We can perform most of the mkdir/ln/rm using systemd-tmpfiles
instead which cleans up the script.
/bin and /home are created by their activation script snippets
usbfs is deprecated and unused.
hwclock seems to be automatically executed by systemd on startup.
The mkswap to prevent hibernation cycles seems to be executed by systemd
as well since the provided regression tests succeeds.
This patch allows creation of files like
/etc/systemd/system/user-.slice.d/limits.conf with
systemd.units."user-.slice.d/limits.conf" = {
text = ''
[Slice]
CPUAccounting=yes
CPUQuota=50%
'';
};
which previously threw an error
Also renames the systemd-unit-path test to sytsemd-misc, and extends it to
test that `systemd.units` can handle directories. In this case we make
sure that resource limits specified in user slices apply.
The tests complained:
/nix/store/nm3nf5y4hzgmy00lw5s6ls68j38y84y0-gjs-1.72.0-installedTests/libexec/installed-tests/gjs/scripts/testCommandLineModules.sh: line 90: gjs-console: command not found
But they still passed.
* nixos/earlyoom: bring the module up to date
Removes deprecated option `ignoreOOMScoreAdjust`, introduces `killHook`
as a replacement for `notificationsCommand`, and adds an `extraArgs`
option for things not covered by the module.
* nixos/earlyoom: add nixos test
* nixos/earlyoom: add reportInterval
Allows setting the interval for logging a memory report. Defaults to
3600 following upstream
(https://github.com/rfjakob/earlyoom/blob/master/earlyoom.default#L5)
to avoid flooding logs.
* nixos/earlyoom: add free{Mem,Swap}KillThreshold
Fixes https://github.com/NixOS/nixpkgs/issues/83504
In https://github.com/NixOS/nixpkgs/pull/142747, the implementation
behind Machine.execute() has been changed to pipe all the command's
output into base64 on the guest machine.
Unfortunately this means that base64 is blocking until stdout is closed,
which in turn means that we now need to make sure that whenever we run a
program in background via "&" we also need to make sure to close stdout,
which we do by redirecting stdout to stderr.
Signed-off-by: aszlig <aszlig@nix.build>
some change in the last 24 hours altered the behaviour of st such that
it now dies with a non-zero exit code when the shell exits, so kill is
now necessary
It was originally impossible to login in toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
it's really easy to accidentally write the wrong systemd Exec* directive, ones
that works most of the time but fails when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
The cntr sometimes hangs until the 10-hour hydra limit. This behaviour
appears to be an edge-case related to the type of TTY in which the cntr
command runs during test execution. We can work around this by running
the command as a background job.
I additionally added a wait_for_open_port to fix nondeterministic test
failures I observed after fixing the hanging issue.
In issue #157787 @martined wrote:
Trying to use confinement on packages providing their systemd units
with systemd.packages, for example mpd, fails with the following
error:
system-units> ln: failed to create symbolic link
'/nix/store/...-system-units/mpd.service': File exists
This is because systemd-confinement and mpd both provide a mpd.service
file through systemd.packages. (mpd got updated that way recently to
use upstream's service file)
To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.
This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:
* The systemd-confinement module already sets additional options via
systemd.services and thus we should get a main unit file
* In the unlikely event that we don't get a main unit file regardless
of the previous point, the unit would be a no-op even if the options
of the drop-in directory would apply
Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.
Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.
Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
Currently the test-watch.service gets started in a loop as long as
/testpath exists, so `rm /testpath /testpath-modified` runs into a race
condition where if the service was just getting activated, it will
create /testpath-modified and make the test fail.
This is fixed by making the service RemainAfterExit so that it only
starts once, and stopping it manually after we remove /testpath.
logrotate.timer is enough for rotating logs. Enabling logrotate.service would
make the service start on every configuration switch, leading to tests failure when
logrotate is enabled.
Also update test to make sure the timer is active and runs the service
on date change.
The test was looking at the wrong interface and relying on silly
behaviour by the dummy driver, which autocreated a `dummy0` interface on
modprobe.
Fix this by making it look at the actual `foo` interface that the test
creates.
Previously the bonding driver would create an initial `bond0` interface
when it was loaded. If the network management integration used that
interface and did not recreate it, it was stuck to the default
`balance-rr` mode.
Deploying systemds modprobe.d configuration sets `max_bonds=0`, so we
don't run into that issue anymore.
