# NixOS VM test: an NFSv4 export protected by Kerberos (sec=krb5p) between a
# client node and a server node. The server also hosts the KDC for the single
# realm NFS.TEST; both nodes are configured as Kerberos clients of it.
import ../make-test-python.nix (
  { pkgs, lib, ... }:

  let
    realm = "NFS.TEST";
    serverHost = "server.nfs.test";

    # Configuration shared by both nodes: Kerberos client settings, static name
    # resolution for the two VMs, and the unprivileged user the test runs as.
    common = {
      security.krb5 = {
        enable = true;
        settings = {
          domain_realm."nfs.test" = realm;
          libdefaults.default_realm = realm;
          realms.${realm} = {
            admin_server = serverHost;
            kdc = serverHost;
          };
        };
      };

      # No DNS in the test network; the service principals are host-based
      # (nfs/<fqdn>), so both nodes must resolve these names identically.
      networking.extraHosts = ''
        192.168.1.1 client.nfs.test
        192.168.1.2 server.nfs.test
      '';
      networking.domain = "nfs.test";

      # The uid is pinned so both nodes agree on alice's numeric id; the last
      # subtest checks that ownership shown through the mount is alice:users.
      users.users.alice = {
        isNormalUser = true;
        name = "alice";
        uid = 1000;
      };
    };
  in

  {
    name = "nfsv4-with-kerberos";

    nodes = {
      client = {
        imports = [ common ];
        networking.hostName = "client";

        # noauto: the mount is started from the test script only after the
        # client keytab exists and rpc-gssd is running. krb5p asks for
        # authentication, integrity and privacy (encryption) of the NFS traffic.
        virtualisation.fileSystems."/data" = {
          device = "${serverHost}:/";
          fsType = "nfs";
          options = [
            "nfsvers=4"
            "sec=krb5p"
            "noauto"
          ];
        };
      };

      server = {
        imports = [ common ];
        networking.hostName = "server";

        networking.firewall.allowedTCPPorts = [
          111 # rpcbind
          2049 # nfs
          88 # kerberos (kdc)
          749 # kerberos admin (kadmind); the client enrols its keytab over this
        ];

        services.kerberos_server = {
          enable = true;
          # admin/admin is granted every right in the KDC ACL; the test script
          # uses it from the client to run `kadmin ... ktadd`.
          realms.${realm}.acl = [
            {
              access = "all";
              principal = "admin/admin";
            }
          ];
        };

        services.nfs.server = {
          enable = true;
          createMountPoints = true;
          # Exported to any host ("*"), but only reachable with a Kerberos
          # credential because of sec=krb5p. no_root_squash grants more than the
          # test exercises (the client only ever acts as alice) —
          # NOTE(review): confirm it is required for the mount to succeed.
          exports = ''
            /data *(rw,no_root_squash,fsid=0,sec=krb5p)
          '';
        };
      };
    };

    # Test flow: initialise the KDC database (the master key is passed on the
    # command line; these credentials are test fixtures only), create the host
    # and user principals, enrol both keytabs, start the GSS daemons, mount the
    # share, then check that alice is denied without a ticket, allowed after
    # kinit, confined to her own directory, and that ids map to alice:users.
    testScript = ''
      server.succeed("mkdir -p /data/alice")
      server.succeed("chown alice:users /data/alice")

      # set up kerberos database
      server.succeed(
        "kdb5_util create -s -r NFS.TEST -P master_key",
        "systemctl restart kadmind.service kdc.service",
      )
      server.wait_for_unit("kadmind.service")
      server.wait_for_unit("kdc.service")

      # create principals
      server.succeed(
        "kadmin.local add_principal -randkey nfs/server.nfs.test",
        "kadmin.local add_principal -randkey nfs/client.nfs.test",
        "kadmin.local add_principal -pw admin_pw admin/admin",
        "kadmin.local add_principal -pw alice_pw alice",
      )

      # add principals to server keytab
      server.succeed("kadmin.local ktadd nfs/server.nfs.test")
      server.succeed("systemctl start rpc-gssd.service rpc-svcgssd.service")
      server.wait_for_unit("rpc-gssd.service")
      server.wait_for_unit("rpc-svcgssd.service")

      client.systemctl("start network-online.target")
      client.wait_for_unit("network-online.target")

      # add principals to client keytab
      client.succeed("echo admin_pw | kadmin -p admin/admin ktadd nfs/client.nfs.test")
      client.succeed("systemctl start rpc-gssd.service")
      client.wait_for_unit("rpc-gssd.service")

      with subtest("nfs share mounts"):
        client.succeed("systemctl restart data.mount")
        client.wait_for_unit("data.mount")

      with subtest("permissions on nfs share are enforced"):
        client.fail("su alice -c 'ls /data'")
        client.succeed("su alice -c 'echo alice_pw | kinit'")
        client.succeed("su alice -c 'ls /data'")

        client.fail("su alice -c 'echo bla >> /data/foo'")
        client.succeed("su alice -c 'echo bla >> /data/alice/foo'")
        server.succeed("test -e /data/alice/foo")

      with subtest("uids/gids are mapped correctly on nfs share"):
        ids = client.succeed("stat -c '%U %G' /data/alice").split()
        expected = ["alice", "users"]
        assert ids == expected, f"ids incorrect: got {ids} expected {expected}"
    '';

    meta.maintainers = [ lib.maintainers.dblsaiko ];
  }
)