This patch is heavily inspired by bd0d8ed807 which added
a setcap wrapper for `mtr` in order to allow running `mtr` without
`sudo`. The need for the capability `cap_net_raw` that can be registered using
`setcap` has been documented in the Arch Wiki: https://wiki.archlinux.org/index.php/Capabilities#iftop
A simple testcase has been added which starts two machines, one with a
setcap wrapper for `iftop`, one without. Both testcases monitor the
bandwidth usage of the machine using the options `-t -s 1` once, the
machine with setcap wrapper is expected to succeed, the `iftop` on the
machine without setcap wrapper is expected to return a non-zero exit
code.
* Fix reference CNI plugins
* The plugins were split out of the upstream cni repo around version
0.6.0
* Fix RBAC and DNS tests
* Fix broken apiVersion fields
* Change plugin linking to look in ${package}/bin rather than
${package.plugins}
* Initial work towards a working e2e test
* Test still fails, but at least the expression evaluates now
Continues @srhb's work in #37199Fixes#37199
The psmouse module is for PS/2 mouse only, which doesn't exist outside
x86. But we can test for the mousedev module just as well which is used
for the '-device usb-tablet' emulated by QEMU.
I've started digging into the actual cause of the problem a week ago but
didn't continue fixing this.
The reason why the tests are failing is because
torvalds/linux/commit/72f5e08dbba2d01aa90b592cf76c378ea233b00b has
remapped the location of the TSS into the CPU entry area and we did
update our default kernel to version 4.14 in NixOS/nixpkgs@88530e02b6.
Back to VirtualBox: The guru meditation happens in
selmRCGuestTssPostWriteCheck, which I think is only a followup error. I
believe the right location couldn't be determined by VirtualBox and thus
the write check function triggers that panic because it's reading from
the wrong location.
So the actual problem *only* surfaces whenever we use software
virtualization, which we do for our tests because we don't have nested
virtualization available.
Our tests are also for testing the functionality of VirtualBox itself
and not certain kernel versions or kernel features, so for the time
being and until this is fixed, let's actually use kernel version 4.9 for
the guests within the VM tests. Kernel 4.9 didn't have the mentioned
change of the TSS location and thus the tests succeed.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @dtzWill
Resolved the following conflicts (by carefully applying patches from the both
branches since the fork point):
pkgs/development/libraries/epoxy/default.nix
pkgs/development/libraries/gtk+/3.x.nix
pkgs/development/python-modules/asgiref/default.nix
pkgs/development/python-modules/daphne/default.nix
pkgs/os-specific/linux/systemd/default.nix
Updated to the latest version of the nixos-v237 branch, which fixes two
things:
* Make sure that systemd looks in /etc for configuration files.
https://github.com/NixOS/systemd/pull/15
* Fix handling of the x-initrd.mount option.
https://github.com/NixOS/systemd/pull/16
I've added NixOS VM tests for both to ensure we won't run into
regressions. The newly added systemd test only tests for that and is by
no means exhaustive, but it's a start.
Personally I only wanted to fix the former issue, because that's the one
I've been debugging. After sending in a pull request for our systemd
fork (https://github.com/NixOS/systemd/pull/17) I got a notice from
@Mic92, that he already fixed this and his fix was even better as it's
even suitable for upstream (so we hopefully can drop that patch
someday).
The reason why the second one came in was simply because it has been
merged before the former, but I thought it would be a good idea to have
tests for that as well.
In addition I've removed the sysconfdir=$out/etc entry to make sure the
default (/etc) is used. Installing is still done to $out, because those
directories that were previously into sysconfdir now get into
factoryconfdir.
Quote from commit NixOS/systemd@98067cc806:
By default systemd should read all its configuration from /etc.
Therefore we rely on -Dsysconfdir=/etc in meson as default value.
Unfortunately this would also lead to installation of systemd's own
configuration files to `/etc` whereas we are limited to /nix/store. To
counter that this commit introduces two new configuration variables
`factoryconfdir` and `factorypkgconfdir` to install systemd's own
configuration into nix store again, while having executables looking
up files in /etc.
Tested this change against all of the NixOS VM tests we have in
nixos/release.nix. Between this change and its parent no new tests were
failing (although a lot of them were flaky).
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Mic92, @tk-ecotelecom, @edolstra, @fpletz
Fixes: #35415Fixes: #35268
All 5 daemon types can be enabled and configured through the module and the module both creates the ceph.conf required but also creates and enables specific services for each daemon, based on the systemd service files that upstream provides.
The strongswan-swanctl systemd service starts charon-systemd. This implements a IKE daemon
very similar to charon, but it's specifically designed for use with systemd. It uses the
systemd libraries for a native integration.
Instead of using starter and an ipsec.conf based configuration, the daemon is directly
managed by systemd and configured with the swanctl configuration backend.
See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
Note that the strongswan.conf and swantctl.conf configuration files are automatically
generated based on NixOS options under services.strongswan-swanctl.strongswan and
services.strongswan-swanctl.swanctl respectively.
