3e11ff6e0d
This option allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still stateful as the generated DH params file is non-deterministic. However what we can avoid with this is to have an increased surface for failures during system startup, because generation of the parameters is done during build-time. Another advantage of this is that we no longer need to take care of cleaning up the files that are no longer used and in my humble opinion I would have preferred that #11505 (which puts the dhparams in the Nix store) would have been merged instead of #22634 (which we have now). Luckily we can still change that and this change gives the user the option to put the dhparams into the Nix store. Beside of the more obvious advantages pointed out here, this also effects test runtime if more services are starting to use this (for example see #39507 and #39288), because generating DH params could take a long time depending on the bit size which adds up to test runtime. If we generate the DH params in a separate derivation, subsequent test runs won't need to wait for DH params generation during bootup. Of course, tests could still mock this by force-disabling the service and adding a service or activation script that places pre-generated DH params in /var/lib/dhparams but this would make tests less readable and the workaround would have to be made for each test affected. Note that the 'stateful' option is still true by default so that we are backwards-compatible with existing systems. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog, @abbradar, @fpletz
131 lines
3.9 KiB
Nix
131 lines
3.9 KiB
Nix
let
|
|
common = { pkgs, ... }: {
|
|
security.dhparams.enable = true;
|
|
environment.systemPackages = [ pkgs.openssl ];
|
|
};
|
|
|
|
in import ./make-test.nix {
|
|
name = "dhparams";
|
|
|
|
nodes.generation1 = { pkgs, config, ... }: {
|
|
imports = [ common ];
|
|
security.dhparams.params = {
|
|
# Use low values here because we don't want the test to run for ages.
|
|
foo.bits = 16;
|
|
# Also use the old format to make sure the type is coerced in the right
|
|
# way.
|
|
bar = 17;
|
|
};
|
|
|
|
systemd.services.foo = {
|
|
description = "Check systemd Ordering";
|
|
wantedBy = [ "multi-user.target" ];
|
|
unitConfig = {
|
|
# This is to make sure that the dhparams generation of foo occurs
|
|
# before this service so we need this service to start as early as
|
|
# possible to provoke a race condition.
|
|
DefaultDependencies = false;
|
|
|
|
# We check later whether the service has been started or not.
|
|
ConditionPathExists = config.security.dhparams.params.foo.path;
|
|
};
|
|
serviceConfig.Type = "oneshot";
|
|
serviceConfig.RemainAfterExit = true;
|
|
# The reason we only provide an ExecStop here is to ensure that we don't
|
|
# accidentally trigger an error because a file system is not yet ready
|
|
# during very early startup (we might not even have the Nix store
|
|
# available, for example if future changes in NixOS use systemd mount
|
|
# units to do early file system initialisation).
|
|
serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
|
|
};
|
|
};
|
|
|
|
nodes.generation2 = {
|
|
imports = [ common ];
|
|
security.dhparams.params.foo.bits = 18;
|
|
};
|
|
|
|
nodes.generation3 = common;
|
|
|
|
nodes.generation4 = {
|
|
imports = [ common ];
|
|
security.dhparams.stateful = false;
|
|
security.dhparams.params.foo2.bits = 18;
|
|
security.dhparams.params.bar2.bits = 19;
|
|
};
|
|
|
|
testScript = { nodes, ... }: let
|
|
getParamPath = gen: name: let
|
|
node = "generation${toString gen}";
|
|
in nodes.${node}.config.security.dhparams.params.${name}.path;
|
|
|
|
assertParamBits = gen: name: bits: let
|
|
path = getParamPath gen name;
|
|
in ''
|
|
$machine->nest('check bit size of ${path}', sub {
|
|
my $out = $machine->succeed('openssl dhparam -in ${path} -text');
|
|
$out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m;
|
|
die "bit size should be ${toString bits} but it is $1 instead."
|
|
if $1 != ${toString bits};
|
|
});
|
|
'';
|
|
|
|
switchToGeneration = gen: let
|
|
node = "generation${toString gen}";
|
|
inherit (nodes.${node}.config.system.build) toplevel;
|
|
switchCmd = "${toplevel}/bin/switch-to-configuration test";
|
|
in ''
|
|
$machine->nest('switch to generation ${toString gen}', sub {
|
|
$machine->succeed('${switchCmd}');
|
|
$main::machine = ''$${node};
|
|
});
|
|
'';
|
|
|
|
in ''
|
|
my $machine = $generation1;
|
|
|
|
$machine->waitForUnit('multi-user.target');
|
|
|
|
subtest "verify startup order", sub {
|
|
$machine->succeed('systemctl is-active foo.service');
|
|
};
|
|
|
|
subtest "check bit sizes of dhparam files", sub {
|
|
${assertParamBits 1 "foo" 16}
|
|
${assertParamBits 1 "bar" 17}
|
|
};
|
|
|
|
${switchToGeneration 2}
|
|
|
|
subtest "check whether bit size has changed", sub {
|
|
${assertParamBits 2 "foo" 18}
|
|
};
|
|
|
|
subtest "ensure that dhparams file for 'bar' was deleted", sub {
|
|
$machine->fail('test -e ${getParamPath 1 "bar"}');
|
|
};
|
|
|
|
${switchToGeneration 3}
|
|
|
|
subtest "ensure that 'security.dhparams.path' has been deleted", sub {
|
|
$machine->fail(
|
|
'test -e ${nodes.generation3.config.security.dhparams.path}'
|
|
);
|
|
};
|
|
|
|
${switchToGeneration 4}
|
|
|
|
subtest "check bit sizes dhparam files", sub {
|
|
${assertParamBits 4 "foo2" 18}
|
|
${assertParamBits 4 "bar2" 19}
|
|
};
|
|
|
|
subtest "check whether dhparam files are in the Nix store", sub {
|
|
$machine->succeed(
|
|
'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}',
|
|
'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
|
|
);
|
|
};
|
|
'';
|
|
}
|