keydb: init at 6.3.4

Simon Hauser 2024-04-05 12:40:34 +02:00
parent 3541c7628d
commit b3642388fe
No known key found for this signature in database
GPG Key ID: B2E16EBB243E757F
5 changed files with 190 additions and 38 deletions


@ -441,6 +441,7 @@ with lib.maintainers; {
# Verify additions to this team with at least one already existing member of the team. # Verify additions to this team with at least one already existing member of the team.
members = [ members = [
das_j das_j
conni2461
]; ];
scope = "Group registration for packages maintained by Helsinki Systems"; scope = "Group registration for packages maintained by Helsinki Systems";
shortName = "Helsinki Systems employees"; shortName = "Helsinki Systems employees";


@ -338,7 +338,7 @@ in {
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/redis-server /var/lib/${redisName name}/redis.conf ${escapeShellArgs conf.extraParams}"; ExecStart = "${cfg.package}/bin/${cfg.package.serverBin or "redis-server"} /var/lib/${redisName name}/redis.conf ${escapeShellArgs conf.extraParams}";
ExecStartPre = "+"+pkgs.writeShellScript "${redisName name}-prep-conf" (let ExecStartPre = "+"+pkgs.writeShellScript "${redisName name}-prep-conf" (let
redisConfVar = "/var/lib/${redisName name}/redis.conf"; redisConfVar = "/var/lib/${redisName name}/redis.conf";
redisConfRun = "/run/${redisName name}/nixos.conf"; redisConfRun = "/run/${redisName name}/nixos.conf";
@ -391,7 +391,8 @@ in {
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true; RestrictNamespaces = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; # we need to disable MemoryDenyWriteExecute for keydb
MemoryDenyWriteExecute = cfg.package.pname != "keydb";
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
PrivateMounts = true; PrivateMounts = true;
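Review bot: The new `MemoryDenyWriteExecute = cfg.package.pname != "keydb";` line turns off W^X enforcement for the whole KeyDB unit, but the comment above it does not say what in KeyDB needs writable-and-executable mappings, so nobody can tell later when the exception can be dropped. The comment should name the cause, for example `# KeyDB fails to start with MemoryDenyWriteExecute (see <upstream issue link>); keep it enabled for every other package`. Matching on `pname` is also brittle, since a package without a `pname` attribute fails evaluation here, whereas the `ExecStart` change in this file already uses an `or` fallback; `(cfg.package.pname or "") != "keydb"` would at least keep evaluation working. The enclosing `serviceConfig` block starts and ends outside these hunks.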


@ -1,44 +1,87 @@
import ./make-test-python.nix ({ pkgs, lib, ... }:
{ {
name = "redis"; system ? builtins.currentSystem,
meta.maintainers = with lib.maintainers; [ flokli ]; config ? { },
pkgs ? import ../../.. { inherit system config; },
nodes = { lib ? pkgs.lib,
machine = }:
{ pkgs, lib, ... }: let
makeTest = import ./make-test-python.nix;
{ mkTestName =
services.redis.servers."".enable = true; pkg: "${pkg.pname}_${builtins.replaceStrings [ "." ] [ "" ] (lib.versions.majorMinor pkg.version)}";
services.redis.servers."test".enable = true; redisPackages = {
inherit (pkgs) redis keydb;
users.users = lib.listToAttrs (map (suffix: lib.nameValuePair "member${suffix}" {
createHome = false;
description = "A member of the redis${suffix} group";
isNormalUser = true;
extraGroups = [ "redis${suffix}" ];
}) ["" "-test"]);
};
}; };
makeRedisTest =
{
package,
name ? mkTestName package,
}:
makeTest {
inherit name;
meta.maintainers = [
lib.maintainers.flokli
lib.teams.helsinki-systems.members
];
testScript = { nodes, ... }: let nodes = {
inherit (nodes.machine.config.services) redis; machine =
in '' { lib, ... }:
start_all()
machine.wait_for_unit("redis")
machine.wait_for_unit("redis-test")
# The unnamed Redis server still opens a port for backward-compatibility {
machine.wait_for_open_port(6379) services = {
redis = {
inherit package;
servers."".enable = true;
servers."test".enable = true;
};
};
machine.wait_for_file("${redis.servers."".unixSocket}") users.users = lib.listToAttrs (
machine.wait_for_file("${redis.servers."test".unixSocket}") map
(
suffix:
lib.nameValuePair "member${suffix}" {
createHome = false;
description = "A member of the redis${suffix} group";
isNormalUser = true;
extraGroups = [ "redis${suffix}" ];
}
)
[
""
"-test"
]
);
};
};
# The unix socket is accessible to the redis group testScript =
machine.succeed('su member -c "redis-cli ping | grep PONG"') { nodes, ... }:
machine.succeed('su member-test -c "redis-cli ping | grep PONG"') let
inherit (nodes.machine.services) redis;
in
''
start_all()
machine.wait_for_unit("redis")
machine.wait_for_unit("redis-test")
machine.succeed("redis-cli ping | grep PONG") # The unnamed Redis server still opens a port for backward-compatibility
machine.succeed("redis-cli -s ${redis.servers."".unixSocket} ping | grep PONG") machine.wait_for_open_port(6379)
machine.succeed("redis-cli -s ${redis.servers."test".unixSocket} ping | grep PONG")
''; machine.wait_for_file("${redis.servers."".unixSocket}")
}) machine.wait_for_file("${redis.servers."test".unixSocket}")
# The unix socket is accessible to the redis group
machine.succeed('su member -c "${pkgs.redis}/bin/redis-cli ping | grep PONG"')
machine.succeed('su member-test -c "${pkgs.redis}/bin/redis-cli ping | grep PONG"')
machine.succeed("${pkgs.redis}/bin/redis-cli ping | grep PONG")
machine.succeed("${pkgs.redis}/bin/redis-cli -s ${redis.servers."".unixSocket} ping | grep PONG")
machine.succeed("${pkgs.redis}/bin/redis-cli -s ${
redis.servers."test".unixSocket
} ping | grep PONG")
'';
};
in
lib.mapAttrs (_: package: makeRedisTest { inherit package; }) redisPackages
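Review bot: `meta.maintainers` in `makeRedisTest` is written as `[ lib.maintainers.flokli lib.teams.helsinki-systems.members ]`, which puts the team's member list in as a single nested element instead of adding its members. Concatenate the two instead: `meta.maintainers = [ lib.maintainers.flokli ] ++ lib.teams.helsinki-systems.members;`. Separately, every client call in `testScript` uses `${pkgs.redis}/bin/redis-cli`, so the KeyDB variant never runs `keydb-cli`. If that is intentional, a one-line comment saying so would save the next reader the question.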


@ -0,0 +1,106 @@
{
stdenv,
lib,
fetchFromGitHub,
libuuid,
curl,
pkg-config,
withSystemd ? lib.meta.availableOn stdenv.hostPlatform systemd,
systemd,
tlsSupport ? !stdenv.hostPlatform.isStatic,
openssl,
jemalloc,
which,
tcl,
tcltls,
ps,
getconf,
nixosTests,
}:
stdenv.mkDerivation rec {
pname = "keydb";
version = "6.3.4";
src = fetchFromGitHub {
owner = "snapchat";
repo = "keydb";
rev = "v${version}";
hash = "sha256-j6qgK6P3Fv+b6k9jwKQ5zW7XLkKbXXcmHKBCQYvwEIU=";
};
postPatch = ''
substituteInPlace deps/lua/src/Makefile \
--replace-fail "ar rcu" "${stdenv.cc.targetPrefix}ar rcu"
substituteInPlace src/Makefile \
--replace-fail "as --64 -g" "${stdenv.cc.targetPrefix}as --64 -g"
'';
nativeBuildInputs = [ pkg-config ];
buildInputs = [
jemalloc
curl
libuuid
] ++ lib.optionals tlsSupport [ openssl ] ++ lib.optionals withSystemd [ systemd ];
makeFlags =
[
"PREFIX=${placeholder "out"}"
"AR=${stdenv.cc.targetPrefix}ar"
"RANLIB=${stdenv.cc.targetPrefix}ranlib"
"USEASM=${if stdenv.isx86_64 then "true" else "false"}"
]
++ lib.optionals (!tlsSupport) [ "BUILD_TLS=no" ]
++ lib.optionals withSystemd [ "USE_SYSTEMD=yes" ]
++ lib.optionals (!stdenv.isx86_64) [ "MALLOC=libc" ];
enableParallelBuilding = true;
hardeningEnable = lib.optionals (!stdenv.isDarwin) [ "pie" ];
# darwin currently lacks a pure `pgrep` which is extensively used here
doCheck = !stdenv.isDarwin;
nativeCheckInputs = [
which
tcl
ps
] ++ lib.optionals stdenv.hostPlatform.isStatic [ getconf ] ++ lib.optionals tlsSupport [ tcltls ];
checkPhase = ''
runHook preCheck
# disable test "Connect multiple replicas at the same time": even
# upstream find this test too timing-sensitive
substituteInPlace tests/integration/replication.tcl \
--replace-fail 'foreach mdl {no yes}' 'foreach mdl {}'
substituteInPlace tests/support/server.tcl \
--replace-fail 'exec /usr/bin/env' 'exec env'
sed -i '/^proc wait_load_handlers_disconnected/{n ; s/wait_for_condition 50 100/wait_for_condition 50 500/; }' \
tests/support/util.tcl
patchShebangs ./utils/gen-test-certs.sh
${if tlsSupport then "./utils/gen-test-certs.sh" else ""}
./runtest \
--no-latency \
--timeout 2000 \
--clients $NIX_BUILD_CORES \
--tags -leaks ${if tlsSupport then "--tls" else ""}
runHook postCheck
'';
passthru.tests.redis = nixosTests.redis;
passthru.serverBin = "keydb-server";
meta = with lib; {
homepage = "https://keydb.dev";
description = "A Multithreaded Fork of Redis";
license = licenses.bsd3;
platforms = platforms.all;
changelog = "https://github.com/Snapchat/KeyDB/raw/v${version}/00-RELEASENOTES";
maintainers = teams.helsinki-systems.members;
mainProgram = "keydb-cli";
};
}
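Review bot: In `checkPhase`, the substitution `'foreach mdl {no yes}' 'foreach mdl {}'` rewrites every occurrence of that loop header in `tests/integration/replication.tcl`, which may disable more than the one test the comment names. If the file holds more than one such loop, replication coverage is lost without any notice, so the comment should state how many loops are affected, for example `# NOTE: this empties every "foreach mdl" loop in replication.tcl, not only the multi-replica test`. The `sed -i` on `tests/support/util.tcl` has the opposite problem: unlike the `--replace-fail` calls it becomes a silent no-op if upstream renames `wait_load_handlers_disconnected`, so a `grep -q 'wait_for_condition 50 500' tests/support/util.tcl` after it would surface that.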


@ -85,6 +85,7 @@ stdenv.mkDerivation (finalAttrs: {
''; '';
passthru.tests.redis = nixosTests.redis; passthru.tests.redis = nixosTests.redis;
passthru.serverBin = "redis-server";
meta = with lib; { meta = with lib; {
homepage = "https://redis.io"; homepage = "https://redis.io";