10 Aug 2021 |
@timdeh:matrix.org | In reply to @blaggacao:matrix.org I still have the vision to bootstrap and manage cryptographic host identity through an identity attestor such as Spiffe/spire or step ca you may want to float this by manveru, as he was brainstorming earlier today how to bootstrap the on prem cluster | 03:21:18 |
@timdeh:matrix.org | sorry, didn't mean to kill your conversation | 03:24:39 |
@kraftnix:matrix.org | so the test is failing because you can't use the standard machine.start() testing framework because the host is NixOS
nix-repl> :b Flake.checks.x86_64-linux.customTestFor-NixOS-attempt
error: builder for '/nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv' failed with exit code 1;
last 5 log lines:
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:2:12 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:5:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:6:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:7:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:9:6 undefined name 'machine'
For full logs, run 'nix log /nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv'.
error: 1 dependencies of derivation '/nix/store/yl5v5rcxv9k1ddjx40dl60hbm9ss6kyg-vm-test-run-attempt.drv' failed to build
I can get the test working if I change it to NixOS.start() or if in the machine config I add networking.hostName = lib.mkForce "machine"; , is there any other way to access the actual hostname easily without this override?
| 03:25:47 |
@gtrunsec:matrix.org | let me test it | 03:27:35 |
@kraftnix:matrix.org | this test integration is amazing though, i know what i'll be doing for the next few days now. | 03:39:27 |
@kraftnix:matrix.org | i have some configs that involve a lot of internal networking + firewalling, this will be so useful for making sure i don't break previously working things | 03:40:47 |
David Arnold (blaggacao) | In reply to @kraftnix:matrix.org
so the test is failing because you can't use the standard machine.start() testing framework because the host is NixOS
nix-repl> :b Flake.checks.x86_64-linux.customTestFor-NixOS-attempt
error: builder for '/nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv' failed with exit code 1;
last 5 log lines:
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:2:12 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:5:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:6:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:7:1 undefined name 'machine'
> /nix/store/yka1w2y65nf2vl3n52l20qm68z1y2qj8-nixos-test-driver-attempt/test-script:9:6 undefined name 'machine'
For full logs, run 'nix log /nix/store/rk1ln00fsbvxblr67q38yylnvg69rq3w-nixos-test-driver-attempt.drv'.
error: 1 dependencies of derivation '/nix/store/yl5v5rcxv9k1ddjx40dl60hbm9ss6kyg-vm-test-run-attempt.drv' failed to build
I can get the test working if I add change it to NixOS.start() or if in the machine config I add networking.hostName = lib.mkForce "machine"; , is there any other way to access the actual hostname easily without this override?
So there is an implementation error to say the least upstream in that fqdn != hostname != node name | 04:14:43 |
David Arnold (blaggacao) | For example you can't meaningfully run tests for bastion.example.com and bastion.local wired together in the same network. | 04:15:39 |
David Arnold (blaggacao) | * For example you can't meaningfully run tests for `bastion.example.com` and `bastion.local` wired together in the same network. | 04:15:47 |
David Arnold (blaggacao) | * For example you can't meaningfully run tests for `bastion.example.com` and `bastion.local` wired together in the same network (without implementing that work around). | 04:16:23 |
David Arnold (blaggacao) | What's worse, python identifiers can't have dashes. So the set of legal hostnames is not RFC1035(?) compliant. Just for tests. | 04:17:13 |
David Arnold (blaggacao) | * What's worse, python identifiers can't have dashes. So the set of legal hostnames (= dns label) is not RFC1035(?) compliant. Just for tests. | 04:17:27 |
David Arnold (blaggacao) | I find that pretty egocentric of the nixos test framework. | 04:17:52 |
David Arnold (blaggacao) | * So there is an implementation error to say the least upstream in that `fqdn != hostname != node name` | 04:18:19 |
David Arnold (blaggacao) | I think a pervasive solution would be machines["<fqdn>"] | 04:19:35 |
David Arnold (blaggacao) | Good that I'm working on a refactor to the testing framework | 04:20:02 |
David Arnold (blaggacao) | In reply to @blaggacao:matrix.org I think a pervasive solution would be machines["<fqdn>"] We could map that to the config's fqdn, but at the same time expose node names as direct identifiers, e.g. machine2 ... | 04:22:33 |
David Arnold (blaggacao) | * We could map that to the config's fqdn, but at the same time expose `node names` as direct identifiers, e.g. `machine2`... | 04:22:46 |
@kraftnix:matrix.org | In reply to @blaggacao:matrix.org What's worse, python identifiers can't have dashes. So the set of legal hostnames (= dns label) is not RFC1035(?) compliant. Just for tests. this bit me not long ago and I renamed a few hosts to camelcase for now | 12:11:48 |
@kraftnix:matrix.org | In reply to @blaggacao:matrix.org We could map that to the config's fqdn, but at the same time expose node names as direct identifiers, e.g. machine2 ... i like this, you can "somewhat" maintain backwards compatibility by keeping node names as toplevel/direct identifiers but provide fqdns under a dict for when the use case is required (this should also avoid any host that has `-` in the name causing devos profile tests to fail immediately). | 12:18:27 |
@gtrunsec:matrix.org | Is there a reason to add an option of disabling TestsAllProfiles? Only customProfilesTest for each host. | 19:10:27 |
@timdeh:matrix.org | If you have a WIP profile that breaks tests? Or maybe some of your profiles use private information that cannot be pulled into the test environment (just off the top of my head) | 19:14:52 |
@gtrunsec:matrix.org | In reply to @timdeh:matrix.org If you have a WIP profile that breaks tests? Or maybe some of your profiles use private information that cannot be pulled into the test environment (just off the top of my head) Not all of them, but the annoying point is that I need to keep all the machine's private information or special arguments consistent. | 19:21:13 |
@princemachiavelli:matrix.org | How would I define a host that is a linux container (boot.isContainer) & then add that container to a profile/suite? It looks like the flk vm is more for adhoc testing of full virtual machines since it uses Qemu instead of LXC which expects its own kernel. | 22:21:17 |
@timdeh:matrix.org | princemachiavelli: { containers.my-coolcontainer = imports = [ ./path-to-host.nix ]; } | 23:47:14 |
@timdeh:matrix.org | * princemachiavelli: { containers.my-cool-container = imports = [ ./path-to-host.nix ]; } | 23:47:25 |
@timdeh:matrix.org | * princemachiavelli: { containers.my-cool-container = { imports = [ ./path-to-host.nix ]; }; } | 23:47:41 |
@timdeh:matrix.org | ^^^ this would be in a profile | 23:47:49 |
@timdeh:matrix.org | or you could just define the container as a profile itself and just put your system config for it after my-cool-container = | 23:48:21 |
@timdeh:matrix.org | * princemachiavelli: { containers.my-cool-container.config = { imports = [ ./path-to-host.nix ]; }; } | 23:48:51 |