Diffstat (limited to 'nixos/tests/scion/freestanding-deployment/default.nix')
-rw-r--r-- | nixos/tests/scion/freestanding-deployment/default.nix | 140 |
1 files changed, 61 insertions, 79 deletions
diff --git a/nixos/tests/scion/freestanding-deployment/default.nix b/nixos/tests/scion/freestanding-deployment/default.nix
index e060f9c312709..55b2322ab02da 100644
--- a/nixos/tests/scion/freestanding-deployment/default.nix
+++ b/nixos/tests/scion/freestanding-deployment/default.nix
@@ -5,81 +5,8 @@ let buildInputs = [ pkgs.scion ]; - } '' - set -euo pipefail + } (builtins.readFile ./bootstrap.sh); - mkdir /tmp/tutorial-scion-certs && cd /tmp/tutorial-scion-certs - mkdir AS{1..5} - - # Create voting and root keys and (self-signed) certificates for core ASes - pushd AS1 - scion-pki certificate create --not-after=3650d --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key - scion-pki certificate create --not-after=3650d --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key - scion-pki certificate create --not-after=3650d --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key - popd - - pushd AS2 - scion-pki certificate create --not-after=3650d --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key - popd - - pushd AS3 - scion-pki certificate create --not-after=3650d --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key - scion-pki certificate create --not-after=3650d --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key - popd - - # Create the TRC (Trust Root Configuration) - mkdir tmp - echo ' - isd = 42 - description = "Demo ISD 42" - serial_version = 1 - base_version = 1 - voting_quorum = 2 - - core_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"] - authoritative_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"] - cert_files = ["AS1/sensitive-voting.pem", "AS1/regular-voting.pem", "AS1/cp-root.pem", "AS2/cp-root.pem", "AS3/sensitive-voting.pem", "AS3/regular-voting.pem"] - - [validity] - not_before = '$(date +%s)' - validity = "365d"' 
\ - > trc-B1-S1-pld.tmpl - - scion-pki trc payload --out=tmp/ISD42-B1-S1.pld.der --template trc-B1-S1-pld.tmpl - rm trc-B1-S1-pld.tmpl - - # Sign and bundle the TRC - scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS1/sensitive-voting.{pem,key} --out tmp/ISD42-B1-S1.AS1-sensitive.trc - scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS1/regular-voting.{pem,key} --out tmp/ISD42-B1-S1.AS1-regular.trc - scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS3/sensitive-voting.{pem,key} --out tmp/ISD42-B1-S1.AS3-sensitive.trc - scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS3/regular-voting.{pem,key} --out tmp/ISD42-B1-S1.AS3-regular.trc - - scion-pki trc combine tmp/ISD42-B1-S1.AS{1,3}-{sensitive,regular}.trc --payload tmp/ISD42-B1-S1.pld.der --out ISD42-B1-S1.trc - rm tmp -r - - # Create CA key and certificate for issuing ASes - pushd AS1 - scion-pki certificate create --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key - popd - pushd AS2 - scion-pki certificate create --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key - popd - - # Create AS key and certificate chains - scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle - scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle - scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle - scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem 
AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle - scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle - - for i in {1..5} - do - mkdir -p $out/AS$i - cp AS$i/cp-as.{key,pem} $out/AS$i - done - - mv *.trc $out - ''; imports = hostId: [ ({ services.scion = { @@ -121,9 +48,47 @@ in }; scion04 = { ... }: { imports = (imports 4); + networking.interfaces."lo".ipv4.addresses = [{ address = "172.16.1.1"; prefixLength = 32; }]; + services.scion.scion-ip-gateway = { + enable = true; + config = { + tunnel = { + src_ipv4 = "172.16.1.1"; + }; + }; + trafficConfig = { + ASes = { + "42-ffaa:1:5" = { + Nets = [ + "172.16.100.0/24" + ]; + }; + }; + ConfigVersion = 9001; + }; + }; }; scion05 = { ... }: { imports = (imports 5); + networking.interfaces."lo".ipv4.addresses = [{ address = "172.16.100.1"; prefixLength = 32; }]; + services.scion.scion-ip-gateway = { + enable = true; + config = { + tunnel = { + src_ipv4 = "172.16.100.1"; + }; + }; + trafficConfig = { + ASes = { + "42-ffaa:1:4" = { + Nets = [ + "172.16.1.0/24" + ]; + }; + }; + ConfigVersion = 9001; + }; + }; }; }; testScript = let @@ -131,25 +96,35 @@ in addresses="42-ffaa:1:1 42-ffaa:1:2 42-ffaa:1:3 42-ffaa:1:4 42-ffaa:1:5" timeout=100 wait_for_all() { + ret=0 for as in "$@" do scion showpaths $as --no-probe > /dev/null - return 1 + ret=$? + if [ "$ret" -ne "0" ]; then + break + fi done - return 0 + return $ret } ping_all() { + ret=0 for as in "$@" do scion ping "$as,127.0.0.1" -c 3 + ret=$? + if [ "$ret" -ne "0" ]; then + break + fi done - return 0 + return $ret } for i in $(seq 0 $timeout); do - wait_for_all $addresses && exit 0 - ping_all $addresses && exit 0 sleep 1 + wait_for_all $addresses || continue + ping_all $addresses && exit 0 done + exit 1 ''; in '' 
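Review bot: The new side reads the bootstrap script from `./bootstrap.sh`, but that file is not part of this diff (the diffstat is limited to default.nix), so it cannot be confirmed here that it keeps the `set -euo pipefail` the removed inline version started with; without it a failing `scion-pki` step would leave a partial certificate set that only surfaces later in the test. A one-line comment next to the `readFile`, `# bootstrap.sh creates the TRC and the AS1..AS5 certificate chains under $out (as the former inline script did)`, would tell a reader what the derivation produces without opening the script. The enclosing `let` binding starts before this hunk.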
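Review bot: In the scion04 and scion05 blocks each gateway address is written twice (the loopback `address` and `tunnel.src_ipv4` for 172.16.1.1 and 172.16.100.1), and `ConfigVersion = 9001` appears in both without explanation. A comment on the first block would help, e.g. `# scion04 (AS 42-ffaa:1:4) owns 172.16.1.0/24; traffic for 172.16.100.0/24 is tunnelled to AS 42-ffaa:1:5 — the ICMP pings in testScript exercise this`, with the mirror-image note on scion05. Binding the two addresses once in the surrounding `let` would remove the duplication; that `let` starts outside the hunk.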
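Review bot: When the retry loop in testScript gives up with `exit 1`, the log says nothing about which AS failed: `scion showpaths` output goes to `/dev/null` and `ret` is only used to break. Emitting the failing AS before the `break`, `echo "wait_for_all: no path to $as (rc=$ret)" >&2`, and the same in `ping_all`, would make a timeout diagnosable from the test output. As a point of style, `[ "$ret" -ne "0" ]` quotes a numeric literal; `[ "$ret" -ne 0 ]` reads more naturally. The `let` that opens testScript starts before this hunk.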
@@ -183,9 +158,16 @@ in # Wait for scion-control.service on all instances wait_for_unit("scion-control.service") + # Ensure cert is valid against TRC + succeed("scion-pki certificate verify --trc /etc/scion/certs/*.trc /etc/scion/crypto/as/*.pem >&2") + # Execute pingAll command on all instances succeed("${pingAll} >&2") + # Execute ICMP pings across scion-ip-gateway + scion04.succeed("ping -c 3 172.16.100.1 >&2") + scion05.succeed("ping -c 3 172.16.1.1 >&2") + # Restart all scion services and ping again to test robustness succeed("systemctl restart scion-* >&2") succeed("${pingAll} >&2") |
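Review bot: The two ICMP pings through the gateway are run once and not repeated after `systemctl restart scion-*`, so the "restart and ping again" robustness check does not cover the tunnel; repeating `scion04.succeed("ping -c 3 172.16.100.1 >&2")` and `scion05.succeed("ping -c 3 172.16.1.1 >&2")` after the restart would close that gap. The pings are also issued with no explicit wait on the gateway unit (only `scion-control.service` is waited for above), so they rely on the pingAll retry loop having taken long enough; a `wait_for_unit` on the gateway unit (its name is not visible in this diff) on scion04 and scion05 before the pings would make that deterministic. The added `scion-pki certificate verify` line passes shell globs for both the TRC and the chain; if more than one file matches either glob the command receives extra positional arguments, so it is worth confirming the VM has exactly one of each or naming the files explicitly. The testScript string continues outside the hunk.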