nixos/test-driver: exit early if /dev/vhost-vsock isn't available

Right now it wrongly seems as if you can set `sshBackdoor.enable = true;` for each test and not only for debugging purposes. This is wrong however since you'd need to pass /dev/vhost-vsock into the sandbox for this (which is also a prerequisite for #392117). To make that clear, two things were changed: * add a warning to the manual to communicate this. * exit both interactive and non-interactive driver early if /dev/vhost-vsock is missing and the ssh backdoor is enabled. If that's the case, we pass a CLI flag to the driver already in the interactive case. This change also sets the flag for the non-interactive case. That way we also get a better error if somebody tries to enable this on a system that doesn't support that.
2025-06-09 19:13:26 +03:00 · 2025-05-12 15:27:24 +02:00 · 2025-05-12 15:27:24 +02:00 · c6978e8a58
commit c6978e8a58
parent 079ead620a
2 changed files with 28 additions and 16 deletions
--- a/nixos/doc/manual/development/running-nixos-tests-interactively.section.md
+++ b/nixos/doc/manual/development/running-nixos-tests-interactively.section.md
@ -71,10 +71,19 @@ An SSH-based backdoor to log into machines can be enabled with
 {
  name = "…";
  nodes.machines = { /* … */ };
-  sshBackdoor.enable = true;
+  interactive.sshBackdoor.enable = true;
 }
 ```

+::: {.warning}
+Make sure to only enable the backdoor for interactive tests
+(i.e. by using `interactive.sshBackdoor.enable`)! This is the only
+supported configuration.
+
+Running a test in a sandbox with this will fail because `/dev/vhost-vsock` isn't available
+in the sandbox.
+:::
+
 This creates a [vsock socket](https://man7.org/linux/man-pages/man7/vsock.7.html)
 for each VM to log in with SSH. This configures root login with an empty password.

--- a/nixos/lib/testing/run.nix
+++ b/nixos/lib/testing/run.nix
@ -43,27 +43,30 @@ in
  };

  config = {
-    rawTestDerivation = hostPkgs.stdenv.mkDerivation {
-      name = "vm-test-run-${config.name}";
+    rawTestDerivation =
+      assert lib.assertMsg (!config.sshBackdoor.enable)
+        "The SSH backdoor is currently not supported for non-interactive testing! Please make sure to only set `interactive.sshBackdoor.enable = true;`!";
+      hostPkgs.stdenv.mkDerivation {
+        name = "vm-test-run-${config.name}";

-      requiredSystemFeatures =
-        [ "nixos-test" ]
-        ++ lib.optionals hostPkgs.stdenv.hostPlatform.isLinux [ "kvm" ]
-        ++ lib.optionals hostPkgs.stdenv.hostPlatform.isDarwin [ "apple-virt" ];
+        requiredSystemFeatures =
+          [ "nixos-test" ]
+          ++ lib.optionals hostPkgs.stdenv.hostPlatform.isLinux [ "kvm" ]
+          ++ lib.optionals hostPkgs.stdenv.hostPlatform.isDarwin [ "apple-virt" ];

-      buildCommand = ''
-        mkdir -p $out
+        buildCommand = ''
+          mkdir -p $out

-        # effectively mute the XMLLogger
-        export LOGFILE=/dev/null
+          # effectively mute the XMLLogger
+          export LOGFILE=/dev/null

-        ${config.driver}/bin/nixos-test-driver -o $out
-      '';
+          ${config.driver}/bin/nixos-test-driver -o $out
+        '';

-      passthru = config.passthru;
+        passthru = config.passthru;

-      meta = config.meta;
-    };
+        meta = config.meta;
+      };
    test = lib.lazyDerivation {
      # lazyDerivation improves performance when only passthru items and/or meta are used.
      derivation = config.rawTestDerivation;