Our more thorough parametrised tests uncovered that with the changes for
supporting DynamicUser, we now have the situation that for static users
the root directory within the confined environment is now writable for
the user in question.
This is obviously not what we want and I'd consider that a regression.
However while discussing this with @ju1m and my suggestion being to
set TemporaryFileSystem to "/" (as we had previously), they had an even
better idea[1]:
> The goal is to deny write access to / to non-root users,
>
> * TemporaryFileSystem=/ gives us that through the ownership of / by
> root (instead of the service's user inherited from
> RuntimeDirectory=).
> * ProtectSystem=strict gives us that by mounting / read-only (while
> keeping its ownership to the service's user).
>
> To avoid the incompatibilities of TemporaryFileSystem=/ mentioned
> above, I suggest to mount / read-only in all cases with
> ReadOnlyPaths = [ "+/" ]:
>
> ...
>
> I guess this would require at least two changes to the current tests:
>
> 1. to no longer expect root to be able to write to some paths (like
> /bin) (at least not without first remounting / in read-write
> mode).
> 2. to no longer expect non-root users to fail to write to certain
> paths with a "permission denied" error code, but with a
> "read-only file system" error code.
I like the solution with ReadOnlyPaths even more because it further
reduces the attack surface if the user is root. In chroot-only mode this
is especially useful, since if there are no other bind-mounted paths
involved in the unit configuration, the whole file system within the
confined environment is read-only.
[1]: https://github.com/NixOS/nixpkgs/pull/289593#discussion_r1586794215
Signed-off-by: aszlig <aszlig@nix.build>
This is to make sure that we test all of the DynamicUser/User/Group and
PrivateTmp options in a uniform way. The reason why we need to do this
is because we recently introduced support for the DynamicUser option and
since there are some corner cases where we might end up with more
elevated privileges (eg. writable directories in some cases), we want to
make sure that the environment is as restrictive as with a static
User/Group assignment.
I also removed various checks that try to os.chown(), since with our new
recursive checker those are redundant.
Signed-off-by: aszlig <aszlig@nix.build>
So far the architecture for the tests was that we would use a systemd
socket unit using the Accept option to start a small shell process where
we can pipe commands into by connecting to the socket created by the
socket unit.
This is unnecessary since we can directly use the code snippets from the
individual subtests and systemd will take care of checking the return
code in case we get any assertions[^1].
Another advantage of this is that tests now run in parallel, so we can
do rather expensive things such as looking in /nix to see whether
anything is writable.
The new assert_permissions() function is the main driver behind this and
allows for a more fine-grained way to check whether we got the right
permissions whilst also ignoring irrelevant things such as read-only
empty directories.
Our previous approach also just did a read-only check, which might be
fine in full-apivfs mode where the attack surface already is large, but
in chroot-only mode we really want to make sure nothing is every
writable.
A downside of the new approach is that currently the unit names are
numbered via lib.imap1, which makes it annoying to track its definition.
[^1]: Speaking of assertions, I wrapped the code to be run with pytest's
assertion rewriting, so that we get more useful AssertionErrors.
Signed-off-by: aszlig <aszlig@nix.build>
When experimenting on ways how to refactor the test, I wrote a
significant enough amount of Python to warrant a dedicated Python file.
This commit is mainly to prepare for that and make it easier to track
renames.
Signed-off-by: aszlig <aszlig@nix.build>
The reason why I originally used the "description" attribute was that it
can be easily used to parametrise the tests so that we can specify
common constraints and apply it across a number of different
configurations.
When porting the tests to Python, the description attribute was replaced
by inlining it into the Python code, most probably because it was easier
to do in bulk since using Nix to generate the subtest parts would be
very complicated to do since we also had to please Black (a Python code
formatter that we no longer use in test scripts).
Since we now also want to support DynamicUser in systemd-confinement,
the need to parametrise the tests became apparent again because it's now
easier to refactor our subtests to run both with *and* without
DynamicUser set to true.
Signed-off-by: aszlig <aszlig@nix.build>
Eelco has made several early contributions to NixOS including writing
the samba module among other things, but is more or less inactive these
days.
By my brief inspection, he has not committed to the nixos/ tree since
releasing Nix 2.13 in early 2023 and merging a PR to networking tests
slightly before that. A lot of these tests/modules are actually
unmaintained in practice, so we should update the code to reflect the
practical reality so someone can consider picking them up.
Depending on the startup order of the two machines it might take a few
moments to get both zones transfered, which can lead to SERVFAIL
responses on busy machines.
`nixosTests.misc` is an interesting smoketest as a last (cheap) line of
defense against Nix regressions.
We rework it to accept any arbitrary package manager for Lix.
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
The kernel used on aarch64-linux is built with CONFIG_BLK_DEV_LOOP=y,
so the test previously did not work on aarch64-linux.
The module for Hybla congestion control is available as a loadable
module both on x86_64-linux and aarch64-linux.
This adds an implementation of switch-to-configuration that allows for
closer interaction with the lifecycle of systemd units by using DBus
APIs directly instead of using systemctl. It is disabled by default, but
can be enabled by specifying `{ system.switch = { enable = false; enableNg = true; }; }`.
