services: tor: Add a system test.

* gnu/services/networking.scm (tor-configuration->torrc): Set PidFile to
/var/run/tor/tor.pid in the base torrc configuration.
(tor-shepherd-service) <start>: Call make-forkexec-constructor/container with
a new #:pid-file argument to tell Shepherd where to find the PID file.  Add a
a new <file-system-mapping> to its existing #:mappings argument to share
/var/run/tor with the the container.
(tor-hidden-services-activation): Update docstring.  Create /var/run/tor and
set its permissions so only the tor user can access it.
* gnu/tests/networking.scm (%test-tor, %tor-os): New variables.
(run-tor-test): New procedure.
This commit is contained in:
Chris Marusich 2018-07-22 16:23:53 -07:00
parent 526ce41930
commit 5dfd80e1c5
No known key found for this signature in database
GPG Key ID: DD409A15D822469D
2 changed files with 74 additions and 4 deletions

View File

@ -7,6 +7,7 @@
;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be> ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -612,6 +613,7 @@ demand.")))
### These lines were generated from your system configuration: ### These lines were generated from your system configuration:
User tor User tor
DataDirectory /var/lib/tor DataDirectory /var/lib/tor
PidFile /var/run/tor/tor.pid
Log notice syslog\n" port) Log notice syslog\n" port)
(for-each (match-lambda (for-each (match-lambda
@ -639,7 +641,7 @@ HiddenServicePort ~a ~a~%"
#t)))))))) #t))))))))
(define (tor-shepherd-service config) (define (tor-shepherd-service config)
"Return a <shepherd-service> running TOR." "Return a <shepherd-service> running Tor."
(match config (match config
(($ <tor-configuration> tor) (($ <tor-configuration> tor)
(let ((torrc (tor-configuration->torrc config))) (let ((torrc (tor-configuration->torrc config)))
@ -665,12 +667,17 @@ HiddenServicePort ~a ~a~%"
(writable? #t)) (writable? #t))
(file-system-mapping (file-system-mapping
(source "/dev/log") ;for syslog (source "/dev/log") ;for syslog
(target source))))) (target source))
(file-system-mapping
(source "/var/run/tor")
(target source)
(writable? #t)))
#:pid-file "/var/run/tor/tor.pid"))
(stop #~(make-kill-destructor)) (stop #~(make-kill-destructor))
(documentation "Run the Tor anonymous network overlay.")))))))) (documentation "Run the Tor anonymous network overlay."))))))))
(define (tor-hidden-service-activation config) (define (tor-hidden-service-activation config)
"Return the activation gexp for SERVICES, a list of hidden services." "Set up directories for Tor and its hidden services, if any."
#~(begin #~(begin
(use-modules (guix build utils)) (use-modules (guix build utils))
@ -686,6 +693,15 @@ HiddenServicePort ~a ~a~%"
;; The daemon bails out if we give wider permissions. ;; The daemon bails out if we give wider permissions.
(chmod directory #o700))) (chmod directory #o700)))
;; Allow Tor to write its PID file.
(mkdir-p "/var/run/tor")
(chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user))
;; Set the group permissions to rw so that if the system administrator
;; has specified UnixSocksGroupWritable=1 in their torrc file, members
;; of the "tor" group will be able to use the SOCKS socket.
(chmod "/var/run/tor" #o750)
;; Allow Tor to access the hidden services' directories.
(mkdir-p "/var/lib/tor") (mkdir-p "/var/lib/tor")
(chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user)) (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
(chmod "/var/lib/tor" #o700) (chmod "/var/lib/tor" #o700)

View File

@ -30,7 +30,7 @@
#:use-module (gnu packages bash) #:use-module (gnu packages bash)
#:use-module (gnu packages networking) #:use-module (gnu packages networking)
#:use-module (gnu services shepherd) #:use-module (gnu services shepherd)
#:export (%test-inetd %test-openvswitch %test-dhcpd)) #:export (%test-inetd %test-openvswitch %test-dhcpd %test-tor))
(define %inetd-os (define %inetd-os
;; Operating system with 2 inetd services. ;; Operating system with 2 inetd services.
@ -339,3 +339,57 @@ subnet 192.168.1.0 netmask 255.255.255.0 {
(name "dhcpd") (name "dhcpd")
(description "Test a running DHCP daemon configuration.") (description "Test a running DHCP daemon configuration.")
(value (run-dhcpd-test)))) (value (run-dhcpd-test))))
;;;
;;; Services related to Tor
;;;
(define %tor-os
(simple-operating-system
(tor-service)))
(define (run-tor-test)
(define os
(marionette-operating-system %tor-os
#:imported-modules '((gnu services herd))
#:requirements '(tor)))
(define test
(with-imported-modules '((gnu build marionette))
#~(begin
(use-modules (gnu build marionette)
(ice-9 popen)
(ice-9 rdelim)
(srfi srfi-64))
(define marionette
(make-marionette (list #$(virtual-machine os))))
(mkdir #$output)
(chdir #$output)
(test-begin "tor")
(test-assert "tor is alive"
(marionette-eval
'(begin
(use-modules (gnu services herd)
(srfi srfi-1))
(live-service-running
(find (lambda (live)
(memq 'tor
(live-service-provision live)))
(current-services))))
marionette))
(test-end)
(exit (= (test-runner-fail-count (test-runner-current)) 0)))))
(gexp->derivation "tor-test" test))
(define %test-tor
(system-test
(name "tor")
(description "Test a running Tor daemon configuration.")
(value (run-tor-test))))