3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/tests/systemd.nix
Florian Klink eb58711edf nixosTests.systemd: test cryptsetup support
This creates and opens a luks volume, puts its passphrase into a keyfile
and writes a /etc/crypttab. It then reboots the machine, and verifies
systemd parsed /etc/crypttab properly, and was able to unlock the volume
with the keyfile provided (as we try to mount it).

The memorySize of the VM had to be bumped, as luksFormat would otherwise
run out of memory.
2020-08-05 01:34:12 +02:00

172 lines
6.1 KiB
Nix

import ./make-test-python.nix ({ pkgs, ... }: {
name = "systemd";
machine = { lib, ... }: {
imports = [ common/user-account.nix common/x11.nix ];
virtualisation.emptyDiskImages = [ 512 512 ];
virtualisation.memorySize = 1024;
environment.systemPackages = [ pkgs.cryptsetup ];
fileSystems = lib.mkVMOverride {
"/test-x-initrd-mount" = {
device = "/dev/vdb";
fsType = "ext2";
autoFormat = true;
noCheck = true;
options = [ "x-initrd.mount" ];
};
};
systemd.extraConfig = "DefaultEnvironment=\"XXX_SYSTEM=foo\"";
systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\"";
services.journald.extraConfig = "Storage=volatile";
test-support.displayManager.auto.user = "alice";
systemd.shutdown.test = pkgs.writeScript "test.shutdown" ''
#!${pkgs.runtimeShell}
PATH=${lib.makeBinPath (with pkgs; [ utillinux coreutils ])}
mount -t 9p shared -o trans=virtio,version=9p2000.L /tmp/shared
touch /tmp/shared/shutdown-test
umount /tmp/shared
'';
systemd.services.testservice1 = {
description = "Test Service 1";
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
if [ "$XXX_SYSTEM" = foo ]; then
touch /system_conf_read
fi
'';
};
systemd.user.services.testservice2 = {
description = "Test Service 2";
wantedBy = [ "default.target" ];
serviceConfig.Type = "oneshot";
script = ''
if [ "$XXX_USER" = bar ]; then
touch "$HOME/user_conf_read"
fi
'';
};
systemd.watchdog = {
device = "/dev/watchdog";
runtimeTime = "30s";
rebootTime = "10min";
kexecTime = "5min";
};
};
testScript = ''
import re
import subprocess
machine.wait_for_x()
# wait for user services
machine.wait_for_unit("default.target", "alice")
# Regression test for https://github.com/NixOS/nixpkgs/issues/35415
with subtest("configuration files are recognized by systemd"):
machine.succeed("test -e /system_conf_read")
machine.succeed("test -e /home/alice/user_conf_read")
machine.succeed("test -z $(ls -1 /var/log/journal)")
# Regression test for https://github.com/NixOS/nixpkgs/issues/50273
with subtest("DynamicUser actually allocates a user"):
assert "iamatest" in machine.succeed(
"systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami"
)
# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
with subtest("file system with x-initrd.mount is not unmounted"):
machine.succeed("mountpoint -q /test-x-initrd-mount")
machine.shutdown()
subprocess.check_call(
[
"qemu-img",
"convert",
"-O",
"raw",
"vm-state-machine/empty0.qcow2",
"x-initrd-mount.raw",
]
)
extinfo = subprocess.check_output(
[
"${pkgs.e2fsprogs}/bin/dumpe2fs",
"x-initrd-mount.raw",
]
).decode("utf-8")
assert (
re.search(r"^Filesystem state: *clean$", extinfo, re.MULTILINE) is not None
), ("File system was not cleanly unmounted: " + extinfo)
# Regression test for https://github.com/NixOS/nixpkgs/pull/91232
with subtest("setting transient hostnames works"):
machine.succeed("hostnamectl set-hostname --transient machine-transient")
machine.fail("hostnamectl set-hostname machine-all")
with subtest("systemd-shutdown works"):
machine.shutdown()
machine.wait_for_unit("multi-user.target")
machine.succeed("test -e /tmp/shared/shutdown-test")
# Test settings from /etc/sysctl.d/50-default.conf are applied
with subtest("systemd sysctl settings are applied"):
machine.wait_for_unit("multi-user.target")
assert "fq_codel" in machine.succeed("sysctl net.core.default_qdisc")
# Test cgroup accounting is enabled
with subtest("systemd cgroup accounting is enabled"):
machine.wait_for_unit("multi-user.target")
assert "yes" in machine.succeed(
"systemctl show testservice1.service -p IOAccounting"
)
retcode, output = machine.execute("systemctl status testservice1.service")
assert retcode in [0, 3] # https://bugs.freedesktop.org/show_bug.cgi?id=77507
assert "CPU:" in output
# Test systemd is configured to manage a watchdog
with subtest("systemd manages hardware watchdog"):
machine.wait_for_unit("multi-user.target")
# It seems that the device's path doesn't appear in 'systemctl show' so
# check it separately.
assert "WatchdogDevice=/dev/watchdog" in machine.succeed(
"cat /etc/systemd/system.conf"
)
output = machine.succeed("systemctl show | grep Watchdog")
assert "RuntimeWatchdogUSec=30s" in output
assert "RebootWatchdogUSec=10m" in output
assert "KExecWatchdogUSec=5m" in output
# Test systemd cryptsetup support
with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
# create a luks volume and put a filesystem on it
machine.succeed(
"echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
"echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
"mkfs.ext3 /dev/mapper/foo",
)
# create a keyfile and /etc/crypttab
machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
machine.succeed("chmod 600 /var/lib/luks-keyfile")
machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
# after a reboot, systemd should unlock the volume and we should be able to mount it
machine.shutdown()
machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
machine.succeed("mkdir -p /tmp/luks1")
machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
'';
})