The change introduced in #308303 refers to the virtualHosts attrset
key which can be any string. The servername is the actual primary
hostname used for the certificate.
This fixes use cases like:
services.nginx.virualHosts.foobar.serverName = "my.fqdn.org";
This is a feature supported out of the box by upstream and allows the
incusd service to be restarted without impacting running
instances. While this does give up a bit of reproducibility, qemu and
lxc for example, there are clear benefits in allowing the host to
apply updates without impacting instances.
Modeled after the zabbly implementation: 2a67c3e260/systemd/incus-startup.service
This will now be the default.
In accordance to the upstream release cycle, we now provide 2 flavours
of the percona mysql ecosystem. The default is the LTS variant,
additionally there is now the floating `percona-server_innovation`
always pointing to the most recent regular release.
- mentioned in release notes
- adapted all depending tests and tools (xtrabackup)
This release belongs to the "innovation" release track of Percona,
making it likely to diverge over time from the LTS release. Hence I just
created a separate packaging expression for this.
Motivation: Allow the sshd package to be built differently to the ssh
package (programs.ssh.package). For example, build sshd(1) without
openssl, but built ssh(1) with OpenSSL support.
Set the default to be programs.ssh.package, to preserve compatibility.
https://github.com/kanidm/kanidm/releases/tag/v1.2.0
Added updatescript, and removed Cargo.lock as no more git deps.
New release process documented here:
a67d1f5160/book/src/support.md
Re-ordered test and removed anonymous login as logout no longer works:
[info]: Ignoring request to logout session - these sessions are not recorded
Notes:
- barf went into contrib/ and officially unsupported.
- verify was removed entirely.
- the makefile is a bit smarter now and doesn't require many
of the previous workarounds.
I am deeply saddened at the fact that I need to do this. I have no
interest in re-litigating everything that has happened over the past
weeks and months, but I want to make my position(s) extremely clear:
The thought of any of my work contributing to someone's death by drone
makes me feel physically ill.
Recent communications from senior members of the NixOS community have
made it clear that leadership is unaware or uninterested in the basics
of how to run and moderate a community in a way that is resilient to bad
actors. The recent post by @edolstra is tone-deaf and gives me no
confidence that the Nix/NixOS community is a place that I want to remain
involved in going forward. I am thus choosing to remove myself from such
a community.
I also hereby resign from the ACME team.
See also: #307033
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
This was achieved using the following command:
sd 'wrapGAppsHook\b' wrapGAppsHook3 (rg -l 'wrapGAppsHook\b')
And then manually reverted the following changes:
- alias in top-level.nix
- function name in wrap-gapps-hook.sh
- comment in postFixup of at-spi2-core
- comment in gtk4
- comment in preFixup of 1password-gui/linux.nix
- comment in postFixup of qgis/unwrapped-ltr.nix and qgis/unwrapped.nix
- comment in postFixup of telegram-desktop
- comment in postFixup of fwupd
- buildCommand of mongodb-compass
- postFixup of xflux-gui
- comment in a patch in kdePackages.kde-gtk-config and plasma5Packages.kde-gtk-config
- description of programs.sway.wrapperFeatures.gtk NixOS option (manual rebuild)
This fixes an issue with the test where olcDbDirectory must be a
subdirectory of /var/lib/openldap, but is not configured as such, so the
test fails.
All other tests pass properly.
This test renames server_allowedusers to server-allowed-users.
As a side-effect, since IPs are allocated to machines in alphabetical order,
the IP assigned to server-lazy-socket changed, so the corresponding test had
its IP updated.
Was previously broken due to a missing runtime dependency.
> Error: Failed to start device "vtpm": Failed to validate environment: Required tool 'swtpm' is missing
Without the change the eval fails as:
$ nix build --no-link -f. redlib.tests
error: attribute 'redlib' missing
at pkgs/by-name/re/redlib/package.nix:50:26:
49| passthru.tests = {
50| inherit (nixosTests) redlib;
| ^
51| };
Did you mean redis?
In the replacement arg of gsub() the & symbol is a special character
that need to be escaped. To avoid this, and further issues due to the
variable name possibly being interpreted as a regex, we do a normal
substring replacement.
This fixes issues #279803.
postgresql14Packages.promscale_extension breaks with:
Error:
0: `pgx-0.6.1` shouldn't be used with `cargo-pgx-0.7.4`,
please use `pgx = "~0.7.4"` in your `Cargo.toml`.
However, pinning cargo-pgx to 0_6_1 via the following
buildPgxExtension.override { cargo-pgx = cargo-pgx_0_6_1; }
does not work either, because the build then fails with:
thread 'main' panicked at /build/promscale_extension-0.8.0-vendor.tar.gz/proc-macro2/src/fallback.rs:756:9:
"__mbstate_t_union_(unnamed_at_/nix/store/ij144ma6vs8acil8r9hgr8xkb1dp9azg-glibc-2_39-5-dev/include/bits/types/__mbstate_t_h_16_3)" is not a valid Ident
This seems to be related to [1], which indicates that this is a
problem with newer LLVM / clang toolchains.
