nixos/test-driver: add backdoor based on systemd-ssh-proxy & AF_VSOCK (#392030)

2025-06-11 20:25:32 +03:00 · 2025-05-09 08:03:55 +02:00 · 2025-05-09 08:03:55 +02:00 · 8b3baa1402
commit 8b3baa1402
parent 907e98d6cc 8869265f93
7 changed files with 100 additions and 4 deletions
--- a/nixos/lib/test-driver/src/test_driver/init.py
+++ b/nixos/lib/test-driver/src/test_driver/init.py
@ -109,6 +109,11 @@ def main() -> None:
        help="the test script to run",
        type=Path,
    )
+    arg_parser.add_argument(
+        "--dump-vsocks",
+        help="indicates that the interactive SSH backdoor is active and dumps information about it on start",
+        action="store_true",
+    )

    args = arg_parser.parse_args()

@ -136,6 +141,8 @@ def main() -> None:
        if args.interactive:
            history_dir = os.getcwd()
            history_path = os.path.join(history_dir, ".nixos-test-history")
+            if args.dump_vsocks:
+                driver.dump_machine_ssh()
            ptpython.ipython.embed(
                user_ns=driver.test_symbols(),
                history_filename=history_path,
--- a/nixos/lib/test-driver/src/test_driver/driver.py
+++ b/nixos/lib/test-driver/src/test_driver/driver.py
@ -11,6 +11,8 @@ from pathlib import Path
 from typing import Any
 from unittest import TestCase

+from colorama import Style
+
 from test_driver.errors import MachineError, RequestedAssertionFailed
 from test_driver.logger import AbstractLogger
 from test_driver.machine import Machine, NixStartScript, retry
@ -176,6 +178,19 @@ class Driver:
        )
        return {**general_symbols, **machine_symbols, **vlan_symbols}

+    def dump_machine_ssh(self) -> None:
+        print("SSH backdoor enabled, the machines can be accessed like this:")
+        print(
+            f"{Style.BRIGHT}Note:{Style.RESET_ALL} this requires {Style.BRIGHT}systemd-ssh-proxy(1){Style.RESET_ALL} to be enabled (default on NixOS 25.05 and newer)."
+        )
+        names = [machine.name for machine in self.machines]
+        longest_name = len(max(names, key=len))
+        for num, name in enumerate(names, start=3):
+            spaces = " " * (longest_name - len(name) + 2)
+            print(
+                f"    {name}:{spaces}{Style.BRIGHT}ssh -o User=root vsock/{num}{Style.RESET_ALL}"
+            )
+
    def test_script(self) -> None:
        """Run the test script"""
        with self.logger.nested("run the VM test script"):
--- a/nixos/lib/testing-python.nix
+++ b/nixos/lib/testing-python.nix
@ -75,6 +75,7 @@ pkgs.lib.throwIf (args ? specialArgs)
          ),
        extraPythonPackages ? (_: [ ]),
        interactive ? { },
+        sshBackdoor ? { },
      }@t:
      let
        testConfig =
--- a/nixos/lib/testing/nodes.nix
+++ b/nixos/lib/testing/nodes.nix
@ -13,6 +13,7 @@ let
    mapAttrs
    mkDefault
    mkIf
+    mkMerge
    mkOption
    mkForce
    optional
@ -77,6 +78,14 @@ in
 {

  options = {
+    sshBackdoor = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to turn on the VSOCK-based access to all VMs. This provides an unauthenticated access intended for debugging.";
+      };
+    };
+
    node.type = mkOption {
      type = types.raw;
      default = baseOS.type;
@ -172,10 +181,19 @@ in

    passthru.nodes = config.nodesCompat;

-    defaults = mkIf config.node.pkgsReadOnly {
-      nixpkgs.pkgs = config.node.pkgs;
-      imports = [ ../../modules/misc/nixpkgs/read-only.nix ];
-    };
+    extraDriverArgs = mkIf config.sshBackdoor.enable [
+      "--dump-vsocks"
+    ];
+
+    defaults = mkMerge [
+      (mkIf config.node.pkgsReadOnly {
+        nixpkgs.pkgs = config.node.pkgs;
+        imports = [ ../../modules/misc/nixpkgs/read-only.nix ];
+      })
+      (mkIf config.sshBackdoor.enable {
+        testing.sshBackdoor.enable = true;
+      })
+    ];

  };
 }