author | Guillaume Girol <symphorien@users.noreply.github.com> | 2021-01-10 21:51:37 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-10 21:51:37 +0000 |
commit | 0fbc0976db5b5f36d60d3fdc5c641987cc85096f (patch) | |
tree | c9c54f24fec3ff1ebd7fe217e0d9c378b86e7a61 /nixos/tests/uwsgi.nix | |
parent | d085417683cedabb1eaf420ca0eb128ecfb3a175 (diff) | |
parent | 3a17a9b05eec0189d82ebb84f327f386727474cd (diff) |
Merge pull request #106082 from rnhmjoj/uwsgi
nixos/uwsgi: run with capabilities instead of root
Diffstat (limited to 'nixos/tests/uwsgi.nix')
-rw-r--r-- | nixos/tests/uwsgi.nix | 61 |
1 files changed, 45 insertions, 16 deletions
diff --git a/nixos/tests/uwsgi.nix b/nixos/tests/uwsgi.nix
index 1d3db469c3757..80dcde324aad7 100644
--- a/nixos/tests/uwsgi.nix
+++ b/nixos/tests/uwsgi.nix
@@ -6,31 +6,48 @@ import ./make-test-python.nix ({ pkgs, ... }:
 };
 machine = { pkgs, ... }: {
- services.uwsgi.enable = true;
- services.uwsgi.plugins = [ "python3" "php" ];
- services.uwsgi.instance = {
- type = "emperor";
- vassals.python = {
+ users.users.hello =
+ { isSystemUser = true;
+ group = "hello";
+ };
+ users.groups.hello = { };
+
+ services.uwsgi = {
+ enable = true;
+ plugins = [ "python3" "php" ];
+ capabilities = [ "CAP_NET_BIND_SERVICE" ];
+ instance.type = "emperor";
+
+ instance.vassals.hello = {
 type = "normal";
- master = true;
- workers = 2;
- http = ":8000";
+ immediate-uid = "hello";
+ immediate-gid = "hello";
 module = "wsgi:application";
+ http = ":80";
+ cap = "net_bind_service";
+ pythonPackages = self: [ self.flask ];
 chdir = pkgs.writeTextDir "wsgi.py" ''
 from flask import Flask
+ import subprocess
 application = Flask(__name__)
 @application.route("/")
 def hello():
- return "Hello World!"
+ return "Hello, World!"
+
+ @application.route("/whoami")
+ def whoami():
+ whoami = "${pkgs.coreutils}/bin/whoami"
+ proc = subprocess.run(whoami, capture_output=True)
+ return proc.stdout.decode().strip()
 '';
- pythonPackages = self: with self; [ flask ];
 };
- vassals.php = {
+
+ instance.vassals.php = {
 type = "normal";
 master = true;
 workers = 2;
- http-socket = ":8001";
+ http-socket = ":8000";
 http-socket-modifier1 = 14;
 php-index = "index.php";
 php-docroot = pkgs.writeTextDir "index.php" ''
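Review bot: The `/whoami` handler in the hello vassal uses the result of `subprocess.run` without checking its exit status, so if the binary fails the endpoint returns an empty string and the test later reports `got ''` instead of the real failure; `proc = subprocess.run([whoami_bin], check=True, capture_output=True, text=True)` followed by `return proc.stdout.strip()` would surface it. The local `whoami` also rebinds the name of the enclosing `def whoami()`, which is harmless but confusing, hence the rename to `whoami_bin` above. A one-line comment on `cap = "net_bind_service"` stating that it is, presumably, the capability the vassal retains after the `immediate-uid`/`immediate-gid` switch and that it must match the service-level `capabilities` entry would help readers connect the two settings. The `php` vassal is left without an `immediate-uid`, so the `/whoami` check only covers the hello vassal; worth saying so in the test's comments if that is intended.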
@@ -44,9 +61,21 @@ import ./make-test-python.nix ({ pkgs, ... }:
 ''
 machine.wait_for_unit("multi-user.target")
 machine.wait_for_unit("uwsgi.service")
- machine.wait_for_open_port(8000)
- machine.wait_for_open_port(8001)
- assert "Hello World" in machine.succeed("curl -fv 127.0.0.1:8000")
- assert "Hello World" in machine.succeed("curl -fv 127.0.0.1:8001")
+
+ with subtest("uWSGI has started"):
+ machine.wait_for_unit("uwsgi.service")
+
+ with subtest("Vassal can bind on port <1024"):
+ machine.wait_for_open_port(80)
+ hello = machine.succeed("curl -f http://machine").strip()
+ assert "Hello, World!" in hello, f"Excepted 'Hello, World!', got '{hello}'"
+
+ with subtest("Vassal is running as dedicated user"):
+ username = machine.succeed("curl -f http://machine/whoami").strip()
+ assert username == "hello", f"Excepted 'hello', got '{username}'"
+
+ with subtest("PHP plugin is working"):
+ machine.wait_for_open_port(8000)
+ assert "Hello World" in machine.succeed("curl -fv http://machine:8000")
 '';
 })
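Review bot: The assertion messages in the `Vassal can bind on port <1024` and `Vassal is running as dedicated user` subtests misspell "Expected" as "Excepted", e.g. `assert "Hello, World!" in hello, f"Expected 'Hello, World!', got '{hello}'"` and `assert username == "hello", f"Expected 'hello', got '{username}'"`. `machine.wait_for_unit("uwsgi.service")` is also called twice, once before the subtests and again inside `uWSGI has started`, so the first call can be dropped and the subtest becomes the one that actually waits. The `testScript` string body starts at the `''` in this hunk, but the `testScript =` binding itself is outside the hunk.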