Use systemd to create the directory for UNIX socket. Also use localhost instead
of 127.0.0.1 as is done in default cupsd.conf so that IPv6 is enabled when
available.
Use systemd to create the directory for UNIX socket. Also use localhost instead
of 127.0.0.1 as is done in default cupsd.conf so that IPv6 is enabled when
available.
Regression introduced by 943592f698.
The lib attribute isn't in scope here, so we need to use pkgs.lib
instead for isFunction.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @shlevy
Among other things, this will allow *2nix tools to output plain data
while still being composable with the traditional
callPackage/.override interfaces.
We had problems to get borg's own test suite running.
This test is intended to perform a quick smoke test to see whether we
have missed not any important dependency necessary to create backups
with borg.
tested with:
$ nix-build nixos/release.nix -A tests.borgbackup.x86_64-linux
To make the configuration of `yabar` more pleasant and easier to
validate, a NixOS module will be quite helpful.
An example config could look like this:
```
{
programs.yabar = {
enable = true;
bars.top.indicators.exec = "YA_DATE";
};
}
```
The module adds a user-controlled systemd service which runs `yabar` after
starting up X.
apps.plugin requires capabilities for full process monitoring. with
1.9.0, netdata allows multiple directories to search for plugins and the
setuid directory can be specified here.
the module is backwards compatible with older configs. a test is
included that verifies data gathering for the elevated privileges. one
additional attribute is added to make configuration more generic than
including configuration in string form.
This change adds a simple integration test exercising the fetchdocker
Nix code and hocker utilities for the simple `hello-world` docker
container. We exercise:
- Fetching the docker image configuration json
- Fetching the docker image layers
- Building a compositor script
- Loading the `hello-world` docker image into docker using the
compositor script and `docker load`
- Running that loaded container
Fixes#28443
Fixed few invocations to `systemctl` to have an absolute path. Additionally add
LOCALE_ARCHIVE so that perl stops spewing warning messages.
* nghttpx: Add a new NixOS module for the nghttpx proxy server
This change also adds a global `uid` and `gid` for a `nghttpx` user
and group as well as an integration test.
* nixos/nghttpx: fix building manual
In bfe9c928c1 the default kernel has been
updated to version 4.14 and the declarations for allow_signal() and
signal_pending() are no longer exposed via kthread.h, so let's actually
use the right header files.
I've added a condition for kernel 4.10 and upwards to include the
linux/sched/signal.h header file, because that got introduced in version
4.10. Even if the declaration would still reside in kthread.h (I haven't
checked) for version 4.10 it won't hurt and the compilation will still
succeed.
Tested against kernel 4.9 and 4.14 and the build now succeeds.
Signed-off-by: aszlig <aszlig@nix.build>
postage is no longer maintained and has been replaced by the identical pgmanage. See:
https://github.com/workflowproducts/postage#postage-has-been-replaced-with-pgmanage
The following error is raised when a user enables the deprecated `services.postage.enable` option:
Failed assertions:
- services.postage is deprecated in favor of pgmanage. They have the same options so just substitute postage for pgmanage.
* Don't set timezone when it's null
* Don't create the postgres role because the postgresqsl service
already does that.
* Fix documentation
* Add a test suite
Noticed in https://hydra.nixos.org/jobset/nixos/release-17.09#tabs-errors:
````
hydra-eval-jobs returned exit code 1:
building path(s) '/nix/store/wxcbjli7m98yymnxrxkf6pigr7a05zad-id_ed25519.pub'
building '/nix/store/gyig2d7cry98647h0grfilq26cpc1wy8-id_ed25519.pub.drv'...
````
Issue #29774
-s, --script: never prompts for user intervention
Sometimes the NixOS installer tests fail when they invoke parted, e.g.
https://hydra.nixos.org/build/62513826/nixlog/1. But instead of exiting
right there, the tests hang until the Nix builder times out (and kills
the build). With this change the tests would instead fail immediately,
which is preferred.
While at it, use "parted --script" treewide, so nobody gets build
timeout due to parted error (or misuse). (Only nixos/ use it, and only
non-interactive.)
A few instances already use the short option "-s", convert them to long
option "--short".
Add postgis 2.4.0
doesn't remove v2.3.1. There are some big change in 2.4 that people may
don't want. see https://postgis.net/docs/release_notes.html#idm41021
fix test call
modify following recommandation of lsix
Regression introduced by a02bb00156.
The fix is done by disabling writableStore, because the latter will set
up an overlayfs on the Nix store within the VM, which in turn will
discard all the outputs of the resulting output path.
However in runInMachine we actually *want* the contents of the generated
path and also don't want a writable store within the VM (except of
course for $out, which is writable anyway).
I've added a small regression test to verifify the output in
nixos/tests/run-in-machine.nix to make sure this won't break again in
the future.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* Grants enough privileges to the configured user so that it can run
mysqldump.
* Adds a nixos test.
