movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

Merge pull request #256226 from ElvishJerricco/systemd-stage-1-testing-backdoor

Browse source
This commit is contained in:
Ryan Lahfa 2023-11-10 14:08:07 +01:00 committed by GitHub
commit b8218af2e6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 215 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2311.section.md
View file

@ -556,3 +556,5 @@ The module update takes care of the new config syntax and the data itself (user
- `teleport` has been upgraded from major version 12 to major version 14. Please see upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and release notes for versions [13](https://goteleport.com/docs/changelog/#1300-050823) and [14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting `services.teleport.package = pkgs.teleport_13`. Afterwards, this option can be removed to upgrade to the default version (14). - `teleport` has been upgraded from major version 12 to major version 14. Please see upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and release notes for versions [13](https://goteleport.com/docs/changelog/#1300-050823) and [14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting `services.teleport.package = pkgs.teleport_13`. Afterwards, this option can be removed to upgrade to the default version (14).
- The Linux kernel module `msr` (see [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via `hardware.cpu.x86.msr`. - The Linux kernel module `msr` (see [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via `hardware.cpu.x86.msr`.
- There is a new NixOS option when writing NixOS tests `testing.initrdBackdoor`, that enables `backdoor.service` in initrd. Requires `boot.initrd.systemd.enable` to be enabled. Boot will pause in stage 1 at `initrd.target`, and will listen for commands from the `Machine` python interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Use `machine.switch_root()` to leave stage 1 and proceed to stage 2.

16
nixos/lib/test-driver/test_driver/machine.py
View file

@ -1278,3 +1278,19 @@ class Machine:
def run_callbacks(self) -> None: def run_callbacks(self) -> None:
for callback in self.callbacks: for callback in self.callbacks:
callback() callback()
def switch_root(self) -> None:
"""
Transition from stage 1 to stage 2. This requires the
machine to be configured with `testing.initrdBackdoor = true`
and `boot.initrd.systemd.enable = true`.
"""
self.wait_for_unit("initrd.target")
self.execute(
"systemctl isolate --no-block initrd-switch-root.target 2>/dev/null >/dev/null",
check_return=False,
check_output=False,
)
self.wait_for_console_text(r"systemd\[1\]:.*Switching root\.")
self.connected = False
self.connect()

