From c6978e8a58ff5a9fc1ab30310dedbdfc3f5ebc42 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Mon, 12 May 2025 15:27:24 +0200
Subject: [PATCH] nixos/test-driver: exit early if /dev/vhost-vsock isn't available
Right now it wrongly seems as if you can set `sshBackdoor.enable = true;` for each test and not only for debugging purposes. This is wrong however since you'd need to pass /dev/vhost-vsock into the sandbox for this (which is also a prerequisite for #392117). To make that clear, two things were changed:
* add a warning to the manual to communicate this.
* exit both interactive and non-interactive driver early if /dev/vhost-vsock is missing and the ssh backdoor is enabled. If that's the case, we pass a CLI flag to the driver already in the interactive case. This change also sets the flag for the non-interactive case. That way we also get a better error if somebody tries to enable this on a system that doesn't support that.
---
...nning-nixos-tests-interactively.section.md | 11 ++++++-
nixos/lib/testing/run.nix | 33 ++++++++++---------
2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/nixos/doc/manual/development/running-nixos-tests-interactively.section.md b/nixos/doc/manual/development/running-nixos-tests-interactively.section.md
index b29f6df5bdaa..38d1e5916072 100644
--- a/nixos/doc/manual/development/running-nixos-tests-interactively.section.md
+++ b/nixos/doc/manual/development/running-nixos-tests-interactively.section.md
@@ -71,10 +71,19 @@ An SSH-based backdoor to log into machines can be enabled with { name = "…"; nodes.machines = { /* … */ }; - sshBackdoor.enable = true; + interactive.sshBackdoor.enable = true; } ``` +::: {.warning} +Make sure to only enable the backdoor for interactive tests +(i.e. by using `interactive.sshBackdoor.enable`)! This is the only +supported configuration. + +Running a test in a sandbox with this will fail because `/dev/vhost-vsock` isn't available +in the sandbox. +::: + This creates a [vsock socket](https://man7.org/linux/man-pages/man7/vsock.7.html) for each VM to log in with SSH. This configures root login with an empty password. diff --git a/nixos/lib/testing/run.nix b/nixos/lib/testing/run.nix index 4ea0b1e9a034..f37aa1bcd0e5 100644 --- a/nixos/lib/testing/run.nix +++ b/nixos/lib/testing/run.nix 
@@ -43,27 +43,30 @@ in }; config = { - rawTestDerivation = hostPkgs.stdenv.mkDerivation { - name = "vm-test-run-${config.name}"; + rawTestDerivation = + assert lib.assertMsg (!config.sshBackdoor.enable) + "The SSH backdoor is currently not supported for non-interactive testing! Please make sure to only set `interactive.sshBackdoor.enable = true;`!"; + hostPkgs.stdenv.mkDerivation { + name = "vm-test-run-${config.name}"; - requiredSystemFeatures = - [ "nixos-test" ] - ++ lib.optionals hostPkgs.stdenv.hostPlatform.isLinux [ "kvm" ] - ++ lib.optionals hostPkgs.stdenv.hostPlatform.isDarwin [ "apple-virt" ]; + requiredSystemFeatures = + [ "nixos-test" ] + ++ lib.optionals hostPkgs.stdenv.hostPlatform.isLinux [ "kvm" ] + ++ lib.optionals hostPkgs.stdenv.hostPlatform.isDarwin [ "apple-virt" ]; - buildCommand = '' - mkdir -p $out + buildCommand = '' + mkdir -p $out - # effectively mute the XMLLogger - export LOGFILE=/dev/null + # effectively mute the XMLLogger + export LOGFILE=/dev/null - ${config.driver}/bin/nixos-test-driver -o $out - ''; + ${config.driver}/bin/nixos-test-driver -o $out + ''; - passthru = config.passthru; + passthru = config.passthru; - meta = config.meta; - }; + meta = config.meta; + }; test = lib.lazyDerivation { # lazyDerivation improves performance when only passthru items and/or meta are used. derivation = config.rawTestDerivation;
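Review bot: The guard added to `rawTestDerivation` is an evaluation-time `assert` only, while the commit description says the non-interactive driver now receives the CLI flag and exits at runtime when `/dev/vhost-vsock` is missing; no driver or flag change is visible in the two files this patch touches, so the description and the code should be reconciled. Because the assert is attached to this one derivation, anything that takes `config.driver` and runs it some other way would presumably not hit it, which matters for a feature that (per the manual text in this patch) configures root login with an empty password. I would add a comment above the assert, `# The SSH backdoor needs /dev/vhost-vsock, which is not available in the build sandbox; it is only supported via interactive.sshBackdoor.enable.`, and name the failing test in the message by appending `(test: ${config.name})`. The enclosing `config = { … }` set starts and ends outside the hunk.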