Hence we now make sure that we can indeed create `bond0` with `802.3ad`
(LACP), which is a non default mode.
systemd needs this so special characters (like the ones in wireguard
units that appear because they are part of base64) can be escaped using
the \x syntax.
Root of the issue is that `glob()` handles the backslash internally
which is obviously not what we want here.
Also add a test case and fix some perlcritic issues in the subroutine.
There are now multiple combinations of how one can pass either
extraPackages or extraComponents. We now test those passed directly to
the package via an override, and those passed indirectly via the module,
that ultimately results in a second override to the package.
This commit also changes the names of the tests for Hadoop so they use dashes instead of dots,
and makes the default `hadoop` test what would have been `hadoop-all` after the rename.
This change should mean that we're able to run
`nix build github:nixos/nixpkgs/master#nixosTests.hadoop`
which I was unable to do prior to this change.
The test failed with
> Test "test5 user should not be able to run commands under root" failed with
> error: "invalid literal for int() with base 10: ''"
since 2492da88ea.
The reason for this is that `sudo(8)` writes the lecture to the
tty[1] and only as a fallback to stdout[2]. This means that the
`base64 --wrap 0` executed by `machine.execute()` doesn't affect the
text written to the terminal, however the lecture is part of the string
that's read from the VM via `shell.recv()`.
I confirmed the problem in an interactive test session[3]:
>>> command = "sudo -u test5 sudo -n -u root true"
>>> out_command = f"( set -euo pipefail; {command} ) | (base64 --wrap 0; echo)\n"
>>> machine.shell.send(out_command.encode())
84
>>> machine # [ 99.015512] sudo[877]: root : TTY=hvc0 ; PWD=/tmp ; USER=test5 ; COMMAND=/run/wrappers/bin/sudo -n -u root true
machine # [ 99.019373] sudo[877]: pam_unix(sudo:session): session opened for user test5(uid=1005) by (uid=0)
machine # [ 99.038692] sudo[879]: pam_unix(sudo:auth): conversation failed
machine # sudo: a password is required
machine # [ 99.041860] sudo[879]: pam_unix(sudo:auth): auth could not identify password for [test5]
machine # [ 99.046901] sudo[877]: pam_unix(sudo:session): session closed for user test5
>>>
>>> x=machine._next_newline_closed_block_from_shell()
>>> print(x)
<newline>
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
<newline>
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
<newline>
<newline>
<newline>
>>>
Since the lecture isn't strictly necessary to confirm that
`security.sudo` works as expected, I decided to disable lecturing
inside the test, however we may want to fix the underlying problem in
the test-driver at some point.
[1] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/plugins/sudoers/check.c#L275-L283
[2] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/src/conversation.c#L95-L120
[3] I replaced each empty line with `<newline>` to make sure these
aren't swallowed by git.
Chrome, Chromium, VSCode, Slack, Signal, Discord, element-desktop,
schildichat.
For the latter two, the feature flag useWayland was removed and a
wrapper script was provided.
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
avaliable.
This commit aims to following the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
It looks like "make-bcache" also registers the devices, so the separate
registration afterwords is unnecessary.
Previously, the separate registration right afterwords didn't cause
a problem, presumably because it won the race with make-bcache's
registration. After 1640359f33 slightly
changed the timing of command execution in tests, the separate
registration often fails with the error message "device already
registered", stopping the test.
Release notes: https://github.com/swaywm/sway/releases/tag/1.7
Notable (backward incompatible) changes:
- The default terminal changed from Alacritty to foot
Known issues:
- `swaynag` will crash when Sway 1.6.1 is still running while the Nix
package (and thus `swaynag`) is already updated to version 1.7.
- The experimental Ozone/Wayland support of Electron apps will be broken
for a while. Electron version 17 should work but the Chromium fixes
haven't yet been backported to Electron version 16.
NixOS module: programs.sway.extraPackages: The "alacritty" package was
replaced with "foot".
VM test: We switched from the OpenGL ES 2.0 renderer to Pixman. The
terminal was also changed to foot but Alacritty is still used for the
XWayland test (since foot doesn't support X11).
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
Some tests from the `nixos/tests` folder were missing in the `all-tests.nix`
file. This meant they couldn't be run from the `nixosTests` attribute
set and therefore not be linked to their packages.
As written, the nixos/quorum module will simply run forever, and has
been timing out in Hydra. Implement a fix for such by changing the final
statement from a wait_until_succeeds to simply succeed, forcing the test
to succeed or fail instead of run indefinitely.