134
nixos/modules/testing/test-instrumentation.nix
View file

@ -6,49 +6,109 @@
with lib; with lib;
let let
cfg = config.testing;
qemu-common = import ../../lib/qemu-common.nix { inherit lib pkgs; }; qemu-common = import ../../lib/qemu-common.nix { inherit lib pkgs; };
backdoorService = {
wantedBy = [ "sysinit.target" ];
unitConfig.DefaultDependencies = false;
conflicts = [ "shutdown.target" "initrd-switch-root.target" ];
before = [ "shutdown.target" "initrd-switch-root.target" ];
requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ];
after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ];
script =
''
export USER=root
export HOME=/root
export DISPLAY=:0.0
if [[ -e /etc/profile ]]; then
source /etc/profile
fi
# Don't use a pager when executing backdoor
# actions. Because we use a tty, commands like systemctl
# or nix-store get confused into thinking they're running
# interactively.
export PAGER=
cd /tmp
exec < /dev/hvc0 > /dev/hvc0
while ! exec 2> /dev/${qemu-common.qemuSerialDevice}; do sleep 0.1; done
echo "connecting to host..." >&2
stty -F /dev/hvc0 raw -echo # prevent nl -> cr/nl conversion
# The following line is essential since it signals to
# the test driver that the shell is ready.
# See: the connect method in the Machine class.
echo "Spawning backdoor root shell..."
# Passing the terminal device makes bash run non-interactively.
# Otherwise we get errors on the terminal because bash tries to
# setup things like job control.
# Note: calling bash explicitly here instead of sh makes sure that
# we can also run non-NixOS guests during tests.
PS1= exec /usr/bin/env bash --norc /dev/hvc0
'';
serviceConfig.KillSignal = "SIGHUP";
};
in in
{ {
options.testing = {
initrdBackdoor = lib.mkEnableOption (lib.mdDoc ''
enable backdoor.service in initrd. Requires
boot.initrd.systemd.enable to be enabled. Boot will pause in
stage 1 at initrd.target, and will listen for commands from the
Machine python interface, just like stage 2 normally does. This
enables commands to be sent to test and debug stage 1. Use
machine.switch_root() to leave stage 1 and proceed to stage 2.
'');
};
config = { config = {
systemd.services.backdoor = assertions = [
{ wantedBy = [ "multi-user.target" ]; {
requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; assertion = cfg.initrdBackdoor -> config.boot.initrd.systemd.enable;
after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; message = ''
script = testing.initrdBackdoor requires boot.initrd.systemd.enable to be enabled.
'' '';
export USER=root }
export HOME=/root ];
export DISPLAY=:0.0
source /etc/profile systemd.services.backdoor = backdoorService;
# Don't use a pager when executing backdoor boot.initrd.systemd = lib.mkMerge [
# actions. Because we use a tty, commands like systemctl {
# or nix-store get confused into thinking they're running contents."/etc/systemd/journald.conf".text = ''
# interactively. [Journal]
export PAGER= ForwardToConsole=yes
MaxLevelConsole=debug
'';
cd /tmp extraConfig = config.systemd.extraConfig;
exec < /dev/hvc0 > /dev/hvc0 }
while ! exec 2> /dev/${qemu-common.qemuSerialDevice}; do sleep 0.1; done
echo "connecting to host..." >&2 (lib.mkIf cfg.initrdBackdoor {
stty -F /dev/hvc0 raw -echo # prevent nl -> cr/nl conversion # Implemented in machine.switch_root(). Suppress the unit by
# The following line is essential since it signals to # making it a noop without removing it, which would break
# the test driver that the shell is ready. # initrd-parse-etc.service
# See: the connect method in the Machine class. services.initrd-cleanup.serviceConfig.ExecStart = [
echo "Spawning backdoor root shell..." # Reset
# Passing the terminal device makes bash run non-interactively. ""
# Otherwise we get errors on the terminal because bash tries to # noop
# setup things like job control. "/bin/true"
# Note: calling bash explicitly here instead of sh makes sure that ];
# we can also run non-NixOS guests during tests.
PS1= exec /usr/bin/env bash --norc /dev/hvc0 services.backdoor = backdoorService;
'';
serviceConfig.KillSignal = "SIGHUP"; contents."/usr/bin/env".source = "${pkgs.coreutils}/bin/env";
}; })
];
# Prevent agetty from being instantiated on the serial device, since it # Prevent agetty from being instantiated on the serial device, since it
# interferes with the backdoor (writes to it will randomly fail # interferes with the backdoor (writes to it will randomly fail
@ -104,12 +164,6 @@ in
MaxLevelConsole=debug MaxLevelConsole=debug
''; '';
boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = ''
[Journal]
ForwardToConsole=yes
MaxLevelConsole=debug
'';
systemd.extraConfig = '' systemd.extraConfig = ''
# Don't clobber the console with duplicate systemd messages. # Don't clobber the console with duplicate systemd messages.
ShowStatus=no ShowStatus=no
@ -123,8 +177,6 @@ in
DefaultDeviceTimeoutSec=300 DefaultDeviceTimeoutSec=300
''; '';
boot.initrd.systemd.extraConfig = config.systemd.extraConfig;
boot.consoleLogLevel = 7; boot.consoleLogLevel = 7;
# Prevent tests from accessing the Internet. # Prevent tests from accessing the Internet.

7
nixos/tests/systemd-initrd-modprobe.nix
View file

@ -2,6 +2,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
name = "systemd-initrd-modprobe"; name = "systemd-initrd-modprobe";
nodes.machine = { pkgs, ... }: { nodes.machine = { pkgs, ... }: {
testing.initrdBackdoor = true;
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
boot.initrd.kernelModules = [ "loop" ]; # Load module in initrd. boot.initrd.kernelModules = [ "loop" ]; # Load module in initrd.
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''
@ -10,6 +11,12 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
}; };
testScript = '' testScript = ''
machine.wait_for_unit("initrd.target")
max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop")
assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules"
# Make sure it sticks in stage 2
machine.switch_root()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop")
assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules" assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules"

