`specialArgs` in tests?

thejohncrafter · June 11, 2022, 5:18pm

I developed a system to automatically generate hardening configuration for
systemd services^1.

The idea is to clone nixpkgs, and instrument each test using an object I called
systemdPassthru (I am very open to suggestions for better names), that I can use
to manipulate configuration options.

In practice, a service like this

{ pkgs, ...}:
{
  options = ...;
  config.systemd.services.myservice.serviceConfig = {
    Foo = "Bar";
  };
}

becomes this

{ pkgs, systemdPassthru ...}:
{
  options = ...;
  config.systemd.services.myservice.serviceConfig = {
    Foo = "Bar";
    PrivateDevices = systemdPassthru.myservice.PrivateDevices;
  };
}

This transformation is done autmatically by a tool I wrote in Rust using rnix^2.

In order to make this work, I have do modify two things in nixpkgs:

*** nixpkgs/nixos/tests/make-test-python.nix
--- nixpkgs/nixos/tests/make-test-python.nix -- "hooked" version
***************
*** 1,9 ****
  f: {
    system ? builtins.currentSystem,
    pkgs ? import ../.. { inherit system; },
    ...
  } @ args:
  
! with import ../lib/testing-python.nix { inherit system pkgs; };
  
  makeTest (if pkgs.lib.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f)
--- 1,10 ----
  f: {
+   systemdPassthru,
    system ? builtins.currentSystem,
    pkgs ? import ../.. { inherit system; },
    ...
  } @ args:
  
! with import ../lib/testing-python.nix { inherit system pkgs; specialArgs = { inherit systemdPassthru; }; };
  
  makeTest (if pkgs.lib.isFunction f then f (args // { inherit pkgs; inherit (pkgs) lib; }) else f)

*** output/nixpkgs/nixos/tests/all-tests.nix
--- output/nixpkgs/nixos/tests/all-tests.nix -- "hooked" version
***************
*** 1,4 ****
! { system, pkgs, callTest }:
  # The return value of this function will be an attrset with arbitrary depth and
  # the `anything` returned by callTest at its test leafs.
  # The tests not supported by `system` will be replaced with `{}`, so that
--- 1,4 ----
! { systemdPassthru, system, pkgs, callTest }:
  # The return value of this function will be an attrset with arbitrary depth and
  # the `anything` returned by callTest at its test leafs.
  # The tests not supported by `system` will be replaced with `{}`, so that
***************
*** 15,21 ****
      else if hasAttr "test" val then callTest val
      else mapAttrs (n: s: discoverTests s) val;
    handleTest = path: args:
!     discoverTests (import path ({ inherit system pkgs; } // args));
    handleTestOn = systems: path: args:
      if elem system systems then handleTest path args
      else {};
--- 15,21 ----
      else if hasAttr "test" val then callTest val
      else mapAttrs (n: s: discoverTests s) val;
    handleTest = path: args:
!     discoverTests (import path ({ inherit systemdPassthru system pkgs; } // args));
    handleTestOn = systems: path: args:
      if elem system systems then handleTest path args
      else {};

But some tests don’t work well with this pattern (54 out of 564).

To make systemdPassthru work, I used specialArgs.
I’m wondering if the right thing to do is to make every single test accept specialArgs.
This would allow for some modularity in test instantiation:

let myTests = import <nixpkgs/nixos/tests/all-tests.nix> {
    specialArgs = {
      # Options I pass to some module that expects some special config.
    };
    system = builtins.currentSystem;
    pkgs = import <nixpkgs> { system = builtins.currentSystem; };
    callTest = t: lib.hydraJob t.test;
  };

This is very useful in my case, but even I think the usefulness of this pattern is
arguable outside the scope of my work.

I’m also wondering if the right approach isn’t actually to use _module instead of specialArgs.

In any case, I have to make my generation system work, so I’m looking for some advice
to choose between these options:

Either do this on my side, make a local branch where I modify the 54 misbehaving tests
and use git mail to generate pathches, and add a patch phase to
the workflow of nixos-harden-systemd
This option would trivially work, but it does not feel very satisfactory, at least to me.
Do about the same thing, but make every test accept specialArgs, and commit the result
in nixpkgs. Then derive my special case from this.
Or exactly that, but with _module instead of specialArgs, or with both _module and specialArgs.

