{
  name = "systemd-initrd-simple";

  nodes.machine =
    { pkgs, ... }:
    {
      # Test-harness only: lets the driver stop in stage 1 and run commands
      # there before handing over to stage 2 (see `switch_root` below).
      testing.initrdBackdoor = true;
      boot.initrd.systemd.enable = true;
      # Needed for the growfs subtest: the root fs is enlarged on boot after
      # the backing image has been resized.
      virtualisation.fileSystems."/".autoResize = true;
    };

  testScript =
    # python
    ''
      import subprocess

      def root_avail():
          # `df` prints a header line first; `sed 1d` drops it so only the
          # available-space figure is returned (as the raw command output).
          return machine.succeed("df --output=avail / | sed 1d")

      with subtest("testing initrd backdoor"):
          machine.wait_for_unit("initrd.target")
          machine.succeed("systemctl status initrd-fs.target")
          machine.switch_root()

      with subtest("handover to stage-2 systemd works"):
          machine.wait_for_unit("multi-user.target")
          # stage-1 systemd handed over directly: systemd-analyze reports an
          # "(initrd)" phase in the boot timing.
          machine.succeed("systemd-analyze | grep -q '(initrd)'")
          # / is writable, the Nix store is not.
          machine.succeed("touch /testfile")
          machine.fail("touch /nix/store/testfile")

          # API filesystems that systemd itself mounts.
          for path in ["/run/booted-system", "/sys/class", "/dev/null", "/proc/1"]:
              machine.succeed(f"[ -e {path} ]")

          # Mounts set up by stage-2-init on top of those.
          for path in ["/dev/shm", "/dev/pts/ptmx", "/run/keys"]:
              machine.succeed(f"[ -e {path} ]")

          # The stage-1 closure directory must not be visible in stage 2.
          machine.succeed("[ ! -e /nixos-closure ]")

      with subtest("groups work"):
          # udevd complaining about an unknown group would mean a rules file
          # refers to a group the initrd does not provide.
          machine.fail("journalctl -b 0 | grep 'systemd-udevd.*Unknown group.*ignoring'")

      with subtest("growfs works"):
          avail_before = root_avail()
          machine.shutdown()

          # Enlarge the backing disk image while the VM is down.
          subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])

          machine.start()
          machine.switch_root()
          avail_after = root_avail()

          assert int(avail_before) < int(avail_after), "File system did not grow"

      with subtest("no warnings from systemd about write permissions"):
          # systemd logs this when something it executes with privileges is
          # world-writable; a clean boot must not produce it.
          machine.fail("journalctl -b 0 | grep 'is marked world-writable, which is a security risk as it is executed with privileges'")
    '';
}