NixOS/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 01:53:09 +09:00
Code Activity

nixos/tests/systemd-ssh-proxy: Use container instead of nested virt and ISO

Browse source
This commit is contained in:
Will Fancher 2025-03-16 23:04:03 -04:00
parent 4dcde98327
commit 92ddfef0af
1 changed files with 14 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

41
nixos/tests/systemd-ssh-proxy.nix
View file

@ -6,29 +6,12 @@
}: }:
# This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with: # This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with:
# - a local unix socket on the same system # - a local unix socket on the same system
# - a vsock socket inside a vm # - a unix socket inside a container
let let
inherit (import ./ssh-keys.nix pkgs) inherit (import ./ssh-keys.nix pkgs)
snakeOilEd25519PrivateKey snakeOilEd25519PrivateKey
snakeOilEd25519PublicKey snakeOilEd25519PublicKey
; ;
qemu = config.nodes.virthost.virtualisation.qemu.package;
iso =
(import ../lib/eval-config.nix {
inherit (pkgs.stdenv.hostPlatform) system;
modules = [
../modules/installer/cd-dvd/iso-image.nix
{
services.openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
};
isoImage.isoBaseName = lib.mkForce "nixos";
isoImage.makeBiosBootable = true;
system.stateVersion = lib.trivial.release;
}
];
}).config.system.build.isoImage;
in in
{ {
name = "systemd-ssh-proxy"; name = "systemd-ssh-proxy";
@ -46,24 +29,28 @@ in
isNormalUser = true; isNormalUser = true;
}; };
}; };
systemd.services.test-vm = { containers.guest = {
script = "${lib.getExe qemu} --nographic -smp 1 -m 512 -cdrom ${iso}/iso/nixos.iso -device vhost-vsock-pci,guest-cid=3 -smbios type=11,value=\"io.systemd.credential:ssh.authorized_keys.root=${snakeOilEd25519PublicKey}\""; autoStart = true;
config = {
users.users.root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];
services.openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
};
system.stateVersion = lib.trivial.release;
};
}; };
}; };
}; };
testScript = '' testScript = ''
virthost.systemctl("start test-vm.service")
virthost.succeed("mkdir -p ~/.ssh") virthost.succeed("mkdir -p ~/.ssh")
virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519") virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519")
virthost.succeed("chmod 600 ~/.ssh/id_ed25519") virthost.succeed("chmod 600 ~/.ssh/id_ed25519")
with subtest("ssh into a vm with vsock"): with subtest("ssh into a container with AF_UNIX"):
virthost.wait_until_succeeds("systemctl is-active test-vm.service") virthost.wait_for_unit("container@guest.service")
virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 echo meow | grep meow") virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 unix/run/systemd/nspawn/unix-export/guest/ssh echo meow | grep meow")
virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 shutdown now")
virthost.wait_until_succeeds("! systemctl is-active test-vm.service")
with subtest("elevate permissions using local ssh socket"): with subtest("elevate permissions using local ssh socket"):
virthost.wait_for_unit("sshd-unix-local.socket") virthost.wait_for_unit("sshd-unix-local.socket")