nixosTests.nscd: init, move DynamicUser test into there

nixosTests.systemd is quite heavy, it requires a full graphical system,
which is quite a big of a rebuild if the only thing you want to test is
whether dynamic users work.

This is now moved to an `nscd` test, which tests various NSS lookups,
making extra sure that the nscd path is tested, not the fallback path
(by hiding /etc/nsswitch.conf and /etc/hosts for getent).

nixosTests.resolv is removed. It didn't check for reverse lookups,
didn't catch nscd breaking halfway in between, and also had an
ambiguous reverse lookup - 192.0.2.1 could either reverse lookup to
host-ipv4.example.net, or host-dual.example.net.

4 files changed, 94 insertions, 53 deletions

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 131936a87c3..9b573a13d30 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -440,6 +440,7 @@ in {
   non-default-filesystems = handleTest ./non-default-filesystems.nix {};
   noto-fonts = handleTest ./noto-fonts.nix {};
   novacomd = handleTestOn ["x86_64-linux"] ./novacomd.nix {};
+  nscd = handleTest ./nscd.nix {};
   nsd = handleTest ./nsd.nix {};
   nzbget = handleTest ./nzbget.nix {};
   nzbhydra2 = handleTest ./nzbhydra2.nix {};
@@ -529,7 +530,6 @@ in {
   rasdaemon = handleTest ./rasdaemon.nix {};
   redis = handleTest ./redis.nix {};
   redmine = handleTest ./redmine.nix {};
-  resolv = handleTest ./resolv.nix {};
   restartByActivationScript = handleTest ./restart-by-activation-script.nix {};
   restic = handleTest ./restic.nix {};
   retroarch = handleTest ./retroarch.nix {};
diff --git a/nixos/tests/nscd.nix b/nixos/tests/nscd.nix
new file mode 100644
index 00000000000..f9c9fb10e0b
--- /dev/null
+++ b/nixos/tests/nscd.nix
@@ -0,0 +1,93 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+  # build a getent that itself doesn't see anything in /etc/hosts and
+  # /etc/nsswitch.conf, by using libredirect to steer its own requests to
+  # /dev/null.
+  # This means is /has/ to go via nscd to actuallly resolve any of the
+  # additionally configured hosts.
+  getent' = pkgs.writeScript "getent-without-etc-hosts" ''
+    export NIX_REDIRECTS=/etc/hosts=/dev/null:/etc/nsswitch.conf=/dev/null
+    export LD_PRELOAD=${pkgs.libredirect}/lib/libredirect.so
+    exec getent $@
+  '';
+in
+{
+  name = "nscd";
+
+  nodes.machine = { lib, ... }: {
+    imports = [ common/user-account.nix ];
+    networking.extraHosts = ''
+      2001:db8::1 somehost.test
+      192.0.2.1 somehost.test
+    '';
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("default.target")
+
+    # Regression test for https://github.com/NixOS/nixpkgs/issues/50273
+    with subtest("DynamicUser actually allocates a user"):
+        assert "iamatest" in machine.succeed(
+            "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami"
+        )
+
+    # Test resolution of somehost.test with getent', to make sure we go via nscd
+    with subtest("host lookups via nscd"):
+        # ahosts
+        output = machine.succeed("${getent'} ahosts somehost.test")
+        assert "192.0.2.1" in output
+        assert "2001:db8::1" in output
+
+        # ahostsv4
+        output = machine.succeed("${getent'} ahostsv4 somehost.test")
+        assert "192.0.2.1" in output
+        assert "2001:db8::1" not in output
+
+        # ahostsv6
+        output = machine.succeed("${getent'} ahostsv6 somehost.test")
+        assert "192.0.2.1" not in output
+        assert "2001:db8::1" in output
+
+        # reverse lookups (hosts)
+        assert "somehost.test" in machine.succeed("${getent'} hosts 2001:db8::1")
+        assert "somehost.test" in machine.succeed("${getent'} hosts 192.0.2.1")
+
+
