diff options
Diffstat (limited to 'test/units')
32 files changed, 1244 insertions, 811 deletions
diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh index 6392425..4448643 100755 --- a/test/units/TEST-02-UNITTESTS.sh +++ b/test/units/TEST-02-UNITTESTS.sh @@ -95,6 +95,20 @@ export -f run_test find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 | xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}" +# Write all pending messages, so they don't get mixed with the summaries below +journalctl --sync + +# No need for full test logs in this case +if [[ -s /skipped-tests ]]; then + : "=== SKIPPED TESTS ===" + cat /skipped-tests +fi + +if [[ -s /failed ]]; then + : "=== FAILED TESTS ===" + cat /failed +fi + # Test logs are sometimes lost, as the system shuts down immediately after journalctl --sync diff --git a/test/units/TEST-04-JOURNAL.bsod.sh b/test/units/TEST-04-JOURNAL.bsod.sh index 83feb89..802d474 100755 --- a/test/units/TEST-04-JOURNAL.bsod.sh +++ b/test/units/TEST-04-JOURNAL.bsod.sh @@ -4,12 +4,12 @@ set -eux set -o pipefail if systemd-detect-virt -cq; then - echo "This test requires a VM, skipping the test" | tee --append /skipped + echo "This test requires a VM, skipping the test" exit 0 fi if [[ ! -x /usr/lib/systemd/systemd-bsod ]]; then - echo "systemd-bsod is not installed, skipping the test" | tee --append /skipped + echo "systemd-bsod is not installed, skipping the test" exit 0 fi diff --git a/test/units/TEST-04-JOURNAL.stopped-socket-activation.sh b/test/units/TEST-04-JOURNAL.stopped-socket-activation.sh new file mode 100755 index 0000000..083f5fa --- /dev/null +++ b/test/units/TEST-04-JOURNAL.stopped-socket-activation.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux +set -o pipefail + +systemctl stop systemd-journald.service +systemd-cat date + +# shellcheck disable=SC2016 +timeout 30 bash -xec 'until test "$(systemctl show -p SubState --value systemd-journald.service)" = "running"; do sleep 1; done' diff --git a/test/units/TEST-07-PID1.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh index a3379ef..cf39af0 100755 --- a/test/units/TEST-07-PID1.exec-context.sh +++ b/test/units/TEST-07-PID1.exec-context.sh @@ -186,27 +186,27 @@ if ! systemd-detect-virt -cq; then ) # We should fail with EPERM when trying to bind to a socket not on the allow list - # (nc exits with 2 in that case) + # (ncat exits with 2 in that case) systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42' + bash -xec 'timeout 1s ncat -l 127.0.0.1 9999; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -l ::1 9999; exit 42' + bash -xec 'timeout 1s ncat -l ::1 9999; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -6 -u -l ::1 9999; exit 42' + bash -xec 'timeout 1s ncat -6 -u -l ::1 9999; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -4 -l 127.0.0.1 6666; exit 42' + bash -xec 'timeout 1s ncat -4 -l 127.0.0.1 6666; exit 42' systemd-run --wait -p SuccessExitStatus="1 2" --pipe -p SocketBindDeny=any \ - bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42' + bash -xec 'timeout 1s ncat -l 127.0.0.1 9999; exit 42' # Consequently, we should succeed when binding to a socket on the allow list # and keep listening on it until we're killed by `timeout` (EC 124) systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -4 -l 127.0.0.1 1234; exit 1' + bash -xec 'timeout 1s ncat -4 -l 127.0.0.1 1234; exit 1' systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -4 -u -l 127.0.0.1 5678; exit 1' + bash -xec 'timeout 1s ncat -4 -u -l 127.0.0.1 5678; exit 1' systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -6 -l ::1 1234; exit 1' + bash -xec 'timeout 1s ncat -6 -l ::1 1234; exit 1' systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ - bash -xec 'timeout 1s nc -6 -l ::1 6666; exit 1' + bash -xec 'timeout 1s ncat -6 -l ::1 6666; exit 1' fi losetup -d "$LODEV" diff --git a/test/units/TEST-07-PID1.issue-2467.sh b/test/units/TEST-07-PID1.issue-2467.sh index de0577b..083a1e7 100755 --- a/test/units/TEST-07-PID1.issue-2467.sh +++ b/test/units/TEST-07-PID1.issue-2467.sh @@ -8,7 +8,7 @@ set -o pipefail rm -f /tmp/nonexistent systemctl start issue2467.socket -nc -i20 -w20 -U /run/test.ctl || : +ncat -i20 -w20 -U /run/test.ctl || : # TriggerLimitIntervalSec= by default is set to 2s. A "sleep 10" should give # systemd enough time even on slower machines, to reach the trigger limit. diff --git a/test/units/TEST-07-PID1.issue-3171.sh b/test/units/TEST-07-PID1.issue-3171.sh index 374df54..e1a4b64 100755 --- a/test/units/TEST-07-PID1.issue-3171.sh +++ b/test/units/TEST-07-PID1.issue-3171.sh @@ -30,21 +30,21 @@ EOF systemctl start issue-3171.socket systemctl is-active issue-3171.socket [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] -echo A | nc -w1 -U /run/issue-3171.socket +echo A | ncat -w1 -U /run/issue-3171.socket mv $U ${U}.disabled systemctl daemon-reload systemctl is-active issue-3171.socket [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] -echo B | nc -w1 -U /run/issue-3171.socket && exit 1 +echo B | ncat -w1 -U /run/issue-3171.socket && exit 1 mv ${U}.disabled $U systemctl daemon-reload systemctl is-active issue-3171.socket -echo C | nc -w1 -U /run/issue-3171.socket && exit 1 +echo C | ncat -w1 -U /run/issue-3171.socket && exit 1 [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] systemctl restart issue-3171.socket systemctl is-active issue-3171.socket -echo D | nc -w1 -U /run/issue-3171.socket +echo D | ncat -w1 -U /run/issue-3171.socket [[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]] diff --git a/test/units/TEST-07-PID1.issue-31752.sh b/test/units/TEST-07-PID1.issue-31752.sh new file mode 100755 index 0000000..89ec07e --- /dev/null +++ b/test/units/TEST-07-PID1.issue-31752.sh @@ -0,0 +1,44 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +set -eux +set -o pipefail + +# shellcheck source=test/units/util.sh +. "$(dirname "$0")"/util.sh + +# Make sure NeedDaemonReload= considers newly created drop-ins. +# Issue: https://github.com/systemd/systemd/issues/31752 + +UNIT=test-issue-31752.service + +cleanup() { + rm -rf /run/systemd/system/"$UNIT" /run/systemd/system/"$UNIT".d + systemctl daemon-reload +} + +trap cleanup EXIT + +cat > /run/systemd/system/"$UNIT" <<EOF +[Service] +ExecStart=/usr/bin/true +RemainAfterExit=yes +EOF + +systemctl daemon-reload +systemctl start "$UNIT" +assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no + +mkdir /run/systemd/system/"$UNIT".d +cat > /run/systemd/system/"$UNIT".d/desc.conf <<EOF +[Unit] +Description=Test NeedDaemonReload status after creating drop-in +EOF + +assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" yes + +rm /run/systemd/system/"$UNIT".d/desc.conf + +assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no diff --git a/test/units/TEST-07-PID1.issue-33672.sh b/test/units/TEST-07-PID1.issue-33672.sh new file mode 100755 index 0000000..370497c --- /dev/null +++ b/test/units/TEST-07-PID1.issue-33672.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +set -eux +set -o pipefail + +# shellcheck source=test/units/util.sh +. "$(dirname "$0")"/util.sh + +# systemctl status always shows daemon-reload warning for a masked service with drop-ins +# Issue: https://github.com/systemd/systemd/issues/33672 + +UNIT=test-23-NeedDaemonReload.service + +cleanup() { + rm -rf /run/systemd/system/"$UNIT" /run/systemd/system/"$UNIT".d + systemctl daemon-reload +} + +trap cleanup EXIT + +cat > /run/systemd/system/"$UNIT" <<EOF +[Service] +ExecStart=/usr/bin/true +EOF + +mkdir /run/systemd/system/"$UNIT".d +cat > /run/systemd/system/"$UNIT".d/desc.conf <<EOF +[Unit] +Description=Test NeedDaemonReload status of a masked unit with drop-ins +EOF + +systemctl daemon-reload +systemctl unmask "$UNIT" +assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no + +systemctl mask "$UNIT" +assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no diff --git a/test/units/TEST-09-REBOOT.sh b/test/units/TEST-09-REBOOT.sh index 85630b6..014ea31 100755 --- a/test/units/TEST-09-REBOOT.sh +++ b/test/units/TEST-09-REBOOT.sh @@ -17,7 +17,11 @@ systemd-cat journalctl --list-boots run_subtests if [[ "$REBOOT_COUNT" -lt "$NUM_REBOOT" ]]; then + SYSTEMCTL_SKIP_AUTO_SOFT_REBOOT=1 + export SYSTEMCTL_SKIP_AUTO_SOFT_REBOOT systemctl_final reboot + # Now block until the reboot killing spree kills us. + exec sleep infinity elif [[ "$REBOOT_COUNT" -gt "$NUM_REBOOT" ]]; then assert_not_reached fi diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh index 7901e98..ad11468 100755 --- a/test/units/TEST-13-NSPAWN.nspawn.sh +++ b/test/units/TEST-13-NSPAWN.nspawn.sh @@ -179,6 +179,10 @@ elif [[ $1 == initgroups ]]; then fi EOF chmod +x "$root/bin/getent" + # The useradd is important here so the user is added to /etc/passwd. If the user is not in /etc/passwd, + # bash will end up loading libnss_systemd.so which breaks when libnss_systemd.so is built with sanitizers + # as bash isn't invoked with the necessary environment variables for that. + useradd --root="$root" --uid 1000 --user-group --create-home testuser systemd-nspawn --directory="$root" bash -xec '[[ $USER == root ]]' systemd-nspawn --directory="$root" --user=testuser bash -xec '[[ $USER == testuser ]]' @@ -672,8 +676,10 @@ fi EOF chmod +x "$root/bin/getent" - mkdir -p "$root/home/testuser" - chown 1010:1010 "$root/home/testuser" + # The useradd is important here so the user is added to /etc/passwd. If the user is not in /etc/passwd, + # bash will end up loading libnss_systemd.so which breaks when libnss_systemd.so is built with sanitizers + # as bash isn't invoked with the necessary environment variables for that. + useradd --root="$root" --uid 1010 --user-group --create-home testuser cmd='PERMISSIONS=$(stat -c "%u:%g" /home/testuser/file); if [[ $PERMISSIONS != "1010:1010" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /home/testuser/other_file' if ! SYSTEMD_LOG_TARGET=console \ @@ -702,7 +708,7 @@ EOF testcase_notification_socket() { # https://github.com/systemd/systemd/issues/4944 local root - local cmd='echo a | nc -U -u -w 1 /run/host/notify' + local cmd='echo a | ncat -U -u -w 1 /run/host/notify' root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.check_notification_socket.XXX)" create_dummy_container "$root" @@ -937,6 +943,17 @@ matrix_run_one() { return 0 } +testcase_api_vfs() { + local api_vfs_writable + + for api_vfs_writable in yes no network; do + matrix_run_one no no $api_vfs_writable + matrix_run_one yes no $api_vfs_writable + matrix_run_one no yes $api_vfs_writable + matrix_run_one yes yes $api_vfs_writable + done +} + testcase_check_os_release() { # https://github.com/systemd/systemd/issues/29185 local base common_opts root @@ -967,11 +984,46 @@ testcase_check_os_release() { rm -fr "$root" "$base" } -run_testcases +testcase_ip_masquerade() { + local root + + if ! command -v networkctl >/dev/null; then + echo "This test requires systemd-networkd, skipping..." + return 0 + fi + + systemctl unmask systemd-networkd.service + systemctl edit --runtime --stdin systemd-networkd.service --drop-in=debug.conf <<EOF +[Service] +Environment=SYSTEMD_LOG_LEVEL=debug +EOF + systemctl start systemd-networkd.service + + root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.ip_masquerade.XXX)" + create_dummy_container "$root" + + systemd-run --unit=nspawn-hoge.service \ + systemd-nspawn \ + --register=no \ + --directory="$root" \ + --ephemeral \ + --machine=hoge \ + --network-veth \ + bash -x -c "ip link set host0 up; sleep 30s" + + /usr/lib/systemd/systemd-networkd-wait-online -i ve-hoge --timeout 30s + + # Check IPMasquerade= for ve-* and friends enabled IP forwarding. + [[ "$(cat /proc/sys/net/ipv4/conf/all/forwarding)" == "1" ]] + [[ "$(cat /proc/sys/net/ipv4/conf/default/forwarding)" == "1" ]] + [[ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" == "1" ]] + [[ "$(cat /proc/sys/net/ipv6/conf/default/forwarding)" == "1" ]] -for api_vfs_writable in yes no network; do - matrix_run_one no no $api_vfs_writable - matrix_run_one yes no $api_vfs_writable - matrix_run_one no yes $api_vfs_writable - matrix_run_one yes yes $api_vfs_writable -done + systemctl stop nspawn-hoge.service || : + systemctl stop systemd-networkd.service + systemctl mask systemd-networkd.service + + rm -fr "$root" +} + +run_testcases diff --git a/test/units/TEST-17-UDEV.credentials.sh b/test/units/TEST-17-UDEV.credentials.sh index 42d3883..2552dc6 100755 --- a/test/units/TEST-17-UDEV.credentials.sh +++ b/test/units/TEST-17-UDEV.credentials.sh @@ -5,7 +5,7 @@ set -eux set -o pipefail if [[ $(systemctl is-enabled systemd-udev-load-credentials.service) == not-found ]]; then - echo "Missing