Fix tests broken due to the firewall being enabled by default

2014-04-11 17:15:56 +02:00 · 2014-04-11 17:15:56 +02:00 · 13185280fe
parent 017408e048
commit 13185280fe
16 changed files with 52 additions and 25 deletions
--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@ -43,7 +43,7 @@ in {
        default = 8080;
        type = types.uniq types.int;
        description = ''
-          Specifies port number on which the jenkins HTTP interface listens. The default is 8080
+          Specifies port number on which the jenkins HTTP interface listens. The default is 8080.
        '';
      };

--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@ -142,6 +142,10 @@ in
    services.dbus.enable = true;
    services.dbus.packages = [avahi];

+    # Enabling Avahi without exposing it in the firewall doesn't make
+    # sense.
+    networking.firewall.allowedUDPPorts = [ 5353 ];
+
  };

 }
--- a/nixos/tests/bittorrent.nix
+++ b/nixos/tests/bittorrent.nix
@ -33,6 +33,8 @@ in
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
          services.httpd.documentRoot = "/tmp";
+
+          networking.firewall.enable = false; # FIXME: figure out what ports we actually need
        };

      router =
@ -50,11 +52,13 @@ in
          virtualisation.vlans = [ 2 ];
          networking.defaultGateway =
            nodes.router.config.networking.interfaces.eth2.ipAddress;
+          networking.firewall.enable = false;
        };

      client2 =
        { config, pkgs, ... }:
        { environment.systemPackages = [ pkgs.transmission ];
+          networking.firewall.enable = false;
        };
    };

@ -66,8 +70,8 @@ in
      # Enable NAT on the router and start miniupnpd.
      $router->waitForUnit("nat");
      $router->succeed(
-          "iptables -t nat -N MINIUPNPD",
-          "iptables -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
+          "iptables -w -t nat -N MINIUPNPD",
+          "iptables -w -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
          "echo 1 > /proc/sys/net/ipv4/ip_forward",
          "miniupnpd -f ${miniupnpdConf nodes}"
      );
--- a/nixos/tests/containers.nix
+++ b/nixos/tests/containers.nix
@ -17,6 +17,8 @@
          config =
            { services.httpd.enable = true;
              services.httpd.adminAddr = "foo@example.org";
+              networking.firewall.allowedTCPPorts = [ 80 ];
+              networking.firewall.allowPing = true;
            };
        };

@ -65,7 +67,7 @@
      $machine->succeed("nixos-container start $id1");

      # Execute commands via the root shell.
-      $machine->succeed("echo uname | nixos-container root-shell $id1") =~ /Linux/;
+      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/;
      $machine->succeed("nixos-container set-root-password $id1 foobar");

      # Destroy the containers.
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@ -17,6 +17,7 @@
        { config, pkgs, ... }:
        { services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
+          networking.firewall.enable = false;
        };
    };

@ -33,7 +34,7 @@
      $walled->succeed("curl -v http://localhost/ >&2");

      # Connections to the firewalled machine should fail.
-      $attacker->fail("curl -v http://walled/ >&2");
+      $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
      $attacker->fail("ping -c 1 walled >&2");

      # Outgoing connections/pings should still work.
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@ -79,6 +79,8 @@ let
      virtualisation.writableStore = true;
      virtualisation.pathsInNixDB = channelContents ++ [ pkgs.hello.src ];
      virtualisation.memorySize = 768;
+
+      networking.firewall.allowedTCPPorts = [ 80 ];
    };

  channelContents = [ pkgs.rlwrap ];
--- a/nixos/tests/ipv6.nix
+++ b/nixos/tests/ipv6.nix
@ -12,6 +12,7 @@
        { config, pkgs, ... }:
        { services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
+          networking.firewall.allowedTCPPorts = [ 80 ];
        };

      router =
--- a/nixos/tests/jenkins.nix
+++ b/nixos/tests/jenkins.nix
@ -3,21 +3,27 @@
 #   2. jenkins user can be extended on both master and slave
 #   3. jenkins service not started on slave node
 { pkgs, ... }:
+
 {
  nodes = {
-    master = { pkgs, config, ... }: {
-        services.jenkins.enable = true;
+
+    master =
+      { config, pkgs, ... }:
+      { services.jenkins.enable = true;