52
nixos/tests/systemd-initrd-networkd-ssh.nix
View file

@ -4,34 +4,16 @@ import ./make-test-python.nix ({ lib, ... }: {
nodes = { nodes = {
server = { config, pkgs, ... }: { server = { config, pkgs, ... }: {
environment.systemPackages = [ pkgs.cryptsetup ]; testing.initrdBackdoor = true;
boot.loader.systemd-boot.enable = true; boot.initrd.systemd.enable = true;
boot.loader.timeout = 0; boot.initrd.systemd.contents."/etc/msg".text = "foo";
virtualisation = { boot.initrd.network = {
emptyDiskImages = [ 4096 ]; enable = true;
useBootLoader = true; ssh = {
# Booting off the encrypted disk requires an available init script from
# the Nix store
mountHostNixStore = true;
useEFIBoot = true;
};
specialisation.encrypted-root.configuration = {
virtualisation.rootDevice = "/dev/mapper/root";
virtualisation.fileSystems."/".autoFormat = true;
boot.initrd.luks.devices = lib.mkVMOverride {
root.device = "/dev/vdb";
};
boot.initrd.systemd.enable = true;
boot.initrd.network = {
enable = true; enable = true;
ssh = { authorizedKeys = [ (lib.readFile ./initrd-network-ssh/id_ed25519.pub) ];
enable = true; port = 22;
authorizedKeys = [ (lib.readFile ./initrd-network-ssh/id_ed25519.pub) ]; hostKeys = [ ./initrd-network-ssh/ssh_host_ed25519_key ];
port = 22;
# Terrible hack so it works with useBootLoader
hostKeys = [ { outPath = "${./initrd-network-ssh/ssh_host_ed25519_key}"; } ];
};
}; };
}; };
}; };
@ -63,24 +45,16 @@ import ./make-test-python.nix ({ lib, ... }: {
status, _ = client.execute("nc -z server 22") status, _ = client.execute("nc -z server 22")
return status == 0 return status == 0
server.wait_for_unit("multi-user.target")
server.succeed(
"echo somepass | cryptsetup luksFormat --type=luks2 /dev/vdb",
"bootctl set-default nixos-generation-1-specialisation-encrypted-root.conf",
"sync",
)
server.shutdown()
server.start()
client.wait_for_unit("network.target") client.wait_for_unit("network.target")
with client.nested("waiting for SSH server to come up"): with client.nested("waiting for SSH server to come up"):
retry(ssh_is_up) retry(ssh_is_up)
client.succeed( msg = client.succeed(
"echo somepass | ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'systemd-tty-ask-password-agent' & exit" "ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'cat /etc/msg'"
) )
assert "foo" in msg
server.switch_root()
server.wait_for_unit("multi-user.target") server.wait_for_unit("multi-user.target")
server.succeed("mount | grep '/dev/mapper/root on /'")
''; '';
}) })