+    # Test host resolution via nss modules works
+    # We rely on nss-myhostname in this case, which resolves *.localhost and
+    # _gateway.
+    # We don't need to use getent' here, as non-glibc nss modules can only be
+    # discovered via nscd.
+    with subtest("nss-myhostname provides hostnames (ahosts)"):
+        # ahosts
+        output = machine.succeed("getent ahosts foobar.localhost")
+        assert "::1" in output
+        assert "127.0.0.1" in output
+
+        # ahostsv4
+        output = machine.succeed("getent ahostsv4 foobar.localhost")
+        assert "::1" not in output
+        assert "127.0.0.1" in output
+
+        # ahostsv6
+        output = machine.succeed("getent ahostsv6 foobar.localhost")
+        assert "::1" in output
+        assert "127.0.0.1" not in output
+
+        # ahosts
+        output = machine.succeed("getent ahosts _gateway")
+
+        # returns something like the following:
+        # 10.0.2.2        STREAM _gateway
+        # 10.0.2.2        DGRAM
+        # 10.0.2.2        RAW
+        # fe80::2         STREAM
+        # fe80::2         DGRAM
+        # fe80::2         RAW
+
+        # Verify we see both ip addresses
+        assert "10.0.2.2" in output
+        assert "fe80::2" in output
+  '';
+})
diff --git a/nixos/tests/resolv.nix b/nixos/tests/resolv.nix
deleted file mode 100644
index f0aa7e42aaf..00000000000
--- a/nixos/tests/resolv.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-# Test whether DNS resolving returns multiple records and all address families.
-import ./make-test-python.nix ({ pkgs, ... } : {
-  name = "resolv";
-  meta = with pkgs.lib.maintainers; {
-    maintainers = [ ckauhaus ];
-  };
-
-  nodes.resolv = { ... }: {
-    networking.extraHosts = ''
-      # IPv4 only
-      192.0.2.1 host-ipv4.example.net
-      192.0.2.2 host-ipv4.example.net
-      # IP6 only
-      2001:db8::2:1 host-ipv6.example.net
-      2001:db8::2:2 host-ipv6.example.net
-      # dual stack
-      192.0.2.1 host-dual.example.net
-      192.0.2.2 host-dual.example.net
-      2001:db8::2:1 host-dual.example.net
-      2001:db8::2:2 host-dual.example.net
-    '';
-  };
-
-  testScript = ''
-    def addrs_in(hostname, addrs):
-        res = resolv.succeed("getent ahosts {}".format(hostname))
-        for addr in addrs:
-            assert addr in res, "Expected output '{}' not found in\n{}".format(addr, res)
-
-
-    start_all()
-    resolv.wait_for_unit("nscd")
-
-    ipv4 = ["192.0.2.1", "192.0.2.2"]
-    ipv6 = ["2001:db8::2:1", "2001:db8::2:2"]
-
-    with subtest("IPv4 resolves"):
-        addrs_in("host-ipv4.example.net", ipv4)
-
-    with subtest("IPv6 resolves"):
-        addrs_in("host-ipv6.example.net", ipv6)
-
-    with subtest("Dual stack resolves"):
-        addrs_in("host-dual.example.net", ipv4 + ipv6)
-  '';
-})
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 3317823e03f..3c36291b733 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -87,12 +87,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         machine.succeed("test -e /home/alice/user_conf_read")
         machine.succeed("test -z $(ls -1 /var/log/journal)")
 
-    # Regression test for https://github.com/NixOS/nixpkgs/issues/50273
-    with subtest("DynamicUser actually allocates a user"):
-        assert "iamatest" in machine.succeed(
-            "systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami"
-        )
-
     with subtest("regression test for https://bugs.freedesktop.org/show_bug.cgi?id=77507"):
         retcode, output = machine.execute("systemctl status testservice1.service")
         assert retcode in [0, 3]  # https://bugs.freedesktop.org/show_bug.cgi?id=77507