What does feel right to you?
I’m of course open to any other suggestion, and willing to discuss this further and give
more information / explain any unclear point of what I’ve done.

This project is funded by the European Commission through nlnet, and I am really grateful to them for the opportunity!

ckie · June 11, 2022, 6:03pm

I’m also wondering if the right approach isn’t actually to use _module instead of specialArgs .

Yes. See the comment here:

                , # This should only be used for special arguments that need to be evaluated
                  # when resolving module structure (like in imports). For everything else,
                  # there's _module.args. If specialArgs.modulesPath is defined it will be
                  # used as the base path for disabledModules.

It looks like a neat little idea to have defaults for various systemd service options but why make it a module argument? Why not have a systemd.defaultService.serviceConfig.* which can be set to harden everything by default?

There probably will be some extra problems with that approach but they’re all implementation and not inherently flawed design. For example there are still a few packages that take their configruation via the global nixpkgs config (import <nixpkgs> { this = "one"; }) instead of override which makes things

thejohncrafter · June 11, 2022, 7:46pm

ckie:

Yes. See the comment here:

                , # This should only be used for special arguments that need to be evaluated
                  # when resolving module structure (like in imports). For everything else,
                  # there's _module.args. If specialArgs.modulesPath is defined it will be
                  # used as the base path for disabledModules.

Ok, thanks!

To summarize what I want to obtain:
The ultimate goal is to be able to instantiate a given test with an arbitrary configuration. This looks like that:

let
  defaultPassthru =
    # ./output/tests contains the name of each systemd service and for each service
    # the list of the fields that have been hooked
    let tests = builtins.fromJSON (builtins.readFile ./output/tests);
    in lib.mapAttrs (_: value: builtins.listToAttrs (map (name: lib.nameValuePair name false) value.fields)) tests;
  lib = (import <nixpkgs> {}).lib;

  allTestsHooked = import (toString ./output/nixpkgs/nixos/tests/all-tests.nix) {
    systemdPassthru = defaultPassthru // {
      # This is where I need the magic to happen:
      # I want instantiate the tests *with a given set of hardening options*
      "hydra-server" = defaultPassthru."hydra-server" // {
        "ProtectKernelTunables" = true;
      };
    };
    system = builtins.currentSystem;
    pkgs = import (toString ./output/nixpkgs) { system = builtins.currentSystem; };
    callTest = t: lib.hydraJob t.test;
  };
in allTestsHooked.hydra.hydra-unstable

The problem is to pass some global config to every system that will be generated by the tests.
In any case, I need some way to “speak through” the test top-level (nixos/tests/all-tests.nix, nixos/lib/make-test-pyton.nix) down to the nixos modules that I instrumented.

If I understand correctly, you are suggesting to instead pass my arguments through the top-level nixpkgs that I pass to nixos/tests/all-tests.nix?

In more detail, the problems that I encountered, which will hopefully make my train of thought clearer (I don’t want to sound argumentative, I’m just genuinely stuck with my design issues haha):

It looks like essentially, the only point where I can pass any special to the modules that are instantiated is here in nixos/lib/testing-python.nix. The only external variables that are available there come from here (the usable fields are pkgs, config, and specialArgs). If I want to use specialArgs, I need each test to correctly pass any specialArgs I give to it (which does not trivially happen in the 54 cases I mentioned), same goes for config if I remember correctly. Then the only way to pass any argument to the modules without modifying any test is to add some special fields to pkgs which is correctly passed through the whole call hierarchy (hopefully). But then, isn’t using pkgs a bit of a dirty trick? (Well, passing specialArgs is kind of a dirty trick too, I can’t figure out which is better. Using pkgs, which I didn’t think of, has the advantage of being painless.)

The “dual” question is: Will anyone need to pass something to every module like I’m doing right now, or is my use case too special? (Another question: Do we actually want to be able to do that?)

ckie · June 12, 2022, 6:00pm

[Not quoting anything since I’m replying to almost all of it]

I meant that indeed arbitrary pass through across NixOS systems (even the test ones!) for evaluation is probably bad since the nixosTests already do their job for nixpkgs's usecase.

