Merge pull request #218126 from mweinelt/kea-dhcp-ddns-test
nixos/tests/kea: Test dhcp-ddns against knot
This commit is contained in:
commit
2dbef07f09
|
@ -1,3 +1,10 @@
|
||||||
|
# This test verifies DHCPv4 interaction between a client and a router.
|
||||||
|
# For successful DHCP allocations a dynamic update request is sent
|
||||||
|
# towards a nameserver to allocate a name in the lan.nixos.test zone.
|
||||||
|
# We then verify whether client and router can ping each other, and
|
||||||
|
# that the nameserver can resolve the clients fqdn to the correct IP
|
||||||
|
# address.
|
||||||
|
|
||||||
import ./make-test-python.nix ({ pkgs, lib, ...}: {
|
import ./make-test-python.nix ({ pkgs, lib, ...}: {
|
||||||
meta.maintainers = with lib.maintainers; [ hexa ];
|
meta.maintainers = with lib.maintainers; [ hexa ];
|
||||||
|
|
||||||
|
@ -8,17 +15,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
|
||||||
virtualisation.vlans = [ 1 ];
|
virtualisation.vlans = [ 1 ];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
useNetworkd = true;
|
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
firewall.allowedUDPPorts = [ 67 ];
|
firewall.allowedUDPPorts = [ 67 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
networks = {
|
networks = {
|
||||||
"01-eth1" = {
|
"01-eth1" = {
|
||||||
name = "eth1";
|
name = "eth1";
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
Address = "10.0.0.1/30";
|
Address = "10.0.0.1/29";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -45,13 +52,115 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
|
||||||
};
|
};
|
||||||
|
|
||||||
subnet4 = [ {
|
subnet4 = [ {
|
||||||
subnet = "10.0.0.0/30";
|
subnet = "10.0.0.0/29";
|
||||||
pools = [ {
|
pools = [ {
|
||||||
pool = "10.0.0.2 - 10.0.0.2";
|
pool = "10.0.0.3 - 10.0.0.3";
|
||||||
} ];
|
} ];
|
||||||
} ];
|
} ];
|
||||||
|
|
||||||
|
# Enable communication between dhcp4 and a local dhcp-ddns
|
||||||
|
# instance.
|
||||||
|
# https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#ddns-for-dhcpv4
|
||||||
|
dhcp-ddns = {
|
||||||
|
enable-updates = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
ddns-send-updates = true;
|
||||||
|
ddns-qualifying-suffix = "lan.nixos.test.";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.kea.dhcp-ddns = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
forward-ddns = {
|
||||||
|
# Configure updates of a forward zone named `lan.nixos.test`
|
||||||
|
# hosted at the nameserver at 10.0.0.2
|
||||||
|
# https://kea.readthedocs.io/en/kea-2.2.0/arm/ddns.html#adding-forward-dns-servers
|
||||||
|
ddns-domains = [ {
|
||||||
|
name = "lan.nixos.test.";
|
||||||
|
# Use a TSIG key in production!
|
||||||
|
key-name = "";
|
||||||
|
dns-servers = [ {
|
||||||
|
ip-address = "10.0.0.2";
|
||||||
|
port = 53;
|
||||||
|
} ];
|
||||||
|
} ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nameserver = { config, pkgs, ... }: {
|
||||||
|
virtualisation.vlans = [ 1 ];
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
firewall.allowedUDPPorts = [ 53 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
networks = {
|
||||||
|
"01-eth1" = {
|
||||||
|
name = "eth1";
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.0.0.2/29";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.resolved.enable = false;