* Use systemd timers instead of a cronjob (by @fadenb).
* Creates a new user for backups by default, instead of using mysql
user.
* Ensures that backup user has write permissions on backup location.
* Write backup to a temporary file before renaming so that a failed
backup won't overwrite the previous backup, and so that the backup
location will never contain a partial backup.
Breaking changes:
* Renamed period to calendar to reflect the change in how to
configure the backup time.
* A failed backup will no longer result in cron sending an e-mail --
users' monitoring systems must be updated.
Resolves#24728
- add flannel support
- remove deprecated authorizationRBACSuperAdmin option
- rename from deprecated poratalNet to serviceClusterIpRange
- add nodeIp option for kubelet
- kubelet, add br_netfilter to kernelModules
- enable firewall by default
- enable dns by default on node and on master
- disable iptables for docker by default on nodes
- dns, restart on failure
- update tests
and other minor changes
Previously services depending on network-online.target would wait until
dhcpcd times out if it was enabled and a static network address
configuration was used. Setting the default gateway statically is enough
for the networking to be considered online.
This also adjusts the relevant networking tests to wait for
network-online.target instead of just network.target.
This option got introduced in 7904499542
and it didn't check whether mailUser and mailGroup are null, which they
are by default.
Now we're only creating the user if createMailUser is set in conjunction
with mailUser and the group if mailGroup is set as well.
I've added a NixOS VM test so that we can verify whether dovecot works
without any additional options set, so it serves as a regression test
for issue #29466 and other issues that might come up with future changes
to the Dovecot service.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #29466
Cc: @qknight, @abbradar, @ixmatus, @siddharthist
Quoting from @FRidh:
Note overridePythonAttrs exists since 17.09. It overrides the call to
buildPythonPackage.
While it's not strictly necessary to do this, because postPatch ends up
in drvAttrs anyway, it's probably better to use overridePythonAttrs so
we don't run into problems when the underlying implementation of
buildPythonPackage changes.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since 67651d80bc the requests package now
depends on certifi, which in turn provides the CA root certificates that
we need to replace.
It might also be a good idea to actually patch certifi with our version
of cacert by default so that if we want to override and/or add something
we only need to do it once.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @fpletz, @k0ral, @FRidh
The enableSSL option has been deprecated in
a912a6a291, so we switch to using onlySSL.
I've also explicitly disabled enableACME, because this is the default
and we don't actually want to have ACME enabled for a host which runs an
actual ACME server.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The test here is pretty basic and only tests nginx, but it should get us
started to write tests for different webservers and different ACME
implementations.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
These modules implement a way to test ACME based on a test instance of
Letsencrypt's Boulder service. The service implementation is in
letsencrypt.nix and the second module (resolver.nix) is a support-module
for the former, but can also be used for tests not involving ACME.
The second module provides a DNS server which hosts a root zone
containing all the zones and /etc/hosts entries (except loopback) in the
entire test network, so this can be very useful for other modules that
need DNS resolution.
Originally, I wrote these modules for the Headcounter deployment, but
I've refactored them a bit to be generally useful to NixOS users. The
original implementation can be found here:
https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing
Quoting parts from the commit message of the initial implementation of
the Letsencrypt module in headcounter/deployment@95dfb31110:
This module is going to be used for tests where we need to
impersonate an ACME service such as the one from Letsencrypt within
VM tests, which is the reason why this module is a bit ugly (I only
care if it's working not if it's beautiful).
While the module isn't used anywhere, it will serve as a pluggable
module for testing whether ACME works properly to fetch certificates
and also as a replacement for our snakeoil certificate generator.
Also quoting parts of the commit where I have refactored the same module
in headcounter/deployment@85fa481b34:
Now we have a fully pluggable module which automatically discovers
in which network it's used via the nodes attribute.
The test environment of Boulder used "dns-test-srv", which is a fake
DNS server that's resolving almost everything to 127.0.0.1. On our
setup this is not useful, so instead we're now running a local BIND
name server which has a fake root zone and uses the mentioned node
attribute to automatically discover other zones in the network of
machines and generate delegations from the root zone to the
respective zones with the primaryIPAddress of the node.
...
We want to use real letsencrypt.org FQDNs here, so we can't get away
with the snakeoil test certificates from the upstream project but
now roll our own.
This not only has the benefit that we can easily pass the snakeoil
certificate to other nodes, but we can (and do) also use it for an
nginx proxy that's now serving HTTPS for the Boulder web front end.
The Headcounter deployment tests are simulating a production scenario
with real IPs and nameservers so it won't need to rely on
networking.extraHost. However in this implementation we don't
necessarily want to do that, so I've added auto-discovery of
networking.extraHosts in the resolver module.
Another change here is that the letsencrypt module now falls back to
using a local resolver, the Headcounter implementation on the other hand
always required to add an extra test node which serves as a resolver.
I could have squashed both modules into the final ACME test, but that
would make it not very reusable, so that's the main reason why I put
these modules in tests/common.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