Looking a bit closer testing-python.nix already has an extraConfigurations argument and it seems reasonable to me that you could use that to pass things through. You can make a module that sets all the hardening options you want and pass it through to makeTest. If you’re not calling that directly I guess you should make the caller of makeTest expose extraConfigurations and PR that which seems like a significantly simpler change.

roberth · June 14, 2022, 9:28am

I’m improving the test wiring with the module system:

github.com/NixOS/nixpkgs

nixosTest: modularity and matrix

NixOS:master ← hercules-ci:nixosTest-modular-and-matrix

opened 02:16PM - 06 Jun 22 UTC

roberth

+1005 -207

###### Description of changes Use the module system to replace the NixOS test… framework's custom glue. - NixOS tests can now use `imports` and other module system features. - Type checking for the test arguments. - Tests can now define overrides for interactive use. - Network-wide test setup can now be reusable; example: - A setup with all VMs configured to use a DNS server - Split long, slow tests into multiple tests that import a common module that has most of the setup. - We now have a module for test matrices / parameterized tests. We can stop reinventing the wheel, which we've done in many ways. - Generic support for version matrix + package passthru pattern (TBD) - (TBD) "generated" options reference docs - Implementation cleanup: aspects that had to be wired through all the glue are now in their own files. - `testing/interactive.nix`: just a couple of lines that can be ignored by the other modules, as opposed to wiring it through what is now `testing/run.nix`. - `testing/network.nix`, etc - For supporting containerized tests, the flexibility of the module system will be useful.  All in all, this quite significantly collapses the number of layers and custom expressions that test authors have to deal with. Also, more info in the expanded commit messages. TODO: - [ ] do something about the now-legacy code that's duplicated - [x] maybe not put `name` in `specialArgs`; feasible with some `network.nix` refactoring to make the node `config` skeleton static. - [ ] convert a couple more tests done: - `_3proxy` - `acme` - `adguardhome` - `aesmd` - `agate` - `avahi` - `oci-containers` - `hostname` - [ ] docs in the manual - [ ] do a real example of multi-dimensional matrix; have tested this manually but example was not commit-worthy - [x] test with variant that has extra configuration: `avahi` - [x] test with parameter: `oci-containers` - [ ] demonstrate 2+ orthogonal choices - [ ] demonstrate how to prune irrelevant choices (`matrix.<choice>.enable = false` + `matrix.<choice>.after`) - [x] with enable (`cassandra.passthru.tests.nixos`) - [ ] with nesting (if that works) - [x] add an example that modifies the nixos config directly from `matrix` (as `value.<value>` is a "parallel universe" of the entire test config) -> `avahi` Closes #144110 ###### Things done - Built on platform(s) - [ ] x86_64-linux - [ ] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - [ ] For non-Linux: Is `sandbox = true` set in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [22.11 Release Notes (or backporting 22.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2211-release-notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] (Release notes changes) Ran `nixos/doc/manual/md-to-db.sh` to update generated release notes - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).

To add your own configuration to an existing test, you can use the new extend function for tests. defaults and nodes work just like in NixOps.

nixosTests.foo.extend {

  # set any test-level options here, such as `enableOCR`, `meta`, ...

  defaults = { config, lib, ... }: {
    # set any NixOS-level options here, applied to all VMs
  };

  nodes.foo = {
    # set any NixOS-level options here, applied to the `foo` machine only
    # (created if necessary)
  };
}

If nixosTests.foo consists of multiple test cases and/or a test matrix, i.e. multiple derivations, it works exactly the same, requiring no mapAttrs or anything like that.

thejohncrafter · June 14, 2022, 2:44pm

@ckie Yes, passing extraConfiguration seems like a reasonable approach and it seems “PRable” anyway it solves my issues without too much trouble, thanks!

@roberth your solution is brillant! Is it stable enough for me to base my branch on yours? Or should I use the other solution (which works just fine too for me) while waiting for the final merge?

roberth · June 14, 2022, 11:47pm

I expect it to be merged no earlier than two weeks from now.
That may be optimistic considering the obvious dependency on volunteer maintainers. I know the test framework maintainer is positive about the idea, but hasn’t dived into it yet.

I wouldn’t mind if you wired extraConfigurations into all-tests.nix. I can support it in my own PR and when it becomes conceptually redundant, we may deprecate it. The latter won’t happen anytime soon.