authorFrédéric Christ <frederic.christ@secunet.com>2024-06-12 13:24:42 +0200
committerFrédéric Christ <frederic.christ@secunet.com>2024-07-18 10:22:32 +0200
commitc6f6c282181d5c6fb8f63d95738b97b09f25c945 (patch)
tree395de70da15971f1431747cb662427da1b29e5dc
parentf322e8f25cd0a539d1f306b22fd3c3260e8cb461 (diff)
nixos/testing: Add ipv6 configuration
This contribution enables a working IPv6 setup by default. This works analogously to the current automatic IPv4 setup.
-rw-r--r--nixos/doc/manual/release-notes/rl-2411.section.md2
-rw-r--r--nixos/lib/testing/network.nix32
-rw-r--r--nixos/modules/virtualisation/qemu-vm.nix8
-rw-r--r--nixos/tests/firewall.nix2
-rw-r--r--nixos/tests/ipv6.nix2
-rw-r--r--nixos/tests/iscsi-root.nix6
-rw-r--r--nixos/tests/jool.nix18
-rw-r--r--nixos/tests/mediatomb.nix25
-rw-r--r--nixos/tests/nat.nix24
-rw-r--r--nixos/tests/nvmetcfg.nix2
-rw-r--r--nixos/tests/step-ca.nix2
-rw-r--r--nixos/tests/vaultwarden.nix2
-rw-r--r--nixos/tests/vector/dnstap.nix2
13 files changed, 84 insertions, 43 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 7e1127ba6cb1..d83b5661cafe 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -224,6 +224,8 @@
- [`lib.options.mkPackageOptionMD`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOptionMD) is now obsolete; use the identical [`lib.options.mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption) instead.
+- `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.
+
- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg' CMake rules.
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.
diff --git a/nixos/lib/testing/network.nix b/nixos/lib/testing/network.nix
index 0f1615a0ad3b..8e6d383e6257 100644
--- a/nixos/lib/testing/network.nix
+++ b/nixos/lib/testing/network.nix
@@ -32,10 +32,19 @@ let
# Automatically assign IP addresses to requested interfaces.
assignIPs = lib.filter (i: i.assignIP) interfaces;
ipInterfaces = forEach assignIPs (i:
- nameValuePair i.name { ipv4.addresses =
- [ { address = "192.168.${toString i.vlan}.${toString config.virtualisation.test.nodeNumber}";
+ nameValuePair i.name {
+ ipv4.addresses = [
+ {
+ address = "192.168.${toString i.vlan}.${toString config.virtualisation.test.nodeNumber}";
prefixLength = 24;
- }];
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2001:db8:${toString i.vlan}::${toString config.virtualisation.test.nodeNumber}";
+ prefixLength = 64;
+ }
+ ];
});
qemuOptions = lib.flatten (forEach interfacesNumbered ({ fst, snd }:
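Review bot: The new `ipv6.addresses` entry splices `toString i.vlan` and `toString config.virtualisation.test.nodeNumber` into hextet positions as decimal digits, so VLAN 10 yields the group `10` (read as 0x10), and a value above 9999 would not form a valid address. The mapping stays unique, so this is a documentation point rather than a bug. A comment above the address such as `# decimal vlan/nodeNumber digits are reused as hex groups; valid up to 9999` would help anyone matching these addresses in firewall or routing tests. The enclosing `let` block starts and ends outside the hunk.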
@@ -53,6 +62,9 @@ let
networking.primaryIPAddress =
optionalString (ipInterfaces != [ ]) (head (head ipInterfaces).value.ipv4.addresses).address;
+ networking.primaryIPv6Address =
+ optionalString (ipInterfaces != [ ]) (head (head ipInterfaces).value.ipv6.addresses).address;
+
# Put the IP addresses of all VMs in this machine's
# /etc/hosts file. If a machine has multiple
# interfaces, use the IP address corresponding to
@@ -60,12 +72,16 @@ let
# virtualisation.vlans option).
networking.extraHosts = flip concatMapStrings (attrNames nodes)
(m':
- let config = nodes.${m'}; in
+ let
+ config = nodes.${m'};
+ hostnames =
+ optionalString (config.networking.domain != null) "${config.networking.hostName}.${config.networking.domain} " +
+ "${config.networking.hostName}\n";
+ in
optionalString (config.networking.primaryIPAddress != "")
- ("${config.networking.primaryIPAddress} " +
- optionalString (config.networking.domain != null)
- "${config.networking.hostName}.${config.networking.domain} " +
- "${config.networking.hostName}\n"));
+ "${config.networking.primaryIPAddress} ${hostnames}" +
+ optionalString (config.networking.primaryIPv6Address != "")
+ ("${config.networking.primaryIPv6Address} ${hostnames}"));
virtualisation.qemu.options = qemuOptions;
boot.initrd.services.udev.rules = concatMapStrings (x: x + "\n") udevRules;
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index d1dc6404d4f5..428cca4adcf8 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -665,6 +665,14 @@ in
description = "Primary IP address used in /etc/hosts.";
};
+ networking.primaryIPv6Address =
+ mkOption {
+ type = types.str;
+ default = "";
+ internal = true;
+ description = "Primary IPv6 address used in /etc/hosts.";
+ };
+
virtualisation.host.pkgs = mkOption {
type = options.nixpkgs.pkgs.type;
default = pkgs;
diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index 34e8bda60eef..ad418bb3341f 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -36,7 +36,7 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
};
testScript = { nodes, ... }: let
- newSystem = nodes.walled2.config.system.build.toplevel;
+ newSystem = nodes.walled2.system.build.toplevel;
unit = if nftables then "nftables" else "firewall";
in ''
start_all()
diff --git a/nixos/tests/ipv6.nix b/nixos/tests/ipv6.nix
index 7f91457fa5ea..8fa7eec8ffb2 100644
--- a/nixos/tests/ipv6.nix
+++ b/nixos/tests/ipv6.nix
@@ -39,6 +39,8 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
+ # disable testing driver's default IPv6 address.
+ networking.interfaces.eth1.ipv6.addresses = lib.mkForce [ ];
};
router =
diff --git a/nixos/tests/iscsi-root.nix b/nixos/tests/iscsi-root.nix
index 0d7c48464eec..6953b6ce9a06 100644
--- a/nixos/tests/iscsi-root.nix
+++ b/nixos/tests/iscsi-root.nix
@@ -59,7 +59,7 @@ import ./make-test-python.nix (
];
portals = [
{
- ip_address = "0.0.0.0";
+ ip_address = "[::]";
iser = false;
offload = false;
port = 3260;
@@ -93,7 +93,7 @@ import ./make-test-python.nix (
xfsprogs
];
- system.extraDependencies = [ nodes.initiatorRootDisk.config.system.build.toplevel ];
+ system.extraDependencies = [ nodes.initiatorRootDisk.system.build.toplevel ];
nix.settings = {
substituters = lib.mkForce [];
@@ -108,7 +108,7 @@ import ./make-test-python.nix (
[
"boot.shell_on_fail"
"console=tty1"
- "ip=${config.networking.primaryIPAddress}:::255.255.255.0::ens9:none"
+ "ip=${config.networking.primaryIPAddress}:::255.255.255.0::eth1:none"
]
);
diff --git a/nixos/tests/jool.nix b/nixos/tests/jool.nix
index 93575f07b1c8..37a4ad6ce011 100644
--- a/nixos/tests/jool.nix
+++ b/nixos/tests/jool.nix
@@ -165,9 +165,12 @@ in
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv6 = {
- addresses = [ { address = "2001:db8::8"; prefixLength = 96; } ];
- routes = [ { address = "64:ff9b::"; prefixLength = 96;
- via = "2001:db8::1"; } ];
+ addresses = lib.mkForce [ { address = "2001:db8::8"; prefixLength = 96; } ];
+ routes = lib.mkForce [ {
+ address = "64:ff9b::";
+ prefixLength = 96;
+ via = "2001:db8::1";
+ } ];
};
};
@@ -177,9 +180,12 @@ in
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv6 = {
- addresses = [ { address = "2001:db8::9"; prefixLength = 96; } ];
- routes = [ { address = "64:ff9b::"; prefixLength = 96;
- via = "2001:db8::1"; } ];
+ addresses = lib.mkForce [ { address = "2001:db8::9"; prefixLength = 96; } ];
+ routes = lib.mkForce [ {
+ address = "64:ff9b::";
+ prefixLength = 96;
+ via = "2001:db8::1";
+ } ];
};
};
diff --git a/nixos/tests/mediatomb.nix b/nixos/tests/mediatomb.nix
index 9c84aa3e92a5..5718a9a4a299 100644
--- a/nixos/tests/mediatomb.nix
+++ b/nixos/tests/mediatomb.nix
@@ -30,15 +30,22 @@ import ./make-test-python.nix {
client = {};
};
- testScript = ''
- start_all()
+ testScript = { nodes, ... }:
+ let
+ serverIP = nodes.server.networking.primaryIPAddress;
+ serverIPv6 = nodes.server.networking.primaryIPv6Address;
+ in
+ ''
+ start_all()
- server.wait_for_unit("mediatomb")
- server.wait_until_succeeds("nc -z 192.168.1.2 49152")
- server.succeed("curl -v --fail http://server:49152/")
+ server.wait_for_unit("mediatomb")
+ server.wait_until_succeeds("nc -z ${serverIP} 49152")
+ server.succeed("curl -v --fail http://${serverIP}:49152/")
+ server.succeed("curl -v --fail http://[${serverIPv6}]:49152/")
- client.wait_for_unit("multi-user.target")
- page = client.succeed("curl -v --fail http://server:49152/")
- assert "Gerbera" in page and "MediaTomb" not in page
- '';
+ client.wait_for_unit("multi-user.target")
+ page = client.succeed("curl -v --fail http://${serverIP}:49152/")
+ page = client.succeed("curl -v --fail http://[${serverIPv6}]:49152/")
+ assert "Gerbera" in page and "MediaTomb" not in page
+ '';
}
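Review bot: In the client part of the test script `page` is assigned twice in a row, so the final `assert "Gerbera" in page and "MediaTomb" not in page` only checks the IPv6 response; the IPv4 body is fetched but never inspected. Repeating the assert directly after the first `page = client.succeed(...)` line, or binding `page_v4` and `page_v6` and asserting on both, would keep both address families covered. The old script also reached the service by the name `server`, which exercised the generated /etc/hosts entries. The new one uses literal addresses only, so one request by hostname may be worth keeping.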
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 8b682a8b3aa7..550c5a2d14f3 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -31,7 +31,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
lib.mkMerge [
{ virtualisation.vlans = [ 1 ];
networking.defaultGateway =
- (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address;
+ (pkgs.lib.head nodes.router.networking.interfaces.eth2.ipv4.addresses).address;
networking.nftables.enable = nftables;
}
];
@@ -61,8 +61,8 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
testScript =
{ nodes, ... }: let
- routerDummyNoNatClosure = nodes.routerDummyNoNat.config.system.build.toplevel;
- routerClosure = nodes.router.config.system.build.toplevel;
+ routerDummyNoNatClosure = nodes.routerDummyNoNat.system.build.toplevel;
+ routerClosure = nodes.router.system.build.toplevel;
in ''
client.start()
router.start()
@@ -72,13 +72,13 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
server.wait_for_unit("network.target")
server.wait_for_unit("httpd")
router.wait_for_unit("network.target")
- router.succeed("curl --fail http://server/ >&2")
+ router.succeed("curl -4 --fail http://server/ >&2")
# The client should be also able to connect via the NAT router.
router.wait_for_unit("${unit}")
client.wait_for_unit("network.target")
client.succeed("curl --fail http://server/ >&2")
- client.succeed("ping -c 1 server >&2")
+ client.succeed("ping -4 -c 1 server >&2")
# Test whether passive FTP works.
server.wait_for_unit("vsftpd")
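Review bot: `client.succeed("curl --fail http://server/ >&2")` in this hunk is left without `-4`, while the router's curl above it and the client's ping below it are now pinned to IPv4. Since `server` presumably resolves to both families through the generated /etc/hosts, this positive NAT check relies on curl falling back to IPv4 rather than pinning the path under test. `client.succeed("curl -4 --fail http://server/ >&2")` would match the later `client.fail("curl -4 ...")` check. The FTP curl calls in the following hunk are unpinned as well; if that is intentional, a short comment saying so would help.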
@@ -89,15 +89,15 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
client.fail("curl -v -P - ftp://server/foo.txt >&2")
# Test ICMP.
- client.succeed("ping -c 1 router >&2")
- router.succeed("ping -c 1 client >&2")
+ client.succeed("ping -4 -c 1 router >&2")
+ router.succeed("ping -4 -c 1 client >&2")
# If we turn off NAT, the client shouldn't be able to reach the server.
router.succeed(
"${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1"
)
- client.fail("curl --fail --connect-timeout 5 http://server/ >&2")
- client.fail("ping -c 1 server >&2")
+ client.fail("curl -4 --fail --connect-timeout 5 http://server/ >&2")
+ client.fail("ping -4 -c 1 server >&2")
# And make sure that reloading the NAT job works.
router.succeed(
@@ -109,7 +109,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ...
${lib.optionalString (!withFirewall && !nftables) ''
router.succeed("systemctl start nat.service")
''}
- client.succeed("curl --fail http://server/ >&2")
- client.succeed("ping -c 1 server >&2")
+ client.succeed("curl -4 --fail http://server/ >&2")
+ client.succeed("ping -4 -c 1 server >&2")
'';
- })
+})
diff --git a/nixos/tests/nvmetcfg.nix b/nixos/tests/nvmetcfg.nix
index a4c459a343cf..169e5e9d7b0c 100644
--- a/nixos/tests/nvmetcfg.nix
+++ b/nixos/tests/nvmetcfg.nix
@@ -27,7 +27,7 @@ import ./make-test-python.nix ({ lib, ... }: {
with subtest("Bind subsystem to port"):
server.wait_for_unit("network-online.target")
- server.succeed("nvmet port add 1 tcp 0.0.0.0:4420")
+ server.succeed("nvmet port add 1 tcp [::]:4420")
server.succeed("nvmet port add-subsystem 1 ${subsystem}")
with subtest("Discover and connect to available subsystems"):
diff --git a/nixos/tests/step-ca.nix b/nixos/tests/step-ca.nix
index 184c35f6b85c..68364e278d56 100644
--- a/nixos/tests/step-ca.nix
+++ b/nixos/tests/step-ca.nix
@@ -16,7 +16,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
{ config, pkgs, ... }: {
services.step-ca = {
enable = true;
- address = "0.0.0.0";
+ address = "[::]";
port = 8443;
openFirewall = true;
intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
diff --git a/nixos/tests/vaultwarden.nix b/nixos/tests/vaultwarden.nix
index a011afee6017..914bae50df64 100644
--- a/nixos/tests/vaultwarden.nix
+++ b/nixos/tests/vaultwarden.nix
@@ -133,7 +133,7 @@ let
enable = true;
dbBackend = backend;
config = {
- rocketAddress = "0.0.0.0";
+ rocketAddress = "::";
rocketPort = 8080;
};
};
diff --git a/nixos/tests/vector/dnstap.nix b/nixos/tests/vector/dnstap.nix
index 15d643311b60..5143fd938fde 100644
--- a/nixos/tests/vector/dnstap.nix
+++ b/nixos/tests/vector/dnstap.nix
@@ -49,7 +49,7 @@ in
settings = {
server = {
interface = [ "0.0.0.0" "::" ];
- access-control = [ "192.168.1.0/24 allow" ];
+ access-control = [ "192.168.0.0/24 allow" "::/0 allow" ];
domain-insecure = "local";
private-domain = "local";
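Review bot: The IPv4 entry in `access-control` changed from `192.168.1.0/24` to `192.168.0.0/24`, which no longer contains the `192.168.<vlan>.<node>` addresses the test driver assigns on VLAN 1, and the added `::/0 allow` admits every IPv6 source. The test probably passes now only because of the IPv6 catch-all. Scoping both rules to the test network, e.g. `access-control = [ "192.168.1.0/24 allow" "2001:db8:1::/64 allow" ];`, keeps the resolver ACL meaningful and avoids a permissive pattern being copied into real configurations. The `server` attribute set continues outside the hunk.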