134
nixos/tests/systemd-initrd-networkd.nix
View file

@ -1,14 +1,36 @@
import ./make-test-python.nix ({ pkgs, lib, ... }: { { system ? builtins.currentSystem
name = "systemd-initrd-network"; , config ? {}
meta.maintainers = [ lib.maintainers.elvishjerricco ]; , pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
}:
nodes = let with import ../lib/testing-python.nix { inherit system pkgs; };
mkFlushTest = flush: script: { ... }: {
boot.initrd.systemd.enable = true; let
boot.initrd.network = { inherit (lib.maintainers) elvishjerricco;
enable = true;
flushBeforeStage2 = flush; common = {
}; boot.initrd.systemd = {
enable = true;
network.wait-online.timeout = 10;
network.wait-online.anyInterface = true;
targets.network-online.requiredBy = [ "initrd.target" ];
services.systemd-networkd-wait-online.requiredBy =
[ "network-online.target" ];
initrdBin = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ];
};
testing.initrdBackdoor = true;
boot.initrd.network.enable = true;
};
mkFlushTest = flush: script: makeTest {
name = "systemd-initrd-network-${lib.optionalString (!flush) "no-"}flush";
meta.maintainers = [ elvishjerricco ];
nodes.machine = {
imports = [ common ];
boot.initrd.network.flushBeforeStage2 = flush;
systemd.services.check-flush = { systemd.services.check-flush = {
requiredBy = ["multi-user.target"]; requiredBy = ["multi-user.target"];
before = ["network-pre.target" "multi-user.target"]; before = ["network-pre.target" "multi-user.target"];
@ -19,57 +41,53 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
inherit script; inherit script;
}; };
}; };
in {
basic = { ... }: {
boot.initrd.network.enable = true;
boot.initrd.systemd = { testScript = ''
enable = true; machine.wait_for_unit("network-online.target")
# Enable network-online to fail the test in case of timeout machine.succeed(
network.wait-online.timeout = 10; "ip addr | grep 10.0.2.15",
network.wait-online.anyInterface = true; "ping -c1 10.0.2.2",
targets.network-online.requiredBy = [ "initrd.target" ]; )
services.systemd-networkd-wait-online.requiredBy = machine.switch_root()
[ "network-online.target" ];
initrdBin = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; machine.wait_for_unit("multi-user.target")
services.check = {
requiredBy = [ "initrd.target" ];
before = [ "initrd.target" ];
after = [ "network-online.target" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ];
script = ''
ip addr | grep 10.0.2.15 || exit 1
ping -c1 10.0.2.2 || exit 1
'';
};
};
};
doFlush = mkFlushTest true ''
if ip addr | grep 10.0.2.15; then
echo "Network configuration survived switch-root; flushBeforeStage2 failed"
exit 1
fi
'';
dontFlush = mkFlushTest false ''
if ! (ip addr | grep 10.0.2.15); then
echo "Network configuration didn't survive switch-root"
exit 1
fi
''; '';
}; };
testScript = '' in {
start_all() basic = makeTest {
basic.wait_for_unit("multi-user.target") name = "systemd-initrd-network";
doFlush.wait_for_unit("multi-user.target") meta.maintainers = [ elvishjerricco ];
dontFlush.wait_for_unit("multi-user.target")
# Make sure the systemd-network user was set correctly in initrd nodes.machine = common;
basic.succeed("[ $(stat -c '%U,%G' /run/systemd/netif/links) = systemd-network,systemd-network ]")
basic.succeed("ip addr show >&2") testScript = ''
basic.succeed("ip route show >&2") machine.wait_for_unit("network-online.target")
machine.succeed(
"ip addr | grep 10.0.2.15",
"ping -c1 10.0.2.2",
)
machine.switch_root()
# Make sure the systemd-network user was set correctly in initrd
machine.wait_for_unit("multi-user.target")
machine.succeed("[ $(stat -c '%U,%G' /run/systemd/netif/links) = systemd-network,systemd-network ]")
machine.succeed("ip addr show >&2")
machine.succeed("ip route show >&2")
'';
};
doFlush = mkFlushTest true ''
if ip addr | grep 10.0.2.15; then
echo "Network configuration survived switch-root; flushBeforeStage2 failed"
exit 1
fi
''; '';
})
dontFlush = mkFlushTest false ''
if ! (ip addr | grep 10.0.2.15); then
echo "Network configuration didn't survive switch-root"
exit 1
fi
'';
}

12
nixos/tests/systemd-initrd-simple.nix
View file

@ -2,16 +2,19 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
name = "systemd-initrd-simple"; name = "systemd-initrd-simple";
nodes.machine = { pkgs, ... }: { nodes.machine = { pkgs, ... }: {
boot.initrd.systemd = { testing.initrdBackdoor = true;
enable = true; boot.initrd.systemd.enable = true;
emergencyAccess = true;
};
virtualisation.fileSystems."/".autoResize = true; virtualisation.fileSystems."/".autoResize = true;
}; };
testScript = '' testScript = ''
import subprocess import subprocess
with subtest("testing initrd backdoor"):
machine.wait_for_unit("initrd.target")
machine.succeed("systemctl status initrd-fs.target")
machine.switch_root()
with subtest("handover to stage-2 systemd works"): with subtest("handover to stage-2 systemd works"):
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover
@ -37,6 +40,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"]) subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])
machine.start() machine.start()
machine.switch_root()
newAvail = machine.succeed("df --output=avail / | sed 1d") newAvail = machine.succeed("df --output=avail / | sed 1d")
assert int(oldAvail) < int(newAvail), "File system did not grow" assert int(oldAvail) < int(newAvail), "File system did not grow"