systemd-udev-load-credentials.service" >>/skipped + echo "Missing systemd-udev-load-credentials.service" exit 0 fi diff --git a/test/units/TEST-19-CGROUP.delegate.sh b/test/units/TEST-19-CGROUP.delegate.sh index 022515f..7f3a705 100755 --- a/test/units/TEST-19-CGROUP.delegate.sh +++ b/test/units/TEST-19-CGROUP.delegate.sh @@ -5,6 +5,8 @@ set -o pipefail # Test cgroup delegation in the unified hierarchy +# shellcheck source=test/units/test-control.sh +. "$(dirname "$0")"/test-control.sh # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh @@ -13,104 +15,109 @@ if [[ "$(get_cgroup_hierarchy)" != unified ]]; then exit 0 fi -at_exit() { - set +e - userdel -r test +testcase_controllers() { + systemd-run --wait \ + --unit=test-0.service \ + --property="DynamicUser=1" \ + --property="Delegate=" \ + test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \ + -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \ + -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control + + systemd-run --wait \ + --unit=test-1.service \ + --property="DynamicUser=1" \ + --property="Delegate=memory pids" \ + grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers + + systemd-run --wait \ + --unit=test-2.service \ + --property="DynamicUser=1" \ + --property="Delegate=memory pids" \ + grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers + + # "io" is not among the controllers enabled by default for all units, verify that + grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers + + # Run a service with "io" enabled, and verify it works + systemd-run --wait \ + --unit=test-3.service \ + --property="IOAccounting=yes" \ + --property="Slice=system-foo-bar-baz.slice" \ + grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers + + # We want to check if "io" is removed again from the controllers + # list. However, PID 1 (rightfully) does this asynchronously. In order + # to force synchronization on this, let's start a short-lived service + # which requires PID 1 to refresh the cgroup tree, so that we can + # verify that this all works. + systemd-run --wait --unit=test-4.service true + + # And now check again, "io" should have vanished + grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers } -systemd-run --wait \ - --unit=test-0.service \ - --property="DynamicUser=1" \ - --property="Delegate=" \ - test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \ - -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \ - -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control +testcase_attributes() { + # Test if delegation also works for some of the more recent attrs the kernel might or might not support + for attr in cgroup.threads memory.oom.group memory.reclaim ; do + if grep -q "$attr" /sys/kernel/cgroup/delegate ; then + systemd-run --wait \ + --unit=test-0.service \ + --property="MemoryAccounting=1" \ + --property="DynamicUser=1" \ + --property="Delegate=" \ + test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \ + -w /sys/fs/cgroup/system.slice/test-0.service/"$attr" + fi + done +} -# Test if this also works for some of the more recent attrs the kernel might or might not support -for attr in cgroup.threads memory.oom.group memory.reclaim ; do +testcase_scope_unpriv_delegation() { + # Check that unprivileged delegation works for scopes + useradd test + trap "userdel -r test" RETURN + systemd-run --uid=test \ + --property="User=test" \ + --property="Delegate=yes" \ + --slice workload.slice \ + --unit test-workload0.scope\ + --scope \ + test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \ + -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \ + -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control +} - if grep -q "$attr" /sys/kernel/cgroup/delegate ; then +testcase_subgroup() { + # Verify that DelegateSubgroup= affects ownership correctly + unit="test-subgroup-$RANDOM.service" + systemd-run --wait \ + --unit="$unit" \ + --property="DynamicUser=1" \ + --property="Delegate=pids" \ + --property="DelegateSubgroup=foo" \ + test -w "/sys/fs/cgroup/system.slice/$unit" -a \ + -w "/sys/fs/cgroup/system.slice/$unit/foo" + + # Check that for the subgroup also attributes that aren't covered by + # regular (i.e. main cgroup) delegation ownership rules are delegated properly + if test -f /sys/fs/cgroup/cgroup.max.depth; then + unit="test-subgroup-$RANDOM.service" systemd-run --wait \ - --unit=test-0.service \ - --property="MemoryAccounting=1" \ + --unit="$unit" \ --property="DynamicUser=1" \ - --property="Delegate=" \ - test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \ - -w /sys/fs/cgroup/system.slice/test-0.service/"$attr" + --property="Delegate=pids" \ + --property="DelegateSubgroup=zzz" \ + test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth" fi -done - -systemd-run --wait \ - --unit=test-1.service \ - --property="DynamicUser=1" \ - --property="Delegate=memory pids" \ - grep -q memory /sys/fs/cgroup/system.slice/test-1.service/cgroup.controllers - -systemd-run --wait \ - --unit=test-2.service \ - --property="DynamicUser=1" \ - --property="Delegate=memory pids" \ - grep -q pids /sys/fs/cgroup/system.slice/test-2.service/cgroup.controllers - -# "io" is not among the controllers enabled by default for all units, verify that -grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers - -# Run a service with "io" enabled, and verify it works -systemd-run --wait \ - --unit=test-3.service \ - --property="IOAccounting=yes" \ - --property="Slice=system-foo-bar-baz.slice" \ - grep -q io /sys/fs/cgroup/system.slice/system-foo.slice/system-foo-bar.slice/system-foo-bar-baz.slice/test-3.service/cgroup.controllers - -# We want to check if "io" is removed again from the controllers -# list. However, PID 1 (rightfully) does this asynchronously. In order -# to force synchronization on this, let's start a short-lived service -# which requires PID 1 to refresh the cgroup tree, so that we can -# verify that this all works. -systemd-run --wait --unit=test-4.service true - -# And now check again, "io" should have vanished -grep -qv io /sys/fs/cgroup/system.slice/cgroup.controllers - -# Check that unprivileged delegation works for scopes -useradd test ||: -systemd-run --uid=test \ - --property="User=test" \ - --property="Delegate=yes" \ - --slice workload.slice \ - --unit test-workload0.scope\ - --scope \ - test -w /sys/fs/cgroup/workload.slice/test-workload0.scope -a \ - -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.procs -a \ - -w /sys/fs/cgroup/workload.slice/test-workload0.scope/cgroup.subtree_control - -# Verify that DelegateSubgroup= affects ownership correctly -unit="test-subgroup-$RANDOM.service" -systemd-run --wait \ - --unit="$unit" \ - --property="DynamicUser=1" \ - --property="Delegate=pids" \ - --property="DelegateSubgroup=foo" \ - test -w "/sys/fs/cgroup/system.slice/$unit" -a \ - -w "/sys/fs/cgroup/system.slice/$unit/foo" - -# Check that for the subgroup also attributes that aren't covered by -# regular (i.e. main cgroup) delegation ownership rules are delegated properly -if test -f /sys/fs/cgroup/cgroup.max.depth; then + + # Check that the invoked process itself is also in the subgroup unit="test-subgroup-$RANDOM.service" systemd-run --wait \ --unit="$unit" \ --property="DynamicUser=1" \ --property="Delegate=pids" \ - --property="DelegateSubgroup=zzz" \ - test -w "/sys/fs/cgroup/system.slice/$unit/zzz/cgroup.max.depth" -fi + --property="DelegateSubgroup=bar" \ + grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup +} -# Check that the invoked process itself is also in the subgroup -unit="test-subgroup-$RANDOM.service" -systemd-run --wait \ - --unit="$unit" \ - --property="DynamicUser=1" \ - --property="Delegate=pids" \ - --property="DelegateSubgroup=bar" \ - grep -q -x -F "0::/system.slice/$unit/bar" /proc/self/cgroup +run_testcases diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh index ae7a5d6..1471f3f 100755 --- a/test/units/TEST-26-SYSTEMCTL.sh +++ b/test/units/TEST-26-SYSTEMCTL.sh @@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME" systemctl help "$UNIT_NAME" systemctl service-watchdogs systemctl service-watchdogs "$(systemctl service-watchdogs)" +# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers +systemctl enable "$UNIT_NAME" +systemctl stop "$UNIT_NAME" +rm -f "/usr/lib/systemd/system/$UNIT_NAME" +systemctl daemon-reload +systemctl disable "$UNIT_NAME" # show/set-environment # Make sure PATH is set diff --git a/test/units/TEST-29-PORTABLE.sh b/test/units/TEST-29-PORTABLE.sh index 27c24a0..41dce4d 100755 --- a/test/units/TEST-29-PORTABLE.sh +++ b/test/units/TEST-29-PORTABLE.sh @@ -354,6 +354,18 @@ portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 +# The wrong file should be ignored, given the right one has the xattr set +trap 'rm -rf /var/cache/wrongext' EXIT +mkdir -p /var/cache/wrongext/usr/lib/extension-release.d /var/cache/wrongext/usr/lib/systemd/system/ +echo "[Service]" > /var/cache/wrongext/usr/lib/systemd/system/app0.service +touch /var/cache/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt +cp /tmp/rootdir/usr/lib/os-release /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 +setfattr -n user.extension-release.strict -v "false" /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 +portablectl "${ARGS[@]}" attach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 +status="$(portablectl is-attached --extension wrongext rootdir)" +[[ "${status}" == "attached-runtime" ]] +portablectl detach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 + umount /tmp/rootdir umount /tmp/app0 umount /tmp/app1 diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh index 165af47..f8a2a62 100755 --- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh +++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh @@ -6,13 +6,13 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh -install_extension_images - if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then echo "Cannot create unprivileged user namespaces" >/skipped exit 77 fi +install_extension_images + systemd-analyze log-level debug runas testuser systemd-run --wait --user --unit=test-private-users \ diff --git a/test/units/TEST-45-TIMEDATE.sh b/test/units/TEST-45-TIMEDATE.sh index dff3ed0..420ebef 100755 --- a/test/units/TEST-45-TIMEDATE.sh +++ b/test/units/TEST-45-TIMEDATE.sh @@ -218,7 +218,7 @@ assert_ntp() { assert_timedated_signal() { local timestamp="${1:?}" local value="${2:?}" - local args=(-q -n 1 --since="$timestamp" -p info _SYSTEMD_UNIT="busctl-monitor.service") + local args=(-q -n 1 --since="$timestamp" -p info -t busctl) journalctl --sync @@ -298,7 +298,7 @@ assert_timesyncd_signal() { local timestamp="${1:?}" local property="${2:?}" local value="${3:?}" - local args=(-q --since="$timestamp" -p info _SYSTEMD_UNIT="busctl-monitor.service") + local args=(-q --since="$timestamp" -p info -t busctl) journalctl --sync diff --git a/test/units/TEST-54-CREDS.sh b/test/units/TEST-54-CREDS.sh index fe410d5..89d6dcd 100755 --- a/test/units/TEST-54-CREDS.sh +++ b/test/units/TEST-54-CREDS.sh @@ -273,8 +273,11 @@ rm -rf /tmp/ts54-creds # Check that globs work as expected mkdir -p /run/credstore echo -n a >/run/credstore/test.creds.first -echo -n b >/run/credstore/test.creds.second +# Make sure that when multiple credentials of the same name are found, the first one is used (/etc/credstore +# is searched before /run/credstore). +echo -n ignored >/run/credstore/test.creds.second mkdir -p /etc/credstore +echo -n b >/etc/credstore/test.creds.second echo -n c >/etc/credstore/test.creds.third systemd-run -p "ImportCredential=test.creds.