At the same time th upstream package is deprecated / archived since
the 2nd of April 2024 [2]. Additionally this package is unfree and
thus very unlikely to be forked. Since we can't expect this to be
fixed, the only sensible thing to do is to remove the package.
[1]: https://github.com/rust-lang/rust-bindgen/issues/2312
[2]: https://github.com/timescale/promscale/issues/1836
Prior to this patch, FreshRSS fails to load with an initial
`authType = "none"` setting, instead providing an error:
"Error during context user init!"
To fix this, this patch changes the freshrss-config service to
setup the initial `defaultUser` when `authType = "none"`
is configured.
This allows us to set things like dependencies in a way that we can
catch typos at eval time.
So instead of
```nix
systemd.services.foo.wants = [ "bar.service" ];
```
we can write
```nix
systemd.services.foo.wants = [ config.systemd.services.bar.name ];
```
which will throw an error if no such service has been defined.
Not all cases can be done like this (eg template services), but in a lot
of cases this will allow to avoid typos.
There is a matching option on the unit option
(`systemd.units."foo.service".name`) as well.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
Instead of only testing the runner registration, which doesn't tell us
all that much, we now test a (very simple) but actual workflow directly
runner on the host (type `:host`).
For this to work, we cache the official `actions/checkout` action from
GitHub as FOD and essentially mirror one version of it to Forgejo as
part of the test.
Since Forgejo does not yet provide an API endpoint for the workflow status
(whether a workflow is running, failed or successful), we have to resort
to parsing html for now.
It has some rather over the top poll logic, but I feel like will work
for quite some time without issues going unnoticed or whatever (TM).
This is essentially a response to a bug I found in
`services.gitea-actions-runner`, because we had no way to test that
module besides the runner registration (which, again, doesn't really
tell us all that much).
We inherited almost all of this test from `nixos/tests/gitea` when we
decided to split.
This change saves some resources (just 2 instead of 3 VMs) and is (IMHO)
easier to follow and improve upon.
new versions of akkoma require the upload base url to be specified in
order for updates to work properly.
this will be a breaking change in 24.05, but for now a reasonable
default is set.
Changed
- Connection identifier is now included in the error log if we can't forward a
- seqno request.
- Garbage collection time for source entries has been increased from 5 to 30 minutes
- for now.
- The router implementation has been changed to use regular locks instead of an
- always readable concurrency primitive for all but the actual routing table. This
- should reduce the memory consumption a bit.
- Public key and shared secret for a destination are now saved on the router, instead
- of maintaining a separate mapping for them. This slightly reduces memory consumption
- of the router, and ensures stale data is properly cleaned up when all routes to
- a subnet are removed.
- Hello packets now set the interval in which the next Hello will be sent properly
- in centiseconds.
- IHU packets now set the interval properly in centiseconds.
- IHU packets now set an RX cost. For now this is the link cost, in the future
- this will be set properly.
- Route expiration time is now calculated from the interval received in updates.
- Ip address derivation from public keys now uses the blake3 hash algorithm.
Fixed
- Don't try to forward seqno requests to a peer if we know its connection is dead.
Previously, it was not possible to run tests on an overridden derivation, because
the derivation under test was always pulled from pkgs.
With this change, the following will return the same test:
postgresql_jit.tests
and
(postgresql.override { jitSupport = true; }).tests
- use normal VM nodes for target, with some extra trickery
- rename preBootCommands to postBootCommands to match its actual intent
- rename VMs to installer and target, so they're not all called machine
- set platforms on non-UEFI tests properly
- add missing packages for systemd-boot test
- fix initrd secrets leaking into the store and having wrong paths
We forgot to set two version related ldflags in our packaging and this
should prevent this from going unnoticed again.
Further details are in dab7aa20ed.
this commit also does a tiny bit more, namely:
- removing unnecessary ping's to the hosts own ip
- and simplifying a few pieces of code like changing `{ inherit (pkgs) lib pkgs; };` to `{ inherit lib pkgs; };`
- new maxUploadSize option
- new dataDir option (with ReadWritePaths systemd support)
- admin page reports correct free disk space (instead of /nix/store)
- fix example configuration in documentation
- now podcast creation and file upload are tested during NixOS test
- move castopod from audio to web-apps folder
- verbose logging from the browser test
The main idea behind that was to be able to do more sophisticated
merging for stuff that goes into `postgresql.conf`:
`shared_preload_libraries` is a comma-separated list in a `types.str`
and thus not mergeable. With this change, the option accepts both a
comma-separated string xor a list of strings.
This can be implemented rather quick using `coercedTo` +
freeform modules. The interface still behaves equally, but it allows to
merge declarations for this option together.
One side-effect was that I had to change the `attrsOf (oneOf ...)` part into
a submodule to allow declaring options for certain things. While at it,
I decided to move `log_line_prefix` and `port` into this structure as
well.
Redis shards list must be consistent between Centrifugo nodes. Before
this change, NixOS tests were using invalid configurtaion since
shards[hash(ch)] may select different Redis shard instance on each
Centrifugo node. We don’t currently have any tests that exposed this
behavior though.