- Fully get rid of `parseKeyValues` and use systemctl features for that
- Add some regex modifiers recommended by perlcritic
- Get rid of a postfix if
- Sort units when showing their status
- Clean the logic for showing what failed from `elif` to `next`
- Switch from `state` to `substate` for `auto-restart` because that's
actually where the value is stored
- Show status of units with one single systemctl call and get rid of
COLUMNS in favor of --full
- Add a test for failing units
Replace sleep() calls where possible, using wait_for_* methods. This
should provide more robustness in cases where tests are running on a
congested system.
Since dhcpd has been hardened (DynamicUser → NoNewPrivileges) it can't
use a setcap wrapper. Instead, we add the net_admin capability to it's
ambient set and run `ip route` directly. This is also safer that giving
everyone permisison to change the routing table.
Add test coverage for the enableConfiguredRecompile option, checking
that we can compile and exec a new xmonad from a user's local config, as
well as restart the originally configured xmonad.
As I needed a reliable way to wait for recompilation to finish before
proceeding with subsequent test steps, I adjusted the startup behavior
to write a file ("oldXMonad" or "newXMonad") to /etc upon startup, and
replaced some "sleep" calls with "wait_for_file".
This removes `/run/nixos/activation-reload-list` (which we will need in
the future when reworking the reload logic) and makes
`/run/nixos/activation-restart-list` honor `restartIfChanged` and
`reloadIfChanged`. This way activation scripts don't have to bother with
choosing between reloading and restarting.
The tsm-client needs a tsm-server to do anything useful.
Without a server, automated tests can just
check diagnostic outputs for plausibility.
The commit at hand adds two tests:
1.
The command line interface `dsmc` is called,
then it is verified that the program does
* report the correct client version,
* find its configuration file,
* report a connection error.
2.
To check the GUI (and the tsm-client nixos module), we add a
vm test which uses the module to install `tsm-client-withGui`.
To verify that the GUI's basic functionality is present,
we skip over all connection failure related error
messages and open the "Connection Information"
dialog from the main application window.
This dialog presents the node name and the client version;
both are verified by the test.
Note: Our `tsm-client` build recipe consists of two packages:
The "unwrapped" package and the final package.
This commit puts the unwrapped one into the final
package's `passthru` so that tests can access
the original version string that is needed to check
the client version reported by the application.
The test has been broken for some time and the test errors are
non-obvious. None of the current maintainers know how to fix it so it is
better to get rid of it then to keep a continously failing test.
This adds a very minimalistic (in terms of functionality and
dependencies) test for wlroots, Wayland, and related packages.
The Sway test covers more functionality and packages (e.g. XWayland) but
this test has tree advantages:
- Less dependencies: Much fewer rebuilds are required when testing core
changes that need to go through staging.
- Testing wlroots updates: The Sway package isn't immediately updated
after a new wlroots version is released and a lot of other packages
depend on wlroots as well.
- Determining whether a bug only affects Sway or wlroots/TinyWL as well.
Catches failures like https://github.com/NixOS/nixpkgs/issues/149539
that don't happen with AutomaticLoginEnable.
We still have a 0-delay autologin test in gnome-xorg, in case there's
ever an issue that only arises with AutomaticLoginEnable.
One of the subtests in the sudo NixOS test suite was broken: instead of
running the sudo invocation as user 'test2', it was running it as root.
Since root doesn't require a password to use sudo, this was causing
random "broken pipe" errors when trying to pass it a password via stdin.
One use case for Mattermost configuration is doing a "mostly
mutable" configuration where NixOS module options take priority
over Mattermost's config JSON.
Add a preferNixConfig option that prefers configured Nix options
over what's configured in Mattermost config if mutableConfig is set.
Remove the reliance on readFile (it's flake incompatible) and use
jq instead.
Merge Mattermost configs together on Mattermost startup, depending
on configured module options.
Write tests for mutable, mostly mutable, and immutable configurations.
The current test needs Reddit access, which we do not have in testing
environment. This commit tests the settings page of libreddit which does
not require network access. It also test if the service can run on port
80 with the CAP_NET_BIND_SERVICE capability.
A change in QEMU v6.1.0 has somehow caused QEMU to behave differently
enough to cause this test to fail. This commit forces the test to be ran
with QEMU 6.0.0 from Nixpkgs at revision
e1fc1a80a0, which is the commit prior to
the QEMU 6.1.0 version bump.