*" \ --unit=test-54-ImportCredential.service \ diff --git a/test/units/TEST-55-OOMD-testbloat.service b/test/units/TEST-55-OOMD-testbloat.service index ba4f2bc..70c8772 100644 --- a/test/units/TEST-55-OOMD-testbloat.service +++ b/test/units/TEST-55-OOMD-testbloat.service @@ -3,8 +3,8 @@ Description=Create a lot of memory pressure [Service] -# A VERY small memory.high will cause the 'stress' (trying to use a lot of memory) +# A VERY small memory.high will cause the 'stress-ng' (trying to use a lot of memory) # to throttle and be put under heavy pressure. MemoryHigh=3M Slice=TEST-55-OOMD-workload.slice -ExecStart=stress --timeout 3m --vm 10 --vm-bytes 200M --vm-keep --vm-stride 1 +ExecStart=stress-ng --timeout 3m --vm 10 --vm-bytes 200M --vm-keep diff --git a/test/units/TEST-55-OOMD-testmunch.service b/test/units/TEST-55-OOMD-testmunch.service index 5659906..79bd018 100644 --- a/test/units/TEST-55-OOMD-testmunch.service +++ b/test/units/TEST-55-OOMD-testmunch.service @@ -5,4 +5,4 @@ Description=Create some memory pressure [Service] MemoryHigh=12M Slice=TEST-55-OOMD-workload.slice -ExecStart=stress --timeout 3m --vm 10 --vm-bytes 200M --vm-keep --vm-stride 1 +ExecStart=stress-ng --timeout 3m --vm 10 --vm-bytes 200M --vm-keep diff --git a/test/units/TEST-55-OOMD.sh b/test/units/TEST-55-OOMD.sh index b04ebca..944067c 100755 --- a/test/units/TEST-55-OOMD.sh +++ b/test/units/TEST-55-OOMD.sh @@ -6,14 +6,6 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh -. /etc/os-release -# OpenSUSE does not have the stress tool packaged. It does have stress-ng but the stress-ng does not support -# --vm-stride which this test uses. -if [[ "$ID" =~ "opensuse" ]]; then - echo "Skipping due to missing stress package in OpenSUSE" >>/skipped - exit 77 -fi - systemd-analyze log-level debug # Ensure that the init.scope.d drop-in is applied on boot diff --git a/test/units/TEST-58-REPART.sh b/test/units/TEST-58-REPART.sh index 8a014ac..e5f9c1f 100755 --- a/test/units/TEST-58-REPART.sh +++ b/test/units/TEST-58-REPART.sh @@ -161,7 +161,7 @@ $imgs/zzz1 : start= 2048, size= 1775576, type=933AC7E1-2EB4-4F13-B844 $imgs/zzz2 : start= 1777624, size= 131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\"" systemd-repart --offline="$OFFLINE" \ - --definitions="$defs" \ + --definitions="$defs" \ --empty=create \ --size=50M \ --seed="$seed" \ @@ -358,14 +358,14 @@ label-id: 1D2CE291-7CCE-4F7D-BC83-FDB49AD74EBD device: $imgs/zzz unit: sectors first-lba: 2048 -last-lba: 6389726 +last-lba: 6422494 $imgs/zzz1 : start= 2048, size= 591856, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=4980595D-D74A-483A-AA9E-9903879A0EE5, name=\"home-first\", attrs=\"GUID:59\" $imgs/zzz2 : start= 593904, size= 591856, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", attrs=\"GUID:59\" $imgs/zzz3 : start= 1185760, size= 591864, type=${root_guid}, uuid=${root_uuid2}, name=\"root-${architecture}-2\", attrs=\"GUID:59\" $imgs/zzz4 : start= 1777624, size= 131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\" $imgs/zzz5 : start= 1908696, size= 2285568, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=A0A1A2A3-A4A5-A6A7-A8A9-AAABACADAEAF, name=\"custom_label\" $imgs/zzz6 : start= 4194264, size= 2097152, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=2A1D97E1-D0A3-46CC-A26E-ADC643926617, name=\"block-copy\" -$imgs/zzz7 : start= 6291416, size= 98304, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\"" +$imgs/zzz7 : start= 6291416, size= 131072, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\"" if systemd-detect-virt --quiet --container; then echo "Skipping encrypt mount tests in container." @@ -423,7 +423,7 @@ EOF --json=pretty \ "$imgs/zzz") - diff -u <(echo "$output") - <<EOF + diff -u - <<EOF <(echo "$output") [ { "type" : "swap", @@ -484,7 +484,7 @@ EOF --json=pretty \ "$imgs/zzz") - diff -u <(echo "$output") - <<EOF + diff -u - <<EOF <(echo "$output") [ { "type" : "swap", @@ -566,8 +566,8 @@ EOF output=$(sfdisk --dump "$imgs/zzz") assert_in "$imgs/zzz1 : start= 2048, size= 20480, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=39107B09-615D-48FB-BA37-C663885FCE67, name=\"esp\"" "$output" - assert_in "$imgs/zzz2 : start= 22528, size= 20480, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", attrs=\"GUID:59\"" "$output" - assert_in "$imgs/zzz3 : start= 43008, size= 20480, type=${usr_guid}, uuid=${usr_uuid}, name=\"usr-${architecture}\", attrs=\"GUID:60\"" "$output" + assert_in "$imgs/zzz2 : start= 22528, size= 65536, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", attrs=\"GUID:59\"" "$output" + assert_in "$imgs/zzz3 : start= 88064, size= 65536, type=${usr_guid}, uuid=${usr_uuid}, name=\"usr-${architecture}\", attrs=\"GUID:60\"" "$output" if systemd-detect-virt --quiet --container; then echo "Skipping second part of copy blocks tests in container." @@ -1198,7 +1198,8 @@ EOF --json=pretty \ "$imgs/zzz") - diff -u <(echo "$output1" | grep -E "(offset|raw_size|raw_padding)") <(echo "$output2" | grep -E "(offset|raw_size|raw_padding)") + diff -u <(echo "$output1" | grep -E "(offset|raw_size|raw_padding)") \ + <(echo "$output2" | grep -E "(offset|raw_size|raw_padding)") } test_sector() { @@ -1287,6 +1288,49 @@ testcase_dropped_partitions() { [[ "$(sfdisk -q -l "$image" | grep -c "$image")" -eq 2 ]] } +testcase_random_seed() { + local defs imgs output + + # For issue #34257 + + defs="$(mktemp --directory "/tmp/test-repart.defs.XXXXXXXXXX")" + imgs="$(mktemp --directory "/var/tmp/test-repart.imgs.XXXXXXXXXX")" + # shellcheck disable=SC2064 + trap "rm -rf '$defs' '$imgs'" RETURN + chmod 0755 "$defs" + + tee "$defs/root.conf" <<EOF +[Partition] +Type=root +EOF + + tee "$defs/home.conf" <<EOF +[Partition] +Type=home +Label=home-first +EOF + + tee "$defs/swap.conf" <<EOF +[Partition] +Type=swap +SizeMaxBytes=64M +PaddingMinBytes=92M +EOF + + systemd-repart --offline="$OFFLINE" \ + --definitions="$defs" \ + --empty=create \ + --size=1G \ + --dry-run=no \ + --seed=random \ + --offline="$OFFLINE" \ + --json=pretty \ + "$imgs/zzz" + + sfdisk -d "$imgs/zzz" + [[ "$(sfdisk -d "$imgs/zzz" | grep -F 'uuid=' | awk '{ print $8 }' | sort -u | wc -l)" == "3" ]] +} + OFFLINE="yes" run_testcases diff --git a/test/units/TEST-64-UDEV-STORAGE.sh b/test/units/TEST-64-UDEV-STORAGE.sh index 5ddddf5..431b530 100755 --- a/test/units/TEST-64-UDEV-STORAGE.sh +++ b/test/units/TEST-64-UDEV-STORAGE.sh @@ -231,8 +231,8 @@ testcase_nvme_subsystem() { /dev/disk/by-id/nvme-QEMU_NVMe_Ctrl_deadbeef_16 /dev/disk/by-id/nvme-QEMU_NVMe_Ctrl_deadbeef_17 # Shared namespaces - /dev/disk/by-path/pci-*-nvme-16 - /dev/disk/by-path/pci-*-nvme-17 + /dev/disk/by-path/*pci*-nvme-16 + /dev/disk/by-path/*pci*-nvme-17 ) udevadm wait --settle --timeout=30 "${expected_symlinks[@]}" diff --git a/test/units/TEST-69-SHUTDOWN.py b/test/units/TEST-69-SHUTDOWN.py index eb790f4..d044164 100755 --- a/test/units/TEST-69-SHUTDOWN.py +++ b/test/units/TEST-69-SHUTDOWN.py @@ -9,6 +9,13 @@ import pexpect def main(): + # TODO: drop once https://bugs.debian.org/1075733 is fixed + with open("/usr/lib/os-release") as f: + for line in f: + if line.startswith("ID="): + if "debian" in line: + sys.exit(77) + logger = logging.getLogger("test-shutdown") consoles = [] diff --git a/test/units/TEST-70-TPM2.cryptsetup.sh b/test/units/TEST-70-TPM2.cryptsetup.sh index cb7c8b1..b5dd4df 100755 --- a/test/units/TEST-70-TPM2.cryptsetup.sh +++ b/test/units/TEST-70-TPM2.cryptsetup.sh @@ -210,7 +210,7 @@ Format=ext4 CopyFiles=/tmp/dditest:/ Encrypt=tpm2 EOF - PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs= + PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=80M /tmp/dditest.raw --tpm2-pcrs= DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)" udevadm wait --settle --timeout=10 "$DEVICE"p1 systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes diff --git a/test/units/TEST-70-TPM2.pcrlock.sh b/test/units/TEST-70-TPM2.pcrlock.sh index fd51161..10fa7a9 100755 --- a/test/units/TEST-70-TPM2.pcrlock.sh +++ b/test/units/TEST-70-TPM2.pcrlock.sh @@ -89,6 +89,11 @@ systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2- systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless systemd-cryptsetup detach pcrlock +# Ensure systemd-pcrlock not crashing on empty variant directory +mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d +"$SD_PCRLOCK" predict --pcr="$PCRS" +rm -rf /var/lib/pcrlock.d/123-empty.pcrlock.d + # Measure something into PCR 16 (the "debug" PCR), which should make the activation fail "$SD_PCREXTEND" --pcr=16 test70 diff --git a/test/units/TEST-73-LOCALE.sh b/test/units/TEST-73-LOCALE.sh index 18539b8..0617bd0 100755 --- a/test/units/TEST-73-LOCALE.sh +++ b/test/units/TEST-73-LOCALE.sh @@ -657,6 +657,24 @@ testcase_locale_gen_leading_space() { # running on. export SYSTEMD_KBD_MODEL_MAP=/usr/lib/systemd/tests/testdata/test-keymap-util/kbd-model-map +# On Debian and derivatives writing calls to localed are blocked as other tools are used to change settings, +# override that policy +mkdir -p /etc/dbus-1/system.d/ +cat >/etc/dbus-1/system.d/systemd-localed-read-only.conf <<EOF +<?xml version="1.0"?> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <policy user="root"> + <allow send_destination="org.freedesktop.locale1" send_interface="org.freedesktop.locale1" send_member="SetLocale"/> + <allow send_destination="org.freedesktop.locale1" send_interface="org.freedesktop.locale1" send_member="SetVConsoleKeyboard"/> + <allow send_destination="org.freedesktop.locale1" send_interface="org.freedesktop.locale1" send_member="SetX11Keyboard"/> + </policy> +</busconfig> +EOF +trap 'rm -f /etc/dbus-1/system.d/systemd-localed-read-only.conf' EXIT +systemctl reload dbus.service + enable_debug run_testcases diff --git a/test/units/TEST-74-AUX-UTILS.detect-virt.sh b/test/units/TEST-74-AUX-UTILS.detect-virt.sh new file mode 100755 index 0000000..fe1db4d --- /dev/null +++ b/test/units/TEST-74-AUX-UTILS.detect-virt.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux +set -o pipefail + +SYSTEMD_IN_CHROOT=1 systemd-detect-virt --chroot +(! SYSTEMD_IN_CHROOT=0 systemd-detect-virt --chroot) diff --git a/test/units/TEST-74-AUX-UTILS.firstboot.sh b/test/units/TEST-74-AUX-UTILS.firstboot.sh index 7bab009..d9e5f59 100755 --- a/test/units/TEST-74-AUX-UTILS.firstboot.sh +++ b/test/units/TEST-74-AUX-UTILS.firstboot.sh @@ -14,6 +14,7 @@ fi at_exit() { if [[ -n "${ROOT:-}" ]]; then ls -lR "$ROOT" + grep -r . "$ROOT/etc" || : rm -fr "$ROOT" fi @@ -83,15 +84,42 @@ grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id" rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" systemd-firstboot --root="$ROOT" --root-password=foo grep -q "^root:x:0:0:" "$ROOT/etc/passwd" -grep -q "^root:" "$ROOT/etc/shadow" +grep -q "^root:[^!*]" "$ROOT/etc/shadow" rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" echo "foo" >root.passwd systemd-firstboot --root="$ROOT" --root-password-file=root.passwd grep -q "^root:x:0:0:" "$ROOT/etc/passwd" -grep -q "^root:" "$ROOT/etc/shadow" +grep -q "^root:[^!*]" "$ROOT/etc/shadow" rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd -# Set the shell together with the password, as firstboot won't touch -# /etc/passwd if it already exists +# Make sure the root password is set if /etc/passwd and /etc/shadow exist but +# don't have a root entry. +touch "$ROOT/etc/passwd" "$ROOT/etc/shadow" +systemd-firstboot --root="$ROOT" --root-password=foo +grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +grep -q "^root:[^!*]" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" +# If /etc/passwd and /etc/shadow exist, they will only be updated if the shadow +# password is !unprovisioned. +echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd" +echo "root:!test:::::::" >"$ROOT/etc/shadow" +systemd-firstboot --root="$ROOT" --root-password=foo +grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +grep -q "^root:!test:" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" +echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd" +echo "root:!unprovisioned:::::::" >"$ROOT/etc/shadow" +systemd-firstboot --root="$ROOT" --root-password=foo +grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +grep -q "^root:[^!*]" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" +systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" +grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" +systemd-firstboot --root="$ROOT" --root-shell=/bin/fooshell +grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" +grep -q "^root:!\*:" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" @@ -176,8 +204,9 @@ mkdir -p "$ROOT/bin" touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell" # Temporarily disable pipefail to avoid `echo: write error: Broken pipe set +o pipefail -# We can do only limited testing here, since it's all an interactive stuff, -# so --prompt and --prompt-root-password are skipped on purpose +# We can do only limited testing here, since it's all an interactive stuff, so +# --prompt is skipped on purpose and only limited --prompt-root-password +# testing can be done. echo -ne "\nfoo\nbar\n" | systemd-firstboot --root="$ROOT" --prompt-locale grep -q "LANG=foo" "$ROOT$LOCALE_PATH" grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH" @@ -193,6 +222,11 @@ echo -ne "\nEurope/Berlin\n" | systemd-firstboot --root="$ROOT" --prompt-timezon readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$" echo -ne "\nfoobar\n" | systemd-firstboot --root="$ROOT" --prompt-hostname grep -q "foobar" "$ROOT/etc/hostname" +# With no root password provided, a locked account should be created. +systemd-firstboot --root="$ROOT" --prompt-root-password </dev/null +grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +grep -q "^root:!