Commit graph

11 commits

Author SHA1 Message Date
Wolfgang Walther
3d29b7d3a2
nixos/postgresql: improve local peer authentication with default map
This allows to easily map allowed database roles to system users.
2025-05-11 10:24:21 +02:00
Wolfgang Walther
dd5fd6cc22
postgresql: always build with JIT enabled
This changes the build to always enable JIT - but to only enable it at
run-time, when required. This keeps the runtime closure small without
JIT, but allows enabling it without a rebuild. We can do this, because
JIT is actually built as a shared module, which is loaded at run-time.
We put it into a -jit output and only link it into the environment when
requested.

Under the hood, this uses withPackages and adds the "JIT package" -
thus, to be able to use withPackages on top of that, we also need to be
able to apply withPackages repeatedly.

This cuts down the number of NixOS tests in half, because we don't need
to run it for every version with and without JIT anymore. There really
is no point in running everything with llvmjit.so in place, when the
queries are not making use of it anyway.

Also, we only need to build each extension once and not twice, further
reducing the number of rebuilds required for PRs touching postgresql.
2025-04-05 20:00:13 +02:00
Wolfgang Walther
cd972edfe4
postgresqlJitPackages.plv8: unbreak
This was originally marked as broken, because plv8 hardcoded gcc in its
Makefile. This has been resolved upstream in the meantime, so it builds
fine.
2025-04-05 13:41:30 +02:00
Maximilian Bosch
eb96c8dc5b
postgresql: refactor postgresqlVersions attribute & tests
Every postgresql testcase essentially does the following things:

* Filter `postgresqlVersions` for server packages
* Filter postgresql server packages for suitable ones (i.e. extensions
  must support the given version)
* Generate an attribute-set of testcases

The first item became necessary in
7ab1e88833 given that
`postgresql/default.nix` now exposes JIT and non-JIT servers AND a
`libpq` that is not suitable for the tests here.

This changes restructures this a little bit, i.e.:

* Having an attribute-set that contains a bunch of postgresql servers
  and a single client package seems odd (and the sole consumer of
  `postgresqlVersions` in nixpkgs, the test suite, has to take that into
  account). Hence, postgresql's default.nix now provides `libpq` (the client)
  and a `postgresqlVersions` attribute with all supported JIT and non-JIT
  variants of postgresql.

* Each test-case gets a third argument, a function called `genTests`:
  this function sets `recurseForDerivations = true;` and generates an
  attribute-set of tests for each postgresql version given a function
  that returns a testcase or multiple test-cases (`makeTestFor`). The
  argument to `makeTestFor` is a postgresql server package.

  This function also accepts a filter predicate that is passed against
  `filterAttrs` to remove postgresql server packages that are not
  suitable for the test (e.g. because the version isn't supported by the
  extension to test).

I checked by making sure that the `.drv` doesn't change on staging with
this change on top for postgresq, postgresql-jit,
postgresql-wal-receiver, postgresql-tls-client-cert, anonymizer, pgjwt,
pgvecto-rs, timescaledb, tsja and wal2json.
2025-01-26 21:58:57 +01:00
Maximilian Bosch
7ab1e88833
nixosTests.postgresql.*: fix eval
The `libpq` attribute from `postgresqlVersions` doesn't have a `pkgs`
attribute with extensions in it. Filtering for postgresql server
packages only fixes the problem.

Reported in https://github.com/NixOS/nixpkgs/pull/359659#issuecomment-2601045449
2025-01-20 14:29:01 +01:00
Maximilian Bosch
68d9643388
nixos/tests/postgresql: test plv8 hardening on non-JIT variants only
PostgreSQL with JIT support enabled doesn't work with plv8. Hence, we'd
get an evaluation failure for each
`nixosTests.postgresql.postgresql.postgresql_jit_X`.

This should be restructured in the future (less VM tests for custom
extensions, but a single VM test for this case to cover). For now, we
should get this fix out and this is a good-enough approach.
2024-11-16 21:16:06 +01:00
Martin Weinelt
e198536d26
nixosTests.postgresql: test hardening gets relaxed
The plv8 plugin requires access to pkey syscalls. The execution will
crash hard when it is not allowed by the syscall filter.

Co-Authored-By: Jan Tojnar <jtojnar@gmail.com>
2024-11-16 17:29:34 +01:00
Wolfgang Walther
9486472352
nixosTests.postgresql: run tests with JIT as well
This was intended for quite some time already, but ever since enableJIT
was changed to be the source of truth of JIT-iness for the PostgreSQL
module, this hasn't worked for the tests anymore.
2024-11-12 21:04:41 +01:00
Wolfgang Walther
45cef36e39
nixosTests.postgresql: run nixfmt
Because with as many changes as in here anybody working on those test
files will have merge conflicts anyway.
2024-11-09 18:24:52 +01:00
Wolfgang Walther
128244b598
nixosTests.postgresql: use a common pattern throughout all tests
Avoiding "with", using the same names and basic structure in each test.

Consistency is key!
2024-11-09 18:24:52 +01:00
Wolfgang Walther
9035573855
nixosTests.postgresql: move all postgresql related nixosTests into one folder
This makes it possible to run all those tests at once by building
nixosTests.postgresql and allow a simple entry to ci/OWNERS for all
tests.
2024-11-09 18:24:52 +01:00
Renamed from nixos/tests/postgresql.nix (Browse further)