From 41bd6d2614749d12ce5ded3e991555b56ea6b2dc Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sun, 26 Apr 2020 14:24:18 +0200 Subject: [PATCH] nixos/wireguard: test against multiple kernel versions When testing WireGuard updates, I usually run the VM-tests with different kernels to make sure we're not introducing accidental regressions for e.g. older kernels. I figured that we should automate this process to ensure continuously that WireGuard works fine on several kernels. For now I decided to test the latest LTS version (5.4) and the latest kernel (currently 5.6). We can add more kernels in the future, however this seems to significantly slow down evaluation and build time. The list can be customized by running a command like this: nix-build nixos/tests/wireguard --arg kernelVersionsToTest '["4.19"]' The `kernelPackages` argument in the tests is null by default to make sure that it's still possible to invoke the test-files directly. In that case the default kernel of NixOS (currently 5.4) is used. --- nixos/tests/all-tests.nix | 3 - nixos/tests/wireguard/basic.nix | 74 +++++++++++++++ nixos/tests/wireguard/default.nix | 90 +++++-------------- nixos/tests/wireguard/generated.nix | 5 +- nixos/tests/wireguard/namespaces.nix | 8 +- nixos/tests/wireguard/wg-quick.nix | 4 + .../networking/wireguard-tools/default.nix | 4 +- 7 files changed, 113 insertions(+), 75 deletions(-) create mode 100644 nixos/tests/wireguard/basic.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 38e8980b7482..68c9a0ef4c9a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
@@ -324,10 +324,7 @@ in
 vault = handleTest ./vault.nix {};
 victoriametrics = handleTest ./victoriametrics.nix {};
 virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
- wg-quick = handleTest ./wireguard/wg-quick.nix {};
 wireguard = handleTest ./wireguard {};
- wireguard-generated = handleTest ./wireguard/generated.nix {};
- wireguard-namespaces = handleTest ./wireguard/namespaces.nix {};
 wordpress = handleTest ./wordpress.nix {};
 xandikos = handleTest ./xandikos.nix {};
 xautolock = handleTest ./xautolock.nix {};
diff --git a/nixos/tests/wireguard/basic.nix b/nixos/tests/wireguard/basic.nix
new file mode 100644
index 000000000000..25d706ae2e52
--- /dev/null
+++ b/nixos/tests/wireguard/basic.nix
@@ -0,0 +1,74 @@
+{ kernelPackages ? null }:
+import ../make-test-python.nix ({ pkgs, lib, ...} :
+ let
+ wg-snakeoil-keys = import ./snakeoil-keys.nix;
+ peer = (import ./make-peer.nix) { inherit lib; };
+ in
+ {
+ name = "wireguard";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ ma27 ];
+ };
+
+ nodes = {
+ peer0 = peer {
+ ip4 = "192.168.0.1";
+ ip6 = "fd00::1";
+ extraConfig = {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+ networking.firewall.allowedUDPPorts = [ 23542 ];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.23.42.1/32" "fc00::1/128" ];
+ listenPort = 23542;
+
+ inherit (wg-snakeoil-keys.peer0) privateKey;
+
+ peers = lib.singleton {
+ allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
+
+ inherit (wg-snakeoil-keys.peer1) publicKey;
+ };
+ };
+ };
+ };
+
+ peer1 = peer {
+ ip4 = "192.168.0.2";
+ ip6 = "fd00::2";
+ extraConfig = {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.23.42.2/32" "fc00::2/128" ];
+ listenPort = 23542;
+ allowedIPsAsRoutes = false;
+
+ inherit (wg-snakeoil-keys.peer1) privateKey;
+
+ peers = lib.singleton {
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "192.168.0.1:23542";
+ persistentKeepalive = 25;
+
+ inherit (wg-snakeoil-keys.peer0) publicKey;
+ };
+
+ postSetup = let inherit (pkgs) iproute; in ''
+ ${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
+ ${iproute}/bin/ip route replace fc00::1/128 dev wg0
+ '';
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ peer0.wait_for_unit("wireguard-wg0.service")
+ peer1.wait_for_unit("wireguard-wg0.service")
+
+ peer1.succeed("ping -c5 fc00::1")
+ peer1.succeed("ping -c5 10.23.42.1")
+ '';
+ }
+)
diff --git a/nixos/tests/wireguard/default.nix b/nixos/tests/wireguard/default.nix
index e3bc31c600f9..dedb321ff2ef 100644
--- a/nixos/tests/wireguard/default.nix
+++ b/nixos/tests/wireguard/default.nix
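Review bot: The `testScript` never checks which kernel the VMs actually booted, so if the `boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }` line in either `extraConfig` were shadowed or dropped, every entry of the per-kernel matrix would still pass against the default kernel and prove nothing about the version it is named after. Since `kernelPackages` is in scope here, pin it right after the two `wait_for_unit` calls: `${lib.optionalString (kernelPackages != null) ''assert "${kernelPackages.kernel.modDirVersion}" in peer0.succeed("uname -r")''}` (this assumes the `linuxPackages_*` sets expose `kernel.modDirVersion` and that it matches `uname -r` on NixOS, which is my recollection — confirm before merging). With that in place the two pings also confirm that the snakeoil-key handshake happened on the kernel under test rather than on whatever the image defaulted to.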
@@ -1,71 +1,27 @@
-import ../make-test-python.nix ({ pkgs, lib, ...} :
- let
- wg-snakeoil-keys = import ./snakeoil-keys.nix;
- peer = (import ./make-peer.nix) { inherit lib; };
- in
- {
- name = "wireguard";
- meta = with pkgs.stdenv.lib.maintainers; {
- maintainers = [ ma27 ];
- };
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../../.. { inherit system config; }
+, kernelVersionsToTest ? [ "5.4" "latest" ]
+}:
- nodes = {
- peer0 = peer {
- ip4 = "192.168.0.1";
- ip6 = "fd00::1";
- extraConfig = {
- networking.firewall.allowedUDPPorts = [ 23542 ];
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.23.42.1/32" "fc00::1/128" ];
- listenPort = 23542;
+with pkgs.lib;
- inherit (wg-snakeoil-keys.peer0) privateKey;
+let
+ tests = let callTest = p: flip (import p) { inherit system pkgs; }; in {
+ basic = callTest ./basic.nix;
+ namespaces = callTest ./namespaces.nix;
+ wg-quick = callTest ./wg-quick.nix;
+ generated = callTest ./generated.nix;
+ };
+in
- peers = lib.singleton {
- allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
-
- inherit (wg-snakeoil-keys.peer1) publicKey;
- };
- };
- };
-
- peer1 = peer {
- ip4 = "192.168.0.2";
- ip6 = "fd00::2";
- extraConfig = {
- networking.wireguard.interfaces.wg0 = {
- ips = [ "10.23.42.2/32" "fc00::2/128" ];
- listenPort = 23542;
- allowedIPsAsRoutes = false;
-
- inherit (wg-snakeoil-keys.peer1) privateKey;
-
- peers = lib.singleton {
- allowedIPs = [ "0.0.0.0/0" "::/0" ];
- endpoint = "192.168.0.1:23542";
- persistentKeepalive = 25;
-
- inherit (wg-snakeoil-keys.peer0) publicKey;
- };
-
- postSetup = let inherit (pkgs) iproute; in ''
- ${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
- ${iproute}/bin/ip route replace fc00::1/128 dev wg0
- '';
- };
- };
- };
- };
-
- testScript = ''
- start_all()
-
- peer0.wait_for_unit("wireguard-wg0.service")
- peer1.wait_for_unit("wireguard-wg0.service")
-
- peer1.succeed("ping -c5 fc00::1")
- peer1.succeed("ping -c5 10.23.42.1")
- '';
- }
+listToAttrs (
+ flip concatMap kernelVersionsToTest (version:
+ let
+ v' = replaceStrings [ "." ] [ "_" ] version;
+ in
+ flip mapAttrsToList tests (name: test:
+ nameValuePair "wireguard-${name}-linux-${v'}" (test { kernelPackages = pkgs."linuxPackages_${v'}"; })
+ )
+ )
 )
diff --git a/nixos/tests/wireguard/generated.nix b/nixos/tests/wireguard/generated.nix
index a29afd2d4666..cdf15483265c 100644
--- a/nixos/tests/wireguard/generated.nix
+++ b/nixos/tests/wireguard/generated.nix
@@ -1,4 +1,5 @@
-import ../make-test-python.nix ({ pkgs, ...} : {
+{ kernelPackages ? null }:
+import ../make-test-python.nix ({ pkgs, lib, ... } : {
 name = "wireguard-generated";
 meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ ma27 grahamc ];
@@ -6,6 +7,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 nodes = {
 peer1 = {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.firewall.allowedUDPPorts = [ 12345 ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.10.10.1/24" ];
@@ -17,6 +19,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 };
 peer2 = {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.firewall.allowedUDPPorts = [ 12345 ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.10.10.2/24" ];
diff --git a/nixos/tests/wireguard/namespaces.nix b/nixos/tests/wireguard/namespaces.nix
index c8a4e3bb52a1..c47175ceafc8 100644
--- a/nixos/tests/wireguard/namespaces.nix
+++ b/nixos/tests/wireguard/namespaces.nix
@@ -1,3 +1,5 @@
+{ kernelPackages ? null }:
+
 let
 listenPort = 12345;
 socketNamespace = "foo";
@@ -13,7 +15,7 @@ let
 in
-import ../make-test-python.nix ({ pkgs, ...} : {
+import ../make-test-python.nix ({ pkgs, lib, ... } : {
 name = "wireguard-with-namespaces";
 meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ asymmetric ];
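Review bot: The `pkgs."linuxPackages_${v'}"` lookup on the `nameValuePair` line dereferences an attribute name built from the caller-supplied `kernelVersionsToTest` with no diagnostic, so a version that has no kernel set in this checkout (a typo, or a series that has since been dropped) fails with a bare "attribute 'linuxPackages_X_Y' missing" from inside `listToAttrs` instead of saying which list entry is wrong. Wrap it as `pkgs."linuxPackages_${v'}" or (throw "nixos/tests/wireguard: no pkgs.linuxPackages_${v'} for kernelVersionsToTest entry ${version}")` — the parentheses matter, since `a.b or f x` parses as `(a.b or f) x`. The contract of the list is also undocumented in the file; a comment above the `kernelVersionsToTest` default such as `# each entry must name a pkgs.linuxPackages_<version, dots replaced by underscores> set; "latest" picks linuxPackages_latest` would save the next person a trip to the commit message. Note that `config` is only used to import `pkgs` and is not forwarded to the tests themselves, which receive `pkgs`; that is fine as long as `pkgs` was built from it, but a one-line comment would make the intent clear.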
@@ -23,6 +25,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the socketNamespace
 # and not moved from there
 peer0 = pkgs.lib.attrsets.recursiveUpdate node {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${socketNamespace}
@@ -33,6 +36,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the init namespace
 # and moved to the interfaceNamespace
 peer1 = pkgs.lib.attrsets.recursiveUpdate node {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${interfaceNamespace}
@@ -43,6 +47,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the socketNamespace
 # and moved to the interfaceNamespace
 peer2 = pkgs.lib.attrsets.recursiveUpdate node {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${socketNamespace}
@@ -54,6 +59,7 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 # interface should be created in the socketNamespace
 # and moved to the init namespace
 peer3 = pkgs.lib.attrsets.recursiveUpdate node {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wireguard.interfaces.wg0 = {
 preSetup = ''
 ip netns add ${socketNamespace}
diff --git a/nixos/tests/wireguard/wg-quick.nix b/nixos/tests/wireguard/wg-quick.nix
index 7354dd01a34a..5472d21cd1ec 100644
--- a/nixos/tests/wireguard/wg-quick.nix
+++ b/nixos/tests/wireguard/wg-quick.nix
@@ -1,3 +1,5 @@
+{ kernelPackages ? null }:
+
 import ../make-test-python.nix ({ pkgs, lib, ... }:
 let
 wg-snakeoil-keys = import ./snakeoil-keys.nix;
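Review bot: The identical `boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };` line is pasted into all four `pkgs.lib.attrsets.recursiveUpdate node { ... }` calls, and a fifth peer added later will silently test the default kernel if its author forgets the line. Every peer is derived from the shared `node` attrset, whose definition lives in the `let` block above and outside this hunk, so the override belongs there once — `recursiveUpdate` then carries it into each peer. Since `lib` is not in scope at that level, something like `node = { ... } // (if kernelPackages != null then { boot = { inherit kernelPackages; }; } else { });` does it without `mkIf`; I cannot see whether `node` already sets a `boot` attribute, so check that before merging.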
@@ -14,6 +16,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 ip4 = "192.168.0.1";
 ip6 = "fd00::1";
 extraConfig = {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.firewall.allowedUDPPorts = [ 23542 ];
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.23.42.1/32" "fc00::1/128" ];
@@ -34,6 +37,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 ip4 = "192.168.0.2";
 ip6 = "fd00::2";
 extraConfig = {
+ boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.23.42.2/32" "fc00::2/128" ];
 inherit (wg-snakeoil-keys.peer1) privateKey;
diff --git a/pkgs/tools/networking/wireguard-tools/default.nix b/pkgs/tools/networking/wireguard-tools/default.nix
index 4fac72f7d035..90055a1a4a7c 100644
--- a/pkgs/tools/networking/wireguard-tools/default.nix
+++ b/pkgs/tools/networking/wireguard-tools/default.nix
@@ -49,9 +49,7 @@ stdenv.mkDerivation rec {
 passthru = {
 updateScript = ./update.sh;
- tests = {
- inherit (nixosTests) wireguard wg-quick wireguard-generated wireguard-namespaces;
- };
+ tests = nixosTests.wireguard;
 };
 meta = {
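Review bot: `tests = nixosTests.wireguard;` in the wireguard-tools hunk now names a set of tests keyed by kernel version (`wireguard-basic-linux-5_4`, `wireguard-wg-quick-linux-latest`, and so on) rather than the four individual tests the removed lines listed, and nothing in the package expression says so. A reader of `passthru.tests` will not know that running them means booting every WireGuard VM test once per kernel in `nixos/tests/wireguard/default.nix`, nor that `linuxPackages_latest` is now pulled into this package's test closure; add `# every WireGuard VM test, run once per kernel listed in nixos/tests/wireguard/default.nix` above the line. Whether the extra kernel noticeably affects tooling that builds `passthru.tests` for this package (nixpkgs-review, ofborg) depends on cache hits I cannot see from here, but it is worth a sentence in the commit message as well.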