b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #218126 from mweinelt/kea-dhcp-ddns-test

Browse source 
nixos/tests/kea: Test dhcp-ddns against knot
This commit is contained in:
Martin Weinelt 2023-03-11 22:58:53 +00:00 committed by GitHub
parent 0bd50d43d2 487b6a38f3
commit 2dbef07f09
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 135 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

120
nixos/tests/kea.nix
View file

@ -1,3 +1,10 @@
# This test verifies DHCPv4 interaction between a client and a router.
# For successful DHCP allocations a dynamic update request is sent
# towards a nameserver to allocate a name in the lan.nixos.test zone.
# We then verify whether client and router can ping each other, and
# that the nameserver can resolve the clients fqdn to the correct IP
# address.
import ./make-test-python.nix ({ pkgs, lib, ...}: { import ./make-test-python.nix ({ pkgs, lib, ...}: {
meta.maintainers = with lib.maintainers; [ hexa ]; meta.maintainers = with lib.maintainers; [ hexa ];
@ -8,17 +15,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
virtualisation.vlans = [ 1 ]; virtualisation.vlans = [ 1 ];
networking = { networking = {
useNetworkd = true;
useDHCP = false; useDHCP = false;
firewall.allowedUDPPorts = [ 67 ]; firewall.allowedUDPPorts = [ 67 ];
}; };
systemd.network = { systemd.network = {
enable = true;
networks = { networks = {
"01-eth1" = { "01-eth1" = {
name = "eth1"; name = "eth1";
networkConfig = { networkConfig = {
Address = "10.0.0.1/30"; Address = "10.0.0.1/29";
}; };
}; };
}; };
@ -45,13 +52,115 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
}; };
subnet4 = [ { subnet4 = [ {
subnet = "10.0.0.0/30"; subnet = "10.0.0.0/29";
pools = [ { pools = [ {
pool = "10.0.0.2 - 10.0.0.2"; pool = "10.0.0.3 - 10.0.0.3";
} ]; } ];
} ]; } ];
# Enable communication between dhcp4 and a local dhcp-ddns
# instance.
# https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#ddns-for-dhcpv4
dhcp-ddns = {
enable-updates = true;
};
ddns-send-updates = true;
ddns-qualifying-suffix = "lan.nixos.test.";
}; };
}; };
services.kea.dhcp-ddns = {
enable = true;
settings = {
forward-ddns = {
# Configure updates of a forward zone named `lan.nixos.test`
# hosted at the nameserver at 10.0.0.2
# https://kea.readthedocs.io/en/kea-2.2.0/arm/ddns.html#adding-forward-dns-servers
ddns-domains = [ {
name = "lan.nixos.test.";
# Use a TSIG key in production!
key-name = "";
dns-servers = [ {
ip-address = "10.0.0.2";
port = 53;
} ];
} ];
};
};
};
};
nameserver = { config, pkgs, ... }: {
virtualisation.vlans = [ 1 ];
networking = {
useDHCP = false;
firewall.allowedUDPPorts = [ 53 ];
};
systemd.network = {
enable = true;
networks = {
"01-eth1" = {
name = "eth1";
networkConfig = {
Address = "10.0.0.2/29";
};
};
};
};
services.resolved.enable = false;
# Set up an authoritative nameserver, serving the `lan.nixos.test`
# zone and configure an ACL that allows dynamic updates from
# the router's ip address.
# This ACL is likely insufficient for production usage. Please
# use TSIG keys.
services.knot = let
zone = pkgs.writeTextDir "lan.nixos.test.zone" ''
@ SOA ns.nixos.test nox.nixos.test 0 86400 7200 3600000 172800
@ NS nameserver
nameserver A 10.0.0.3
router A 10.0.0.1
'';
zonesDir = pkgs.buildEnv {
name = "knot-zones";
paths = [ zone ];
};
in {
enable = true;
extraArgs = [
"-v"
];
extraConfig = ''
server:
listen: 0.0.0.0@53
log:
- target: syslog
any: debug
acl:
- id: dhcp_ddns
address: 10.0.0.1
action: update
template:
- id: default
storage: ${zonesDir}
zonefile-sync: -1
zonefile-load: difference-no-serial
journal-content: all
zone:
- domain: lan.nixos.test
file: lan.nixos.test.zone
acl: [dhcp_ddns]
'';
};
}; };
client = { config, pkgs, ... }: { client = { config, pkgs, ... }: {
@ -70,6 +179,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
router.wait_for_unit("kea-dhcp4-server.service") router.wait_for_unit("kea-dhcp4-server.service")
client.wait_for_unit("systemd-networkd-wait-online.service") client.wait_for_unit("systemd-networkd-wait-online.service")
client.wait_until_succeeds("ping -c 5 10.0.0.1") client.wait_until_succeeds("ping -c 5 10.0.0.1")
router.wait_until_succeeds("ping -c 5 10.0.0.2") router.wait_until_succeeds("ping -c 5 10.0.0.3")
nameserver.wait_until_succeeds("kdig +short client.lan.nixos.test @10.0.0.2 | grep -q 10.0.0.3")
''; '';
}) })

48
nixos/tests/knot.nix
View file

@ -31,7 +31,7 @@ let
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store! # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
tsigFile = pkgs.writeText "tsig.conf" '' tsigFile = pkgs.writeText "tsig.conf" ''
key: key:
- id: slave_key - id: xfr_key
algorithm: hmac-sha256 algorithm: hmac-sha256
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s= secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
''; '';
@ -43,7 +43,7 @@ in {
nodes = { nodes = {
master = { lib, ... }: { primary = { lib, ... }: {
imports = [ common ]; imports = [ common ];
# trigger sched_setaffinity syscall # trigger sched_setaffinity syscall
@ -64,22 +64,17 @@ in {
server: server:
listen: 0.0.0.0@53 listen: 0.0.0.0@53
listen: ::@53 listen: ::@53
automatic-acl: true
acl:
- id: slave_acl
address: 192.168.0.2
key: slave_key
action: transfer
remote: remote:
- id: slave - id: secondary
address: 192.168.0.2@53 address: 192.168.0.2@53
key: xfr_key
template: template:
- id: default - id: default
storage: ${knotZonesEnv} storage: ${knotZonesEnv}
notify: [slave] notify: [secondary]
acl: [slave_acl]
dnssec-signing: on dnssec-signing: on
# Input-only zone files # Input-only zone files
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3 # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
@ -105,7 +100,7 @@ in {
''; '';
}; };
slave = { lib, ... }: { secondary = { lib, ... }: {
imports = [ common ]; imports = [ common ];
networking.interfaces.eth1 = { networking.interfaces.eth1 = {
ipv4.addresses = lib.mkForce [ ipv4.addresses = lib.mkForce [
@ -122,21 +117,16 @@ in {
server: server:
listen: 0.0.0.0@53 listen: 0.0.0.0@53
listen: ::@53 listen: ::@53
automatic-acl: true
acl:
- id: notify_from_master
address: 192.168.0.1
action: notify
remote: remote:
- id: master - id: primary
address: 192.168.0.1@53 address: 192.168.0.1@53
key: slave_key key: xfr_key
template: template:
- id: default - id: default
master: master master: primary
acl: [notify_from_master]
# zonefileless setup # zonefileless setup
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2 # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
zonefile-sync: -1 zonefile-sync: -1
@ -174,19 +164,19 @@ in {
}; };
testScript = { nodes, ... }: let testScript = { nodes, ... }: let
master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address; primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address;
master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address; primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address;
slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address; secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address;
slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address; secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address;
in '' in ''
import re import re
start_all() start_all()
client.wait_for_unit("network.target") client.wait_for_unit("network.target")
master.wait_for_unit("knot.service") primary.wait_for_unit("knot.service")
slave.wait_for_unit("knot.service") secondary.wait_for_unit("knot.service")
def test(host, query_type, query, pattern): def test(host, query_type, query, pattern):
@ -195,7 +185,7 @@ in {
assert re.search(pattern, out), f'Did not match "{pattern}"' assert re.search(pattern, out), f'Did not match "{pattern}"'
for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"): for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"):
with subtest(f"Interrogate {host}"): with subtest(f"Interrogate {host}"):
test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.") test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.")
test(host, "A", "example.com", r"has no [^ ]+ record") test(host, "A", "example.com", r"has no [^ ]+ record")
@ -211,6 +201,6 @@ in {
test(host, "RRSIG", "www.example.com", r"RR set signature is") test(host, "RRSIG", "www.example.com", r"RR set signature is")
test(host, "DNSKEY", "example.com", r"DNSSEC key is") test(host, "DNSKEY", "example.com", r"DNSSEC key is")
master.log(master.succeed("systemd-analyze security knot.service | grep -v ''")) primary.log(primary.succeed("systemd-analyze security knot.service | grep -v ''"))
''; '';
}) })

2
pkgs/servers/dns/knot-dns/default.nix
View file

@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
passthru.tests = { passthru.tests = {
inherit knot-resolver; inherit knot-resolver;
} // lib.optionalAttrs stdenv.isLinux { } // lib.optionalAttrs stdenv.isLinux {
inherit (nixosTests) knot; inherit (nixosTests) knot kea;
# Some dependencies are very version-sensitive, so the might get dropped # Some dependencies are very version-sensitive, so the might get dropped
# or embedded after some update, even if the nixPackagers didn't intend to. # or embedded after some update, even if the nixPackagers didn't intend to.
# For non-linux I don't know a good replacement for `ldd`. # For non-linux I don't know a good replacement for `ldd`.