diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/lib/qemu-common.nix | 2 | ||||
-rw-r--r-- | nixos/modules/hardware/all-firmware.nix | 2 | ||||
-rw-r--r-- | nixos/modules/installer/cd-dvd/iso-image.nix | 4 | ||||
-rw-r--r-- | nixos/modules/profiles/all-hardware.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/home-automation/home-assistant.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/sssd.nix | 31 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 2 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/k3s/default.nix | 9 | ||||
-rw-r--r-- | nixos/tests/k3s/multi-node.nix | 137 | ||||
-rw-r--r-- | nixos/tests/k3s/single-node.nix (renamed from nixos/tests/k3s-single-node.nix) | 16 |
11 files changed, 189 insertions, 20 deletions
diff --git a/nixos/lib/qemu-common.nix b/nixos/lib/qemu-common.nix index 250f714be0a7a..fc3dcb24ab9c1 100644 --- a/nixos/lib/qemu-common.nix +++ b/nixos/lib/qemu-common.nix @@ -18,7 +18,7 @@ rec { ]; qemuSerialDevice = if pkgs.stdenv.hostPlatform.isx86 || pkgs.stdenv.hostPlatform.isRiscV then "ttyS0" - else if (with pkgs.stdenv.hostPlatform; isAarch32 || isAarch64 || isPower) then "ttyAMA0" + else if (with pkgs.stdenv.hostPlatform; isAarch || isPower) then "ttyAMA0" else throw "Unknown QEMU serial device for system '${pkgs.stdenv.hostPlatform.system}'"; qemuBinary = qemuPkg: { diff --git a/nixos/modules/hardware/all-firmware.nix b/nixos/modules/hardware/all-firmware.nix index 89a1217dfb313..bd5540646b086 100644 --- a/nixos/modules/hardware/all-firmware.nix +++ b/nixos/modules/hardware/all-firmware.nix @@ -62,7 +62,7 @@ in { alsa-firmware sof-firmware libreelec-dvb-firmware - ] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware + ] ++ optional pkgs.stdenv.hostPlatform.isAarch raspberrypiWirelessFirmware ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [ rtl8723bs-firmware ] ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "5.16") [ diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index d1ccc6c2072f7..9309fe70a8618 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -476,9 +476,9 @@ in isoImage.squashfsCompression = mkOption { default = with pkgs.stdenv.targetPlatform; "xz -Xdict-size 100% " - + lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86" + + lib.optionalString isx86 "-Xbcj x86" # Untested but should also reduce size for these platforms - + lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm" + + lib.optionalString isAarch "-Xbcj arm" + lib.optionalString (isPower && is32bit && isBigEndian) "-Xbcj powerpc" + lib.optionalString (isSparc) "-Xbcj sparc"; description = '' diff --git a/nixos/modules/profiles/all-hardware.nix b/nixos/modules/profiles/all-hardware.nix index 8347453d403b4..af1e3d32a0a29 100644 --- a/nixos/modules/profiles/all-hardware.nix +++ b/nixos/modules/profiles/all-hardware.nix @@ -57,7 +57,7 @@ in # Hyper-V support. "hv_storvsc" - ] ++ lib.optionals (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ + ] ++ lib.optionals pkgs.stdenv.hostPlatform.isAarch [ # Most of the following falls into two categories: # - early KMS / early display # - early storage (e.g. USB) support diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix index 2cff5051c757f..1d76d2fd39c68 100644 --- a/nixos/modules/services/home-automation/home-assistant.nix +++ b/nixos/modules/services/home-automation/home-assistant.nix @@ -92,7 +92,7 @@ in { "default_config" "met" "esphome" - ] ++ optionals (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) [ + ] ++ optionals pkgs.stdenv.hostPlatform.isAarch [ # Use the platform as an indicator that we might be running on a RaspberryPi and include # relevant components "rpi_power" diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index 386281e2b7cca..873c3b7351934 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -38,6 +38,15 @@ in { For this to work, the <literal>ssh</literal> SSS service must be enabled in the sssd configuration. ''; }; + + kcm = mkOption { + type = types.bool; + default = false; + description = '' + Whether to use SSS as a Kerberos Cache Manager (KCM). + Kerberos will be configured to cache credentials in SSS. + ''; + }; }; }; config = mkMerge [ @@ -79,6 +88,28 @@ in { services.dbus.packages = [ pkgs.sssd ]; }) + (mkIf cfg.kcm { + systemd.services.sssd-kcm = { + description = "SSSD Kerberos Cache Manager"; + requires = [ "sssd-kcm.socket" ]; + serviceConfig = { + ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm"; + ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0"; + }; + restartTriggers = [ + config.environment.etc."sssd/sssd.conf".source + ]; + }; + systemd.sockets.sssd-kcm = { + description = "SSSD Kerberos Cache Manager responder socket"; + wantedBy = [ "sockets.target" ]; + # Matches the default in MIT krb5 and Heimdal: + # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43 + listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ]; + }; + krb5.libdefaults.default_ccache_name = "KCM:"; + }) + (mkIf cfg.sshAuthorizedKeysIntegration { # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. # So indirect by a symlink. diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index e87f540fd57cb..5b2d81eeb68fc 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -870,7 +870,7 @@ in (mkIf pkgs.stdenv.hostPlatform.isx86 [ "-usb" "-device usb-tablet,bus=usb-bus.0" ]) - (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ + (mkIf pkgs.stdenv.hostPlatform.isAarch [ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" ]) (let diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index b0dd7ca0766fe..ff54a327424e8 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -254,7 +254,7 @@ in { jibri = handleTest ./jibri.nix {}; jirafeau = handleTest ./jirafeau.nix {}; jitsi-meet = handleTest ./jitsi-meet.nix {}; - k3s-single-node = handleTest ./k3s-single-node.nix {}; + k3s = handleTest ./k3s {}; kafka = handleTest ./kafka.nix {}; kanidm = handleTest ./kanidm.nix {}; kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {}; diff --git a/nixos/tests/k3s/default.nix b/nixos/tests/k3s/default.nix new file mode 100644 index 0000000000000..07d93c41c7a68 --- /dev/null +++ b/nixos/tests/k3s/default.nix @@ -0,0 +1,9 @@ +{ system ? builtins.currentSystem +, pkgs ? import ../../.. { inherit system; } +}: +{ + # Run a single node k3s cluster and verify a pod can run + single-node = import ./single-node.nix { inherit system pkgs; }; + # Run a multi-node k3s cluster and verify pod networking works across nodes + multi-node = import ./multi-node.nix { inherit system pkgs; }; +} diff --git a/nixos/tests/k3s/multi-node.nix b/nixos/tests/k3s/multi-node.nix new file mode 100644 index 0000000000000..afb8c78f2339e --- /dev/null +++ b/nixos/tests/k3s/multi-node.nix @@ -0,0 +1,137 @@ +import ../make-test-python.nix ({ pkgs, ... }: + let + imageEnv = pkgs.buildEnv { + name = "k3s-pause-image-env"; + paths = with pkgs; [ tini bashInteractive coreutils socat ]; + }; + pauseImage = pkgs.dockerTools.streamLayeredImage { + name = "test.local/pause"; + tag = "local"; + contents = imageEnv; + config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ]; + }; + # A daemonset that responds 'server' on port 8000 + networkTestDaemonset = pkgs.writeText "test.yml" '' + apiVersion: apps/v1 + kind: DaemonSet + metadata: + name: test + labels: + name: test + spec: + selector: + matchLabels: + name: test + template: + metadata: + labels: + name: test + spec: + containers: + - name: test + image: test.local/pause:local + imagePullPolicy: Never + resources: + limits: + memory: 20Mi + command: ["socat", "TCP4-LISTEN:8000,fork", "EXEC:echo server"] + ''; + tokenFile = pkgs.writeText "token" "p@s$w0rd"; + in + { + name = "k3s-multi-node"; + + nodes = { + server = { pkgs, ... }: { + environment.systemPackages = with pkgs; [ gzip jq ]; + # k3s uses enough resources the default vm fails. + virtualisation.memorySize = 1536; + virtualisation.diskSize = 4096; + + services.k3s = { + inherit tokenFile; + enable = true; + role = "server"; + package = pkgs.k3s; + extraFlags = "--no-deploy coredns,servicelb,traefik,local-storage,metrics-server --pause-image test.local/pause:local --node-ip 192.168.1.1"; + }; + networking.firewall.allowedTCPPorts = [ 6443 ]; + networking.firewall.allowedUDPPorts = [ 8472 ]; + networking.firewall.trustedInterfaces = [ "flannel.1" ]; + networking.useDHCP = false; + networking.defaultGateway = "192.168.1.1"; + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { address = "192.168.1.1"; prefixLength = 24; } + ]; + }; + + agent = { pkgs, ... }: { + virtualisation.memorySize = 1024; + virtualisation.diskSize = 2048; + services.k3s = { + inherit tokenFile; + enable = true; + role = "agent"; + serverAddr = "https://192.168.1.1:6443"; + extraFlags = "--pause-image test.local/pause:local --node-ip 192.168.1.2"; + }; + networking.firewall.allowedTCPPorts = [ 6443 ]; + networking.firewall.allowedUDPPorts = [ 8472 ]; + networking.firewall.trustedInterfaces = [ "flannel.1" ]; + networking.useDHCP = false; + networking.defaultGateway = "192.168.1.2"; + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { address = "192.168.1.2"; prefixLength = 24; } + ]; + }; + }; + + meta = with pkgs.lib.maintainers; { + maintainers = [ euank ]; + }; + + testScript = '' + start_all() + machines = [server, agent] + for m in machines: + m.wait_for_unit("k3s") + + # wait for the agent to show up + server.wait_until_succeeds("k3s kubectl get node agent") + + for m in machines: + m.succeed("k3s check-config") + m.succeed( + "${pauseImage} | k3s ctr image import -" + ) + + server.succeed("k3s kubectl cluster-info") + # Also wait for our service account to show up; it takes a sec + server.wait_until_succeeds("k3s kubectl get serviceaccount default") + + # Now create a pod on each node via a daemonset and verify they can talk to each other. + server.succeed("k3s kubectl apply -f ${networkTestDaemonset}") + server.wait_until_succeeds(f'[ "$(k3s kubectl get ds test -o json | jq .status.numberReady)" -eq {len(machines)} ]') + + # Get pod IPs + pods = server.succeed("k3s kubectl get po -o json | jq '.items[].metadata.name' -r").splitlines() + pod_ips = [server.succeed(f"k3s kubectl get po {name} -o json | jq '.status.podIP' -cr").strip() for name in pods] + + # Verify each server can ping each pod ip + for pod_ip in pod_ips: + server.succeed(f"ping -c 1 {pod_ip}") + agent.succeed(f"ping -c 1 {pod_ip}") + + # Verify the pods can talk to each other + resp = server.wait_until_succeeds(f"k3s kubectl exec {pods[0]} -- socat TCP:{pod_ips[1]}:8000 -") + assert resp.strip() == "server" + resp = server.wait_until_succeeds(f"k3s kubectl exec {pods[1]} -- socat TCP:{pod_ips[0]}:8000 -") + assert resp.strip() == "server" + + # Cleanup + server.succeed("k3s kubectl delete -f ${networkTestDaemonset}") + + for m in machines: + m.shutdown() + ''; + }) diff --git a/nixos/tests/k3s-single-node.nix b/nixos/tests/k3s/single-node.nix index fb6510ee087bc..27e1e455e6415 100644 --- a/nixos/tests/k3s-single-node.nix +++ b/nixos/tests/k3s/single-node.nix @@ -1,5 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: - +import ../make-test-python.nix ({ pkgs, ... }: let imageEnv = pkgs.buildEnv { name = "k3s-pause-image-env"; @@ -11,20 +10,12 @@ import ./make-test-python.nix ({ pkgs, ... }: contents = imageEnv; config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ]; }; - # Don't use the default service account because there's a race where it may - # not be created yet; make our own instead. testPodYaml = pkgs.writeText "test.yml" '' apiVersion: v1 - kind: ServiceAccount - metadata: - name: test - --- - apiVersion: v1 kind: Pod metadata: name: test spec: - serviceAccountName: test containers: - name: test image: test.local/pause:local @@ -66,13 +57,14 @@ import ./make-test-python.nix ({ pkgs, ... }: machine.wait_for_unit("k3s") machine.succeed("k3s kubectl cluster-info") machine.fail("sudo -u noprivs k3s kubectl cluster-info") - # FIXME: this fails with the current nixos kernel config; once it passes, we should uncomment it - # machine.succeed("k3s check-config") + machine.succeed("k3s check-config") machine.succeed( "${pauseImage} | k3s ctr image import -" ) + # Also wait for our service account to show up; it takes a sec + machine.wait_until_succeeds("k3s kubectl get serviceaccount default") machine.succeed("k3s kubectl apply -f ${testPodYaml}") machine.succeed("k3s kubectl wait --for 'condition=Ready' pod/test") machine.succeed("k3s kubectl delete -f ${testPodYaml}") |