\*:" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" echo -ne "\n/bin/fooshell\n" | systemd-firstboot --root="$ROOT" --prompt-root-shell grep -q "^root:.*:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" # Existing files should not get overwritten @@ -204,15 +238,46 @@ grep -q "^root:.*:0:0:.*:/bin/barshell$" "$ROOT/etc/passwd" # Re-enable pipefail set -o pipefail +# --prompt-* options with credentials. Unfortunately, with --root the +# --systemd.firstboot kernel command line option is ignored, so that can't be +# --tested. +rm -fr "$ROOT" +mkdir -p "$ROOT/bin" +touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell" +systemd-run --wait --pipe --service-type=exec \ + -p SetCredential=firstboot.locale:foo \ + -p SetCredential=firstboot.locale-messages:bar \ + -p SetCredential=firstboot.keymap:foo \ + -p SetCredential=firstboot.timezone:Europe/Berlin \ + -p SetCredential=passwd.hashed-password.root:"$ROOT_HASHED_PASSWORD1" \ + -p SetCredential=passwd.shell.root:/bin/fooshell \ + systemd-firstboot \ + --root="$ROOT" \ + --prompt-locale \ + --prompt-keymap \ + --prompt-timezone \ + --prompt-root-password \ + --prompt-root-shell \ + </dev/null +grep -q "LANG=foo" "$ROOT$LOCALE_PATH" +grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH" +grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf" +readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$" +grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" +grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" + # Assorted tests rm -fr "$ROOT" mkdir "$ROOT" systemd-firstboot --root="$ROOT" --setup-machine-id grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id" +rm -fv "$ROOT/etc/machine-id" systemd-firstboot --root="$ROOT" --delete-root-password -diff <(echo) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") +grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +grep -q "^root::" "$ROOT/etc/shadow" +rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" (! systemd-firstboot --root="$ROOT" --root-shell=/bin/nonexistentshell) (! systemd-firstboot --root="$ROOT" --machine-id=invalidmachineid) diff --git a/test/units/TEST-74-AUX-UTILS.ssh.sh b/test/units/TEST-74-AUX-UTILS.ssh.sh index 5d87d9f..79055a1 100755 --- a/test/units/TEST-74-AUX-UTILS.ssh.sh +++ b/test/units/TEST-74-AUX-UTILS.ssh.sh @@ -46,7 +46,10 @@ test -f /etc/ssh/ssh_host_rsa_key || ssh-keygen -t rsa -C '' -N '' -f /etc/ssh/s echo "PermitRootLogin yes" >> /etc/ssh/sshd_config echo "LogLevel DEBUG3" >> /etc/ssh/sshd_config -test -f /etc/ssh/ssh_config || echo 'Include /etc/ssh/ssh_config.d/*.conf' > /etc/ssh/ssh_config +test -f /etc/ssh/ssh_config || { + echo 'Include /etc/ssh/ssh_config.d/*.conf' + echo 'Include /usr/etc/ssh/ssh_config.d/*.conf' +} >/etc/ssh/ssh_config # ssh wants this dir around, but distros cannot agree on a common name for it, let's just create all that are aware of distros use mkdir -p /usr/share/empty.sshd /var/empty /var/empty/sshd /run/sshd diff --git a/test/units/TEST-74-AUX-UTILS.sysusers.sh b/test/units/TEST-74-AUX-UTILS.sysusers.sh new file mode 100755 index 0000000..dcd2993 --- /dev/null +++ b/test/units/TEST-74-AUX-UTILS.sysusers.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -eux +set -o pipefail + +# shellcheck source=test/units/util.sh +. "$(dirname "$0")"/util.sh + +at_exit() { + set +e + userdel -r foobarbaz + umount /run/systemd/userdb/ +} + +# Check that we indeed run under root to make the rest of the test work +[[ "$(id -u)" -eq 0 ]] + +trap at_exit EXIT + +# Ensure that a non-responsive NSS socket doesn't make sysusers fail +mount -t tmpfs tmpfs /run/systemd/userdb/ +touch /run/systemd/userdb/io.systemd.DynamicUser +echo 'u foobarbaz' | SYSTEMD_LOG_LEVEL=debug systemd-sysusers - +grep -q foobarbaz /etc/passwd diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh index a4417ce..4f38720 100755 --- a/test/units/TEST-75-RESOLVED.sh +++ b/test/units/TEST-75-RESOLVED.sh @@ -11,6 +11,8 @@ set -eux set -o pipefail +# shellcheck source=test/units/test-control.sh +. "$(dirname "$0")"/test-control.sh # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh @@ -65,143 +67,25 @@ restart_resolved() { systemctl service-log-level systemd-resolved.service debug } -# Test for resolvectl, resolvconf -systemctl unmask systemd-resolved.service -systemctl enable --now systemd-resolved.service -systemctl service-log-level systemd-resolved.service debug -ip link add hoge type dummy -ip link add hoge.foo type dummy -resolvectl dns hoge 10.0.0.1 10.0.0.2 -resolvectl dns hoge.foo 10.0.0.3 10.0.0.4 -assert_in '10.0.0.1 10.0.0.2' "$(resolvectl dns hoge)" -assert_in '10.0.0.3 10.0.0.4' "$(resolvectl dns hoge.foo)" -resolvectl dns hoge 10.0.1.1 10.0.1.2 -resolvectl dns hoge.foo 10.0.1.3 10.0.1.4 -assert_in '10.0.1.1 10.0.1.2' "$(resolvectl dns hoge)" -assert_in '10.0.1.3 10.0.1.4' "$(resolvectl dns hoge.foo)" -if ! RESOLVCONF=$(command -v resolvconf 2>/dev/null); then - TMPDIR=$(mktemp -d -p /tmp resolvconf-tests.XXXXXX) - RESOLVCONF="$TMPDIR"/resolvconf - ln -s "$(command -v resolvectl 2>/dev/null)" "$RESOLVCONF" -fi -echo nameserver 10.0.2.1 10.0.2.2 | "$RESOLVCONF" -a hoge -echo nameserver 10.0.2.3 10.0.2.4 | "$RESOLVCONF" -a hoge.foo -assert_in '10.0.2.1 10.0.2.2' "$(resolvectl dns hoge)" -assert_in '10.0.2.3 10.0.2.4' "$(resolvectl dns hoge.foo)" -echo nameserver 10.0.3.1 10.0.3.2 | "$RESOLVCONF" -a hoge.inet.ipsec.192.168.35 -echo nameserver 10.0.3.3 10.0.3.4 | "$RESOLVCONF" -a hoge.foo.dhcp -assert_in '10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)" -assert_in '10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)" - -# Tests for _localdnsstub and _localdnsproxy -assert_in '127.0.0.53' "$(resolvectl query _localdnsstub)" -assert_in '_localdnsstub' "$(resolvectl query 127.0.0.53)" -assert_in '127.0.0.54' "$(resolvectl query _localdnsproxy)" -assert_in '_localdnsproxy' "$(resolvectl query 127.0.0.54)" - -assert_in '127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)" -assert_in '_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)" -assert_in '127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)" -assert_in '_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)" +setup() { + : "SETUP BEGIN" -# Tests for mDNS and LLMNR settings -mkdir -p /run/systemd/resolved.conf.d -{ - echo "[Resolve]" - echo "MulticastDNS=no" - echo "LLMNR=no" -} >/run/systemd/resolved.conf.d/mdns-llmnr.conf -restart_resolved -# make sure networkd is not running. -systemctl stop systemd-networkd.service -assert_in 'no' "$(resolvectl mdns hoge)" -assert_in 'no' "$(resolvectl llmnr hoge)" -# Tests that reloading works -{ - echo "[Resolve]" - echo "MulticastDNS=yes" - echo "LLMNR=yes" -} >/run/systemd/resolved.conf.d/mdns-llmnr.conf -systemctl reload systemd-resolved.service -# defaults to yes (both the global and per-link settings are yes) -assert_in 'yes' "$(resolvectl mdns hoge)" -assert_in 'yes' "$(resolvectl llmnr hoge)" -# set per-link setting -resolvectl mdns hoge yes -resolvectl llmnr hoge yes -assert_in 'yes' "$(resolvectl mdns hoge)" -assert_in 'yes' "$(resolvectl llmnr hoge)" -resolvectl mdns hoge resolve -resolvectl llmnr hoge resolve -assert_in 'resolve' "$(resolvectl mdns hoge)" -assert_in 'resolve' "$(resolvectl llmnr hoge)" -resolvectl mdns hoge no -resolvectl llmnr hoge no -assert_in 'no' "$(resolvectl mdns hoge)" -assert_in 'no' "$(resolvectl llmnr hoge)" -# downgrade global setting to resolve -{ - echo "[Resolve]" - echo "MulticastDNS=resolve" - echo "LLMNR=resolve" -} >/run/systemd/resolved.conf.d/mdns-llmnr.conf -systemctl reload systemd-resolved.service -# set per-link setting -resolvectl mdns hoge yes -resolvectl llmnr hoge yes -assert_in 'resolve' "$(resolvectl mdns hoge)" -assert_in 'resolve' "$(resolvectl llmnr hoge)" -resolvectl mdns hoge resolve -resolvectl llmnr hoge resolve -assert_in 'resolve' "$(resolvectl mdns hoge)" -assert_in 'resolve' "$(resolvectl llmnr hoge)" -resolvectl mdns hoge no -resolvectl llmnr hoge no -assert_in 'no' "$(resolvectl mdns hoge)" -assert_in 'no' "$(resolvectl llmnr hoge)" -# downgrade global setting to no -{ - echo "[Resolve]" - echo "MulticastDNS=no" - echo "LLMNR=no" -} >/run/systemd/resolved.conf.d/mdns-llmnr.conf -systemctl reload systemd-resolved.service -# set per-link setting -resolvectl mdns hoge yes -resolvectl llmnr hoge yes -assert_in 'no' "$(resolvectl mdns hoge)" -assert_in 'no' "$(resolvectl llmnr hoge)" -resolvectl mdns hoge resolve -resolvectl llmnr hoge resolve -assert_in 'no' "$(resolvectl mdns hoge)" -assert_in 'no' "$(resolvectl llmnr hoge)" -resolvectl mdns hoge no -resolvectl llmnr hoge no -assert_in 'no' "$(resolvectl mdns hoge)" -assert_in 'no' "$(resolvectl llmnr hoge)" - -# Cleanup -rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf -ip link del hoge -ip link del hoge.foo - -### SETUP ### -# Configure network -hostnamectl hostname ns1.unsigned.test -cat >>/etc/hosts <<EOF + : "Setup - Configure network" + hostnamectl hostname ns1.unsigned.test + cat >>/etc/hosts <<EOF 10.0.0.1 ns1.unsigned.test fd00:dead:beef:cafe::1 ns1.unsigned.test 127.128.0.5 localhost5 localhost5.localdomain localhost5.localdomain4 localhost.localdomain5 localhost5.localdomain5 EOF -mkdir -p /run/systemd/network -cat >/run/systemd/network/10-dns0.netdev <<EOF + mkdir -p /run/systemd/network + cat >/run/systemd/network/10-dns0.netdev <<EOF [NetDev] Name=dns0 Kind=dummy EOF -cat >/run/systemd/network/10-dns0.network <<EOF + cat >/run/systemd/network/10-dns0.network <<EOF [Match] Name=dns0 @@ -213,12 +97,12 @@ DNSSEC=allow-downgrade DNS=10.0.0.1 DNS=fd00:dead:beef:cafe::1 EOF -cat >/run/systemd/network/10-dns1.netdev <<EOF + cat >/run/systemd/network/10-dns1.netdev <<EOF [NetDev] Name=dns1 Kind=dummy EOF -cat >/run/systemd/network/10-dns1.network <<EOF + cat >/run/systemd/network/10-dns1.network <<EOF [Match] Name=dns1 @@ -227,497 +111,659 @@ IPv6AcceptRA=no Address=10.99.0.1/24 DNSSEC=no EOF -systemctl edit --stdin --full --runtime --force "resolved-dummy-server.service" <<EOF + systemctl edit --stdin --full --runtime --force "resolved-dummy-server.service" <<EOF [Service] Type=notify Environment=SYSTEMD_LOG_LEVEL=debug ExecStart=/usr/lib/systemd/tests/unit-tests/manual/test-resolved-dummy-server 10.99.0.1:53 EOF -DNS_ADDRESSES=( - "10.0.0.1" - "fd00:dead:beef:cafe::1" -) + DNS_ADDRESSES=( + "10.0.0.1" + "fd00:dead:beef:cafe::1" + ) -mkdir -p /run/systemd/resolved.conf.d -{ - echo "[Resolve]" - echo "FallbackDNS=" - echo "DNSSEC=allow-downgrade" - echo "DNSOverTLS=opportunistic" -} >/run/systemd/resolved.conf.d/test.conf -ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf -# Override the default NTA list, which turns off DNSSEC validation for (among -# others) the test. domain -mkdir -p "/etc/dnssec-trust-anchors.d/" -echo local >/etc/dnssec-trust-anchors.d/local.negative - -# Copy over our knot configuration -mkdir -p /var/lib/knot/zones/ /etc/knot/ -cp -rfv /usr/lib/systemd/tests/testdata/knot-data/zones/* /var/lib/knot/zones/ -cp -fv /usr/lib/systemd/tests/testdata/knot-data/knot.conf /etc/knot/knot.conf -chgrp -R knot /etc/knot/ /var/lib/knot/ -chmod -R ug+rwX /var/lib/knot/ -chmod -R g+r /etc/knot/ - -# Sign the root zone -keymgr . generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes -# Create a trust anchor for resolved with our root zone -keymgr . ds | sed 's/ DS/ IN DS/g' >/etc/dnssec-trust-anchors.d/root.positive -# Create a bind-compatible trust anchor (for delv) -# Note: the trust-anchors directive is relatively new, so use the original -# managed-keys one until it's widespread enough -{ - echo 'managed-keys {' - keymgr . dnskey | sed -r 's/^\. DNSKEY ([0-9]+ [0-9]+ [0-9]+) (.