import ../make-test-python.nix ({ pkgs, lib, ... }:

with lib;

let
  # Kerberos client settings shared by both nodes: a single realm, NFS.TEST,
  # whose KDC and admin server are both the "server" node.
  kerberosClient = {
    enable = true;
    libdefaults.default_realm = "NFS.TEST";
    domain_realm."nfs.test" = "NFS.TEST";
    realms."NFS.TEST" = {
      kdc = "server.nfs.test";
      admin_server = "server.nfs.test";
    };
  };

  # Static name resolution for the two VMs. The Kerberos service principals
  # below are named after these FQDNs, so both nodes must resolve them the
  # same way.
  hostEntries = ''
    192.168.1.1 client.nfs.test
    192.168.1.2 server.nfs.test
  '';

  # Configuration common to both nodes, pulled in through `imports`.
  # alice exists with the same uid on both sides so the id-mapping subtest
  # can compare owner names rather than raw numeric ids.
  sharedConfig = {
    krb5 = kerberosClient;
    networking.extraHosts = hostEntries;
    networking.domain = "nfs.test";
    users.users.alice = {
      isNormalUser = true;
      name = "alice";
      uid = 1000;
    };
  };
in
{
  name = "nfsv4-with-kerberos";

  nodes = {
    # NFS client: mounts the server's NFSv4 pseudo-root with Kerberos privacy.
    client = { ... }: {
      imports = [ sharedConfig ];
      networking.hostName = "client";

      # "noauto" keeps the mount out of the boot sequence; the test script
      # starts data.mount explicitly once the keytab and rpc-gssd are ready.
      virtualisation.fileSystems."/data" = {
        device = "server.nfs.test:/";
        fsType = "nfs";
        options = [ "nfsvers=4" "sec=krb5p" "noauto" ];
      };
    };

    # KDC, kadmind and the NFS server all live on this node.
    server = { ... }: {
      imports = [ sharedConfig ];
      networking.hostName = "server";

      # Only TCP is opened here. NOTE(review): Kerberos is also served over
      # UDP/88 by default; the client presumably reaches the KDC through its
      # TCP fallback — confirm before copying this list elsewhere.
      networking.firewall.allowedTCPPorts = [
        111 # rpcbind
        2049 # nfs
        88 # kerberos (KDC)
        749 # kerberos admin (kadmin)
      ];

      services.kerberos_server = {
        enable = true;
        # admin/admin gets full rights over the realm; the test script uses
        # it from the client to provision the client's keytab remotely.
        realms."NFS.TEST".acl = [
          { principal = "admin/admin"; access = "all"; }
        ];
      };

      services.nfs.server = {
        enable = true;
        createMountPoints = true;
        # Test-only export: "*" admits any host and no_root_squash leaves the
        # client's root unmapped. What gates access in this test is sec=krb5p
        # (Kerberos authentication with integrity and privacy), which the
        # "permissions" subtest exercises. A production export should list
        # explicit hosts and omit no_root_squash.
        exports = ''
          /data *(rw,no_root_squash,fsid=0,sec=krb5p)
        '';
      };
    };
  };

  testScript = ''
    # A directory alice owns; the rest of /data stays root-owned so the
    # "permissions" subtest has a path alice must NOT be able to write.
    server.succeed("mkdir -p /data/alice")
    server.succeed("chown alice:users /data/alice")

    # Create the realm database, then restart the daemons so they load it.
    # The master key and every password below are throwaway test fixtures
    # passed on the command line or via stdin; never provision a real realm
    # this way.
    server.succeed("kdb5_util create -s -r NFS.TEST -P master_key")
    server.succeed("systemctl restart kadmind.service kdc.service")
    for unit in ["kadmind.service", "kdc.service"]:
        server.wait_for_unit(unit)

    # Service principals for both NFS peers, the realm admin, and alice.
    for args in [
        "-randkey nfs/server.nfs.test",
        "-randkey nfs/client.nfs.test",
        "-pw admin_pw admin/admin",
        "-pw alice_pw alice",
    ]:
        server.succeed("kadmin.local add_principal " + args)

    # The server's own service key goes into its keytab before the GSS
    # daemons are started.
    server.succeed("kadmin.local ktadd nfs/server.nfs.test")
    server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service")
    for unit in ["rpc-gssd.service", "rpc-svcgssd.service"]:
        server.wait_for_unit(unit)

    client.wait_for_unit("network-online.target")

    # The client fetches its service key over kadmin (TCP 749) using the
    # admin principal. This happens before the mount, since rpc-gssd
    # presumably needs a credential to negotiate the krb5p mount itself.
    client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test")
    client.succeed("systemctl start rpc-gssd.service")
    client.wait_for_unit("rpc-gssd.service")

    with subtest("nfs share mounts"):
        client.succeed("systemctl restart data.mount")
        client.wait_for_unit("data.mount")

    with subtest("permissions on nfs share are enforced"):
        # Without a ticket alice is refused outright; with one she can list
        # the export but may only write inside the directory she owns.
        client.fail("su alice -c 'ls /data'")
        client.succeed("su alice -c 'echo alice_pw | kinit'")
        client.succeed("su alice -c 'ls /data'")

        client.fail("su alice -c 'echo bla >> /data/foo'")
        client.succeed("su alice -c 'echo bla >> /data/alice/foo'")
        server.succeed("test -e /data/alice/foo")

    with subtest("uids/gids are mapped correctly on nfs share"):
        # The owner reported on the client must come back as the same
        # user/group names set by chown on the server (presumably mapped via
        # the shared networking.domain).
        ids = client.succeed("stat -c '%U %G' /data/alice").split()
        expected = ["alice", "users"]
        assert ids == expected, f"ids incorrect: got {ids} expected {expected}"
  '';
})