from invoke import task
from invoke.exceptions import Failure, UnexpectedExit
+import json
import os
import sys
import time
auth_backend_ip_addr = os.getenv('AUTH_BACKEND_IP_ADDR', '127.0.0.1')
clang_version = os.getenv('CLANG_VERSION', '13')
-quiche_version = '0.18.0'
-quiche_hash = 'eb242a14c4d801a90b57b6021dd29f7a62099f3a4d7a7ba889e105f8328e6c1f'
all_build_deps = [
'ccache',
'libboost-all-dev',
'libluajit-5.1-dev',
'libsodium-dev',
- 'libssl-dev',
+ 'libssl-dev', # This will install libssl 1.1 on Debian 11 and libssl3 on Debian 12
'libsystemd-dev',
'libtool',
'make',
'libluajit-5.1-2',
'"libsnmp[1-9]+"',
'libsodium23',
- 'libssl1.1',
'libsystemd0',
'moreutils',
'pdns-tools',
'libre2-dev',
'libsnmp-dev',
]
+dnsdist_xdp_build_deps = [
+ 'libbpf-dev',
+ 'libxdp-dev',
+]
auth_test_deps = [ # FIXME: we should be generating some of these from shlibdeps in build
'authbind',
'bc',
'libcurl4',
'libgeoip1',
'libkrb5-3',
- 'libldap-2.4-2',
+ '"libldap-2.[1-9]+"',
'liblmdb0',
'libluajit-5.1-2',
'libmaxminddb0',
'libpq5',
'libsodium23',
'libsqlite3-dev',
- 'libssl1.1',
'libsystemd0',
- 'libyaml-cpp0.6',
+ '"libyaml-cpp0.[1-9]+"',
'libzmq3-dev',
'lmdb-utils',
'prometheus',
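Review bot: The new quoted entries `"libldap-2.[1-9]+"` and `"libyaml-cpp0.[1-9]+"` are regular expressions as far as apt-get is concerned (assuming this list is joined into an `apt-get install` command like the build-dependency lists are). apt matches them by substring against every package name, with `.` matching any character, so the install can pull in more packages than the one runtime library intended. Anchoring and escaping narrows the match, e.g. `r'"^libyaml-cpp0\.[1-9]+$"'`, and a leading `^` plus `\.` for the libldap entry. The existing `"libsnmp[1-9]+"` entry in the earlier list has the same shape. The `auth_test_deps` list continues past the end of this hunk.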
@task
def ci_install_rust(c, repo):
- c.sudo(f'{repo}/builder-support/helpers/install_rust.sh')
+ with c.cd(f'{repo}/builder-support/helpers/'):
+ c.run('sudo sh install_rust.sh')
def install_libdecaf(c, product):
c.run('git clone https://git.code.sf.net/p/ed448goldilocks/code /tmp/libdecaf')
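Review bot: `repo` is still interpolated unquoted, now into the `c.cd()` path, which invoke prepends as a `cd <path> && ...` shell prefix to a command that runs the script as root. A workspace path containing a space or a shell metacharacter would change what gets executed. Quoting it keeps the root-run command fixed: `with c.cd(shlex.quote(f'{repo}/builder-support/helpers/')):` (this needs `import shlex`). A one-line comment saying why the script must now run from its own directory would also help, since the reason is not visible in this hunk.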
time.sleep(5)
c.sudo('chmod 755 /var/agentx')
-@task
-def install_dnsdist_test_deps(c): # FIXME: rename this, we do way more than apt-get
- c.sudo('apt-get install -y \
- libluajit-5.1-2 \
- libboost-all-dev \
- libcap2 \
- libcdb1 \
- libcurl4-openssl-dev \
- libfstrm0 \
- libgnutls30 \
- libh2o-evloop0.13 \
- liblmdb0 \
- libnghttp2-14 \
- "libre2-[1-9]+" \
- libssl-dev \
- libsystemd0 \
- libsodium23 \
- lua-socket \
- patch \
- protobuf-compiler \
- python3-venv snmpd prometheus')
+@task(optional=['skipXDP'])
+def install_dnsdist_test_deps(c, skipXDP=False): # FIXME: rename this, we do way more than apt-get
+ deps = 'libluajit-5.1-2 \
+ libboost-all-dev \
+ libcap2 \
+ libcdb1 \
+ libcurl4-openssl-dev \
+ libfstrm0 \
+ libgnutls30 \
+ libh2o-evloop0.13 \
+ liblmdb0 \
+ libnghttp2-14 \
+ "libre2-[1-9]+" \
+ libssl-dev \
+ libsystemd0 \
+ libsodium23 \
+ lua-socket \
+ patch \
+ protobuf-compiler \
+ python3-venv snmpd prometheus'
+ if not skipXDP:
+ deps = deps + '\
+ libbpf1 \
+ libxdp1'
+
+ c.sudo(f'apt-get install -y {deps}')
c.run('sed "s/agentxperms 0700 0755 dnsdist/agentxperms 0777 0755/g" regression-tests.dnsdist/snmpd.conf | sudo tee /etc/snmp/snmpd.conf')
c.sudo('/etc/init.d/snmpd restart')
time.sleep(5)
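Review bot: The XDP packages are appended with `deps + '\ ... libbpf1 ...'`, where the only separator between `prometheus` and `libbpf1` is the indentation after the backslash-newline inside the literal. Reformatting that literal would fuse the two names into one nonexistent package. An explicit separator is sturdier, `deps += ' libbpf1 libxdp1'`, or a list joined with `' '.join(...)` as `install_dnsdist_build_deps` does. `skipXDP` is also declared `optional` while defaulting to `False`; if invoke ever delivers a caller-supplied value as a string, any non-empty string including `false` is truthy in `if not skipXDP`, so confirm how the workflow passes it. The same decorator appears on `install_dnsdist_build_deps` in the next hunk.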
def install_rec_build_deps(c):
c.sudo('apt-get install -y --no-install-recommends ' + ' '.join(all_build_deps + git_build_deps + rec_build_deps))
-@task
-def install_dnsdist_build_deps(c):
- c.sudo('apt-get install -y --no-install-recommends ' + ' '.join(all_build_deps + git_build_deps + dnsdist_build_deps))
+@task(optional=['skipXDP'])
+def install_dnsdist_build_deps(c, skipXDP=False):
+ c.sudo('apt-get install -y --no-install-recommends ' + ' '.join(all_build_deps + git_build_deps + dnsdist_build_deps + (dnsdist_xdp_build_deps if not skipXDP else [])))
@task
def ci_autoconf(c):
"-Werror=shadow",
"-Wformat=2",
"-Werror=format-security",
+ "-fstack-clash-protection",
+ "-fstack-protector-strong",
+ "-fcf-protection=full",
"-Werror=string-plus-int" if is_compiler_clang() else '',
])
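Review bot: `-fcf-protection=full` is added unconditionally, but it is an x86 (CET) option and compilers reject it on other targets. The neighbouring `-Werror=string-plus-int` line already shows how this list gates a flag on a condition. If any CI job builds on a non-x86 runner, guard it the same way: `"-fcf-protection=full" if os.uname().machine == 'x86_64' else '',`. The list and its enclosing function start outside this hunk, so which function assembles these flags is not visible here.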
"--enable-experimental-pkcs11",
"--enable-experimental-gss-tsig",
"--enable-remotebackend-zeromq",
+ "--enable-verbose-logging",
"--with-lmdb=/usr",
"--with-libdecaf" if os.getenv('DECAF_SUPPORT', 'no') == 'yes' else '',
"--prefix=/opt/pdns-auth",
@task
-def ci_rec_configure(c):
+def ci_rec_configure(c, features):
unittests = get_unit_tests()
- configure_cmd = " ".join([
- get_base_configure_cmd(),
- "--enable-nod",
- "--prefix=/opt/pdns-recursor",
- "--with-lua=luajit",
- "--with-libcap",
- "--with-net-snmp",
- "--enable-dns-over-tls",
- unittests,
- ])
+ if features == 'full':
+ configure_cmd = " ".join([
+ get_base_configure_cmd(),
+ "--prefix=/opt/pdns-recursor",
+ "--enable-option-checking",
+ "--enable-verbose-logging",
+ "--enable-dns-over-tls",
+ "--enable-nod",
+ "--with-libcap",
+ "--with-lua=luajit",
+ "--with-net-snmp",
+ unittests,
+ ])
+ else:
+ configure_cmd = " ".join([
+ get_base_configure_cmd(),
+ "--prefix=/opt/pdns-recursor",
+ "--enable-option-checking",
+ "--enable-verbose-logging",
+ "--disable-dns-over-tls",
+ "--disable-dnstap",
+ "--disable-nod",
+ "--disable-systemd",
+ "--with-lua=luajit",
+ "--without-libcap",
+ "--without-libcurl",
+ "--without-libdecaf",
+ "--without-libsodium",
+ "--without-net-snmp",
+ unittests,
+ ])
res = c.run(configure_cmd, warn=True)
if res.exited != 0:
c.run('cat config.log')
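Review bot: The `else:` branch treats every value other than `'full'` as the minimal build, so a typo or a new matrix value silently yields a recursor configured with `--disable-dns-over-tls`, `--without-libsodium` and `--disable-nod`. The job would still pass without exercising those code paths. Match the minimal value explicitly and fail on anything else: `elif features == '<minimal-value>':` followed by `else: raise ValueError(f'unknown features: {features}')`, where `<minimal-value>` is a placeholder for the name the workflow uses, which this page does not show. `features` is also a new required parameter, so every existing caller of `ci_rec_configure` has to pass it.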
--enable-dns-over-tls \
--enable-dns-over-https \
--enable-dns-over-quic \
+ --enable-dns-over-http3 \
--enable-systemd \
--prefix=/opt/dnsdist \
--with-gnutls \
features_set,
unittests,
fuzztargets,
- ' --enable-lto=thin',
+ '--enable-lto=thin',
'--prefix=/opt/dnsdist'
])
'bind-dnssec-nsec3-both',
'bind-dnssec-nsec3-optout-both',
'bind-dnssec-nsec3-narrow',
- # FIXME 'bind-dnssec-pkcs11'
+ 'bind-dnssec-pkcs11'
],
geoip = [
'geoip',
geoip_mmdb = ['geoip'],
)
-godbc_mssql_credentials = {"username": "sa", "password": "SAsa12%%"}
+godbc_mssql_credentials = {"username": "sa", "password": "SAsa12%%-not-a-secret-password"}
godbc_config = f'''
[pdns-mssql-docker]
c.sudo('DEBIAN_FRONTEND=noninteractive apt-get install -y ldap-utils')
c.sudo(f'sh -c \'echo "{auth_backend_ip_addr} ldapserver" | tee -a /etc/hosts\'')
+def setup_softhsm(c):
+ # Modify the location of the softhsm tokens and configuration directory.
+ # Enables token generation by non-root users (runner)
+ c.run('mkdir -p /opt/pdns-auth/softhsm/tokens')
+ c.run('echo "directories.tokendir = /opt/pdns-auth/softhsm/tokens" > /opt/pdns-auth/softhsm/softhsm2.conf')
+
@task
def test_auth_backend(c, backend):
pdns_auth_env_vars = f'PDNS=/opt/pdns-auth/sbin/pdns_server PDNS2=/opt/pdns-auth/sbin/pdns_server SDIG=/opt/pdns-auth/bin/sdig NOTIFY=/opt/pdns-auth/bin/pdns_notify NSEC3DIG=/opt/pdns-auth/bin/nsec3dig SAXFR=/opt/pdns-auth/bin/saxfr ZONE2SQL=/opt/pdns-auth/bin/zone2sql ZONE2LDAP=/opt/pdns-auth/bin/zone2ldap ZONE2JSON=/opt/pdns-auth/bin/zone2json PDNSUTIL=/opt/pdns-auth/bin/pdnsutil PDNSCONTROL=/opt/pdns-auth/bin/pdns_control PDNSSERVER=/opt/pdns-auth/sbin/pdns_server SDIG=/opt/pdns-auth/bin/sdig GMYSQLHOST={auth_backend_ip_addr} GMYSQL2HOST={auth_backend_ip_addr} MYSQL_HOST={auth_backend_ip_addr} PGHOST={auth_backend_ip_addr} PGPORT=5432'
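Review bot: `setup_softhsm` creates the token directory with whatever umask the runner has, and that directory is where the SoftHSM tokens, and so the generated keys, are stored. `c.run('mkdir -p -m 0700 /opt/pdns-auth/softhsm/tokens')` would keep it private to the runner user if this helper is ever used outside a throwaway container (`-m` applies only to the final `tokens` component). The path `/opt/pdns-auth/softhsm` is also spelled out twice here and again in the `SOFTHSM2_CONF=` assignment added to `test_auth_backend` in the next hunk; a module-level constant would keep the three in step. `test_auth_backend`'s body continues outside this hunk.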
c.run(f'{pdns_auth_env_vars} WITHKERBEROS=YES ./runtests')
return
+ if backend == 'bind':
+ setup_softhsm(c)
+ with c.cd('regression-tests'):
+ for variant in backend_regress_tests[backend]:
+ c.run(f'{pdns_auth_env_vars} SOFTHSM2_CONF=/opt/pdns-auth/softhsm/softhsm2.conf ./start-test-stop 5300 {variant}')
+ return
+
if backend == 'godbc_sqlite3':
setup_godbc_sqlite3(c)
with c.cd('regression-tests'):
c.run('ls -ald /var /var/agentx /var/agentx/master')
c.run('ls -al /var/agentx/master')
with c.cd('regression-tests.dnsdist'):
- c.run('DNSDISTBIN=/opt/dnsdist/bin/dnsdist LD_LIBRARY_PATH=/opt/dnsdist/lib/ ./runtests')
+ c.run('DNSDISTBIN=/opt/dnsdist/bin/dnsdist LD_LIBRARY_PATH=/opt/dnsdist/lib/ ENABLE_SUDO_TESTS=1 ./runtests')
@task
def test_regression_recursor(c):
https://scan.coverity.com/builds?project={project}', hide=True)
@task
-def ci_build_and_install_quiche(c):
+def ci_build_and_install_quiche(c, repo):
+ with open(f'{repo}/builder-support/helpers/quiche.json') as quiche_json:
+ quiche_data = json.load(quiche_json)
+ quiche_version = quiche_data['version']
+ quiche_hash = quiche_data['SHA256SUM']
+
# we have to pass -L because GitHub will do a redirect, sadly
c.run(f'curl -L -o quiche-{quiche_version}.tar.gz https://github.com/cloudflare/quiche/archive/{quiche_version}.tar.gz')
# Line below should echo two spaces between digest and name