dnsmasq module: test config on system build #34019
Conversation
This allows catching issues with the configuration earlier on (previously config errors would only be caught at unit start time), and reduces the chance of painful outages. The method isn't 100% reliable (see comment) but it should be a significant improvement already.
| sed '/\/etc\//d' ${dnsmasqConf} > dnsmasq.conf | ||
|
|
||
| ${dnsmasq}/bin/dnsmasq --test -C dnsmasq.conf && touch $out | ||
| echo "dnsmasq config file: ${dnsmasqConf}" |
There was a problem hiding this comment.
Are you sure, this will not break in sandbox builds? http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/option.c;h=1a5e359b8cabd045e25db082444035649871bcc4;hb=HEAD#l4842
I see gethostname here for example.
There was a problem hiding this comment.
gethostname should just return "localhost" in a sandbox build.
There was a problem hiding this comment.
That said, I'm not sure there aren't other ways this could end up failing.
There was a problem hiding this comment.
What about files that are not in /etc/, nixops for example put secrets in /run/keys/.
Also I am in favor for having this feature I do not see a way,
how this would work in sandbox mode properly for the general case.
There was a problem hiding this comment.
Yeah… What about adding an option to opt-in or opt-out of this check, and still test the configuration on startup?
There was a problem hiding this comment.
Maybe. If we would allow impure nixos evaluation there are modules that could be tested. nginx for example.
There was a problem hiding this comment.
Even that wouldn't be enough, breaking for instance any references to /etc that aren't valid in the current system but are in the system we're building. Best to just leave the testing for activation time.
Motivation for this change
This allows catching issues with the configuration earlier on
(previously config errors would only be caught at unit start time), and
reduces the chance of painful outages. The method isn't 100% reliable
(see comment) but it should be a significant improvement already.
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)I would like to write a test for this but I don't know of a way to assert that a derivation fails to build. Suggestions welcome!