From a5a2fc72747319291b5bb5ecc69d491d1a17c294 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 16 Dec 2020 01:28:11 +0100
Subject: [PATCH 1/7] make-container: fix renamed variable

The variable was only renamed in run-tests.sh, which broke containers.
---
 test/lib/make-container.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/lib/make-container.sh b/test/lib/make-container.sh
index 327f13d..99cce7b 100755
--- a/test/lib/make-container.sh
+++ b/test/lib/make-container.sh
@@ -57,8 +57,8 @@ if [[ $EUID != 0 ]]; then
 # NixOS containers require root permissions.
 # By using sudo here and not at the user's call-site extra-container can detect if it is running
 # inside an existing shell session (by checking an internal environment variable).
- exec sudo scenario="$scenario" testDir="$testDir" NIX_PATH="$NIX_PATH" PATH="$PATH" \
- scenarioOverridesFile="${scenarioOverridesFile:-}" "$testDir/lib/make-container.sh" "$@"
+ exec sudo scenario="$scenario" scriptDir="$scriptDir" NIX_PATH="$NIX_PATH" PATH="$PATH" \
+ scenarioOverridesFile="${scenarioOverridesFile:-}" "$scriptDir/lib/make-container.sh" "$@"
 fi
 export containerName=nb-test
@@ -79,11 +79,11 @@ done
 containerBin=$(type -P extra-container) || true
 if [[ ! ($containerBin && $(realpath $containerBin) == *extra-container-0.5*) ]]; then
 echo "Building extra-container. Skip this step by adding extra-container 0.5 to PATH."
- nix-build --out-link /tmp/extra-container "$testDir"/../pkgs -A extra-container >/dev/null
+ nix-build --out-link /tmp/extra-container "$scriptDir"/../pkgs -A extra-container >/dev/null
 export PATH="/tmp/extra-container/bin${PATH:+:}$PATH"
 fi
 read -d '' src <
Date: Wed, 16 Dec 2020 01:28:12 +0100
Subject: [PATCH 2/7] generate-secrets: use pwgen

Password length and alphabet is unchanged, but the restriction to include at least one numeric and one capital char has been removed. This restriction is not needed by client applications, adds code complexity, and even (insignificantly) reduces entropy.

Reason for switching to pwgen: apg uses /dev/random instead of /dev/urandom which brings no security benefits but can stall the generate-secrets script on low-entropy devices due to blocking. Since `security.rngd` has been disabled in NixOS 20.09, blocking in generate-secrets can also appear on regular NixOS desktop systems.
---
 docs/faq.md | 2 --
 pkgs/generate-secrets/default.nix | 2 +-
 pkgs/generate-secrets/generate-secrets.sh | 3 ++-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/docs/faq.md b/docs/faq.md
index 9b60020..5f6252b 100644
--- a/docs/faq.md
+++ b/docs/faq.md
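Review bot: The modified nix-build line keeps its out-link at the fixed path /tmp/extra-container and the following line prepends /tmp/extra-container/bin to PATH; since make-container.sh re-executes itself under sudo earlier in the file (previous hunk), this means a predictable name in world-writable /tmp, which another local user can pre-create, decides what a root-run script builds through or fails on. A per-invocation location avoids that: `outLink=$(mktemp -d)/extra-container`, `nix-build --out-link "$outLink" "$scriptDir"/../pkgs -A extra-container >/dev/null`, `export PATH="$outLink/bin${PATH:+:}$PATH"`, with the temporary directory removed by an EXIT trap. The here-document that the hunk's last line (`read -d '' src <`) appears to open is cut off in this rendering, so the remainder of the hunk could not be reviewed.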
@@ -32,5 +32,3 @@
 * **A:** Check your clightning logs with `journalctl -eu clightning`. Do you see something like `bitcoin-cli getblock ... false` failed? Are you using pruned mode? That means that clightning hasn't seen all the blocks it needs to and it can't get that block because your node is pruned. If you're just setting up a new node you can `systemctl stop clightning` and wipe your `/var/lib/clightning` directory. Otherwise you need to reindex the Bitcoin node.
 * **Q:** My disk space is getting low due to nix.
 * **A:** run `nix-collect-garbage -d`
-* **Q:** `nix-shell` takes too long and doesn't finish generating `/secrets`
- * **A:** This might be the result of low system entropy. Check your entropy with `cat /proc/sys/kernel/random/entropy_avail`. If necessary, take steps to increase entropy like performing some tasks on the system or acquiring a hardware true random number generator.
diff --git a/pkgs/generate-secrets/default.nix b/pkgs/generate-secrets/default.nix
index 5f88019..d04f06a 100644
--- a/pkgs/generate-secrets/default.nix
+++ b/pkgs/generate-secrets/default.nix
@@ -10,6 +10,6 @@ let
 ''; in writers.writeBash "generate-secrets" ''
- export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]}
+ export PATH=${lib.makeBinPath [ coreutils pwgen openssl gnugrep rpcauth ]}
 . ${./generate-secrets.sh} ${./openssl.cnf} ''
diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh
index 229b774..a448f9b 100755
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@@ -5,7 +5,8 @@ set -euo pipefail
 opensslConf=${1:-openssl.cnf}
 makePasswordSecret() {
- [[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
+ # Passwords have alphabet {a-z, A-Z, 0-9} and ~119 bits of entropy
+ [[ -e $1 ]] || pwgen -s 20 1 > "$1"
 }
 makeHMAC() {
 user=$1
From 44b06aea5a2c3ff186279774781f03c70b8fa964 Mon Sep 17 00:00:00 2001
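Review bot: The new comment in makePasswordSecret (and the commit message) says the at-least-one-digit/one-capital requirement is gone, but pwgen enables -c/--capitalize and -n/--numerals by default and applies them to -s output as well, so the generated passwords still carry the composition constraint apg's -M Ncl imposed and their entropy is marginally under 119 bits. pwgen has no switch that keeps a character class optional without dropping it entirely (-0/-A remove the class), so the comment should describe the actual output, e.g. `# Passwords have alphabet {a-z, A-Z, 0-9}, contain at least one digit and one capital (pwgen defaults), and have slightly under 119 bits of entropy`. It is also worth confirming that the packaged pwgen reads /dev/urandom here, since non-blocking randomness is the stated reason for the switch and pwgen, as far as I recall, falls back to the C library's PRNG when that device cannot be opened. The umask under which `> "$1"` creates the secret file is set, if at all, outside this hunk.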
From: Erik Arvstedt
Date: Wed, 16 Dec 2020 01:28:13 +0100
Subject: [PATCH 3/7] extra-container: 0.5-pre -> 0.5

---
 pkgs/extra-container/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/extra-container/default.nix b/pkgs/extra-container/default.nix
index 9f93667..83385ae 100644
--- a/pkgs/extra-container/default.nix
+++ b/pkgs/extra-container/default.nix
@@ -4,11 +4,11 @@ stdenv.mkDerivation rec {
 name = "extra-container-${version}";
- version = "0.5-pre";
+ version = "0.5";
 src = builtins.fetchTarball {
 url = "https://github.com/erikarvstedt/extra-container/archive/${version}.tar.gz";
- sha256 = "0gdy2dpqrdv7f4kyqz88j34x1p2fpav04kznv41hwqq88hmzap90";
+ sha256 = "12xqa11v583ajdv51g1833rxvrndmly9h4r62wc3llm8xs6k7ais";
 };
 buildCommand = ''
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
 share=$out/share/extra-container
 install $src/eval-config.nix -Dt $share
- # Use existing PATH for systemctl and machinectl (for nixos-container)
+ # Use existing PATH for systemctl and machinectl
 scriptPath="export PATH=${lib.makeBinPath [ nixos-container openssh ]}:\$PATH"
 sed -i \
From c8e73c959e09f8ca47e33392b6e37a5a683b4591 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 16 Dec 2020 18:57:57 +0100
Subject: [PATCH 4/7] fix 'hardened' profile for NixOS 20.09

The 'scudo' memory allocator set by the 'hardened' profile breaks some services on 20.09. The fix for NixOS unstable (https://github.com/NixOS/nixpkgs/pull/104052) is ineffective on 20.09. As a workaround, add a custom 'hardened' preset that uses the default allocator.
---
 examples/configuration.nix | 7 +------
 modules/presets/hardened.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 modules/presets/hardened.nix

diff --git a/examples/configuration.nix b/examples/configuration.nix
index 9c7e9b2..e42e357 100644
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@@ -9,8 +9,7 @@
 # FIXME: The hardened kernel profile improves security but
 # decreases performance by ~50%.
 # Turn it off when not needed.
- # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
-
+
 # FIXME: Uncomment next line to import your hardware configuration. If so,
 # add the hardware configuration file to the same directory as this file.
@@ -208,10 +207,6 @@
 # FIXME: Add custom options (like boot options, output of
 # nixos-generate-config, etc.):
- # If the hardened profile is imported above, we need to explicitly allow
- # user namespaces to enable sanboxed builds and services.
- security.allowUserNamespaces = true;
-
 # This value determines the NixOS release with which your system is to be
 # compatible, in order to avoid breaking some software such as database
 # servers. You should change this only after NixOS release notes say you
diff --git a/modules/presets/hardened.nix b/modules/presets/hardened.nix
new file mode 100644
index 0000000..16833a6
--- /dev/null
+++ b/modules/presets/hardened.nix
@@ -0,0 +1,14 @@
+{
+ imports = [
+ # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
+
+ ];
+
+ ## Reset some options set by the hardened profile
+
+ # Needed for sandboxed builds and services
+ security.allowUserNamespaces = true;
+
+ # The "scudo" allocator is broken on NixOS 20.09
+ environment.memoryAllocator.provider = "libc";
+}
From ff94985b8bf11481e315980e499965443abd7d58 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 18 Dec 2020 13:27:20 +0100
Subject: [PATCH 5/7] tests: add test 'hardened'

---
 test/run-tests.sh | 1 +
 test/tests.nix | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/test/run-tests.sh b/test/run-tests.sh
index c3fd248..ba3f5a5 100755
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@@ -206,6 +206,7 @@ all() {
 basic
 scenario=full buildTest "$@"
 scenario=regtest buildTest "$@"
+ scenario=hardened buildTest "$@"
 }
 # An alias for buildTest
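Review bot: The new modules/presets/hardened.nix relaxes two settings of the upstream hardened profile for every importer — it re-enables user namespaces and switches the allocator back to libc — but its comments do not say that the allocator override is a temporary 20.09 workaround or point at the upstream fix the commit message cites, and examples/configuration.nix no longer shows the user that these relaxations happen now that its `security.allowUserNamespaces = true;` block is removed. Suggest extending the comment above `environment.memoryAllocator.provider` to `# The "scudo" allocator is broken on NixOS 20.09; the upstream fix (https://github.com/NixOS/nixpkgs/pull/104052) is not in 20.09. TODO: drop this override once the supported release includes it`, and adding one comment line in the example config stating that the preset re-enables user namespaces (needed for sandboxed builds and services). The import entry inside `imports = [ … ]` and the replacement line in configuration.nix appear to have been lost in this rendering (likely angle-bracket paths), so they could not be checked.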
diff --git a/test/tests.nix b/test/tests.nix
index 8a1cecc..f9924ee 100644
--- a/test/tests.nix
+++ b/test/tests.nix
@@ -165,6 +165,13 @@ let testEnv = rec {
 imports = with scenarios; [ netnsBase regtest ];
 };
+ hardened = {
+ imports = [
+ scenarios.secureNode
+ ../modules/presets/hardened.nix
+ ];
+ };
+
 netnsBase = {
 nix-bitcoin.netns-isolation.enable = true;
 test.data.netns = config.nix-bitcoin.netns-isolation.netns;
From 3403795c8600bc63a6e36011aed30fd391f7c96e Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 18 Dec 2020 13:27:21 +0100
Subject: [PATCH 6/7] tests: add example scripts

---
 examples/deploy-qemu-vm.sh | 2 ++
 test/run-tests.sh | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/examples/deploy-qemu-vm.sh b/examples/deploy-qemu-vm.sh
index e155126..331451f 100755
--- a/examples/deploy-qemu-vm.sh
+++ b/examples/deploy-qemu-vm.sh
@@ -17,6 +17,8 @@ if [[ ! -v IN_NIX_SHELL ]]; then
 exec nix-shell --run "./${BASH_SOURCE[0]##*/} $*"
 fi
+cd "${BASH_SOURCE[0]%/*}"
+
 tmpDir=/tmp/nix-bitcoin-qemu-vm
 mkdir -p $tmpDir
diff --git a/test/run-tests.sh b/test/run-tests.sh
index ba3f5a5..5b24a33 100755
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@@ -202,13 +202,29 @@ basic() {
 pkgsUnstable
 }
-all() {
+# All tests that only consist of building a nix derivation.
+# Their output is cached in /nix/store.
+buildable() {
 basic
 scenario=full buildTest "$@"
 scenario=regtest buildTest "$@"
 scenario=hardened buildTest "$@"
 }
+examples() {
+ script="
+ set -e
+ ./deploy-container.sh
+ ./deploy-qemu-vm.sh
+ "
+ (cd $scriptDir/../examples && nix-shell --run "$script")
+}
+
+all() {
+ buildable
+ examples
+}
+
 # An alias for buildTest
 build() {
 buildTest "$@"
From 2bfb4efbd8d313725f659983193e26170c2b4881 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sat, 19 Dec 2020 13:08:37 +0100
Subject: [PATCH 7/7] make-container: fix usage comment

---
 test/lib/make-container.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

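Review bot: `cd "${BASH_SOURCE[0]%/*}"` in deploy-qemu-vm.sh only strips a directory when the script path contains a slash; invoked by bare name (for example `bash deploy-qemu-vm.sh` inside an already-entered nix-shell, where the re-exec just above is skipped) the expansion is the unchanged filename, so cd fails or, if the script does not run with errexit, leaves the working directory untouched and the relative paths below resolve elsewhere. `cd "$(dirname -- "${BASH_SOURCE[0]}")"` covers both forms. Whether errexit is enabled in this script is outside the hunk.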
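Review bot: In examples() in run-tests.sh, `script` is assigned without `local` and so leaks into the script's global scope, and `$scriptDir` is unquoted in the subshell although the rest of this series quotes it (make-container.sh hunks). Suggested: `local script="` and `(cd "$scriptDir/../examples" && nix-shell --run "$script")`. Note also that `all` now launches the example deployments (a container and a QEMU VM) in addition to the cached builds, which presumably needs sudo and virtualisation support on the host; a one-line comment on examples() stating that requirement would help anyone running `run-tests.sh all` unattended.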
diff --git a/test/lib/make-container.sh b/test/lib/make-container.sh
index 99cce7b..6957018 100755
--- a/test/lib/make-container.sh
+++ b/test/lib/make-container.sh
@@ -28,7 +28,7 @@
 # This args disables auto-destructing containers.
 #
 #
-# run-tests.sh container --run|-r c systemctl status bitcoind
+# run-tests.sh container --run c systemctl status bitcoind
 #
 # Run a command in the shell session environmentand exit.
 # Destroy the container afterwards.
@@ -39,7 +39,7 @@
 # run-tests.sh container --run c
 #
 #
-# run-tests.sh [--scenario|-s ] container --command|--c
+# run-tests.sh [--scenario|-s ] container --command|-c
 #
 # Provide a custom extra-container command.
 #