New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dnsmasq module: test config on system build #34019
Conversation
This allows catching issues with the configuration earlier on (previously config errors would only be caught at unit start time), and reduces the chance of painful outages. The method isn't 100% reliable (see comment) but it should be a significant improvement already.
sed '/\/etc\//d' ${dnsmasqConf} > dnsmasq.conf | ||
|
||
${dnsmasq}/bin/dnsmasq --test -C dnsmasq.conf && touch $out | ||
echo "dnsmasq config file: ${dnsmasqConf}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure, this will not break in sandbox builds? http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/option.c;h=1a5e359b8cabd045e25db082444035649871bcc4;hb=HEAD#l4842
I see gethostname
here for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gethostname
should just return "localhost" in a sandbox build.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That said, I'm not sure there aren't other ways this could end up failing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about files that are not in /etc/
, nixops for example put secrets in /run/keys/
.
Also I am in favor for having this feature I do not see a way,
how this would work in sandbox mode properly for the general case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah… What about adding an option to opt-in or opt-out of this check, and still test the configuration on startup?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe. If we would allow impure nixos evaluation there are modules that could be tested. nginx for example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even that wouldn't be enough, breaking for instance any references to /etc
that aren't valid in the current system but are in the system we're building. Best to just leave the testing for activation time.
Motivation for this change
This allows catching issues with the configuration earlier on
(previously config errors would only be caught at unit start time), and
reduces the chance of painful outages. The method isn't 100% reliable
(see comment) but it should be a significant improvement already.
Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)I would like to write a test for this but I don't know of a way to assert that a derivation fails to build. Suggestions welcome!