+)$/. static-key \1 "\2";/g' - echo '};' -} >/etc/bind.keys -# Create an /etc/bind/bind.keys symlink, which is used by delv on Ubuntu -mkdir -p /etc/bind -ln -svf /etc/bind.keys /etc/bind/bind.keys - -# Start the services -systemctl unmask systemd-networkd -systemctl restart systemd-networkd -/usr/lib/systemd/systemd-networkd-wait-online --interface=dns1:routable --timeout=60 -systemctl reload systemd-resolved -systemctl start resolved-dummy-server - -# Create knot's runtime dir, since from certain version it's provided only by -# the package and not created by tmpfiles/systemd -if [[ ! -d /run/knot ]]; then - mkdir -p /run/knot - chown -R knot:knot /run/knot -fi -systemctl start knot -# Wait a bit for the keys to propagate -sleep 4 - -systemctl status resolved-dummy-server -networkctl status -resolvectl status -resolvectl log-level debug - -# Start monitoring queries -systemd-run -u resolvectl-monitor.service -p Type=notify resolvectl monitor -systemd-run -u resolvectl-monitor-json.service -p Type=notify resolvectl monitor --json=short - -# FIXME: knot, unfortunately, incorrectly complains about missing zone files for zones -# that are forwarded using the `dnsproxy` module. Until the issue is resolved, -# let's fall back to pre-processing the `zone-check` output a bit before checking it -# -# See: https://gitlab.nic.cz/knot/knot-dns/-/issues/913 -run knotc zone-check || : -sed -i '/forwarded.test./d' "$RUN_OUT" -[[ ! -s "$RUN_OUT" ]] -# We need to manually propagate the DS records of onlinesign.test. to the parent -# zone, since they're generated online -knotc zone-begin test. -if knotc zone-get test. onlinesign.test. ds | grep .; then - # Drop any old DS records, if present (e.g. on test re-run) - knotc zone-unset test. onlinesign.test. ds -fi -# Propagate the new DS records -while read -ra line; do - knotc zone-set test. "${line[0]}" 600 "${line[@]:1}" -done < <(keymgr onlinesign.test. ds) -knotc zone-commit test. - -knotc reload -sleep 2 - -### SETUP END ### - -: "--- nss-resolve/nss-myhostname tests" -# Sanity check -TIMESTAMP=$(date '+%F %T') -# Issue: https://github.com/systemd/systemd/issues/23951 -# With IPv6 enabled -run getent -s resolve ahosts ns1.unsigned.test -grep -qE "^fd00:dead:beef:cafe::1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT" -monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1" -# With IPv6 disabled -# Issue: https://github.com/systemd/systemd/issues/23951 -disable_ipv6 -run getent -s resolve ahosts ns1.unsigned.test -grep -qE "^10\.0\.0\.1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT" -(! grep -qE "fd00:dead:beef:cafe::1" "$RUN_OUT") -monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" -enable_ipv6 - -# Issue: https://github.com/systemd/systemd/issues/18812 -# PR: https://github.com/systemd/systemd/pull/18896 -# Follow-up issue: https://github.com/systemd/systemd/issues/23152 -# Follow-up PR: https://github.com/systemd/systemd/pull/23161 -# With IPv6 enabled -run getent -s resolve ahosts localhost -grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT" -run getent -s myhostname ahosts localhost -grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT" -# With IPv6 disabled -disable_ipv6 -run getent -s resolve ahosts localhost -grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT" -(! grep -qE "::1" "$RUN_OUT") -run getent -s myhostname ahosts localhost -grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT" -enable_ipv6 - -# Issue: https://github.com/systemd/systemd/issues/25088 -run getent -s resolve hosts 127.128.0.5 -grep -qEx '127\.128\.0\.5\s+localhost5(\s+localhost5?\.localdomain[45]?){4}' "$RUN_OUT" -[ "$(wc -l <"$RUN_OUT")" -eq 1 ] - -# Issue: https://github.com/systemd/systemd/issues/20158 -run dig +noall +answer +additional localhost5. -grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT" -[ "$(wc -l <"$RUN_OUT")" -eq 1 ] -run dig +noall +answer +additional localhost5.localdomain4. -grep -qEx 'localhost5\.localdomain4\.\s+0\s+IN\s+CNAME\s+localhost5\.' "$RUN_OUT" -grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT" -[ "$(wc -l <"$RUN_OUT")" -eq 2 ] - -: "--- Basic resolved tests ---" -# Issue: https://github.com/systemd/systemd/issues/22229 -# PR: https://github.com/systemd/systemd/pull/22231 -FILTERED_NAMES=( - "0.in-addr.arpa" - "255.255.255.255.in-addr.arpa" - "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" - "hello.invalid" - "hello.alt" -) + mkdir -p /run/systemd/resolved.conf.d + { + echo "[Resolve]" + echo "FallbackDNS=" + echo "DNSSEC=allow-downgrade" + echo "DNSOverTLS=opportunistic" + } >/run/systemd/resolved.conf.d/test.conf + ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf + # Override the default NTA list, which turns off DNSSEC validation for (among + # others) the test. domain + mkdir -p "/etc/dnssec-trust-anchors.d/" + echo local >/etc/dnssec-trust-anchors.d/local.negative + + # Copy over our knot configuration + mkdir -p /var/lib/knot/zones/ /etc/knot/ + cp -rfv /usr/lib/systemd/tests/testdata/knot-data/zones/* /var/lib/knot/zones/ + cp -fv /usr/lib/systemd/tests/testdata/knot-data/knot.conf /etc/knot/knot.conf + chgrp -R knot /etc/knot/ /var/lib/knot/ + chmod -R ug+rwX /var/lib/knot/ + chmod -R g+r /etc/knot/ + + : "Setup - Sign the root zone" + keymgr . generate algorithm=ECDSAP256SHA256 ksk=yes zsk=yes + # Create a trust anchor for resolved with our root zone + keymgr . ds | sed 's/ DS/ IN DS/g' >/etc/dnssec-trust-anchors.d/root.positive + # Create a bind-compatible trust anchor (for delv) + # Note: the trust-anchors directive is relatively new, so use the original + # managed-keys one until it's widespread enough + { + echo 'managed-keys {' + keymgr . dnskey | sed -r 's/^\. DNSKEY ([0-9]+ [0-9]+ [0-9]+) (.+)$/. static-key \1 "\2";/g' + echo '};' + } >/etc/bind.keys + # Create an /etc/bind/bind.keys symlink, which is used by delv on Ubuntu + mkdir -p /etc/bind + ln -svf /etc/bind.keys /etc/bind/bind.keys + + # Start the services + systemctl unmask systemd-networkd + systemctl restart systemd-networkd + /usr/lib/systemd/systemd-networkd-wait-online --interface=dns1:routable --timeout=60 + systemctl reload systemd-resolved + systemctl start resolved-dummy-server + + # Create knot's runtime dir, since from certain version it's provided only by + # the package and not created by tmpfiles/systemd + if [[ ! -d /run/knot ]]; then + mkdir -p /run/knot + chown -R knot:knot /run/knot + fi + systemctl start knot + # Wait a bit for the keys to propagate + sleep 4 + + systemctl status resolved-dummy-server + networkctl status + resolvectl status + resolvectl log-level debug + + : "Setup - Start monitoring queries" + systemd-run -u resolvectl-monitor.service -p Type=notify resolvectl monitor + systemd-run -u resolvectl-monitor-json.service -p Type=notify resolvectl monitor --json=short + + : "Setup - Check if all the zones are valid" + # FIXME: knot, unfortunately, incorrectly complains about missing zone files for zones + # that are forwarded using the `dnsproxy` module. Until the issue is resolved, + # let's fall back to pre-processing the `zone-check` output a bit before checking it + # + # See: https://gitlab.nic.cz/knot/knot-dns/-/issues/913 + run knotc zone-check || : + sed -i '/forwarded.test./d' "$RUN_OUT" + [[ ! -s "$RUN_OUT" ]] + # We need to manually propagate the DS records of onlinesign.test. to the parent + # zone, since they're generated online + knotc zone-begin test. + if knotc zone-get test. onlinesign.test. ds | grep .; then + # Drop any old DS records, if present (e.g. on test re-run) + knotc zone-unset test. onlinesign.test. ds + fi + + : "Setup - Propagate the new DS records" + while read -ra line; do + knotc zone-set test. "${line[0]}" 600 "${line[@]:1}" + done < <(keymgr onlinesign.test. ds) + knotc zone-commit test. + + knotc reload + sleep 2 + + : "SETUP END" +} + +# Test for resolvectl, resolvconf +manual_testcase_01_resolvectl() { + ip link add hoge type dummy + ip link add hoge.foo type dummy + + # Cleanup + # shellcheck disable=SC2317 + cleanup() { + rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf + ip link del hoge + ip link del hoge.foo + } + + trap cleanup RETURN + + resolvectl dns hoge 10.0.0.1 10.0.0.2 + resolvectl dns hoge.foo 10.0.0.3 10.0.0.4 + assert_in '10.0.0.1 10.0.0.2' "$(resolvectl dns hoge)" + assert_in '10.0.0.3 10.0.0.4' "$(resolvectl dns hoge.foo)" + resolvectl dns hoge 10.0.1.1 10.0.1.2 + resolvectl dns hoge.foo 10.0.1.3 10.0.1.4 + assert_in '10.0.1.1 10.0.1.2' "$(resolvectl dns hoge)" + assert_in '10.0.1.3 10.0.1.4' "$(resolvectl dns hoge.foo)" + if ! RESOLVCONF=$(command -v resolvconf 2>/dev/null); then + TMPDIR=$(mktemp -d -p /tmp resolvconf-tests.XXXXXX) + RESOLVCONF="$TMPDIR"/resolvconf + ln -s "$(command -v resolvectl 2>/dev/null)" "$RESOLVCONF" + fi + echo nameserver 10.0.2.1 10.0.2.2 | "$RESOLVCONF" -a hoge + echo nameserver 10.0.2.3 10.0.2.4 | "$RESOLVCONF" -a hoge.foo + assert_in '10.0.2.1 10.0.2.2' "$(resolvectl dns hoge)" + assert_in '10.0.2.3 10.0.2.4' "$(resolvectl dns hoge.foo)" + echo nameserver 10.0.3.1 10.0.3.2 | "$RESOLVCONF" -a hoge.inet.ipsec.192.168.35 + echo nameserver 10.0.3.3 10.0.3.4 | "$RESOLVCONF" -a hoge.foo.dhcp + assert_in '10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)" + assert_in '10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)" + + # Tests for _localdnsstub and _localdnsproxy + assert_in '127.0.0.53' "$(resolvectl query _localdnsstub)" + assert_in '_localdnsstub' "$(resolvectl query 127.0.0.53)" + assert_in '127.0.0.54' "$(resolvectl query _localdnsproxy)" + assert_in '_localdnsproxy' "$(resolvectl query 127.0.0.54)" + + assert_in '127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)" + assert_in '_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)" + assert_in '127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)" + assert_in '_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)" +} + +# Tests for mDNS and LLMNR settings +manual_testcase_02_mdns_llmnr() { + ip link add hoge type dummy + ip link add hoge.foo type dummy + + # Cleanup + cleanup() { + rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf + ip link del hoge + ip link del hoge.foo + } -for name in "${FILTERED_NAMES[@]}"; do - (! run host "$name") - grep -qF "NXDOMAIN" "$RUN_OUT" -done - -# Follow-up -# Issue: https://github.com/systemd/systemd/issues/22401 -# PR: https://github.com/systemd/systemd/pull/22414 -run dig +noall +authority +comments SRV . -grep -qF "status: NOERROR" "$RUN_OUT" -grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT" - -run resolvectl query -t SVCB svcb.test -grep -qF 'alpn="dot"' "$RUN_OUT" -grep -qF "ipv4hint=10.0.0.1" "$RUN_OUT" - -run resolvectl query -t HTTPS https.test -grep -qF 'alpn="h2,h3"' "$RUN_OUT" - -: "--- ZONE: unsigned.test. ---" -run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA -grep -qF "10.0.0.101" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT" -run resolvectl query unsigned.test -grep -qF "10.0.0.10" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT" -grep -qF "authenticated: no" "$RUN_OUT" -run dig @ns1.unsigned.test +short MX unsigned.test -grep -qF "15 mail.unsigned.test." "$RUN_OUT" -run resolvectl query --legend=no -t MX unsigned.test -grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT" - - -: "--- ZONE: signed.test (static DNSSEC) ---" -# Check the trust chain (with and without systemd-resolved in between -# Issue: https://github.com/systemd/systemd/issues/22002 -# PR: https://github.com/systemd/systemd/pull/23289 -run_delv @ns1.unsigned.test signed.test -grep -qF "; fully validated" "$RUN_OUT" -run_delv signed.test -grep -qF "; fully validated" "$RUN_OUT" - -for addr in "${DNS_ADDRESSES[@]}"; do - run_delv "@$addr" -t A mail.signed.test + trap cleanup RETURN + + mkdir -p /run/systemd/resolved.conf.d + { + echo "[Resolve]" + echo "MulticastDNS=no" + echo "LLMNR=no" + } >/run/systemd/resolved.conf.d/mdns-llmnr.conf + restart_resolved + # make sure networkd is not running. + systemctl stop systemd-networkd.service + assert_in 'no' "$(resolvectl mdns hoge)" + assert_in 'no' "$(resolvectl llmnr hoge)" + # Tests that reloading works + { + echo "[Resolve]" + echo "MulticastDNS=yes" + echo "LLMNR=yes" + } >/run/systemd/resolved.conf.d/mdns-llmnr.conf + systemctl reload systemd-resolved.service + # defaults to yes (both the global and per-link settings are yes) + assert_in 'yes' "$(resolvectl mdns hoge)" + assert_in 'yes' "$(resolvectl llmnr hoge)" + # set per-link setting + resolvectl mdns hoge yes + resolvectl llmnr hoge yes + assert_in 'yes' "$(resolvectl mdns hoge)" + assert_in 'yes' "$(resolvectl llmnr hoge)" + resolvectl mdns hoge resolve + resolvectl llmnr hoge resolve + assert_in 'resolve' "$(resolvectl mdns hoge)" + assert_in 'resolve' "$(resolvectl llmnr hoge)" + resolvectl mdns hoge no + resolvectl llmnr hoge no + assert_in 'no' "$(resolvectl mdns hoge)" + assert_in 'no' "$(resolvectl llmnr hoge)" + # downgrade global setting to resolve + { + echo "[Resolve]" + echo "MulticastDNS=resolve" + echo "LLMNR=resolve" + } >/run/systemd/resolved.conf.d/mdns-llmnr.conf + systemctl reload systemd-resolved.service + # set per-link setting + resolvectl mdns hoge yes + resolvectl llmnr hoge yes + assert_in 'resolve' "$(resolvectl mdns hoge)" + assert_in 'resolve' "$(resolvectl llmnr hoge)" + resolvectl mdns hoge resolve + resolvectl llmnr hoge resolve + assert_in 'resolve' "$(resolvectl mdns hoge)" + assert_in 'resolve' "$(resolvectl llmnr hoge)" + resolvectl mdns hoge no + resolvectl llmnr hoge no + assert_in 'no' "$(resolvectl mdns hoge)" + assert_in 'no' "$(resolvectl llmnr hoge)" + # downgrade