified
port.
* Added myself as maintainer for the NixOS test and the package to have
some more people in case of further breakage.
* Added sufficient disk space to the `nexus` test, otherwise the service
fails with the following errors:
```
com.orientechnologies.orient.core.exception.ODatabaseException: Cannot create database 'accesslog'
com.orientechnologies.orient.core.exception.OLowDiskSpaceException: Error occurred while executing
a write operation to database 'accesslog' due to limited free space on the disk (242 MB). The database
is now working in read-only mode. Please close the database (or stop OrientDB), make room on your hard
drive and then reopen the database. The minimal required space is 256 MB. Required space is now set to
256MB (you can change it by setting parameter storage.diskCache.diskFreeSpaceLimit) .
```
/cc @ironpinguin @xeji
This introduces an option that allows us to turn off stateful generation
of Diffie-Hellman parameters, which in some way is still "stateful" as
the generated DH params file is non-deterministic.
However what we can avoid with this is to have an increased surface for
failures during system startup, because generation of the parameters is
done during build-time.
Aside from adding a NixOS VM test it also restructures the type of the
security.dhparams.params option, so that it's a submodule.
A new defaultBitSize option is also there to allow users to set a
system-wide default.
I added a release notes entry that described what has changed and also
included a few notes for module developers using this module, as the
first usage already popped up in NixOS/nixpkgs#39507.
Thanks to @Ekleog and @abbradar for reviewing.
This allows to set the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).
Regardless for the use in testing, this also has an impact in production
systems if the owner wants to set all of them to a different size than
2048, they don't need to set it individually for every params that are
set.
I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.
Signed-off-by: aszlig <aszlig@nix.build>
When trying to run NSD to serve the root zone, one gets the following
error message:
error: illegal name: '.'
This is because the name of the zone is used as the derivation name for
building the zone file. However, Nix doesn't allow derivation names
starting with a period.
So whenever the zone is "." now, the file name generated is "root"
instead of ".".
I also added an assertion that makes sure the user sets
services.nsd.rootServer, otherwise NSD will fail at runtime because it
prevents serving the root zone without an explicit compile-time option.
Tested this by adding a root zone to the "nsd" NixOS VM test.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @hrdinka, @qknight
The following changes have been applied:
- the property `http.headers.X-Content-Type-Options` must a list of
strings rather than a serialized list
- instead of `/etc/docker/registry/config.yml` the configuration will be
written with `pkgs.writeText` and the store path will be used to run
the registry. This reduces the risk of possible impurities by relying
on the Nix store only.
- cleaned up the property paths to easy readability and reduce the
verbosity.
- enhanced the testcase to ensure that digests can be deleted as well
- the `services.docker-registry.extraConfig` object will be merged with
`registryConfig`
/cc @ironpinguin
Some time ago I fixed the broken package `osquery` (see #39336).
I had to test the package manually by starting the daemon locally,
however this doesn't ensure that the module is still functional.
In order to cover the package *and* the integration with the NixOS
module I thought that adding a testcase might be the best idea.
The current testcase does the following things:
* Starts an `osqueryd` service in a test machine with customized logger
path and PID file
* Ensures that the `osqueryd.service` unit is running
* Checks if the customized flags (`pidfile`, `logger_path`) are applied
to `osquery`.
* Performs a simple test query against the `etc_hosts` database to check
if the basic funcitonality of `osquery` (storing system information into
a database) works fine.
The usb_add and usb_del monitor commands have been removed in QEMU
version 2.12 (introduced in 3e3b39f173).
Quote from https://wiki.qemu.org/ChangeLog/2.12#Incompatible_changes:
> The deprecated HMP commands "usb_add" and "usb_del" have been removed.
> Use "device_add" and "device_del" as replacement instead.
So we're doing exactly that and the udisks2 test now works again.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @edolstra
I'm not sure why 024b501907 used -q 0
because even netcat-openbsd has the -N flag which IMO is the better way
to shutdown the socket on EOF.
Our default netcat implementation has changed once again[1] in
3c3b82234a and we're now using LibreSSL's
implementation, which doesn't have a -q flag.
See https://github.com/NixOS/nixpkgs/pull/39634 for the pull request
introducing the switch.
[1]: https://github.com/NixOS/nixpkgs/pull/19982
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @matthewbauer, @dtzWill, @Mic92
The Nix expression here is really hard to read with multiple (and
unnecessarily) nested lets and it also generates attribute names based
on the derivation generated by makeTest, which will result in these
attribute names:
* vm-test-run-predictableInterfaceNames
* vm-test-run-predictableInterfaceNames-with-networkd
* vm-test-run-unpredictableInterfaceNames
* vm-test-run-unpredictableInterfaceNames-with-networkd
With the refactor the attribute names are now:
* predictable
* predictableNetworkd
* unpredictable
* unpredictableNetworkd
So now the code is even shorter and IMHO slightly more readable.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @symphorien, @fpletz, @adisbladis
This is a very very very ugly workaround and it's because Chromium seems
to eat keystroke for a few seconds after a new window is created.
I haven't found a better solution yet, so let's at least unbreak the
test until we come up with a better way.
Thanks to @vcunat for bringing this to my attention and also doing the
initial bisect.
The change that brought up this problem was 2b29e40153,
which updated Chromium from version 65.0.3325.181 to version
66.0.3359.117. Unfortunately the upstream changelog[1] is way too large
to actually guess what the breaking change is.
[1]: https://chromium.googlesource.com/chromium/src/+log/65.0.3325.181..66.0.3359.117?pretty=fuller&n=10000
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @bendlas, @vcunat
This option allows us to turn off stateful generation of Diffie-Hellman
parameters, which in some way is still stateful as the generated DH
params file is non-deterministic.
However what we can avoid with this is to have an increased surface for
failures during system startup, because generation of the parameters is
done during build-time.
Another advantage of this is that we no longer need to take care of
cleaning up the files that are no longer used and in my humble opinion I
would have preferred that #11505 (which puts the dhparams in the Nix
store) would have been merged instead of #22634 (which we have now).
Luckily we can still change that and this change gives the user the
option to put the dhparams into the Nix store.
Beside of the more obvious advantages pointed out here, this also
effects test runtime if more services are starting to use this (for
example see #39507 and #39288), because generating DH params could take
a long time depending on the bit size which adds up to test runtime.
If we generate the DH params in a separate derivation, subsequent test
runs won't need to wait for DH params generation during bootup.
Of course, tests could still mock this by force-disabling the service
and adding a service or activation script that places pre-generated DH
params in /var/lib/dhparams but this would make tests less readable and
the workaround would have to be made for each test affected.
Note that the 'stateful' option is still true by default so that we are
backwards-compatible with existing systems.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog, @abbradar, @fpletz
We're going to implement an option which allows us to turn off stateful
handling of Diffie-Hellman parameter files by putting them into the Nix
store.
However, modules now might need a way to reference these files, so we
add a now path option to every param specified, which carries a
read-only value of the path where to find the corresponding DH params
file.
I've also improved the description of security.dhparams.params a bit so
that it uses <warning/> and <note/>.
The NixOS VM test also reflects this change and checks whether the old
way to specify the bit size still works.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
We're going to make changes to the dhparams module so we really want to
make sure we don't break it, so having a NixOS VM test is to make sure
we don't blow things up and can iterate on it.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog