Merge pull request #218126 from mweinelt/kea-dhcp-ddns-test (2dbef07f) · Commits · nix / nixpkgs

nixos/tests/kea.nix

+115 −5

Original line number	Diff line number	Diff line
		# This test verifies DHCPv4 interaction between a client and a router.
		# For successful DHCP allocations a dynamic update request is sent
		# towards a nameserver to allocate a name in the lan.nixos.test zone.
		# We then verify whether client and router can ping each other, and
		# that the nameserver can resolve the clients fqdn to the correct IP
		# address.

		import ./make-test-python.nix ({ pkgs, lib, ...}: {
		meta.maintainers = with lib.maintainers; [ hexa ];

		@@ -8,17 +15,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
		virtualisation.vlans = [ 1 ];

		networking = {
		useNetworkd = true;
		useDHCP = false;
		firewall.allowedUDPPorts = [ 67 ];
		};

		systemd.network = {
		enable = true;
		networks = {
		"01-eth1" = {
		name = "eth1";
		networkConfig = {
		Address = "10.0.0.1/30";
		Address = "10.0.0.1/29";
		};
		};
		};
		@@ -45,13 +52,115 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
		};

		subnet4 = [ {
		subnet = "10.0.0.0/30";
		subnet = "10.0.0.0/29";
		pools = [ {
		pool = "10.0.0.2 - 10.0.0.2";
		pool = "10.0.0.3 - 10.0.0.3";
		} ];
		} ];

		# Enable communication between dhcp4 and a local dhcp-ddns
		# instance.
		# https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#ddns-for-dhcpv4
		dhcp-ddns = {
		enable-updates = true;
		};

		ddns-send-updates = true;
		ddns-qualifying-suffix = "lan.nixos.test.";
		};
		};

		services.kea.dhcp-ddns = {
		enable = true;
		settings = {
		forward-ddns = {
		# Configure updates of a forward zone named `lan.nixos.test`
		# hosted at the nameserver at 10.0.0.2
		# https://kea.readthedocs.io/en/kea-2.2.0/arm/ddns.html#adding-forward-dns-servers
		ddns-domains = [ {
		name = "lan.nixos.test.";
		# Use a TSIG key in production!
		key-name = "";
		dns-servers = [ {
		ip-address = "10.0.0.2";
		port = 53;
		} ];
		} ];
		};
		};
		};
		};

		nameserver = { config, pkgs, ... }: {
		virtualisation.vlans = [ 1 ];

		networking = {
		useDHCP = false;
		firewall.allowedUDPPorts = [ 53 ];
		};

		systemd.network = {
		enable = true;
		networks = {
		"01-eth1" = {
		name = "eth1";
		networkConfig = {
		Address = "10.0.0.2/29";
		};
		};
		};
		};

		services.resolved.enable = false;

		# Set up an authoritative nameserver, serving the `lan.nixos.test`
		# zone and configure an ACL that allows dynamic updates from
		# the router's ip address.
		# This ACL is likely insufficient for production usage. Please
		# use TSIG keys.
		services.knot = let
		zone = pkgs.writeTextDir "lan.nixos.test.zone" ''
		@ SOA ns.nixos.test nox.nixos.test 0 86400 7200 3600000 172800
		@ NS nameserver
		nameserver A 10.0.0.3
		router A 10.0.0.1
		'';
		zonesDir = pkgs.buildEnv {
		name = "knot-zones";
		paths = [ zone ];
		};
		in {
		enable = true;
		extraArgs = [
		"-v"
		];
		extraConfig = ''
		server:
		listen: 0.0.0.0@53

		log:
		- target: syslog
		any: debug

		acl:
		- id: dhcp_ddns
		address: 10.0.0.1
		action: update

		template:
		- id: default
		storage: ${zonesDir}
		zonefile-sync: -1
		zonefile-load: difference-no-serial
		journal-content: all

		zone:
		- domain: lan.nixos.test
		file: lan.nixos.test.zone
		acl: [dhcp_ddns]
		'';
		};