global setting to no + { + echo "[Resolve]" + echo "MulticastDNS=no" + echo "LLMNR=no" + } >/run/systemd/resolved.conf.d/mdns-llmnr.conf + systemctl reload systemd-resolved.service + # set per-link setting + resolvectl mdns hoge yes + resolvectl llmnr hoge yes + assert_in 'no' "$(resolvectl mdns hoge)" + assert_in 'no' "$(resolvectl llmnr hoge)" + resolvectl mdns hoge resolve + resolvectl llmnr hoge resolve + assert_in 'no' "$(resolvectl mdns hoge)" + assert_in 'no' "$(resolvectl llmnr hoge)" + resolvectl mdns hoge no + resolvectl llmnr hoge no + assert_in 'no' "$(resolvectl mdns hoge)" + assert_in 'no' "$(resolvectl llmnr hoge)" +} + +testcase_03_23951() { + : "--- nss-resolve/nss-myhostname tests" + # Sanity check + TIMESTAMP=$(date '+%F %T') + # Issue: https://github.com/systemd/systemd/issues/23951 + # With IPv6 enabled + run getent -s resolve ahosts ns1.unsigned.test + grep -qE "^fd00:dead:beef:cafe::1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT" + monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1" + # With IPv6 disabled + # Issue: https://github.com/systemd/systemd/issues/23951 + disable_ipv6 + run getent -s resolve ahosts ns1.unsigned.test + grep -qE "^10\.0\.0\.1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT" + (! grep -qE "fd00:dead:beef:cafe::1" "$RUN_OUT") + monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" + enable_ipv6 +} + +testcase_04_18812() { + # Issue: https://github.com/systemd/systemd/issues/18812 + # PR: https://github.com/systemd/systemd/pull/18896 + # Follow-up issue: https://github.com/systemd/systemd/issues/23152 + # Follow-up PR: https://github.com/systemd/systemd/pull/23161 + # With IPv6 enabled + run getent -s resolve ahosts localhost + grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT" + run getent -s myhostname ahosts localhost + grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT" + # With IPv6 disabled + disable_ipv6 + run getent -s resolve ahosts localhost + grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT" + (! grep -qE "::1" "$RUN_OUT") + run getent -s myhostname ahosts localhost + grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT" + enable_ipv6 +} + +testcase_05_25088() { + # Issue: https://github.com/systemd/systemd/issues/25088 + run getent -s resolve hosts 127.128.0.5 + grep -qEx '127\.128\.0\.5\s+localhost5(\s+localhost5?\.localdomain[45]?){4}' "$RUN_OUT" + [ "$(wc -l <"$RUN_OUT")" -eq 1 ] +} + +testcase_06_20158() { + # Issue: https://github.com/systemd/systemd/issues/20158 + run dig +noall +answer +additional localhost5. + grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT" + [ "$(wc -l <"$RUN_OUT")" -eq 1 ] + run dig +noall +answer +additional localhost5.localdomain4. + grep -qEx 'localhost5\.localdomain4\.\s+0\s+IN\s+CNAME\s+localhost5\.' "$RUN_OUT" + grep -qEx 'localhost5\.\s+0\s+IN\s+A\s+127\.128\.0\.5' "$RUN_OUT" + [ "$(wc -l <"$RUN_OUT")" -eq 2 ] +} + +testcase_07_22229() { + : "--- Basic resolved tests ---" + # Issue: https://github.com/systemd/systemd/issues/22229 + # PR: https://github.com/systemd/systemd/pull/22231 + FILTERED_NAMES=( + "0.in-addr.arpa" + "255.255.255.255.in-addr.arpa" + "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" + "hello.invalid" + "hello.alt" + ) + + for name in "${FILTERED_NAMES[@]}"; do + (! run host "$name") + grep -qF "NXDOMAIN" "$RUN_OUT" + done + + # Follow-up + # Issue: https://github.com/systemd/systemd/issues/22401 + # PR: https://github.com/systemd/systemd/pull/22414 + run dig +noall +authority +comments SRV . + grep -qF "status: NOERROR" "$RUN_OUT" + grep -qE "IN\s+SOA\s+ns1\.unsigned\.test\." "$RUN_OUT" +} + +testcase_08_resolved() { + run resolvectl query -t SVCB svcb.test + grep -qF 'alpn="dot"' "$RUN_OUT" + grep -qF "ipv4hint=10.0.0.1" "$RUN_OUT" + + run resolvectl query -t HTTPS https.test + grep -qF 'alpn="h2,h3"' "$RUN_OUT" + + : "--- ZONE: unsigned.test. ---" + run dig @ns1.unsigned.test +short unsigned.test A unsigned.test AAAA + grep -qF "10.0.0.101" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT" + run resolvectl query unsigned.test + grep -qF "10.0.0.10" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::101" "$RUN_OUT" + grep -qF "authenticated: no" "$RUN_OUT" + run dig @ns1.unsigned.test +short MX unsigned.test + grep -qF "15 mail.unsigned.test." "$RUN_OUT" + run resolvectl query --legend=no -t MX unsigned.test + grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT" + + : "--- ZONE: signed.test (static DNSSEC) ---" + # Check the trust chain (with and without systemd-resolved in between + # Issue: https://github.com/systemd/systemd/issues/22002 + # PR: https://github.com/systemd/systemd/pull/23289 + run_delv @ns1.unsigned.test signed.test grep -qF "; fully validated" "$RUN_OUT" - run_delv "@$addr" -t AAAA mail.signed.test + run_delv signed.test grep -qF "; fully validated" "$RUN_OUT" -done -run resolvectl query mail.signed.test -grep -qF "10.0.0.11" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" - -run dig +short signed.test -grep -qF "10.0.0.10" "$RUN_OUT" -run resolvectl query signed.test -grep -qF "signed.test: 10.0.0.10" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" -run dig @ns1.unsigned.test +short MX signed.test -grep -qF "10 mail.signed.test." "$RUN_OUT" -run resolvectl query --legend=no -t MX signed.test -grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT" -# Check a non-existent domain -run dig +dnssec this.does.not.exist.signed.test -grep -qF "status: NXDOMAIN" "$RUN_OUT" -# Check a wildcard record -run resolvectl query -t TXT this.should.be.authenticated.wild.signed.test -grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" -# Check SRV support -run resolvectl service _mysvc._tcp signed.test -grep -qF "myservice.signed.test:1234" "$RUN_OUT" -grep -qF "10.0.0.20" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" - -# Test service resolve over Varlink -run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"name":"","type":"_mysvc._tcp","domain":"signed.test"}' -grep -qF '"services":[{"priority":10,"weight":5,"port":1234,"hostname":"myservice.signed.test","canonicalName":"myservice.signed.test","addresses":[{"ifindex":' "$RUN_OUT" -grep -qF '"family":10,"address":[253,0,222,173,190,239,202,254,0,0,0,0,0,0,0,23]' "$RUN_OUT" -grep -qF '"family":2,"address":[10,0,0,20]' "$RUN_OUT" -grep -qF '}]}],"txt":["This is TXT for myservice"],"canonical":{"name":null,"type":"_mysvc._tcp","domain":"signed.test"},"flags":' "$RUN_OUT" - -# without name -run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test"}' -# without txt (SD_RESOLVE_NO_TXT) -run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test","flags":64}' -(! grep -qF '"txt"' "$RUN_OUT") -# without address (SD_RESOLVE_NO_ADDRESS) -run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test","flags":128}' -(! grep -qF '"addresses"' "$RUN_OUT") -# without txt and address -run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test","flags":192}' -(! grep -qF '"txt"' "$RUN_OUT") -(! grep -qF '"addresses"' "$RUN_OUT") - -(! run resolvectl service _invalidsvc._udp signed.test) -grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT" -run resolvectl service _untrustedsvc._udp signed.test -grep -qF "myservice.untrusted.test:1111" "$RUN_OUT" -grep -qF "10.0.0.123" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" -# Check OPENPGPKEY support -run_delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test -grep -qF "; fully validated" "$RUN_OUT" -run resolvectl openpgp mr.smith@signed.test -grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" -# Check zone transfers (AXFR/IXFR) -# Note: since resolved doesn't support zone transfers, let's just make sure it -# simply refuses such requests without choking on them -# See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804 -run dig @ns1.unsigned.test AXFR signed.test -grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT" -run dig AXFR signed.test -grep -qF "; Transfer failed" "$RUN_OUT" -run dig @ns1.unsigned.test IXFR=43 signed.test -grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT" -run dig IXFR=43 signed.test -grep -qF "; Transfer failed" "$RUN_OUT" - -# DNSSEC validation with multiple records of the same type for the same name -# Issue: https://github.com/systemd/systemd/issues/22002 -# PR: https://github.com/systemd/systemd/pull/23289 -check_domain() { - local domain="${1:?}" - local record="${2:?}" - local message="${3:?}" - local addr for addr in "${DNS_ADDRESSES[@]}"; do - run_delv "@$addr" -t "$record" "$domain" - grep -qF "$message" "$RUN_OUT" + run_delv "@$addr" -t A mail.signed.test + grep -qF "; fully validated" "$RUN_OUT" + run_delv "@$addr" -t AAAA mail.signed.test + grep -qF "; fully validated" "$RUN_OUT" done + run resolvectl query mail.signed.test + grep -qF "10.0.0.11" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::11" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" - run_delv -t "$record" "$domain" - grep -qF "$message" "$RUN_OUT" + run dig +short signed.test + grep -qF "10.0.0.10" "$RUN_OUT" + run resolvectl query signed.test + grep -qF "signed.test: 10.0.0.10" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + run dig @ns1.unsigned.test +short MX signed.test + grep -qF "10 mail.signed.test." "$RUN_OUT" + run resolvectl query --legend=no -t MX signed.test + grep -qF "signed.test IN MX 10 mail.signed.test" "$RUN_OUT" + # Check a non-existent domain + run dig +dnssec this.does.not.exist.signed.test + grep -qF "status: NXDOMAIN" "$RUN_OUT" + # Check a wildcard record + run resolvectl query -t TXT this.should.be.authenticated.wild.signed.test + grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + # Check SRV support + run resolvectl service _mysvc._tcp signed.test + grep -qF "myservice.signed.test:1234" "$RUN_OUT" + grep -qF "10.0.0.20" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" - run resolvectl query "$domain" + # Test service resolve over Varlink + run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"name":"","type":"_mysvc._tcp","domain":"signed.test"}' + grep -qF '"services":[{"priority":10,"weight":5,"port":1234,"hostname":"myservice.signed.test","canonicalName":"myservice.signed.test","addresses":[{"ifindex":' "$RUN_OUT" + grep -qF '"family":10,"address":[253,0,222,173,190,239,202,254,0,0,0,0,0,0,0,23]' "$RUN_OUT" + grep -qF '"family":2,"address":[10,0,0,20]' "$RUN_OUT" + grep -qF '}]}],"txt":["This is TXT for myservice"],"canonical":{"name":null,"type":"_mysvc._tcp","domain":"signed.test"},"flags":' "$RUN_OUT" + + # without name + run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test"}' + # without txt (SD_RESOLVE_NO_TXT) + run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test","flags":64}' + (! grep -qF '"txt"' "$RUN_OUT") + # without address (SD_RESOLVE_NO_ADDRESS) + run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test","flags":128}' + (! grep -qF '"addresses"' "$RUN_OUT") + # without txt and address + run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveService '{"type":"_mysvc._tcp","domain":"signed.test","flags":192}' + (! grep -qF '"txt"' "$RUN_OUT") + (! grep -qF '"addresses"' "$RUN_OUT") + + (! run resolvectl service _invalidsvc._udp signed.test) + grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT" + run resolvectl service _untrustedsvc._udp signed.test + grep -qF "myservice.untrusted.test:1111" "$RUN_OUT" + grep -qF "10.0.0.123" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" grep -qF "authenticated: yes" "$RUN_OUT" -} + # Check OPENPGPKEY support + run_delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test + grep -qF "; fully validated" "$RUN_OUT" + run resolvectl openpgp mr.smith@signed.test + grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + # Check zone transfers (AXFR/IXFR) + # Note: since resolved doesn't support zone transfers, let's just make sure it + # simply refuses such requests without choking on them + # See: https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804 + run dig @ns1.unsigned.test AXFR signed.test + grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT" + run dig AXFR signed.test + grep -qF "; Transfer failed" "$RUN_OUT" + run dig @ns1.unsigned.test IXFR=43 signed.test + grep -qE "SOA\s+ns1.unsigned.test. root.unsigned.test." "$RUN_OUT" + run dig IXFR=43 signed.test + grep -qF "; Transfer failed" "$RUN_OUT" + + # DNSSEC validation with multiple records of the same type for the same name + # Issue: https://github.com/systemd/systemd/issues/22002 + # PR: https://github.com/systemd/systemd/pull/23289 + check_domain() { + local domain="${1:?}" + local record="${2:?}" + local message="${3:?