nixos/nginx: fix config validation with hostnames in proxy_pass by symphorien · Pull Request #207413 · NixOS/nixpkgs

symphorien · 2022-12-23T13:03:13Z

Description of changes

There are actually many directives which trigger domain name resolution, so using regexes to "fix" them all does not seem like a good approach. Instead I run a fake dns server that answers all requests with a dummy IP.
Unfortunately libredirect tricks to point nginx to a fake /etc/resolv.conf don't work, because nginx uses getaddrinfo, so it is glibc which reads /etc/resolv.conf, and one cannot fake glibc calls to glibc it seems.
So I use bubblewrap instead, but that requires user namespaces, which are not always available. If this is not the case, and validation fails on dns failure, then we ignore the failure. The goal is that if it builds somewhere, it builds everywhere (use case: heterogenous remote builders). I have not yet tested building without user namespaces.

Things done

cc @delroth

symphorien · 2022-12-23T13:33:59Z

now works with user namespaces disabled

SuperSandro2000

There is not an easier way to run config validation?
We are getting into territoriality where the overhead and workarounds are eventually outweighing the benefits.

pkgs/tools/networking/fakedns/default.nix

SuperSandro2000 · 2022-12-25T20:12:14Z

pkgs/tools/networking/fakedns/default.nix

Suggested change

];

meta = {

];

pythonImportsCheck = [ "fakedns" ];

meta = {

SuperSandro2000 · 2022-12-25T20:13:01Z

pkgs/development/python-modules/dns-messages/default.nix

Suggested change

pythonImportsCheck = [ "dns_messages" ];

SuperSandro2000 · 2022-12-25T20:13:06Z

pkgs/development/python-modules/dns-messages/default.nix

Suggested change

doCheck = false;

# has no tests

doCheck = false;

SuperSandro2000 · 2022-12-25T20:13:12Z

pkgs/development/python-modules/dns-messages/default.nix

Suggested change

{ buildPythonPackage, fetchPypi, lib }:

buildPythonPackage rec {

{ buildPythonPackage, fetchPypi, lib }:

buildPythonPackage rec {

SuperSandro2000 · 2022-12-25T20:13:47Z

pkgs/development/python-modules/cli-formatter/default.nix

Suggested change

# has no tests

doCheck = false;

pythonImportsCheck = [ "cli_formatter" ];

SuperSandro2000 · 2022-12-25T20:15:24Z

nixos/modules/services/web-servers/nginx/default.nix

Suggested change

userns=yes;

$bwrun ${nginxWithResolver} > out 2>&1;

else

userns=no;

echo "user namespaces are not available, dns resolution will fail if required";

nginx -t -c $(readlink -f ./conf) > out 2>&1 || true;

userns=yes

$bwrun ${nginxWithResolver} > out 2>&1

else

userns=no

echo "user namespaces are not available, dns resolution will fail if required"

nginx -t -c $(readlink -f ./conf) > out 2>&1 || true

SuperSandro2000 · 2022-12-25T20:16:11Z

nixos/modules/services/web-servers/nginx/default.nix

Suggested change

validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package pkgs.bubblewrap pkgs.fakedns pkgs.getent ]; } ''

validatedConfigFile = pkgs.runCommand "validated-nginx.conf" {

nativeBuildInputs = with pkgs; [ cfg.package bubblewrap fakedns getent ];

} ''

SuperSandro2000 · 2022-12-25T20:16:56Z

nixos/modules/services/web-servers/nginx/default.nix

Suggested change

for i in $(seq 1 1000); do

for i in $(seq 1 30); do

waiting 1000 seconds for that to come up is to long

SuperSandro2000 · 2022-12-25T20:17:34Z

nixos/modules/services/web-servers/nginx/default.nix

We should use private addresses or if there are some to be not resolveable them.

Fixes NixOS#207409

symphorien · 2022-12-30T17:49:15Z

I pushed changes which

solve @Mic92 issue with dhparams
address some of the stylistic comments of @SuperSandro2000

We are getting into territoriality where the overhead and workarounds are eventually outweighing the benefits.

