1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
Commit Graph

11 Commits

Author SHA1 Message Date
Lennart Poettering
b968890a87 test: rework resolved monitoring test
Let's remove some sleep loops, and instead:

1. Use Type=notify to wait until "resolvectl monitor" successfully
   installed its monitor, so that we know that queries enqueued later
   will definitely be seen.

2. Use "grep -m1" to watch "journalctl -f" output to wait precisely for
   the RR data we want to see, and immediately exit.

This shortens code quite a bit, and should make it more robust.
2022-09-30 14:24:41 +02:00
Luca Boccassi
0e26016e3d resolved notifications: follow-up fixes
Further review comments from: https://github.com/systemd/systemd/pull/22845
2022-09-27 22:34:17 +01:00
Frantisek Sumsal
e3cccd3c2b test: make the resolved notifications check a bit more robust
Let's parse the resolved JSON notifications via `jq` and check them in a
bit more "controlled" manner - e.g. until now the `grep` was checking just
a one gigantic JSON string, as all received notifications via the
varlink socket are terminated by a NUL character, not a newline.

Also, as the notification delivery is asynchronous, retry the check
a couple of times if it fails (spotted in C8S jobs):

```
[ 2891.935879] testsuite-75.sh[36]: + : '--- nss-resolve/nss-myhostname tests'
[ 2891.935988] testsuite-75.sh[36]: + run getent -s resolve hosts ns1.unsigned.test
[ 2891.936542] testsuite-75.sh[177]: + getent -s resolve hosts ns1.unsigned.test
[ 2891.937499] testsuite-75.sh[178]: + tee /tmp/tmp.pqjNvbQ2eS
[ 2891.939977] testsuite-75.sh[178]: 10.0.0.1        ns1.unsigned.test
[ 2891.940258] testsuite-75.sh[36]: + grep -qE '^10\.0\.0\.1\s+ns1\.unsigned\.test' /tmp/tmp.pqjNvbQ2eS
[ 2891.942235] testsuite-75.sh[189]: + grep -qF '[10,0,0,1]'
[ 2891.942577] testsuite-75.sh[188]: + grep -aF ns1.unsigned.test /tmp/notifications.txt
[ 2891.943978] systemd[1]: testsuite-75.service: Child 36 belongs to testsuite-75.service.
[ 2891.944112] systemd[1]: testsuite-75.service: Main process exited, code=exited, status=1/FAILURE
[ 2891.944215] systemd[1]: testsuite-75.service: Failed with result 'exit-code'.
```
2022-09-11 14:29:34 +02:00
Suraj Krishnan
cb456374e0 Implement DNS notifications from resolved via varlink
* The new varlink interface exposes a method to subscribe to DNS
resolutions on the system. The socket permissions are open for owner and
group only.
* Notifications are sent to subscriber(s), if any, after successful
resolution of A and AAAA records.

This feature could be used by applications for auditing/logging services
downstream of the resolver. It could also be used to asynchronously
update the firewall. For example, a system that has a tightly configured
firewall could open up connections selectively to known good hosts based
on a known allow-list of hostnames. Of course, updating the firewall
asynchronously will require other design considerations (such as
queueing packets in the user space while a verdict is made).

See also:
https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
2022-09-09 09:22:57 +01:00
Frantisek Sumsal
615fc2c3ce test: zone-set requires TTL for the first record in the rrset
I'm not sure why this worked previously.
2022-09-05 17:42:52 +02:00
Frantisek Sumsal
e4050ff41e test: mark knot.conf tmpfiles config as optional
Since it got removed in the recent knot release.

See: a6971a4025
2022-09-05 17:27:48 +02:00
Frantisek Sumsal
9c524a07f6 test: reload knotd after committing all zone changes
Otherwise, on Ubuntu, the DS RRs sometimes won't get propagated
correctly to parent zones for some reason, ending in a loop:

```
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
knotd[70]: info: [signed.test.] DS check, outgoing, remote 10.0.0.1@53, KSK submission check: negative
...
```

causing DNSSEC verification fails. I'm not sure why that happens (yet)...
2022-08-27 11:27:04 +02:00
Frantisek Sumsal
fa17101b8e test: fix delv trust anchors location on Ubuntu
delv on Ubuntu defaults to /etc/bind/bind.keys instead of /etc/bind.keys
when reading trust anchors, so let's create a symlink to make the test
work there as well.

Resolves: #24453
2022-08-27 11:27:04 +02:00
Frantisek Sumsal
57063a4ab2 test: fix typo 2022-08-27 11:27:04 +02:00
Frantisek Sumsal
ad3d0c8a30 test: drop old DS records if present
This makes the test re-runnable without having to go through the cleanup
and setup phases again.
2022-08-27 11:27:02 +02:00
Frantisek Sumsal
fb6f25d7b9 test: Introduce systemd-resolved test suite
Resolves: #19599
2022-07-04 12:21:55 +02:00