}" + local addr + + for addr in "${DNS_ADDRESSES[@]}"; do + run_delv "@$addr" -t "$record" "$domain" + grep -qF "$message" "$RUN_OUT" + done + + run_delv -t "$record" "$domain" + grep -qF "$message" "$RUN_OUT" + + run resolvectl query "$domain" + grep -qF "authenticated: yes" "$RUN_OUT" + } + + check_domain "dupe.signed.test" "A" "; fully validated" + check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated" + check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated" + check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated" + check_domain "dupe-mixed.signed.test" "A" "; fully validated" + check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated" + + # Test resolution of CNAME chains + TIMESTAMP=$(date '+%F %T') + run resolvectl query -t A cname-chain.signed.test + grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + + monitor_check_rr "$TIMESTAMP" "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test" + monitor_check_rr "$TIMESTAMP" "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test" + monitor_check_rr "$TIMESTAMP" "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test" + monitor_check_rr "$TIMESTAMP" "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test" + monitor_check_rr "$TIMESTAMP" "follow14.final.signed.test IN A 10.0.0.14" + + # Non-existing RR + CNAME chain + #run dig +dnssec AAAA cname-chain.signed.test + #grep -qF "status: NOERROR" "$RUN_OUT" + #grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT" + + + : "--- ZONE: onlinesign.test (dynamic DNSSEC) ---" + # Check the trust chain (with and without systemd-resolved in between + # Issue: https://github.com/systemd/systemd/issues/22002 + # PR: https://github.com/systemd/systemd/pull/23289 + run_delv @ns1.unsigned.test sub.onlinesign.test + grep -qF "; fully validated" "$RUN_OUT" + run_delv sub.onlinesign.test + grep -qF "; fully validated" "$RUN_OUT" + + run dig +short sub.onlinesign.test + grep -qF "10.0.0.133" "$RUN_OUT" + run resolvectl query sub.onlinesign.test + grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + run dig @ns1.unsigned.test +short TXT onlinesign.test + grep -qF '"hello from onlinesign"' "$RUN_OUT" + run resolvectl query --legend=no -t TXT onlinesign.test + grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT" -check_domain "dupe.signed.test" "A" "; fully validated" -check_domain "dupe.signed.test" "AAAA" "; negative response, fully validated" -check_domain "dupe-ipv6.signed.test" "AAAA" "; fully validated" -check_domain "dupe-ipv6.signed.test" "A" "; negative response, fully validated" -check_domain "dupe-mixed.signed.test" "A" "; fully validated" -check_domain "dupe-mixed.signed.test" "AAAA" "; fully validated" - -# Test resolution of CNAME chains -TIMESTAMP=$(date '+%F %T') -run resolvectl query -t A cname-chain.signed.test -grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" - -monitor_check_rr "$TIMESTAMP" "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test" -monitor_check_rr "$TIMESTAMP" "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test" -monitor_check_rr "$TIMESTAMP" "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test" -monitor_check_rr "$TIMESTAMP" "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test" -monitor_check_rr "$TIMESTAMP" "follow14.final.signed.test IN A 10.0.0.14" - -# Non-existing RR + CNAME chain -#run dig +dnssec AAAA cname-chain.signed.test -#grep -qF "status: NOERROR" "$RUN_OUT" -#grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT" - - -: "--- ZONE: onlinesign.test (dynamic DNSSEC) ---" -# Check the trust chain (with and without systemd-resolved in between -# Issue: https://github.com/systemd/systemd/issues/22002 -# PR: https://github.com/systemd/systemd/pull/23289 -run_delv @ns1.unsigned.test sub.onlinesign.test -grep -qF "; fully validated" "$RUN_OUT" -run_delv sub.onlinesign.test -grep -qF "; fully validated" "$RUN_OUT" - -run dig +short sub.onlinesign.test -grep -qF "10.0.0.133" "$RUN_OUT" -run resolvectl query sub.onlinesign.test -grep -qF "sub.onlinesign.test: 10.0.0.133" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" -run dig @ns1.unsigned.test +short TXT onlinesign.test -grep -qF '"hello from onlinesign"' "$RUN_OUT" -run resolvectl query --legend=no -t TXT onlinesign.test -grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT" - -for addr in "${DNS_ADDRESSES[@]}"; do - run_delv "@$addr" -t A dual.onlinesign.test + for addr in "${DNS_ADDRESSES[@]}"; do + run_delv "@$addr" -t A dual.onlinesign.test + grep -qF "10.0.0.135" "$RUN_OUT" + run_delv "@$addr" -t AAAA dual.onlinesign.test + grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT" + run_delv "@$addr" -t ANY ipv6.onlinesign.test + grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT" + done + run resolvectl query dual.onlinesign.test grep -qF "10.0.0.135" "$RUN_OUT" - run_delv "@$addr" -t AAAA dual.onlinesign.test grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT" - run_delv "@$addr" -t ANY ipv6.onlinesign.test + grep -qF "authenticated: yes" "$RUN_OUT" + run resolvectl query ipv6.onlinesign.test grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT" -done -run resolvectl query dual.onlinesign.test -grep -qF "10.0.0.135" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" -run resolvectl query ipv6.onlinesign.test -grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" - -# Check a non-existent domain -# Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the -# different response than with "standard" DNSSEC -run dig +dnssec this.does.not.exist.onlinesign.test -grep -qF "status: NOERROR" "$RUN_OUT" -grep -qF "NSEC \\000.this.does.not.exist.onlinesign.test." "$RUN_OUT" -# Check a wildcard record -run resolvectl query -t TXT this.should.be.authenticated.wild.onlinesign.test -grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an onlinesign wildcard"' "$RUN_OUT" -grep -qF "authenticated: yes" "$RUN_OUT" - -# Resolve via dbus method -TIMESTAMP=$(date '+%F %T') -run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager ResolveHostname 'isit' 0 secondsub.onlinesign.test 0 0 -grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT" -monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134" - - -: "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---" -# Issue: https://github.com/systemd/systemd/issues/23955 -# FIXME -resolvectl flush-caches -#run dig +short untrusted.test A untrusted.test AAAA -#grep -qF "10.0.0.121" "$RUN_OUT" -#grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" -run resolvectl query untrusted.test -grep -qF "untrusted.test:" "$RUN_OUT" -grep -qF "10.0.0.121" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" -grep -qF "authenticated: no" "$RUN_OUT" -run resolvectl service _mysvc._tcp untrusted.test -grep -qF "myservice.untrusted.test:1234" "$RUN_OUT" -grep -qF "10.0.0.123" "$RUN_OUT" -grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" - -# Issue: https://github.com/systemd/systemd/issues/19472 -# 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN -# FIXME: re-enable once the issue is resolved -#run dig +dnssec AAAA untrusted.test -#grep -qF "status: NOERROR" "$RUN_OUT" -#grep -qE "^untrusted\.test\..+IN\s+NSEC\s+" "$RUN_OUT" -## 2) Query for a non-existing name should return NXDOMAIN, not SERVFAIL -#run dig +dnssec this.does.not.exist.untrusted.test -#grep -qF "status: NXDOMAIN" "$RUN_OUT" - -: "--- ZONE: forwarded.test (queries forwarded to our dummy test server) ---" -JOURNAL_CURSOR="$(mktemp)" -journalctl -n0 -q --cursor-file="$JOURNAL_CURSOR" - -# See "test-resolved-dummy-server.c" for the server part -(! run resolvectl query nope.forwarded.test) -grep -qF "nope.forwarded.test" "$RUN_OUT" -grep -qF "not found" "$RUN_OUT" - -# SERVFAIL + EDE code 6: DNSSEC Bogus -(! run resolvectl query edns-bogus-dnssec.forwarded.test) -grep -qE "^edns-bogus-dnssec.forwarded.test:.+: upstream-failure \(DNSSEC Bogus\)" "$RUN_OUT" -# Same thing, but over Varlink -(! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-bogus-dnssec.forwarded.test"}') -grep -qF "io.systemd.Resolve.DNSSECValidationFailed" "$RUN_OUT" -grep -qF '{"result":"upstream-failure","extendedDNSErrorCode":6}' "$RUN_OUT" -journalctl --sync -journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(DNSSEC Bogus\). Lookup failed." - -# SERVFAIL + EDE code 16: Censored + extra text -(! run resolvectl query edns-extra-text.forwarded.test) -grep -qE "^edns-extra-text.forwarded.test.+: SERVFAIL \(Censored: Nothing to see here!\)" "$RUN_OUT" -(! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-extra-text.forwarded.test"}') -grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" -grep -qF '{"rcode":2,"extendedDNSErrorCode":16,"extendedDNSErrorMessage":"Nothing to see here!"}' "$RUN_OUT" -journalctl --sync -journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Censored: Nothing to see here!\)" - -# SERVFAIL + EDE code 0: Other + extra text -(! run resolvectl query edns-code-zero.forwarded.test) -grep -qE "^edns-code-zero.forwarded.test:.+: SERVFAIL \(Other: 🐱\)" "$RUN_OUT" -(! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-code-zero.forwarded.test"}') -grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" -grep -qF '{"rcode":2,"extendedDNSErrorCode":0,"extendedDNSErrorMessage":"🐱"}' "$RUN_OUT" -journalctl --sync -journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Other: 🐱\)" - -# SERVFAIL + invalid EDE code -(! run resolvectl query edns-invalid-code.forwarded.test) -grep -qE "^edns-invalid-code.forwarded.test:.+: SERVFAIL \([0-9]+\)" "$RUN_OUT" -(! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-invalid-code.forwarded.test"}') -grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" -grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+}' "$RUN_OUT" -journalctl --sync -journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+\)" - -# SERVFAIL + invalid EDE code + extra text -(! run resolvectl query edns-invalid-code-with-extra-text.forwarded.test) -grep -qE '^edns-invalid-code-with-extra-text.forwarded.test:.+: SERVFAIL \([0-9]+: Hello \[#\]\$%~ World\)' "$RUN_OUT" -(! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-invalid-code-with-extra-text.forwarded.test"}') -grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" -grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+,"extendedDNSErrorMessage":"Hello \[#\]\$%~ World"}' "$RUN_OUT" -journalctl --sync -journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+: Hello \[\#\]\\$%~ World\)" - -### Test resolvectl show-cache -run resolvectl show-cache -run resolvectl show-cache --json=short -run resolvectl show-cache --json=pretty - -# Issue: https://github.com/systemd/systemd/issues/29580 (part #1) -dig @127.0.0.54 signed.test - -systemctl stop resolvectl-monitor.service -systemctl stop resolvectl-monitor-json.service - -# Issue: https://github.com/systemd/systemd/issues/29580 (part #2) -# -# Check for any warnings regarding malformed messages -(! journalctl -u resolvectl-monitor.service -u reseolvectl-monitor-json.service -p warning --grep malformed) -# Verify that all queries recorded by `resolvectl monitor --json` produced a valid JSON -# with expected fields -journalctl -p info -o cat _SYSTEMD_UNIT="resolvectl-monitor-json.service" | while read -r line; do - # Check that both "question" and "answer" fields are arrays + grep -qF "authenticated: yes" "$RUN_OUT" + + # Check a non-existent domain + # Note: mod-onlinesign utilizes Minimally Covering NSEC Records, hence the + # different response than with "standard" DNSSEC + run dig +dnssec this.does.not.exist.onlinesign.test + grep -qF "status: NOERROR" "$RUN_OUT" + grep -qF "NSEC \\000.this.does.not.exist.onlinesign.test." "$RUN_OUT" + # Check a wildcard record + run resolvectl query -t TXT this.should.be.authenticated.wild.onlinesign.test + grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an onlinesign wildcard"' "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + + # Resolve via dbus method + TIMESTAMP=$(date '+%F %T') + run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager ResolveHostname 'isit' 0 secondsub.onlinesign.test 0 0 + grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT" + monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134" + + + : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---" + # Issue: https://github.com/systemd/systemd/issues/23955 + # FIXME + resolvectl flush-caches + #run dig +short untrusted.test A untrusted.test AAAA + #grep -qF "10.0.0.121" "$RUN_OUT" + #grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" + run resolvectl query untrusted.test + grep -qF "untrusted.test:" "$RUN_OUT" + grep -qF "10.0.0.121" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" + grep -qF "authenticated: no" "$RUN_OUT" + run resolvectl service _mysvc._tcp untrusted.test + grep -qF "myservice.untrusted.test:1234" "$RUN_OUT" + grep -qF "10.0.0.123" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" + + # Issue: https://github.com/systemd/systemd/issues/19472 + # 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN + # FIXME: re-enable once the issue is resolved + #run dig +dnssec AAAA untrusted.test + #grep -qF "status: NOERROR" "$RUN_OUT" + #grep -qE "^untrusted\.test\..