add almost complete valgrind support to complement

Signed-off-by: June Clementine Strawberry <strawberry@puppygock.gay>
2025-01-28 19:09:22 -05:00 · 2025-01-28 19:09:22 -05:00 · fc2d051477
commit fc2d051477
parent 71a3855af6
6 changed files with 101 additions and 31 deletions
--- a/nix/pkgs/complement/default.nix
+++ b/nix/pkgs/complement/default.nix
@ -9,19 +9,22 @@
 , openssl
 , stdenv
 , tini
+, valgrind
 , writeShellScriptBin
 }:

 let
  main' = main.override {
-    profile = "test";
+    #profile = "test";
+    profile = "release-debuginfo";
    all_features = true;
    disable_release_max_log_level = true;
    disable_features = [
-        # no reason to use jemalloc for complement, just has compatibility/build issues
        "jemalloc"
        "jemalloc_stats"
        "jemalloc_prof"
+        "jemalloc_conf"
+        "io_uring"
        # console/CLI stuff isn't used or relevant for complement
        "console"
        "tokio_console"
@ -29,7 +32,7 @@ let
        "sentry_telemetry"
        "perf_measurements"
        # the containers don't use or need systemd signal support
-        "systemd"
+        #"systemd"
        # this is non-functional on nix for some reason
        "hardened_malloc"
        # dont include experimental features
@ -44,8 +47,50 @@ let
        "url_preview"
    ];
  };
+        # TODO: figure out why a suspicious amounnt of complement tests fail with valgrind only under complement.
+        # maybe issue with direct TLS mode?
+        #${lib.getExe' valgrind "valgrind"} \
+        #--leak-check=no \
+        #--undef-value-errors=no \
+        #--exit-on-first-error=yes \
+        #--error-exitcode=1 \

-  start = writeShellScriptBin "start" ''
+  # valgrind only works in non-static ocntexts
+  start = if !stdenv.hostPlatform.isStatic then writeShellScriptBin "start" ''
+    set -euxo pipefail
+
+    ${lib.getExe openssl} genrsa -out private_key.key 2048
+    ${lib.getExe openssl} req \
+      -new \
+      -sha256 \
+      -key private_key.key \
+      -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$SERVER_NAME" \
+      -out signing_request.csr
+    cp ${./v3.ext} v3.ext
+    echo "DNS.1 = $SERVER_NAME" >> v3.ext
+    echo "IP.1 = $(${lib.getExe gawk} 'END{print $1}' /etc/hosts)" \
+      >> v3.ext
+    ${lib.getExe openssl} x509 \
+      -req \
+      -extfile v3.ext \
+      -in signing_request.csr \
+      -CA /complement/ca/ca.crt \
+      -CAkey /complement/ca/ca.key \
+      -CAcreateserial \
+      -out certificate.crt \
+      -days 1 \
+      -sha256
+
+    ${lib.getExe' coreutils "env"} \
+      CONDUWUIT_SERVER_NAME="$SERVER_NAME" \
+      TMPDIR="/" \
+        ${lib.getExe' valgrind "valgrind"} \
+          --leak-check=no \
+          --undef-value-errors=no \
+          --exit-on-first-error=yes \
+          --error-exitcode=1 \
+            ${lib.getExe main'}
+  '' else writeShellScriptBin "start" ''
    set -euxo pipefail

    ${lib.getExe openssl} genrsa -out private_key.key 2048
@ -90,6 +135,7 @@ dockerTools.buildImage {
      coreutils
      main'
      start
+      valgrind
    ];
  };