mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-21 04:13:12 +00:00
4f0dadbf38
After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-builda08b3a4d19
.tar.gz \ --argstr baseRevb32a094368
result/bin/apply-formatting $NIXPKGS_PATH
148 lines
4.1 KiB
Nix
148 lines
4.1 KiB
Nix
import ../make-test-python.nix (
|
|
{ pkgs, lib, ... }:
|
|
|
|
let
|
|
security.krb5 = {
|
|
enable = true;
|
|
settings = {
|
|
domain_realm."nfs.test" = "NFS.TEST";
|
|
libdefaults.default_realm = "NFS.TEST";
|
|
realms."NFS.TEST" = {
|
|
admin_server = "server.nfs.test";
|
|
kdc = "server.nfs.test";
|
|
};
|
|
};
|
|
};
|
|
|
|
hosts = ''
|
|
192.168.1.1 client.nfs.test
|
|
192.168.1.2 server.nfs.test
|
|
'';
|
|
|
|
users = {
|
|
users.alice = {
|
|
isNormalUser = true;
|
|
name = "alice";
|
|
uid = 1000;
|
|
};
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
name = "nfsv4-with-kerberos";
|
|
|
|
nodes = {
|
|
client =
|
|
{ lib, ... }:
|
|
{
|
|
inherit security users;
|
|
|
|
networking.extraHosts = hosts;
|
|
networking.domain = "nfs.test";
|
|
networking.hostName = "client";
|
|
|
|
virtualisation.fileSystems = {
|
|
"/data" = {
|
|
device = "server.nfs.test:/";
|
|
fsType = "nfs";
|
|
options = [
|
|
"nfsvers=4"
|
|
"sec=krb5p"
|
|
"noauto"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
server =
|
|
{ lib, ... }:
|
|
{
|
|
inherit security users;
|
|
|
|
networking.extraHosts = hosts;
|
|
networking.domain = "nfs.test";
|
|
networking.hostName = "server";
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
111 # rpc
|
|
2049 # nfs
|
|
88 # kerberos
|
|
749 # kerberos admin
|
|
];
|
|
|
|
services.kerberos_server.enable = true;
|
|
services.kerberos_server.realms = {
|
|
"NFS.TEST".acl = [
|
|
{
|
|
access = "all";
|
|
principal = "admin/admin";
|
|
}
|
|
];
|
|
};
|
|
|
|
services.nfs.server.enable = true;
|
|
services.nfs.server.createMountPoints = true;
|
|
services.nfs.server.exports = ''
|
|
/data *(rw,no_root_squash,fsid=0,sec=krb5p)
|
|
'';
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
server.succeed("mkdir -p /data/alice")
|
|
server.succeed("chown alice:users /data/alice")
|
|
|
|
# set up kerberos database
|
|
server.succeed(
|
|
"kdb5_util create -s -r NFS.TEST -P master_key",
|
|
"systemctl restart kadmind.service kdc.service",
|
|
)
|
|
server.wait_for_unit("kadmind.service")
|
|
server.wait_for_unit("kdc.service")
|
|
|
|
# create principals
|
|
server.succeed(
|
|
"kadmin.local add_principal -randkey nfs/server.nfs.test",
|
|
"kadmin.local add_principal -randkey nfs/client.nfs.test",
|
|
"kadmin.local add_principal -pw admin_pw admin/admin",
|
|
"kadmin.local add_principal -pw alice_pw alice",
|
|
)
|
|
|
|
# add principals to server keytab
|
|
server.succeed("kadmin.local ktadd nfs/server.nfs.test")
|
|
server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service")
|
|
server.wait_for_unit("rpc-gssd.service")
|
|
server.wait_for_unit("rpc-svcgssd.service")
|
|
|
|
client.systemctl("start network-online.target")
|
|
client.wait_for_unit("network-online.target")
|
|
|
|
# add principals to client keytab
|
|
client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test")
|
|
client.succeed("systemctl start rpc-gssd.service")
|
|
client.wait_for_unit("rpc-gssd.service")
|
|
|
|
with subtest("nfs share mounts"):
|
|
client.succeed("systemctl restart data.mount")
|
|
client.wait_for_unit("data.mount")
|
|
|
|
with subtest("permissions on nfs share are enforced"):
|
|
client.fail("su alice -c 'ls /data'")
|
|
client.succeed("su alice -c 'echo alice_pw | kinit'")
|
|
client.succeed("su alice -c 'ls /data'")
|
|
|
|
client.fail("su alice -c 'echo bla >> /data/foo'")
|
|
client.succeed("su alice -c 'echo bla >> /data/alice/foo'")
|
|
server.succeed("test -e /data/alice/foo")
|
|
|
|
with subtest("uids/gids are mapped correctly on nfs share"):
|
|
ids = client.succeed("stat -c '%U %G' /data/alice").split()
|
|
expected = ["alice", "users"]
|
|
assert ids == expected, f"ids incorrect: got {ids} expected {expected}"
|
|
'';
|
|
|
|
meta.maintainers = [ lib.maintainers.dblsaiko ];
|
|
}
|
|
)
|