211 lines
5.7 KiB
Nix
211 lines
5.7 KiB
Nix
# implements https://github.com/scionproto/scion/blob/27983125bccac6b84d1f96f406853aab0e460405/doc/tutorials/deploy.rst
|
|
import ../../make-test-python.nix (
|
|
{ pkgs, ... }:
|
|
let
|
|
trust-root-configuration-keys = pkgs.runCommand "generate-trc-keys.sh" {
|
|
buildInputs = [
|
|
pkgs.scion
|
|
];
|
|
} (builtins.readFile ./bootstrap.sh);
|
|
|
|
imports = hostId: [
|
|
({
|
|
services.scion = {
|
|
enable = true;
|
|
bypassBootstrapWarning = true;
|
|
};
|
|
networking = {
|
|
useNetworkd = true;
|
|
useDHCP = false;
|
|
};
|
|
systemd.network.networks."01-eth1" = {
|
|
name = "eth1";
|
|
networkConfig.Address = "192.168.1.${toString hostId}/24";
|
|
};
|
|
environment.etc = {
|
|
"scion/topology.json".source = ./topology${toString hostId}.json;
|
|
"scion/crypto/as".source = trust-root-configuration-keys + "/AS${toString hostId}";
|
|
"scion/certs/ISD42-B1-S1.trc".source = trust-root-configuration-keys + "/ISD42-B1-S1.trc";
|
|
"scion/keys/master0.key".text = "U${toString hostId}v4k23ZXjGDwDofg/Eevw==";
|
|
"scion/keys/master1.key".text = "dBMko${toString hostId}qMS8DfrN/zP2OUdA==";
|
|
};
|
|
environment.systemPackages = [
|
|
pkgs.scion
|
|
];
|
|
})
|
|
];
|
|
in
|
|
{
|
|
name = "scion-test";
|
|
nodes = {
|
|
scion01 =
|
|
{ ... }:
|
|
{
|
|
imports = (imports 1);
|
|
};
|
|
scion02 =
|
|
{ ... }:
|
|
{
|
|
imports = (imports 2);
|
|
};
|
|
scion03 =
|
|
{ ... }:
|
|
{
|
|
imports = (imports 3);
|
|
};
|
|
scion04 =
|
|
{ ... }:
|
|
{
|
|
imports = (imports 4);
|
|
networking.interfaces."lo".ipv4.addresses = [
|
|
{
|
|
address = "172.16.1.1";
|
|
prefixLength = 32;
|
|
}
|
|
];
|
|
services.scion.scion-ip-gateway = {
|
|
enable = true;
|
|
config = {
|
|
tunnel = {
|
|
src_ipv4 = "172.16.1.1";
|
|
};
|
|
};
|
|
trafficConfig = {
|
|
ASes = {
|
|
"42-ffaa:1:5" = {
|
|
Nets = [
|
|
"172.16.100.0/24"
|
|
];
|
|
};
|
|
};
|
|
ConfigVersion = 9001;
|
|
};
|
|
};
|
|
};
|
|
scion05 =
|
|
{ ... }:
|
|
{
|
|
imports = (imports 5);
|
|
networking.interfaces."lo".ipv4.addresses = [
|
|
{
|
|
address = "172.16.100.1";
|
|
prefixLength = 32;
|
|
}
|
|
];
|
|
services.scion.scion-ip-gateway = {
|
|
enable = true;
|
|
config = {
|
|
tunnel = {
|
|
src_ipv4 = "172.16.100.1";
|
|
};
|
|
};
|
|
trafficConfig = {
|
|
ASes = {
|
|
"42-ffaa:1:4" = {
|
|
Nets = [
|
|
"172.16.1.0/24"
|
|
];
|
|
};
|
|
};
|
|
ConfigVersion = 9001;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
testScript =
|
|
let
|
|
pingAll = pkgs.writeShellScript "ping-all-scion.sh" ''
|
|
addresses="42-ffaa:1:1 42-ffaa:1:2 42-ffaa:1:3 42-ffaa:1:4 42-ffaa:1:5"
|
|
timeout=100
|
|
wait_for_all() {
|
|
ret=0
|
|
for as in "$@"
|
|
do
|
|
scion showpaths $as --no-probe > /dev/null
|
|
ret=$?
|
|
if [ "$ret" -ne "0" ]; then
|
|
break
|
|
fi
|
|
done
|
|
return $ret
|
|
}
|
|
ping_all() {
|
|
ret=0
|
|
for as in "$@"
|
|
do
|
|
scion ping "$as,127.0.0.1" -c 3
|
|
ret=$?
|
|
if [ "$ret" -ne "0" ]; then
|
|
break
|
|
fi
|
|
done
|
|
return $ret
|
|
}
|
|
for i in $(seq 0 $timeout); do
|
|
sleep 1
|
|
wait_for_all $addresses || continue
|
|
ping_all $addresses && exit 0
|
|
done
|
|
exit 1
|
|
'';
|
|
in
|
|
''
|
|
# List of AS instances
|
|
machines = [scion01, scion02, scion03, scion04, scion05]
|
|
|
|
# Functions to avoid many for loops
|
|
def start(allow_reboot=False):
|
|
for i in machines:
|
|
i.start(allow_reboot=allow_reboot)
|
|
|
|
def wait_for_unit(service_name):
|
|
for i in machines:
|
|
i.wait_for_unit(service_name)
|
|
|
|
def succeed(command):
|
|
for i in machines:
|
|
i.succeed(command)
|
|
|
|
def reboot():
|
|
for i in machines:
|
|
i.reboot()
|
|
|
|
def crash():
|
|
for i in machines:
|
|
i.crash()
|
|
|
|
# Start all machines, allowing reboot for later
|
|
start(allow_reboot=True)
|
|
|
|
# Wait for scion-control.service on all instances
|
|
wait_for_unit("scion-control.service")
|
|
|
|
# Ensure cert is valid against TRC
|
|
succeed("scion-pki certificate verify --trc /etc/scion/certs/*.trc /etc/scion/crypto/as/*.pem >&2")
|
|
|
|
# Execute pingAll command on all instances
|
|
succeed("${pingAll} >&2")
|
|
|
|
# Execute ICMP pings across scion-ip-gateway
|
|
scion04.succeed("ping -c 3 172.16.100.1 >&2")
|
|
scion05.succeed("ping -c 3 172.16.1.1 >&2")
|
|
|
|
# Restart all scion services and ping again to test robustness
|
|
succeed("systemctl restart scion-* >&2")
|
|
succeed("${pingAll} >&2")
|
|
|
|
# Reboot machines, wait for service, and ping again
|
|
reboot()
|
|
wait_for_unit("scion-control.service")
|
|
succeed("${pingAll} >&2")
|
|
|
|
# Crash, start, wait for service, and ping again
|
|
crash()
|
|
start()
|
|
wait_for_unit("scion-control.service")
|
|
succeed("pkill -9 scion-* >&2")
|
|
wait_for_unit("scion-control.service")
|
|
succeed("${pingAll} >&2")
|
|
'';
|
|
}
|
|
)
|