        # should have no effect
        services.jenkinsSlave.enable = true;

        users.extraUsers.jenkins.extraGroups = [ "users" ];
      };
-    slave = { pkgs, config, ... }: {
-        services.jenkinsSlave.enable = true;
+
+    slave =
+      { config, pkgs, ... }:
+      { services.jenkinsSlave.enable = true;

        users.extraUsers.jenkins.extraGroups = [ "users" ];
      };
+
  };

  testScript = ''
--- a/nixos/tests/mumble.nix
+++ b/nixos/tests/mumble.nix
@ -11,6 +11,7 @@ in
    server = { config, pkgs, ... }: {
      services.murmur.enable       = true;
      services.murmur.registerName = "NixOS tests";
+      networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
    };

    client1 = client;
--- a/nixos/tests/mysql-replication.nix
+++ b/nixos/tests/mysql-replication.nix
@ -15,10 +15,11 @@ in
        services.mysql.replication.role = "master";
        services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
        services.mysql.initialScript = pkgs.writeText "initmysql"
-        ''
-          create user '${replicateUser}'@'%' identified by '${replicatePassword}';
-          grant replication slave on *.* to '${replicateUser}'@'%';
-        '';
+          ''
+            create user '${replicateUser}'@'%' identified by '${replicatePassword}';
+            grant replication slave on *.* to '${replicateUser}'@'%';
+          '';
+        networking.firewall.allowedTCPPorts = [ 3306 ];
      };

    slave1 =
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@ -12,6 +12,7 @@
    { client =
        { config, pkgs, nodes, ... }:
        { virtualisation.vlans = [ 1 ];
+          networking.firewall.allowPing = true;
          networking.defaultGateway =
            nodes.router.config.networking.interfaces.eth2.ipAddress;
        };
@ -19,6 +20,7 @@
      router =
        { config, pkgs, ... }:
        { virtualisation.vlans = [ 2 1 ];
+          networking.firewall.allowPing = true;
          networking.nat.enable = true;
          networking.nat.internalIPs = [ "192.168.1.0/24" ];
          networking.nat.externalInterface = "eth1";
@ -27,6 +29,7 @@
      server =
        { config, pkgs, ... }:
        { virtualisation.vlans = [ 2 ];
+          networking.firewall.enable = false;
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
          services.vsftpd.enable = true;
--- a/nixos/tests/nfs.nix
+++ b/nixos/tests/nfs.nix
@ -13,6 +13,7 @@ let
            options = "vers=${toString version}";
          }
        ];
+      networking.firewall.enable = false; # FIXME: only open statd
    };

 in
@ -31,6 +32,7 @@ in
              /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
            '';
          services.nfs.server.createMountPoints = true;
+          networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed
        };
    };

--- a/nixos/tests/printing.nix
+++ b/nixos/tests/printing.nix
@ -17,6 +17,7 @@
              Allow from all
            </Location>
          '';
+        networking.firewall.allowedTCPPorts = [ 631 ];
      };

    client =
@ -37,7 +38,7 @@
      $client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die;
      $client->succeed("curl --fail http://localhost:631/");
      $client->succeed("curl --fail http://server:631/");
-      $server->fail("curl --fail http://client:631/");
+      $server->fail("curl --fail --connect-timeout 2  http://client:631/");

      # Add a HP Deskjet printer connected via USB to the server.
      $server->succeed("lpadmin -p DeskjetLocal -v usb://HP/Deskjet%205400%20series?serial=TH93I152S123XY -m 'drv:///sample.drv/deskjet.ppd' -E");
--- a/nixos/tests/proxy.nix
+++ b/nixos/tests/proxy.nix
@ -5,12 +5,10 @@ let
  backend =
    { config, pkgs, ... }:

-    {
-      services.openssh.enable = true;
-
-      services.httpd.enable = true;
+    { services.httpd.enable = true;
      services.httpd.adminAddr = "foo@example.org";
      services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html";
+      networking.firewall.allowedTCPPorts = [ 80 ];
    };

 in
@ -21,8 +19,7 @@ in
    { proxy =
        { config, pkgs, nodes, ... }:

-        {
-          services.httpd.enable = true;
+        { services.httpd.enable = true;
          services.httpd.adminAddr = "bar@example.org";
          services.httpd.extraModules = ["proxy_balancer"];

@ -50,6 +47,8 @@ in
              # For testing; don't want to wait forever for dead backend servers.
              ProxyTimeout      5
            '';
+
+          networking.firewall.allowedTCPPorts = [ 80 ];
        };

      backend1 = backend;
--- a/nixos/tests/quake3.nix
+++ b/nixos/tests/quake3.nix
@ -37,6 +37,7 @@ rec {
                "'+map q3dm7' '+addbot grunt' '+addbot daemia' 2> /tmp/log";
            };
          nixpkgs.config.packageOverrides = overrides;
+          networking.firewall.allowedUDPPorts = [ 27960 ];
        };

      client1 = client;
--- a/nixos/tests/tomcat.nix
+++ b/nixos/tests/tomcat.nix
@ -5,13 +5,12 @@
    server =
      { pkgs, config, ... }:

-      {
-        services.tomcat.enable = true;
+      { services.tomcat.enable = true;
        services.httpd.enable = true;
        services.httpd.adminAddr = "foo@bar.com";
-        services.httpd.extraSubservices = [
-          { serviceType = "tomcat-connector"; }
-        ];
+        services.httpd.extraSubservices =
+          [ { serviceType = "tomcat-connector"; } ];
+        networking.firewall.allowedTCPPorts = [ 80 ];
      };

    client = { };