Co-authored-by: Julio Sueiras <juliosueiras@gmail.com>
Adds a fully fledged NixOS VM integration test which uses jmtpfs and
gvfs to test the functionality of MTP inside of NixOS. It uses USB
device emulation in QEMU to create MTP device(s) which can be tested
against.
Co-authored-by: nixinator <33lockdown33@protonmail.com>
In the process I also found that the CapabilityBoundingSet
was restricting the service from listening on port 80, and
the AmbientCapabilities was ineffective. Fixed appropriately.
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.
With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.
The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
Closes#129838
It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794
Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwises. Resolves#147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.
- Add the migrations directory to the package
- Add postgres support to the package
- Add a service for powerdns-admin
Co-authored-by: Zhaofeng Li <hello@zhaofeng.li>
Snapserver expects the arguments `--tcp.bind_to_address` and
`--http.bind_to_address` instead of the `--tcp.address` (and http
equivalent) versions.
This caused the process to listen on `0.0.0.0` (for TCP and HTTP
sockets) regardless of the configuration value. It also never listend on
the IPv6 address `::` as our module system made the user believe.
This commit fixes the above issue and ensures that (at least for the TCP
socket) that our default `::` does indeed allow connections via IPv6
(to localhost aka ::1).
* elk7: 7.11.1 -> 7.16.1
* nixosTests.elk: Improve reliability and compatibility with ELK 7.x
- Use comparisons in jq instead of grepping
- Match for `.hits.total.value` if version >= 7, otherwise it always
passes
- Make curl fail if requests fails
* nixos/filebeat: Add initial module and test
Filebeat is an open source file harvester, mostly used to fetch logs
files and feed them into logstash.
This module can be used instead of journalbeat if used with
`filebeat7` and configured with the `journald` input.
* python3Packages.parsedmarc.tests: Fix breakage
- Don't use the deprecated elasticsearch7-oss package
- Improve jq query robustness and add tracing
* rl-2205: Note the addition of the filebeat service
* elk6: 6.8.3 -> 6.8.21
The latest version includes a fix for CVE-2021-44228.
* nixos/journalbeat: Add a loose dependency on elasticsearch
Avoid unnecssary back-off when elasticsearch is running on the same
host.
Otherwise, `postfix_up{path="/var/lib/postfix/queue/public/showq"}` will
always be `0` indicating an postfix outage because this is a unix domain
socket that cannot be connected to:
2021/12/03 14:50:46 Failed to scrape showq socket: dial unix /var/lib/postfix/queue/public/showq: socket: address family not supported by protocol
Add `systemd.network.networks.*.dhcpServerStaticLeaseConfig` to allow
for configuring static DHCP leases through the `[DHCPServerStaticLease]`
section. See systemd.network(5) of systemd 249 for details.
Also adds the NixOS test `systemd-networkd-dhcpserver-static-lease` to
test the assignment of static leases.
This reverts commit 57961d2b83, reversing
changes made to b04f913afc.
(I.e. this reverts PR #141192.)
While well-intended, this change does unfortunately introduce very
serious regressions that are especially disruptive/noticeable on desktop
systems (e.g. users of Sway will loose their graphical session when
running "nixos-rebuild switch").
Therefore, this change has to be reverted ASAP instead of trying to fix
it in "production".
Note: An updated version should be extensively discussed, reviewed, and
tested before re-landing this change as an earlier version also had to
be reverted for the exact same issues [0].
Fix: #146727
[0]: https://github.com/NixOS/nixpkgs/pull/73871#issuecomment-559783752
the default hasn't been changed since 2009
this can improve our test performances
nixos/tests: remove explicit memorySize <1024
1024MiB is now the default
This should mirror the behavior we implement for sudo: The TERMINFO and
TERMINFO_DIRS variables are inherited from the normal user's
environment, so terminfo files installed in the user's profile can be
found by ncurses applications running as root.
This fixes: https://github.com/NixOS/nixpkgs/issues/119066.
When `djbdns` is repeatedly queried it will crash with:
```
mmap: tinydns (842): VmData 331776 exceed data ulimit 300000. Update limits or use boot option ignore_rlimit_data.
```
So we increase the softlimit from 300000 to 4500000 as suggested in
the issue.
The `tinydns` NixOS test has been extended with testing for the faulty
behaviour.
