slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security
MIT License

🐛 BUG: tests fail after 2027-11-11 #1124

Open bmwiedemann opened 2 months ago

bmwiedemann commented 2 months ago

What version of nebula are you using? (nebula -version)

1.8.2

What operating system are you using?

openSUSE Tumbleweed

Describe the Bug

While working on reproducible builds for openSUSE, I found that our nebula-1.8.2 package fails build-tests after 2027-11-11.

To reproduce on Debian or openSUSE, use

    osc checkout openSUSE:Factory/nebula && cd $_
    osc build --no-service --vm-type=kvm --build-opt=--vm-custom-opt=-rtc\ base=2027-11-12T00:00:00 standard

or set the system time instead.

Background: As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. The usual offset is +16 years, because that is how long I expect some software will be used in some places. This showed up failing tests in our package build.

Logs from affected hosts

build log (from year 2040):

 === RUN   TestNewCAPoolFromBytes
     cert_test.go:596: 
                Error Trace:    /home/abuild/rpmbuild/BUILD/nebula-1.8.2/cert/cert_test.go:596
                Error:          Expected nil, but got: &errors.errorString{s:"certificate is expired"}
                Test:           TestNewCAPoolFromBytes
     cert_test.go:601: 
                Error Trace:    /home/abuild/rpmbuild/BUILD/nebula-1.8.2/cert/cert_test.go:601
                Error:          Expected nil, but got: &errors.errorString{s:"certificate is expired"}
                Test:           TestNewCAPoolFromBytes
     cert_test.go:619: 
                Error Trace:    /home/abuild/rpmbuild/BUILD/nebula-1.8.2/cert/cert_test.go:619
                Error:          Expected nil, but got: &errors.errorString{s:"certificate is expired"}
                Test:           TestNewCAPoolFromBytes
 --- FAIL: TestNewCAPoolFromBytes (0.00s) 
 === RUN   TestUnmrshalCertPEM

Config files from affected hosts

johnmaguire commented 1 month ago

We should be able to update the tests with new certs with longer expirations (say 100 or 1000 years.)

@nbrownus informed me that one of the tests has an embedded cert from the initial implementation of nebula-cert which may have a slightly different protobuf representation than we have today. In order to update the tests, we'll need to check out the old code (from before it was released publicly) and generate a new cert using that iteration of the tool.

This is on my radar.
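
The failure mode in this issue, as an added example that is not part of the thread and not Nebula's code: a test certificate with a fixed expiry verifies today but fails once the build clock passes that date, while a long-lived one keeps passing. It assumes Go's standard X.509 as a stand-in for Nebula's own certificate format; `newTestCert`, `validAt` and all dates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newTestCert makes a self-signed X.509 cert (a stand-in for a Nebula cert, by assumption).
func newTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validAt verifies cert as its own root with the clock pinned to at, not time.Now().
func validAt(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

func main() {
	issued := time.Date(2017, 11, 11, 0, 0, 0, 0, time.UTC) // constructed dates
	future := time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC)   // build clock set ahead
	for _, years := range []int{10, 1000} {
		cert, err := newTestCert(issued, issued.AddDate(years, 0, 0))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d-year cert checked in 2040: %v\n", years, validAt(cert, future))
	}
}
```

Pinning the verification time, as `validAt` does, is a second way to keep such a test deterministic when regenerating the fixture is not practical.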