+IN\s+NSEC\s+" "$RUN_OUT" + ## 2) Query for a non-existing name should return NXDOMAIN, not SERVFAIL + #run dig +dnssec this.does.not.exist.untrusted.test + #grep -qF "status: NXDOMAIN" "$RUN_OUT" + + : "--- ZONE: forwarded.test (queries forwarded to our dummy test server) ---" + JOURNAL_CURSOR="$(mktemp)" + journalctl -n0 -q --cursor-file="$JOURNAL_CURSOR" + + # See "test-resolved-dummy-server.c" for the server part + (! run resolvectl query nope.forwarded.test) + grep -qF "nope.forwarded.test" "$RUN_OUT" + grep -qF "not found" "$RUN_OUT" + + # SERVFAIL + EDE code 6: DNSSEC Bogus + (! run resolvectl query edns-bogus-dnssec.forwarded.test) + grep -qE "^edns-bogus-dnssec.forwarded.test:.+: upstream-failure \(DNSSEC Bogus\)" "$RUN_OUT" + # Same thing, but over Varlink + (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-bogus-dnssec.forwarded.test"}') + grep -qF "io.systemd.Resolve.DNSSECValidationFailed" "$RUN_OUT" + grep -qF '{"result":"upstream-failure","extendedDNSErrorCode":6}' "$RUN_OUT" + journalctl --sync + journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(DNSSEC Bogus\). Lookup failed." + + # SERVFAIL + EDE code 16: Censored + extra text + (! run resolvectl query edns-extra-text.forwarded.test) + grep -qE "^edns-extra-text.forwarded.test.+: SERVFAIL \(Censored: Nothing to see here!\)" "$RUN_OUT" + (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-extra-text.forwarded.test"}') + grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" + grep -qF '{"rcode":2,"extendedDNSErrorCode":16,"extendedDNSErrorMessage":"Nothing to see here!"}' "$RUN_OUT" + journalctl --sync + journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Censored: Nothing to see here!\)" + + # SERVFAIL + EDE code 0: Other + extra text + (! run resolvectl query edns-code-zero.forwarded.test) + grep -qE "^edns-code-zero.forwarded.test:.+: SERVFAIL \(Other: 🐱\)" "$RUN_OUT" + (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-code-zero.forwarded.test"}') + grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" + grep -qF '{"rcode":2,"extendedDNSErrorCode":0,"extendedDNSErrorMessage":"🐱"}' "$RUN_OUT" + journalctl --sync + journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(Other: 🐱\)" + + # SERVFAIL + invalid EDE code + (! run resolvectl query edns-invalid-code.forwarded.test) + grep -qE "^edns-invalid-code.forwarded.test:.+: SERVFAIL \([0-9]+\)" "$RUN_OUT" + (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-invalid-code.forwarded.test"}') + grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" + grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+}' "$RUN_OUT" + journalctl --sync + journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+\)" + + # SERVFAIL + invalid EDE code + extra text + (! run resolvectl query edns-invalid-code-with-extra-text.forwarded.test) + grep -qE '^edns-invalid-code-with-extra-text.forwarded.test:.+: SERVFAIL \([0-9]+: Hello \[#\]\$%~ World\)' "$RUN_OUT" + (! run varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveHostname '{"name" : "edns-invalid-code-with-extra-text.forwarded.test"}') + grep -qF "io.systemd.Resolve.DNSError" "$RUN_OUT" + grep -qE '{"rcode":2,"extendedDNSErrorCode":[0-9]+,"extendedDNSErrorMessage":"Hello \[#\]\$%~ World"}' "$RUN_OUT" + journalctl --sync + journalctl -u systemd-resolved.service --cursor-file="$JOURNAL_CURSOR" --grep "Server returned error: SERVFAIL \(\d+: Hello \[\#\]\\$%~ World\)" +} + +testcase_09_resolvectl_showcache() { + ### Test resolvectl show-cache + run resolvectl show-cache + run resolvectl show-cache --json=short + run resolvectl show-cache --json=pretty +} + +testcase_10_resolvectl_json() { + # Issue: https://github.com/systemd/systemd/issues/29580 (part #1) + dig @127.0.0.54 signed.test + + systemctl stop resolvectl-monitor.service + systemctl stop resolvectl-monitor-json.service + + # Issue: https://github.com/systemd/systemd/issues/29580 (part #2) # - # The expression is slightly more complicated due to the fact that the "answer" field is optional, - # so we need to select it only if it's present, otherwise the type == "array" check would fail - echo "$line" | jq -e '[. | .question, (select(has("answer")) | .answer) | type == "array"] | all' -done + # Check for any warnings regarding malformed messages + (! journalctl -u resolvectl-monitor.service -u reseolvectl-monitor-json.service -p warning --grep malformed) + # Verify that all queries recorded by `resolvectl monitor --json` produced a valid JSON + # with expected fields + journalctl -p info -o cat _SYSTEMD_UNIT="resolvectl-monitor-json.service" | while read -r line; do + # Check that both "question" and "answer" fields are arrays + # + # The expression is slightly more complicated due to the fact that the "answer" field is optional, + # so we need to select it only if it's present, otherwise the type == "array" check would fail + echo "$line" | jq -e '[. | .question, (select(has("answer")) | .answer) | type == "array"] | all' + done +} # Test serve stale feature and NFTSet= if nftables is installed -if command -v nft >/dev/null; then +testcase_11_nft() { + if ! command -v nft >/dev/null; then + echo "nftables is not installed. Skipped serve stale feature and NFTSet= tests." + return 0 + fi + ### Test without serve stale feature ### NFT_FILTER_NAME=dns_port_filter @@ -833,70 +879,85 @@ if command -v nft >/dev/null; then rm -rf /run/systemd/system/system.slice.d nft flush ruleset -else - echo "nftables is not installed. Skipped serve stale feature and NFTSet= tests." -fi +} + +# Test resolvectl show-server-state +testcase_12_resolvectl2() { + run resolvectl show-server-state + grep -qF "10.0.0.1" "$RUN_OUT" + grep -qF "Interface" "$RUN_OUT" + + run resolvectl show-server-state --json=short + grep -qF "10.0.0.1" "$RUN_OUT" + grep -qF "Interface" "$RUN_OUT" + + run resolvectl show-server-state --json=pretty + grep -qF "10.0.0.1" "$RUN_OUT" + grep -qF "Interface" "$RUN_OUT" + + ### Test resolvectl statistics ### + run resolvectl statistics + grep -qF "Transactions" "$RUN_OUT" + grep -qF "Cache" "$RUN_OUT" + grep -qF "Failure Transactions" "$RUN_OUT" + grep -qF "DNSSEC Verdicts" "$RUN_OUT" + + run resolvectl statistics --json=short + grep -qF "transactions" "$RUN_OUT" + grep -qF "cache" "$RUN_OUT" + grep -qF "dnssec" "$RUN_OUT" + + run resolvectl statistics --json=pretty + grep -qF "transactions" "$RUN_OUT" + grep -qF "cache" "$RUN_OUT" + grep -qF "dnssec" "$RUN_OUT" + + ### Test resolvectl reset-statistics ### + run resolvectl reset-statistics + + run resolvectl reset-statistics --json=pretty + + run resolvectl reset-statistics --json=short + + test "$(resolvectl --json=short query -t AAAA localhost)" == '{"key":{"class":1,"type":28,"name":"localhost"},"address":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]}' + test "$(resolvectl --json=short query -t A localhost)" == '{"key":{"class":1,"type":1,"name":"localhost"},"address":[127,0,0,1]}' + + # Test ResolveRecord RR resolving via Varlink + test "$(varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveRecord '{"name":"localhost","type":1}' --json=short | jq -rc 'del(.rrs | .[] | .ifindex)')" == '{"rrs":[{"rr":{"key":{"class":1,"type":1,"name":"localhost"},"address":[127,0,0,1]},"raw":"CWxvY2FsaG9zdAAAAQABAAAAAAAEfwAAAQ=="}],"flags":786945}' + test "$(varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveRecord '{"name":"localhost","type":28}' --json=short | jq -rc 'del(.rrs | .[] | .ifindex)')" == '{"rrs":[{"rr":{"key":{"class":1,"type":28,"name":"localhost"},"address":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"raw":"CWxvY2FsaG9zdAAAHAABAAAAAAAQAAAAAAAAAAAAAAAAAAAAAQ=="}],"flags":786945}' + + # Ensure that reloading keeps the manually configured address + { + echo "[Resolve]" + echo "DNS=8.8.8.8" + } >/run/systemd/resolved.conf.d/reload.conf + resolvectl dns dns0 1.1.1.1 + systemctl reload systemd-resolved.service + resolvectl status + resolvectl dns dns0 | grep -qF "1.1.1.1" + # For some reason piping this last command to grep fails with: + # 'resolvectl[1378]: Failed to print table: Broken pipe' + # so use an intermediate file in /tmp/ + resolvectl >/tmp/output + grep -qF "DNS Servers: 8.8.8.8" /tmp/output + + # Check if resolved exits cleanly. + restart_resolved +} + +# PRE-SETUP +systemctl unmask systemd-resolved.service +systemctl enable --now systemd-resolved.service +systemctl service-log-level systemd-resolved.service debug + +# Need to be run before SETUP, otherwise things will break +manual_testcase_01_resolvectl +manual_testcase_02_mdns_llmnr + +# Run setup +setup -### Test resolvectl show-server-state ### -run resolvectl show-server-state -grep -qF "10.0.0.1" "$RUN_OUT" -grep -qF "Interface" "$RUN_OUT" - -run resolvectl show-server-state --json=short -grep -qF "10.0.0.1" "$RUN_OUT" -grep -qF "Interface" "$RUN_OUT" - -run resolvectl show-server-state --json=pretty -grep -qF "10.0.0.1" "$RUN_OUT" -grep -qF "Interface" "$RUN_OUT" - -### Test resolvectl statistics ### -run resolvectl statistics -grep -qF "Transactions" "$RUN_OUT" -grep -qF "Cache" "$RUN_OUT" -grep -qF "Failure Transactions" "$RUN_OUT" -grep -qF "DNSSEC Verdicts" "$RUN_OUT" - -run resolvectl statistics --json=short -grep -qF "transactions" "$RUN_OUT" -grep -qF "cache" "$RUN_OUT" -grep -qF "dnssec" "$RUN_OUT" - -run resolvectl statistics --json=pretty -grep -qF "transactions" "$RUN_OUT" -grep -qF "cache" "$RUN_OUT" -grep -qF "dnssec" "$RUN_OUT" - -### Test resolvectl reset-statistics ### -run resolvectl reset-statistics - -run resolvectl reset-statistics --json=pretty - -run resolvectl reset-statistics --json=short - -test "$(resolvectl --json=short query -t AAAA localhost)" == '{"key":{"class":1,"type":28,"name":"localhost"},"address":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]}' -test "$(resolvectl --json=short query -t A localhost)" == '{"key":{"class":1,"type":1,"name":"localhost"},"address":[127,0,0,1]}' - -# Test ResolveRecord RR resolving via Varlink -test "$(varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveRecord '{"name":"localhost","type":1}' --json=short | jq -rc 'del(.rrs | .[] | .ifindex)')" == '{"rrs":[{"rr":{"key":{"class":1,"type":1,"name":"localhost"},"address":[127,0,0,1]},"raw":"CWxvY2FsaG9zdAAAAQABAAAAAAAEfwAAAQ=="}],"flags":786945}' -test "$(varlinkctl call /run/systemd/resolve/io.systemd.Resolve io.systemd.Resolve.ResolveRecord '{"name":"localhost","type":28}' --json=short | jq -rc 'del(.rrs | .[] | .ifindex)')" == '{"rrs":[{"rr":{"key":{"class":1,"type":28,"name":"localhost"},"address":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"raw":"CWxvY2FsaG9zdAAAHAABAAAAAAAQAAAAAAAAAAAAAAAAAAAAAQ=="}],"flags":786945}' - -# Ensure that reloading keeps the manually configured address -{ - echo "[Resolve]" - echo "DNS=8.8.8.8" -} >/run/systemd/resolved.conf.d/reload.conf -resolvectl dns dns0 1.1.1.1 -systemctl reload systemd-resolved.service -resolvectl status -resolvectl dns dns0 | grep -qF "1.1.1.1" -# For some reason piping this last command to grep fails with: -# 'resolvectl[1378]: Failed to print table: Broken pipe' -# so use an intermediate file in /tmp/ -resolvectl >/tmp/output -grep -qF "DNS Servers: 8.8.8.8" /tmp/output - -# Check if resolved exits cleanly. -restart_resolved +# Run tests +run_testcases touch /testok diff --git a/test/units/TEST-82-SOFTREBOOT.sh b/test/units/TEST-82-SOFTREBOOT.sh index f86bc92..9f3d406 100755 --- a/test/units/TEST-82-SOFTREBOOT.sh +++ b/test/units/TEST-82-SOFTREBOOT.sh @@ -19,6 +19,21 @@ at_exit() { trap at_exit EXIT +# Because this test tests soft-reboot, we have to get rid of the symlink we put at +# /run/nextroot to allow rebooting into the previous snapshot if the test fails for +# the duration of the test. However, let's make sure we put the symlink back in place +# if the test fails. +if [[ -L /run/nextroot ]]; then + at_error() { + mountpoint -q /run/nextroot && umount -R /run/nextroot + rm -rf /run/nextroot + ln -sf /snapshot /run/nextroot + } + + trap at_error ERR + rm -f /run/nextroot +fi + systemd-analyze log-level debug export SYSTEMD_LOG_LEVEL=debug |