From 1224368495429216cac2418225e0f46c6f8acbe4 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Fri, 7 Oct 2022 11:40:33 +0200 Subject: [PATCH 1/3] nixosTests.nscd: init, move DynamicUser test into there nixosTests.systemd is quite heavy, it requires a full graphical system, which is quite a big of a rebuild if the only thing you want to test is whether dynamic users work. This is now moved to an `nscd` test, which tests various NSS lookups, making extra sure that the nscd path is tested, not the fallback path (by hiding /etc/nsswitch.conf and /etc/hosts for getent). nixosTests.resolv is removed. It didn't check for reverse lookups, didn't catch nscd breaking halfway in between, and also had an ambiguous reverse lookup - 192.0.2.1 could either reverse lookup to host-ipv4.example.net, or host-dual.example.net. --- nixos/tests/all-tests.nix | 2 +- nixos/tests/nscd.nix | 93 +++++++++++++++++++++++++++++++++++++++ nixos/tests/resolv.nix | 46 ------------------- nixos/tests/systemd.nix | 6 --- 4 files changed, 94 insertions(+), 53 deletions(-) create mode 100644 nixos/tests/nscd.nix delete mode 100644 nixos/tests/resolv.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 131936a87c37e..9b573a13d309a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -440,6 +440,7 @@ in { non-default-filesystems = handleTest ./non-default-filesystems.nix {}; noto-fonts = handleTest ./noto-fonts.nix {}; novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {}; + nscd = handleTest ./nscd.nix {}; nsd = handleTest ./nsd.nix {}; nzbget = handleTest ./nzbget.nix {}; nzbhydra2 = handleTest ./nzbhydra2.nix {}; @@ -529,7 +530,6 @@ in { rasdaemon = handleTest ./rasdaemon.nix {}; redis = handleTest ./redis.nix {}; redmine = handleTest ./redmine.nix {}; - resolv = handleTest ./resolv.nix {}; restartByActivationScript = handleTest ./restart-by-activation-script.nix {}; restic = handleTest ./restic.nix {}; retroarch = handleTest ./retroarch.nix {}; 
diff --git a/nixos/tests/nscd.nix b/nixos/tests/nscd.nix
new file mode 100644
index 0000000000000..f9c9fb10e0bd5
--- /dev/null
+++ b/nixos/tests/nscd.nix
@@ -0,0 +1,93 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+ # build a getent that itself doesn't see anything in /etc/hosts and
+ # /etc/nsswitch.conf, by using libredirect to steer its own requests to
+ # /dev/null.
+ # This means is /has/ to go via nscd to actuallly resolve any of the
+ # additionally configured hosts.
+ getent' = pkgs.writeScript "getent-without-etc-hosts" ''
+ export NIX_REDIRECTS=/etc/hosts=/dev/null:/etc/nsswitch.conf=/dev/null
+ export LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so
+ exec getent $@
+ '';
+in
+{
+ name = "nscd";
+
+ nodes.machine = { lib, ... }: {
+ imports = [ common/user-account.nix ];
+ networking.extraHosts = ''
+ 2001:db8::1 somehost.test
+ 192.0.2.1 somehost.test
+ '';
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("default.target")
+
+ # Regression test for https://github.com/NixOS/nixpkgs/issues/50273
+ with subtest("DynamicUser actually allocates a user"):
+ assert "iamatest" in machine.succeed(
+ "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami"
+ )
+
+ # Test resolution of somehost.test with getent', to make sure we go via nscd
+ with subtest("host lookups via nscd"):
+ # ahosts
+ output = machine.succeed("${getent'} ahosts somehost.test")
+ assert "192.0.2.1" in output
+ assert "2001:db8::1" in output
+
+ # ahostsv4
+ output = machine.succeed("${getent'} ahostsv4 somehost.test")
+ assert "192.0.2.1" in output
+ assert "2001:db8::1" not in output
+
+ # ahostsv6
+ output = machine.succeed("${getent'} ahostsv6 somehost.test")
+ assert "192.0.2.1" not in output
+ assert "2001:db8::1" in output
+
+ # reverse lookups (hosts)
+ assert "somehost.test" in machine.succeed("${getent'} hosts 2001:db8::1")
+ assert "somehost.test" in machine.succeed("${getent'} hosts 192.0.2.1")
+
+
+ # Test host resolution via nss modules works
+ # We rely on nss-myhostname in this case, which resolves *.localhost and
+ # _gateway.
+ # We don't need to use getent' here, as non-glibc nss modules can only be
+ # discovered via nscd.
+ with subtest("nss-myhostname provides hostnames (ahosts)"):
+ # ahosts
+ output = machine.succeed("getent ahosts foobar.localhost")
+ assert "::1" in output
+ assert "127.0.0.1" in output
+
+ # ahostsv4
+ output = machine.succeed("getent ahostsv4 foobar.localhost")
+ assert "::1" not in output
+ assert "127.0.0.1" in output
+
+ # ahostsv6
+ output = machine.succeed("getent ahostsv6 foobar.localhost")
+ assert "::1" in output
+ assert "127.0.0.1" not in output
+
+ # ahosts
+ output = machine.succeed("getent ahosts _gateway")
+
+ # returns something like the following:
+ # 10.0.2.2 STREAM _gateway
+ # 10.0.2.2 DGRAM
+ # 10.0.2.2 RAW
+ # fe80::2 STREAM
+ # fe80::2 DGRAM
+ # fe80::2 RAW
+
+ # Verify we see both ip addresses
+ assert "10.0.2.2" in output
+ assert "fe80::2" in output
+ '';
+})
diff --git a/nixos/tests/resolv.nix b/nixos/tests/resolv.nix
deleted file mode 100644
index f0aa7e42aaf35..0000000000000
--- a/nixos/tests/resolv.nix
+++ /dev/null
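Review bot: The `getent'` wrapper is built with `pkgs.writeScript` and carries no `#!` line, and it forwards its arguments as an unquoted `$@`, so it presumably runs only because the calling shell falls back to interpreting a shebang-less file, and any argument with whitespace or glob characters would be re-split before reaching getent. I would build it with `pkgs.writeShellScript "getent-without-etc-hosts"` and end it with `exec getent "$@"`. Because the wrapper is what proves that lookups go through nscd instead of the in-process fallback, it deserves a comment saying that `LD_PRELOAD` and `NIX_REDIRECTS` affect only this one getent process and not the daemon. The comment above it also has two typos; it should read `# This means it /has/ to go via nscd to actually resolve any of the`.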
@@ -1,46 +0,0 @@
-# Test whether DNS resolving returns multiple records and all address families.
-import ./make-test-python.nix ({ pkgs, ... } : {
- name = "resolv";
- meta = with pkgs.lib.maintainers; {
- maintainers = [ ckauhaus ];
- };
-
- nodes.resolv = { ... }: {
- networking.extraHosts = ''
- # IPv4 only
- 192.0.2.1 host-ipv4.example.net
- 192.0.2.2 host-ipv4.example.net
- # IP6 only
- 2001:db8::2:1 host-ipv6.example.net
- 2001:db8::2:2 host-ipv6.example.net
- # dual stack
- 192.0.2.1 host-dual.example.net
- 192.0.2.2 host-dual.example.net
- 2001:db8::2:1 host-dual.example.net
- 2001:db8::2:2 host-dual.example.net
- '';
- };
-
- testScript = ''
- def addrs_in(hostname, addrs):
- res = resolv.succeed("getent ahosts {}".format(hostname))
- for addr in addrs:
- assert addr in res, "Expected output '{}' not found in\n{}".format(addr, res)
-
-
- start_all()
- resolv.wait_for_unit("nscd")
-
- ipv4 = ["192.0.2.1", "192.0.2.2"]
- ipv6 = ["2001:db8::2:1", "2001:db8::2:2"]
-
- with subtest("IPv4 resolves"):
- addrs_in("host-ipv4.example.net", ipv4)
-
- with subtest("IPv6 resolves"):
- addrs_in("host-ipv6.example.net", ipv6)
-
- with subtest("Dual stack resolves"):
- addrs_in("host-dual.example.net", ipv4 + ipv6)
- '';
-})
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 3317823e03f76..3c36291b733d2 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -87,12 +87,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.succeed("test -e /home/alice/user_conf_read") machine.succeed("test -z $(ls -1 /var/log/journal)") - # Regression test for https://github.com/NixOS/nixpkgs/issues/50273 - with subtest("DynamicUser actually allocates a user"): - assert "iamatest" in machine.succeed( - "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami" - ) - with subtest("regression test for https://bugs.freedesktop.org/show_bug.cgi?id=77507"): retcode, output = machine.execute("systemctl status testservice1.service") assert retcode in [0, 3] # https://bugs.freedesktop.org/show_bug.cgi?id=77507 From f08b8d6cfabc0ebd47c2ad90e7080619facc1106 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Mon, 10 Oct 2022 08:05:47 +0200 Subject: [PATCH 2/3] nixosTests.nscd: test unscd as well This shows that external nss module resolution is broken with unscd. --- nixos/tests/nscd.nix | 167 +++++++++++++++++++++++++------------------ 1 file changed, 98 insertions(+), 69 deletions(-) diff --git a/nixos/tests/nscd.nix b/nixos/tests/nscd.nix index f9c9fb10e0bd5..e3daf31f6dc18 100644 --- a/nixos/tests/nscd.nix +++ b/nixos/tests/nscd.nix 
@@ -14,80 +14,109 @@ in { name = "nscd"; - nodes.machine = { lib, ... }: { + nodes.machine = { pkgs, ... }: { imports = [ common/user-account.nix ]; networking.extraHosts = '' 2001:db8::1 somehost.test 192.0.2.1 somehost.test ''; + + specialisation = { + withUnscd.configuration = { ... }: { + services.nscd.package = pkgs.unscd; + }; + }; }; - testScript = '' - start_all() - machine.wait_for_unit("default.target") - - # Regression test for https://github.com/NixOS/nixpkgs/issues/50273 - with subtest("DynamicUser actually allocates a user"): - assert "iamatest" in machine.succeed( - "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami" - ) - - # Test resolution of somehost.test with getent', to make sure we go via nscd - with subtest("host lookups via nscd"): - # ahosts - output = machine.succeed("${getent'} ahosts somehost.test") - assert "192.0.2.1" in output - assert "2001:db8::1" in output - - # ahostsv4 - output = machine.succeed("${getent'} ahostsv4 somehost.test") - assert "192.0.2.1" in output - assert "2001:db8::1" not in output - - # ahostsv6 - output = machine.succeed("${getent'} ahostsv6 somehost.test") - assert "192.0.2.1" not in output - assert "2001:db8::1" in output - - # reverse lookups (hosts) - assert "somehost.test" in machine.succeed("${getent'} hosts 2001:db8::1") - assert "somehost.test" in machine.succeed("${getent'} hosts 192.0.2.1") - - - # Test host resolution via nss modules works - # We rely on nss-myhostname in this case, which resolves *.localhost and - # _gateway. - # We don't need to use getent' here, as non-glibc nss modules can only be - # discovered via nscd. 
- with subtest("nss-myhostname provides hostnames (ahosts)"): - # ahosts - output = machine.succeed("getent ahosts foobar.localhost") - assert "::1" in output - assert "127.0.0.1" in output - - # ahostsv4 - output = machine.succeed("getent ahostsv4 foobar.localhost") - assert "::1" not in output - assert "127.0.0.1" in output - - # ahostsv6 - output = machine.succeed("getent ahostsv6 foobar.localhost") - assert "::1" in output - assert "127.0.0.1" not in output - - # ahosts - output = machine.succeed("getent ahosts _gateway") - - # returns something like the following: - # 10.0.2.2 STREAM _gateway - # 10.0.2.2 DGRAM - # 10.0.2.2 RAW - # fe80::2 STREAM - # fe80::2 DGRAM - # fe80::2 RAW - - # Verify we see both ip addresses - assert "10.0.2.2" in output - assert "fe80::2" in output - ''; + testScript = { nodes, ... }: + let + specialisations = "${nodes.machine.system.build.toplevel}/specialisation"; + in + '' + # Regression test for https://github.com/NixOS/nixpkgs/issues/50273 + def test_dynamic_user(): + with subtest("DynamicUser actually allocates a user"): + assert "iamatest" in machine.succeed( + "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami" + ) + + # Test resolution of somehost.test with getent', to make sure we go via nscd + def test_host_lookups(): + with subtest("host lookups via nscd"): + # ahosts + output = machine.succeed("${getent'} ahosts somehost.test") + assert "192.0.2.1" in output + assert "2001:db8::1" in output + + # ahostsv4 + output = machine.succeed("${getent'} ahostsv4 somehost.test") + assert "192.0.2.1" in output + assert "2001:db8::1" not in output + + # ahostsv6 + output = machine.succeed("${getent'} ahostsv6 somehost.test") + assert "192.0.2.1" not in output + assert "2001:db8::1" in output + + # reverse lookups (hosts) + assert "somehost.test" in machine.succeed("${getent'} hosts 2001:db8::1") + assert "somehost.test" in machine.succeed("${getent'} hosts 192.0.2.1") + + # Test host 
resolution via nss modules works + # We rely on nss-myhostname in this case, which resolves *.localhost and + # _gateway. + # We don't need to use getent' here, as non-glibc nss modules can only be + # discovered via nscd. + def test_nss_myhostname(): + with subtest("nss-myhostname provides hostnames (ahosts)"): + # ahosts + output = machine.succeed("getent ahosts foobar.localhost") + assert "::1" in output + assert "127.0.0.1" in output + + # ahostsv4 + output = machine.succeed("getent ahostsv4 foobar.localhost") + assert "::1" not in output + assert "127.0.0.1" in output + + # ahostsv6 + output = machine.succeed("getent ahostsv6 foobar.localhost") + assert "::1" in output + assert "127.0.0.1" not in output + + # ahosts + output = machine.succeed("getent ahosts _gateway") + + # returns something like the following: + # 10.0.2.2 STREAM _gateway + # 10.0.2.2 DGRAM + # 10.0.2.2 RAW + # fe80::2 STREAM + # fe80::2 DGRAM + # fe80::2 RAW + + # Verify we see both ip addresses + assert "10.0.2.2" in output + assert "fe80::2" in output + + start_all() + machine.wait_for_unit("default.target") + + # Test all tests with glibc-nscd. + test_dynamic_user() + test_host_lookups() + test_nss_myhostname() + + with subtest("unscd"): + machine.succeed('${specialisations}/withUnscd/bin/switch-to-configuration test') + machine.wait_for_unit("default.target") + + # known to fail, unscd doesn't load external NSS modules + # test_dynamic_user() + + test_host_lookups() + + # known to fail, unscd doesn't load external NSS modules + # test_nss_myhostname() + ''; }) From dea764781475e72a97bf2bb31e8d791b275e4d49 Mon Sep 17 00:00:00 2001 
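Review bot: In the `unscd` subtest the script waits on `default.target` after `switch-to-configuration test`, but that target was already reached before the switch, so the wait most likely returns at once and nothing confirms that the daemon answering `test_host_lookups()` is the unscd one. Waiting on the service itself, `machine.wait_for_unit("nscd")` as the removed resolv test did, would at least tie the lookups to the unit under test. The two `known to fail` calls are commented out, so the run never demonstrates the breakage the commit message describes and will not notice when it is fixed. That gap matters because DynamicUser name resolution is the part that stops working under unscd. I would either assert the expected failure explicitly or mark the calls with a tracked comment such as `# TODO(<issue-url>): re-enable once unscd loads external NSS modules`.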
From: Florian Klink Date: Fri, 14 Oct 2022 11:26:48 +0200 Subject: [PATCH 3/3] nixosTests.nscd: drop _gateway lookups This has shown to be flaky in the VM test, at least when running on the aarch64 ofborg builder(s). I assume it's some flakyness in systemd-networkd not being fully up, or at least not up to the point that it properly replies to the _gateway request. This part of the test is supposed to test external (non-glibc) nss module lookup for the host database works, which is already sufficiently covered in the previous checks (for *.localhost). Drop these redundant checks. We're not integration-testing networkd here. --- nixos/tests/nscd.nix | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/nixos/tests/nscd.nix b/nixos/tests/nscd.nix index e3daf31f6dc18..7bb6d90c3d4e0 100644 --- a/nixos/tests/nscd.nix +++ b/nixos/tests/nscd.nix @@ -84,21 +84,6 @@ in assert "::1" in output assert "127.0.0.1" not in output - # ahosts - output = machine.succeed("getent ahosts _gateway") - - # returns something like the following: - # 10.0.2.2 STREAM _gateway - # 10.0.2.2 DGRAM - # 10.0.2.2 RAW - # fe80::2 STREAM - # fe80::2 DGRAM - # fe80::2 RAW - - # Verify we see both ip addresses - assert "10.0.2.2" in output - assert "fe80::2" in output - start_all() machine.wait_for_unit("default.target")