|
||||||
|
|
||||||
|
# Set up an authoritative nameserver, serving the `lan.nixos.test`
|
||||||
|
# zone and configure an ACL that allows dynamic updates from
|
||||||
|
# the router's ip address.
|
||||||
|
# This ACL is likely insufficient for production usage. Please
|
||||||
|
# use TSIG keys.
|
||||||
|
services.knot = let
|
||||||
|
zone = pkgs.writeTextDir "lan.nixos.test.zone" ''
|
||||||
|
@ SOA ns.nixos.test nox.nixos.test 0 86400 7200 3600000 172800
|
||||||
|
@ NS nameserver
|
||||||
|
nameserver A 10.0.0.3
|
||||||
|
router A 10.0.0.1
|
||||||
|
'';
|
||||||
|
zonesDir = pkgs.buildEnv {
|
||||||
|
name = "knot-zones";
|
||||||
|
paths = [ zone ];
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
enable = true;
|
||||||
|
extraArgs = [
|
||||||
|
"-v"
|
||||||
|
];
|
||||||
|
extraConfig = ''
|
||||||
|
server:
|
||||||
|
listen: 0.0.0.0@53
|
||||||
|
|
||||||
|
log:
|
||||||
|
- target: syslog
|
||||||
|
any: debug
|
||||||
|
|
||||||
|
acl:
|
||||||
|
- id: dhcp_ddns
|
||||||
|
address: 10.0.0.1
|
||||||
|
action: update
|
||||||
|
|
||||||
|
template:
|
||||||
|
- id: default
|
||||||
|
storage: ${zonesDir}
|
||||||
|
zonefile-sync: -1
|
||||||
|
zonefile-load: difference-no-serial
|
||||||
|
journal-content: all
|
||||||
|
|
||||||
|
zone:
|
||||||
|
- domain: lan.nixos.test
|
||||||
|
file: lan.nixos.test.zone
|
||||||
|
acl: [dhcp_ddns]
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
client = { config, pkgs, ... }: {
|
client = { config, pkgs, ... }: {
|
||||||
|
@ -70,6 +179,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
|
||||||
router.wait_for_unit("kea-dhcp4-server.service")
|
router.wait_for_unit("kea-dhcp4-server.service")
|
||||||
client.wait_for_unit("systemd-networkd-wait-online.service")
|
client.wait_for_unit("systemd-networkd-wait-online.service")
|
||||||
client.wait_until_succeeds("ping -c 5 10.0.0.1")
|
client.wait_until_succeeds("ping -c 5 10.0.0.1")
|
||||||
router.wait_until_succeeds("ping -c 5 10.0.0.2")
|
router.wait_until_succeeds("ping -c 5 10.0.0.3")
|
||||||
|
nameserver.wait_until_succeeds("kdig +short client.lan.nixos.test @10.0.0.2 | grep -q 10.0.0.3")
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
|
@ -31,7 +31,7 @@ let
|
||||||
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
|
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
|
||||||
tsigFile = pkgs.writeText "tsig.conf" ''
|
tsigFile = pkgs.writeText "tsig.conf" ''
|
||||||
key:
|
key:
|
||||||
- id: slave_key
|
- id: xfr_key
|
||||||
algorithm: hmac-sha256
|
algorithm: hmac-sha256
|
||||||
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
|
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
|
||||||
'';
|
'';
|
||||||
|
@ -43,7 +43,7 @@ in {
|
||||||
|
|
||||||
|
|
||||||
nodes = {
|
nodes = {
|
||||||
master = { lib, ... }: {
|
primary = { lib, ... }: {
|
||||||
imports = [ common ];
|
imports = [ common ];
|
||||||
|
|
||||||
# trigger sched_setaffinity syscall
|
# trigger sched_setaffinity syscall
|
||||||
|
@ -64,22 +64,17 @@ in {
|
||||||
server:
|
server:
|
||||||
listen: 0.0.0.0@53
|
listen: 0.0.0.0@53
|
||||||
listen: ::@53
|
listen: ::@53
|
||||||
|
automatic-acl: true
|
||||||
acl:
|
|
||||||
- id: slave_acl
|
|
||||||
address: 192.168.0.2
|
|
||||||
key: slave_key
|
|
||||||
action: transfer
|
|
||||||
|
|
||||||
remote:
|
remote:
|
||||||
- id: slave
|
- id: secondary
|
||||||
address: 192.168.0.2@53
|
address: 192.168.0.2@53
|
||||||
|
key: xfr_key
|
||||||
|
|
||||||
template:
|
template:
|
||||||
- id: default
|
- id: default
|
||||||
storage: ${knotZonesEnv}
|
storage: ${knotZonesEnv}
|
||||||
notify: [slave]
|
notify: [secondary]
|
||||||
acl: [slave_acl]
|
|
||||||
dnssec-signing: on
|
dnssec-signing: on
|
||||||
# Input-only zone files
|
# Input-only zone files
|
||||||
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
|
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
|
||||||
|
@ -105,7 +100,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
slave = { lib, ... }: {
|
secondary = { lib, ... }: {
|
||||||
imports = [ common ];
|
imports = [ common ];
|
||||||
networking.interfaces.eth1 = {
|