Yes. I started #205561 because nixcloud-webservice has been doing such a validation since quite a long time, but it turns out it is pretty limited for more diverse configs. I can make it work with what is arguably an ugly pile of hacks. If you think this is too hacky, we can revert introducing the validation. I am also hesitating, other opinions welcome.

SuperSandro2000 · 2022-12-30T21:14:03Z

I can make it work with what is arguably an ugly pile of hacks. If you think this is too hacky, we can revert introducing the validation. I am also hesitating, other opinions welcome.

To be honest the cleanest solution would probably be to change the nginx code to better fit our usecase and try to upstream that.

symphorien · 2023-01-03T19:39:54Z

TBH, that's not something I'm willing to attempt.

symphorien · 2023-02-11T11:54:54Z

superseded by #209075

python3.pkgs.cli-formatter: init at 1.2.0

16d07f4

symphorien requested review from FRidh and jonringer as code owners December 23, 2022 13:03

github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: python Python is a high-level, general-purpose programming language. 8.has: module (update) This PR changes an existing module in `nixos/` labels Dec 23, 2022

symphorien force-pushed the fix_nginx_dns branch from 6e9078c to f56c90b Compare December 23, 2022 13:20

symphorien mentioned this pull request Dec 23, 2022

nixos/nginx: validate config at build time #205561

Merged

13 tasks

SuperSandro2000 reviewed Dec 25, 2022

View reviewed changes

symphorien added 6 commits December 30, 2022 12:00

nixos/nginx: slightly smarter regex for config validation

db13557

python3.pkgs.dns-messages: init at 1.0.0

ce4ebbb

fakedns: init at unstable

6c2d4c7

nixos/nginx: add regression test for NixOS#207409

c00e3a0

ixos/nginx: don't fail to validate configs with proxy_pass <hostname>

65cba21

Fixes NixOS#207409

nixos/nginx: don't fail config validation with dh params

826c415

symphorien force-pushed the fix_nginx_dns branch from f56c90b to db13557 Compare December 30, 2022 17:43

symphorien mentioned this pull request Jan 4, 2023

nixos/nginx: revert config validation #209075

Merged

13 tasks

symphorien closed this Feb 11, 2023

symphorien deleted the fix_nginx_dns branch February 11, 2023 11:55

-  ];
-  meta = {
+  ];
+  pythonImportsCheck = [ "fakedns" ];
+  meta = {

-{ buildPythonPackage, fetchPypi, lib }:
-buildPythonPackage rec {
+{ buildPythonPackage, fetchPypi, lib }:
+buildPythonPackage rec {

+  # has no tests
+  doCheck = false;
+  pythonImportsCheck = [ "cli_formatter" ];

-      userns=yes;
-      $bwrun ${nginxWithResolver} > out 2>&1;
-    else
-      userns=no;
-      echo "user namespaces are not available, dns resolution will fail if required";
-      nginx -t -c $(readlink -f ./conf) > out 2>&1 || true;
+      userns=yes
+      $bwrun ${nginxWithResolver} > out 2>&1
+    else
+      userns=no
+      echo "user namespaces are not available, dns resolution will fail if required"
+      nginx -t -c $(readlink -f ./conf) > out 2>&1 || true

-  validatedConfigFile = pkgs.runCommand "validated-nginx.conf" { nativeBuildInputs = [ cfg.package pkgs.bubblewrap pkgs.fakedns pkgs.getent ]; } ''
+  validatedConfigFile = pkgs.runCommand "validated-nginx.conf" {
+    nativeBuildInputs = with pkgs; [ cfg.package bubblewrap fakedns getent ];
+  } ''

Uh oh!

Conversation

symphorien commented Dec 23, 2022

Description of changes

Things done

Uh oh!

symphorien commented Dec 23, 2022

Uh oh!

SuperSandro2000 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

symphorien commented Dec 30, 2022

Uh oh!

SuperSandro2000 commented Dec 30, 2022

Uh oh!

symphorien commented Jan 3, 2023

Uh oh!

symphorien commented Feb 11, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants