systemd-stage-1: Enable backdoor in nixos tests

This commit is contained in:
Will Fancher 2023-09-19 23:39:51 -04:00
parent f8ba8be54b
commit 9a0f523372
4 changed files with 86 additions and 15 deletions

View file

@ -554,3 +554,5 @@ The module update takes care of the new config syntax and the data itself (user
- `teleport` has been upgraded from major version 12 to major version 14. Please see upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and release notes for versions [13](https://goteleport.com/docs/changelog/#1300-050823) and [14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting `services.teleport.package = pkgs.teleport_13`. Afterwards, this option can be removed to upgrade to the default version (14).
- The Linux kernel module `msr` (see [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via `hardware.cpu.x86.msr`.
- There is a new NixOS option when writing NixOS tests `testing.initrdBackdoor`, that enables `backdoor.service` in initrd. Requires `boot.initrd.systemd.enable` to be enabled. Boot will pause in stage 1 at `initrd.target`, and will listen for commands from the `Machine` python interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Use `machine.switch_root()` to leave stage 1 and proceed to stage 2.

View file

@ -1278,3 +1278,19 @@ class Machine:
def run_callbacks(self) -> None:
for callback in self.callbacks:
callback()
def switch_root(self) -> None:
"""
Transition from stage 1 to stage 2. This requires the
machine to be configured with `testing.initrdBackdoor = true`
and `boot.initrd.systemd.enable = true`.
"""
self.wait_for_unit("initrd.target")
self.execute(
"systemctl isolate --no-block initrd-switch-root.target 2>/dev/null >/dev/null",
check_return=False,
check_output=False,
)
self.wait_for_console_text(r"systemd\[1\]:.*Switching root\.")
self.connected = False
self.connect()

View file

@ -6,10 +6,15 @@
with lib;
let
cfg = config.testing;
qemu-common = import ../../lib/qemu-common.nix { inherit lib pkgs; };
backdoorService = {
wantedBy = [ "multi-user.target" ];
wantedBy = [ "sysinit.target" ];
unitConfig.DefaultDependencies = false;
conflicts = [ "shutdown.target" "initrd-switch-root.target" ];
before = [ "shutdown.target" "initrd-switch-root.target" ];
requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ];
after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ];
script =
@ -18,7 +23,9 @@ let
export HOME=/root
export DISPLAY=:0.0
source /etc/profile
if [[ -e /etc/profile ]]; then
source /etc/profile
fi
# Don't use a pager when executing backdoor
# actions. Because we use a tty, commands like systemctl
@ -49,9 +56,59 @@ in
{
options.testing = {
initrdBackdoor = lib.mkEnableOption (lib.mdDoc ''
enable backdoor.service in initrd. Requires
boot.initrd.systemd.enable to be enabled. Boot will pause in
stage 1 at initrd.target, and will listen for commands from the
Machine python interface, just like stage 2 normally does. This
enables commands to be sent to test and debug stage 1. Use
machine.switch_root() to leave stage 1 and proceed to stage 2.
'');
};
config = {
systemd.services.backdoor = backdoorService
assertions = [
{
assertion = cfg.initrdBackdoor -> config.boot.initrd.systemd.enable;
message = ''
testing.initrdBackdoor requires boot.initrd.systemd.enable to be enabled.
'';
}
];
systemd.services.backdoor = backdoorService;
boot.initrd.systemd = lib.mkMerge [
{
contents."/etc/systemd/journald.conf".text = ''
[Journal]
ForwardToConsole=yes
MaxLevelConsole=debug
'';
extraConfig = config.systemd.extraConfig;
}
(lib.mkIf cfg.initrdBackdoor {
# Implemented in machine.switch_root(). Suppress the unit by
# making it a noop without removing it, which would break
# initrd-parse-etc.service
services.initrd-cleanup.serviceConfig.ExecStart = [
# Reset
""
# noop
"/bin/true"
];
services.backdoor = backdoorService;
contents."/usr/bin/env".source = "${pkgs.coreutils}/bin/env";
})
];
# Prevent agetty from being instantiated on the serial device, since it
# interferes with the backdoor (writes to it will randomly fail
@ -107,12 +164,6 @@ in
MaxLevelConsole=debug
'';
boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = ''
[Journal]
ForwardToConsole=yes
MaxLevelConsole=debug
'';
systemd.extraConfig = ''
# Don't clobber the console with duplicate systemd messages.
ShowStatus=no
@ -126,8 +177,6 @@ in
DefaultDeviceTimeoutSec=300
'';
boot.initrd.systemd.extraConfig = config.systemd.extraConfig;
boot.consoleLogLevel = 7;
# Prevent tests from accessing the Internet.

View file

@ -2,16 +2,19 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
name = "systemd-initrd-simple";
nodes.machine = { pkgs, ... }: {
boot.initrd.systemd = {
enable = true;
emergencyAccess = true;
};
testing.initrdBackdoor = true;
boot.initrd.systemd.enable = true;
virtualisation.fileSystems."/".autoResize = true;
};
testScript = ''
import subprocess
with subtest("testing initrd backdoor"):
machine.wait_for_unit("initrd.target")
machine.succeed("systemctl status initrd-fs.target")
machine.switch_root()
with subtest("handover to stage-2 systemd works"):
machine.wait_for_unit("multi-user.target")
machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover
@ -37,6 +40,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])
machine.start()
machine.switch_root()
newAvail = machine.succeed("df --output=avail / | sed 1d")
assert int(oldAvail) < int(newAvail), "File system did not grow"