author | Frederik Rietdijk <fridh@fridh.nl> | 2019-12-15 18:49:26 +0100 |
---|---|---|
committer | Frederik Rietdijk <fridh@fridh.nl> | 2019-12-15 18:49:26 +0100 |
commit | 49b3d9ae6299079b074f195b3de068790052ea0f (patch) | |
tree | a53bf76764a5f96b9676e80fde0da975a7855782 /nixos | |
parent | 47efb03cd34ec49afb2bc7c08fd080ab16a3263e (diff) | |
parent | 3e046ee556190a833cb9583166b25193e8ee1f0c (diff) | |
Merge staging into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/tasks/filesystems/nfs.nix | 6 | ||||
-rw-r--r-- | nixos/release-combined.nix | 4 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 5 | ||||
-rw-r--r-- | nixos/tests/nfs.nix | 90 | ||||
-rw-r--r-- | nixos/tests/nfs/default.nix | 9 | ||||
-rw-r--r-- | nixos/tests/nfs/kerberos.nix | 133 | ||||
-rw-r--r-- | nixos/tests/nfs/simple.nix | 94 |
7 files changed, 247 insertions, 94 deletions
diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix
index e0e8bb1f03de..ddcc0ed8f5a4 100644
--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@@ -25,6 +25,9 @@ let
     '';
   nfsConfFile = pkgs.writeText "nfs.conf" cfg.extraConfig;
+  requestKeyConfFile = pkgs.writeText "request-key.conf" ''
+    create id_resolver * * ${pkgs.nfs-utils}/bin/nfsidmap -t 600 %k %d
+  '';
   cfg = config.services.nfs;
@@ -57,9 +60,12 @@ in
     systemd.packages = [ pkgs.nfs-utils ];
+    environment.systemPackages = [ pkgs.keyutils ];
+
     environment.etc = {
       "idmapd.conf".source = idmapdConfFile;
       "nfs.conf".source = nfsConfFile;
+      "request-key.conf".source = requestKeyConfFile;
     };
     systemd.services.nfs-blkmap =
diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index 678ce3c28800..ca9c6f9a7f91 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -120,8 +120,8 @@ in rec {
         (all nixos.tests.networking.scripted.macvlan)
         (all nixos.tests.networking.scripted.sit)
         (all nixos.tests.networking.scripted.vlan)
-        (all nixos.tests.nfs3)
-        (all nixos.tests.nfs4)
+        (all nixos.tests.nfs3.simple)
+        (all nixos.tests.nfs4.simple)
         (all nixos.tests.openssh)
         (all nixos.tests.php-pcre)
         (all nixos.tests.predictable-interface-names.predictable)
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 5407a071cadd..9c6778f9ddaa 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -190,8 +190,9 @@ in
   networkingProxy = handleTest ./networking-proxy.nix {};
   nextcloud = handleTest ./nextcloud {};
   nexus = handleTest ./nexus.nix {};
-  nfs3 = handleTest ./nfs.nix { version = 3; };
-  nfs4 = handleTest ./nfs.nix { version = 4; };
+  # TODO: Test nfsv3 + Kerberos
+  nfs3 = handleTest ./nfs { version = 3; };
+  nfs4 = handleTest ./nfs { version = 4; };
   nghttpx = handleTest ./nghttpx.nix {};
   nginx = handleTest ./nginx.nix {};
   nginx-sso = handleTest ./nginx-sso.nix {};
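Review bot: The new `requestKeyConfFile` in the first hunk has no comment explaining what the `create id_resolver` line does or why `pkgs.keyutils` is now installed system-wide, and the file is written to `/etc/request-key.conf` wholesale. A comment such as `# The kernel's NFSv4 idmapper asks request-key(8) for "id_resolver" keys; nfsidmap resolves them using idmapd.conf, and -t 600 is the key timeout in seconds.` would make the `%k %d` invocation and the keyutils dependency self-explanatory to the next maintainer. Because the generated file becomes the system-wide `request-key.conf`, it is worth noting in the module that it only defines a handler for `id_resolver` and that any other configuration managing that file will hit an `environment.etc` conflict; whether another NixOS module already does so is not visible here.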
diff --git a/nixos/tests/nfs.nix b/nixos/tests/nfs.nix
deleted file mode 100644
index 2f655336e757..000000000000
--- a/nixos/tests/nfs.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-import ./make-test.nix ({ pkgs, version ? 4, ... }:
-
-let
-
-  client =
-    { pkgs, ... }:
-    { fileSystems = pkgs.lib.mkVMOverride
-        [ { mountPoint = "/data";
-            # nfs4 exports the export with fsid=0 as a virtual root directory
-            device = if (version == 4) then "server:/" else "server:/data";
-            fsType = "nfs";
-            options = [ "vers=${toString version}" ];
-          }
-        ];
-      networking.firewall.enable = false; # FIXME: only open statd
-    };
-
-in
-
-{
-  name = "nfs";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ eelco ];
-  };
-
-  nodes =
-    { client1 = client;
-      client2 = client;
-
-      server =
-        { ... }:
-        { services.nfs.server.enable = true;
-          services.nfs.server.exports =
-            ''
-              /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
-            '';
-          services.nfs.server.createMountPoints = true;
-          networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed
-        };
-    };
-
-  testScript =
-    ''
-      $server->waitForUnit("nfs-server");
-      $server->succeed("systemctl start network-online.target");
-      $server->waitForUnit("network-online.target");
-
-      startAll;
-
-      $client1->waitForUnit("data.mount");
-      $client1->succeed("echo bla > /data/foo");
-      $server->succeed("test -e /data/foo");
-
-      $client2->waitForUnit("data.mount");
-      $client2->succeed("echo bla > /data/bar");
-      $server->succeed("test -e /data/bar");
-
-      # Test whether restarting ‘nfs-server’ works correctly.
-      $server->succeed("systemctl restart nfs-server");
-      $client2->succeed("echo bla >> /data/bar"); # will take 90 seconds due to the NFS grace period
-
-      # Test whether we can get a lock.
-      $client2->succeed("time flock -n -s /data/lock true");
-
-      # Test locking: client 1 acquires an exclusive lock, so client 2
-      # should then fail to acquire a shared lock.
-      $client1->succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &");
-      $client1->waitForFile("locked");
-      $client2->fail("flock -n -s /data/lock true");
-
-      # Test whether client 2 obtains the lock if we reset client 1.
-      $client2->succeed("flock -x /data/lock -c 'echo acquired; touch locked; sleep 100000' >&2 &");
-      $client1->crash;
-      $client1->start;
-      $client2->waitForFile("locked");
-
-      # Test whether locks survive a reboot of the server.
-      $client1->waitForUnit("data.mount");
-      $server->shutdown;
-      $server->start;
-      $client1->succeed("touch /data/xyzzy");
-      $client1->fail("time flock -n -s /data/lock true");
-
-      # Test whether unmounting during shutdown happens quickly.
-      my $t1 = time;
-      $client1->shutdown;
-      my $duration = time - $t1;
-      die "shutdown took too long ($duration seconds)" if $duration > 30;
-    '';
-})
diff --git a/nixos/tests/nfs/default.nix b/nixos/tests/nfs/default.nix
new file mode 100644
index 000000000000..6bc803c91b46
--- /dev/null
+++ b/nixos/tests/nfs/default.nix
@@ -0,0 +1,9 @@
+{ version ? 4
+, system ? builtins.currentSystem
+, pkgs ? import ../../.. { inherit system; }
+}: {
+  simple = import ./simple.nix { inherit version system pkgs; };
+} // pkgs.lib.optionalAttrs (version == 4) {
+  # TODO: Test kerberos + nfsv3
+  kerberos = import ./kerberos.nix { inherit version system pkgs; };
+}
diff --git a/nixos/tests/nfs/kerberos.nix b/nixos/tests/nfs/kerberos.nix
new file mode 100644
index 000000000000..1f2d0d453ea0
--- /dev/null
+++ b/nixos/tests/nfs/kerberos.nix
@@ -0,0 +1,133 @@
+import ../make-test-python.nix ({ pkgs, lib, ... }:
+
+with lib;
+
+let
+  krb5 =
+    { enable = true;
+      domain_realm."nfs.test" = "NFS.TEST";
+      libdefaults.default_realm = "NFS.TEST";
+      realms."NFS.TEST" =
+        { admin_server = "server.nfs.test";
+          kdc = "server.nfs.test";
+        };
+    };
+
+  hosts =
+    ''
+      192.168.1.1 client.nfs.test
+      192.168.1.2 server.nfs.test
+    '';
+
+  users = {
+    users.alice = {
+      isNormalUser = true;
+      name = "alice";
+      uid = 1000;
+    };
+  };
+
+in
+
+{
+  name = "nfsv4-with-kerberos";
+
+  nodes = {
+    client = { lib, ... }:
+      { inherit krb5 users;
+
+        networking.extraHosts = hosts;
+        networking.domain = "nfs.test";
+        networking.hostName = "client";
+
+        fileSystems = lib.mkVMOverride
+          { "/data" = {
+              device = "server.nfs.test:/";
+              fsType = "nfs";
+              options = [ "nfsvers=4" "sec=krb5p" "noauto" ];
+            };
+          };
+      };
+
+    server = { lib, ...}:
+      { inherit krb5 users;
+
+        networking.extraHosts = hosts;
+        networking.domain = "nfs.test";
+        networking.hostName = "server";
+
+        networking.firewall.allowedTCPPorts = [
+          111  # rpc
+          2049 # nfs
+          88   # kerberos
+          749  # kerberos admin
+        ];
+
+        services.kerberos_server.enable = true;
+        services.kerberos_server.realms =
+          { "NFS.TEST".acl =
+            [ { access = "all"; principal = "admin/admin"; } ];
+          };
+
+        services.nfs.server.enable = true;
+        services.nfs.server.createMountPoints = true;
+        services.nfs.server.exports =
+          ''
+            /data *(rw,no_root_squash,fsid=0,sec=krb5p)
+          '';
+      };
+  };
+
+  testScript =
+    ''
+      server.succeed("mkdir -p /data/alice")
+      server.succeed("chown alice:users /data/alice")
+
+      # set up kerberos database
+      server.succeed(
+          "kdb5_util create -s -r NFS.TEST -P master_key",
+          "systemctl restart kadmind.service kdc.service",
+      )
+      server.wait_for_unit(f"kadmind.service")
+      server.wait_for_unit(f"kdc.service")
+
+      # create principals
+      server.succeed(
+          "kadmin.local add_principal -randkey nfs/server.nfs.test",
+          "kadmin.local add_principal -randkey nfs/client.nfs.test",
+          "kadmin.local add_principal -pw admin_pw admin/admin",
+          "kadmin.local add_principal -pw alice_pw alice",
+      )
+
+      # add principals to server keytab
+      server.succeed("kadmin.local ktadd nfs/server.nfs.test")
+      server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service")
+      server.wait_for_unit(f"rpc-gssd.service")
+      server.wait_for_unit(f"rpc-svcgssd.service")
+
+      client.wait_for_unit("network-online.target")
+
+      # add principals to client keytab
+      client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test")
+      client.succeed("systemctl start rpc-gssd.service")
+      client.wait_for_unit("rpc-gssd.service")
+
+      with subtest("nfs share mounts"):
+          client.succeed("systemctl restart data.mount")
+          client.wait_for_unit("data.mount")
+
+      with subtest("permissions on nfs share are enforced"):
+          client.fail("su alice -c 'ls /data'")
+          client.succeed("su alice -c 'echo alice_pw | kinit'")
+          client.succeed("su alice -c 'ls /data'")
+
+          client.fail("su alice -c 'echo bla >> /data/foo'")
+          client.succeed("su alice -c 'echo bla >> /data/alice/foo'")
+          server.succeed("test -e /data/alice/foo")
+
+      with subtest("uids/gids are mapped correctly on nfs share"):
+          ids = client.succeed("stat -c '%U %G' /data/alice").split()
+          expected = ["alice", "users"]
+          assert ids == expected, f"ids incorrect: got {ids} expected {expected}"
+    '';
+})
diff --git a/nixos/tests/nfs/simple.nix b/nixos/tests/nfs/simple.nix
new file mode 100644
index 000000000000..a1a09ee0f45c
--- /dev/null
+++ b/nixos/tests/nfs/simple.nix
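Review bot: `server.wait_for_unit(f"kadmind.service")`, `f"kdc.service"`, `f"rpc-gssd.service"` and `f"rpc-svcgssd.service"` in the testScript are f-strings with nothing to interpolate; plain literals such as `server.wait_for_unit("kadmind.service")` read cleaner and avoid the usual linter warning, and the rest of the script already uses plain strings. The export line `/data *(rw,no_root_squash,fsid=0,sec=krb5p)` uses a wildcard host pattern, so access control rests entirely on `sec=krb5p`; a one-line comment saying so (`# any host may mount, but only with a valid Kerberos ticket (sec=krb5p)`) would stop a later reader from "tightening" the host pattern and masking what this test actually checks. The `permissions on nfs share are enforced` subtest asserts that alice is refused before `kinit` and admitted after it, which is the right negative/positive pair; the passwords and `master_key` are test fixtures, and a short comment marking them as such would prevent them from being mistaken for something to reuse.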
@@ -0,0 +1,94 @@
+import ../make-test-python.nix ({ pkgs, version ? 4, ... }:
+
+let
+
+  client =
+    { pkgs, ... }:
+    { fileSystems = pkgs.lib.mkVMOverride
+        [ { mountPoint = "/data";
+            # nfs4 exports the export with fsid=0 as a virtual root directory
+            device = if (version == 4) then "server:/" else "server:/data";
+            fsType = "nfs";
+            options = [ "vers=${toString version}" ];
+          }
+        ];
+      networking.firewall.enable = false; # FIXME: only open statd
+    };
+
+in
+
+{
+  name = "nfs";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ eelco ];
+  };
+
+  nodes =
+    { client1 = client;
+      client2 = client;
+
+      server =
+        { ... }:
+        { services.nfs.server.enable = true;
+          services.nfs.server.exports =
+            ''
+              /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
+            '';
+          services.nfs.server.createMountPoints = true;
+          networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed
+        };
+    };
+
+  testScript =
+    ''
+      import time
+
+      server.wait_for_unit("nfs-server")
+      server.succeed("systemctl start network-online.target")
+      server.wait_for_unit("network-online.target")
+
+      start_all()
+
+      client1.wait_for_unit("data.mount")
+      client1.succeed("echo bla > /data/foo")
+      server.succeed("test -e /data/foo")
+
+      client2.wait_for_unit("data.mount")
+      client2.succeed("echo bla > /data/bar")
+      server.succeed("test -e /data/bar")
+
+      with subtest("restarting 'nfs-server' works correctly"):
+          server.succeed("systemctl restart nfs-server")
+          # will take 90 seconds due to the NFS grace period
+          client2.succeed("echo bla >> /data/bar")
+
+      with subtest("can get a lock"):
+          client2.succeed("time flock -n -s /data/lock true")
+
+      with subtest("client 2 fails to acquire lock held by client 1"):
+          client1.succeed("flock -x /data/lock -c 'touch locked; sleep 100000' &")
+          client1.wait_for_file("locked")
+          client2.fail("flock -n -s /data/lock true")
+
+      with subtest("client 2 obtains lock after resetting client 1"):
+          client2.succeed(
+              "flock -x /data/lock -c 'echo acquired; touch locked; sleep 100000' >&2 &"
+          )
+          client1.crash()
+          client1.start()
+          client2.wait_for_file("locked")
+
+      with subtest("locks survive server reboot"):
+          client1.wait_for_unit("data.mount")
+          server.shutdown()
+          server.start()
+          client1.succeed("touch /data/xyzzy")
+          client1.fail("time flock -n -s /data/lock true")
+
+      with subtest("unmounting during shutdown happens quickly"):
+          t1 = time.monotonic()
+          client1.shutdown()
+          duration = time.monotonic() - t1
+          assert duration < 30, f"shutdown took too long ({duration} seconds)"
+    '';
+})
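Review bot: The shutdown-time check at the end of the testScript silently tightened its bound in the Perl-to-Python port: the deleted version only died when `$duration > 30`, whereas `assert duration < 30` now also fails at exactly 30 seconds; `assert duration <= 30, f"shutdown took too long ({duration} seconds)"` keeps the original limit, and a comment stating where the 30-second budget comes from would help whoever next has to tune it. Both nodes still carry `networking.firewall.enable = false` with FIXME comments; the sibling kerberos test in this commit lists the ports it needed for NFSv4 (111 and 2049 over TCP), which is a concrete starting point for the `version == 4` case, while NFSv3 presumably also needs the lockd/statd ports the first FIXME alludes to. Re-enabling the firewall with an explicit allow-list would make the test exercise the same exposure a real deployment has rather than an open host.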