diff options
| author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2023-03-11 22:58:53 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-03-11 22:58:53 +0000 |
| commit | 2dbef07f0972d636402035155d2bfaf9cc4507a9 (patch) | |
| tree | 7e2f4d118b9872b0911817bf4fd9423b810ea403 /nixos | |
| parent | 0bd50d43d236c72108eed46c3533a369da41676f (diff) | |
| parent | 487b6a38f3af412550a0bdcdbb384f8635136752 (diff) | |
| download | nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.tar nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.tar.gz nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.tar.bz2 nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.tar.lz nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.tar.xz nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.tar.zst nixpkgs-2dbef07f0972d636402035155d2bfaf9cc4507a9.zip | |
Merge pull request #218126 from mweinelt/kea-dhcp-ddns-test
nixos/tests/kea: Test dhcp-ddns against knot
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/tests/kea.nix | 120 | ||||
| -rw-r--r-- | nixos/tests/knot.nix | 48 |
2 files changed, 134 insertions, 34 deletions
diff --git a/nixos/tests/kea.nix b/nixos/tests/kea.nix index b1d5894cc7c..b4095893b48 100644 --- a/nixos/tests/kea.nix +++ b/nixos/tests/kea.nix @@ -1,3 +1,10 @@ +# This test verifies DHCPv4 interaction between a client and a router. +# For successful DHCP allocations a dynamic update request is sent +# towards a nameserver to allocate a name in the lan.nixos.test zone. +# We then verify whether client and router can ping each other, and +# that the nameserver can resolve the clients fqdn to the correct IP +# address. + import ./make-test-python.nix ({ pkgs, lib, ...}: { meta.maintainers = with lib.maintainers; [ hexa ]; @@ -8,17 +15,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: { virtualisation.vlans = [ 1 ]; networking = { - useNetworkd = true; useDHCP = false; firewall.allowedUDPPorts = [ 67 ]; }; systemd.network = { + enable = true; networks = { "01-eth1" = { name = "eth1"; networkConfig = { - Address = "10.0.0.1/30"; + Address = "10.0.0.1/29"; }; }; }; @@ -45,13 +52,115 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: { }; subnet4 = [ { - subnet = "10.0.0.0/30"; + subnet = "10.0.0.0/29"; pools = [ { - pool = "10.0.0.2 - 10.0.0.2"; + pool = "10.0.0.3 - 10.0.0.3"; } ]; } ]; + + # Enable communication between dhcp4 and a local dhcp-ddns + # instance. + # https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#ddns-for-dhcpv4 + dhcp-ddns = { + enable-updates = true; + }; + + ddns-send-updates = true; + ddns-qualifying-suffix = "lan.nixos.test."; }; }; + + services.kea.dhcp-ddns = { + enable = true; + settings = { + forward-ddns = { + # Configure updates of a forward zone named `lan.nixos.test` + # hosted at the nameserver at 10.0.0.2 + # https://kea.readthedocs.io/en/kea-2.2.0/arm/ddns.html#adding-forward-dns-servers + ddns-domains = [ { + name = "lan.nixos.test."; + # Use a TSIG key in production! + key-name = ""; + dns-servers = [ { + ip-address = "10.0.0.2"; + port = 53; + } ]; + } ]; + }; + }; + }; + }; + + nameserver = { config, pkgs, ... }: { + virtualisation.vlans = [ 1 ]; + + networking = { + useDHCP = false; + firewall.allowedUDPPorts = [ 53 ]; + }; + + systemd.network = { + enable = true; + networks = { + "01-eth1" = { + name = "eth1"; + networkConfig = { + Address = "10.0.0.2/29"; + }; + }; + }; + }; + + services.resolved.enable = false; + + # Set up an authoritative nameserver, serving the `lan.nixos.test` + # zone and configure an ACL that allows dynamic updates from + # the router's ip address. + # This ACL is likely insufficient for production usage. Please + # use TSIG keys. + services.knot = let + zone = pkgs.writeTextDir "lan.nixos.test.zone" '' + @ SOA ns.nixos.test nox.nixos.test 0 86400 7200 3600000 172800 + @ NS nameserver + nameserver A 10.0.0.3 + router A 10.0.0.1 + ''; + zonesDir = pkgs.buildEnv { + name = "knot-zones"; + paths = [ zone ]; + }; + in { + enable = true; + extraArgs = [ + "-v" + ]; + extraConfig = '' + server: + listen: 0.0.0.0@53 + + log: + - target: syslog + any: debug + + acl: + - id: dhcp_ddns + address: 10.0.0.1 + action: update + + template: + - id: default + storage: ${zonesDir} + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: lan.nixos.test + file: lan.nixos.test.zone + acl: [dhcp_ddns] + ''; + }; + }; client = { config, pkgs, ... }: { @@ -70,6 +179,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: { router.wait_for_unit("kea-dhcp4-server.service") client.wait_for_unit("systemd-networkd-wait-online.service") client.wait_until_succeeds("ping -c 5 10.0.0.1") - router.wait_until_succeeds("ping -c 5 10.0.0.2") + router.wait_until_succeeds("ping -c 5 10.0.0.3") + nameserver.wait_until_succeeds("kdig +short client.lan.nixos.test @10.0.0.2 | grep -q 10.0.0.3") ''; }) diff --git a/nixos/tests/knot.nix b/nixos/tests/knot.nix index 203fd03fac2..2ecbf69194b 100644 --- a/nixos/tests/knot.nix +++ b/nixos/tests/knot.nix @@ -31,7 +31,7 @@ let # DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store! tsigFile = pkgs.writeText "tsig.conf" '' key: - - id: slave_key + - id: xfr_key algorithm: hmac-sha256 secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s= ''; @@ -43,7 +43,7 @@ in { nodes = { - master = { lib, ... }: { + primary = { lib, ... }: { imports = [ common ]; # trigger sched_setaffinity syscall @@ -64,22 +64,17 @@ in { server: listen: 0.0.0.0@53 listen: ::@53 - - acl: - - id: slave_acl - address: 192.168.0.2 - key: slave_key - action: transfer + automatic-acl: true remote: - - id: slave + - id: secondary address: 192.168.0.2@53 + key: xfr_key template: - id: default storage: ${knotZonesEnv} - notify: [slave] - acl: [slave_acl] + notify: [secondary] dnssec-signing: on # Input-only zone files # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3 @@ -105,7 +100,7 @@ in { ''; }; - slave = { lib, ... }: { + secondary = { lib, ... }: { imports = [ common ]; networking.interfaces.eth1 = { ipv4.addresses = lib.mkForce [ @@ -122,21 +117,16 @@ in { server: listen: 0.0.0.0@53 listen: ::@53 - - acl: - - id: notify_from_master - address: 192.168.0.1 - action: notify + automatic-acl: true remote: - - id: master + - id: primary address: 192.168.0.1@53 - key: slave_key + key: xfr_key template: - id: default - master: master - acl: [notify_from_master] + master: primary # zonefileless setup # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2 zonefile-sync: -1 @@ -174,19 +164,19 @@ in { }; testScript = { nodes, ... }: let - master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address; - master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address; + primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address; + primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address; - slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address; - slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address; + secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address; + secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address; in '' import re start_all() client.wait_for_unit("network.target") - master.wait_for_unit("knot.service") - slave.wait_for_unit("knot.service") + primary.wait_for_unit("knot.service") + secondary.wait_for_unit("knot.service") def test(host, query_type, query, pattern): @@ -195,7 +185,7 @@ in { assert re.search(pattern, out), f'Did not match "{pattern}"' - for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"): + for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"): with subtest(f"Interrogate {host}"): test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.") test(host, "A", "example.com", r"has no [^ ]+ record") @@ -211,6 +201,6 @@ in { test(host, "RRSIG", "www.example.com", r"RR set signature is") test(host, "DNSKEY", "example.com", r"DNSSEC key is") - master.log(master.succeed("systemd-analyze security knot.service | grep -v '✓'")) + primary.log(primary.succeed("systemd-analyze security knot.service | grep -v '✓'")) ''; }) |