networking.interfaces.eth1 = {
|
||||||
ipv4.addresses = lib.mkForce [
|
ipv4.addresses = lib.mkForce [
|
||||||
|
@ -122,21 +117,16 @@ in {
|
||||||
server:
|
server:
|
||||||
listen: 0.0.0.0@53
|
listen: 0.0.0.0@53
|
||||||
listen: ::@53
|
listen: ::@53
|
||||||
|
automatic-acl: true
|
||||||
acl:
|
|
||||||
- id: notify_from_master
|
|
||||||
address: 192.168.0.1
|
|
||||||
action: notify
|
|
||||||
|
|
||||||
remote:
|
remote:
|
||||||
- id: master
|
- id: primary
|
||||||
address: 192.168.0.1@53
|
address: 192.168.0.1@53
|
||||||
key: slave_key
|
key: xfr_key
|
||||||
|
|
||||||
template:
|
template:
|
||||||
- id: default
|
- id: default
|
||||||
master: master
|
master: primary
|
||||||
acl: [notify_from_master]
|
|
||||||
# zonefileless setup
|
# zonefileless setup
|
||||||
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
|
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
|
||||||
zonefile-sync: -1
|
zonefile-sync: -1
|
||||||
|
@ -174,19 +164,19 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = { nodes, ... }: let
|
testScript = { nodes, ... }: let
|
||||||
master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
|
primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address;
|
||||||
master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
|
primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address;
|
||||||
|
|
||||||
slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address;
|
secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address;
|
||||||
slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address;
|
secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address;
|
||||||
in ''
|
in ''
|
||||||
import re
|
import re
|
||||||
|
|
||||||
start_all()
|
start_all()
|
||||||
|
|
||||||
client.wait_for_unit("network.target")
|
client.wait_for_unit("network.target")
|
||||||
master.wait_for_unit("knot.service")
|
primary.wait_for_unit("knot.service")
|
||||||
slave.wait_for_unit("knot.service")
|
secondary.wait_for_unit("knot.service")
|
||||||
|
|
||||||
|
|
||||||
def test(host, query_type, query, pattern):
|
def test(host, query_type, query, pattern):
|
||||||
|
@ -195,7 +185,7 @@ in {
|
||||||
assert re.search(pattern, out), f'Did not match "{pattern}"'
|
assert re.search(pattern, out), f'Did not match "{pattern}"'
|
||||||
|
|
||||||
|
|
||||||
for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"):
|
for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"):
|
||||||
with subtest(f"Interrogate {host}"):
|
with subtest(f"Interrogate {host}"):
|
||||||
test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.")
|
test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.")
|
||||||
test(host, "A", "example.com", r"has no [^ ]+ record")
|
test(host, "A", "example.com", r"has no [^ ]+ record")
|
||||||
|
@ -211,6 +201,6 @@ in {
|
||||||
test(host, "RRSIG", "www.example.com", r"RR set signature is")
|
test(host, "RRSIG", "www.example.com", r"RR set signature is")
|
||||||
test(host, "DNSKEY", "example.com", r"DNSSEC key is")
|
test(host, "DNSKEY", "example.com", r"DNSSEC key is")
|
||||||
|
|
||||||
master.log(master.succeed("systemd-analyze security knot.service | grep -v '✓'"))
|
primary.log(primary.succeed("systemd-analyze security knot.service | grep -v '✓'"))
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
|
@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
|
||||||
passthru.tests = {
|
passthru.tests = {
|
||||||
inherit knot-resolver;
|
inherit knot-resolver;
|
||||||
} // lib.optionalAttrs stdenv.isLinux {
|
} // lib.optionalAttrs stdenv.isLinux {
|
||||||
inherit (nixosTests) knot;
|
inherit (nixosTests) knot kea;
|
||||||
# Some dependencies are very version-sensitive, so the might get dropped
|
# Some dependencies are very version-sensitive, so the might get dropped
|
||||||
# or embedded after some update, even if the nixPackagers didn't intend to.
|
# or embedded after some update, even if the nixPackagers didn't intend to.
|
||||||
# For non-linux I don't know a good replacement for `ldd`.
|
# For non-linux I don't know a good replacement for `ldd`.
|
||||||
|
|
Loading…
Reference in a new issue