		};

		client = { config, pkgs, ... }: {
		@@ -70,6 +179,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
		router.wait_for_unit("kea-dhcp4-server.service")
		client.wait_for_unit("systemd-networkd-wait-online.service")
		client.wait_until_succeeds("ping -c 5 10.0.0.1")
		router.wait_until_succeeds("ping -c 5 10.0.0.2")
		router.wait_until_succeeds("ping -c 5 10.0.0.3")
		nameserver.wait_until_succeeds("kdig +short client.lan.nixos.test @10.0.0.2 \| grep -q 10.0.0.3")
		'';
		})

nixos/tests/knot.nix

+19 −29

Original line number	Diff line number	Diff line
		@@ -31,7 +31,7 @@ let
		# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
		tsigFile = pkgs.writeText "tsig.conf" ''
		key:
		- id: slave_key
		- id: xfr_key
		algorithm: hmac-sha256
		secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
		'';
		@@ -43,7 +43,7 @@ in {


		nodes = {
		master = { lib, ... }: {
		primary = { lib, ... }: {
		imports = [ common ];

		# trigger sched_setaffinity syscall
		@@ -64,22 +64,17 @@ in {
		server:
		listen: 0.0.0.0@53
		listen: ::@53

		acl:
		- id: slave_acl
		address: 192.168.0.2
		key: slave_key
		action: transfer
		automatic-acl: true

		remote:
		- id: slave
		- id: secondary
		address: 192.168.0.2@53
		key: xfr_key

		template:
		- id: default
		storage: ${knotZonesEnv}
		notify: [slave]
		acl: [slave_acl]
		notify: [secondary]
		dnssec-signing: on
		# Input-only zone files
		# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
		@@ -105,7 +100,7 @@ in {
		'';
		};

		slave = { lib, ... }: {
		secondary = { lib, ... }: {
		imports = [ common ];
		networking.interfaces.eth1 = {
		ipv4.addresses = lib.mkForce [
		@@ -122,21 +117,16 @@ in {
		server:
		listen: 0.0.0.0@53
		listen: ::@53

		acl:
		- id: notify_from_master
		address: 192.168.0.1
		action: notify
		automatic-acl: true

		remote:
		- id: master
		- id: primary
		address: 192.168.0.1@53
		key: slave_key
		key: xfr_key

		template:
		- id: default
		master: master
		acl: [notify_from_master]
		master: primary
		# zonefileless setup
		# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
		zonefile-sync: -1
		@@ -174,19 +164,19 @@ in {
		};

		testScript = { nodes, ... }: let
		master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
		master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
		primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address;
		primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address;

		slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address;
		slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address;
		secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address;
		secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address;
		in ''
		import re

		start_all()

		client.wait_for_unit("network.target")
		master.wait_for_unit("knot.service")
		slave.wait_for_unit("knot.service")
		primary.wait_for_unit("knot.service")
		secondary.wait_for_unit("knot.service")


		def test(host, query_type, query, pattern):
		@@ -195,7 +185,7 @@ in {
		assert re.search(pattern, out), f'Did not match "{pattern}"'


		for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"):
		for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"):
		with subtest(f"Interrogate {host}"):
		test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.")
		test(host, "A", "example.com", r"has no [^ ]+ record")
		@@ -211,6 +201,6 @@ in {
		test(host, "RRSIG", "www.example.com", r"RR set signature is")
		test(host, "DNSKEY", "example.com", r"DNSSEC key is")

		master.log(master.succeed("systemd-analyze security knot.service \| grep -v '✓'"))
		primary.log(primary.succeed("systemd-analyze security knot.service \| grep -v '✓'"))
		'';
		})

pkgs/servers/dns/knot-dns/default.nix

+1 −1

Original line number	Diff line number	Diff line
		@@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
		passthru.tests = {
		inherit knot-resolver;
		} // lib.optionalAttrs stdenv.isLinux {
		inherit (nixosTests) knot;
		inherit (nixosTests) knot kea;
		# Some dependencies are very version-sensitive, so the might get dropped
		# or embedded after some update, even if the nixPackagers didn't intend to.
		# For non-linux I don't know a good replacement for `ldd`.