logrotate: add logrotate-checkconf.service

the build-time check is not safe (e.g. doesn't protect from bad users or nomissingok paths missing), so add a new unit for configuration switch time check
2 years ago · 829c611b48
parent b0a04e4105
commit 829c611b48
2 changed files with 33 additions and 1 deletions
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@ -300,7 +300,10 @@ in
          for example, the test does not know about existing files and system users are
          not known.
          These limitations mean we must adjust the file for tests (missingok is forced
-          and users are replaced by dummy users).
+          and users are replaced by dummy users), so tests are complemented by a
+          logrotate-checkconf service that is enabled by default.
+          This extra check can be disabled by disabling it at the systemd level with the
+          <option>services.systemd.services.logrotate-checkconf.enable</option> option.

          Conversely there are still things that might make this check fail incorrectly
          (e.g. a file path where we don't have access to intermediate directories):
@ -387,5 +390,14 @@ in
        ExecStart = "${pkgs.logrotate}/sbin/logrotate ${mailOption} ${cfg.configFile}";
      };
    };
+    systemd.services.logrotate-checkconf = {
+      description = "Logrotate configuration check";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${pkgs.logrotate}/sbin/logrotate --debug ${cfg.configFile}";
+      };
+    };
  };
 }
--- a/nixos/tests/logrotate.nix
+++ b/nixos/tests/logrotate.nix
@ -17,6 +17,12 @@ import ./make-test-python.nix ({ pkgs, ... }: rec {

  nodes = {
    defaultMachine = { ... }: { };
+    failingMachine = { ... }: {
+      services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
+        # self-written config file
+        su notarealuser notagroupeither
+      '';
+    };
    machine = { config, ... }: {
      imports = [ importTest ];

@ -128,5 +134,19 @@ import ./make-test-python.nix ({ pkgs, ... }: rec {
              "[[ $(sed -ne '/\"compat_keep\" {/,/}/p' /tmp/logrotate.conf | grep -w rotate) = \"  rotate 1\" ]]",
              "! sed -ne '/\"compat_keep\" {/,/}/p' /tmp/logrotate.conf | grep -w keep",
          )
+          # also check configFile option
+          failingMachine.succeed(
+              "conf=$(systemctl cat logrotate | grep -oE '/nix/store[^ ]*logrotate.conf'); cp $conf /tmp/logrotate.conf",
+              "grep 'self-written config' /tmp/logrotate.conf",
+          )
+      with subtest("Check logrotate-checkconf service"):
+          machine.wait_for_unit("logrotate-checkconf.service")
+          # wait_for_unit also asserts for success, so wait for
+          # parent target instead and check manually.
+          failingMachine.wait_for_unit("multi-user.target")
+          info = failingMachine.get_unit_info("logrotate-checkconf.service")
+          if info["ActiveState"] != "failed":
+              raise Exception('logrotate-checkconf.service was not failed')
+
    '';
 })