commit 08ed87ccc6a3467c00413db3bd394a6c7682efef · pyrox.dev/nixpkgs

+23 -1

nixos/doc/manual/development/running-nixos-tests-interactively.section.md

···

       87
       87
        
       

     

       88
       88
        
       The socket numbers correspond to the node number of the test VM, but start

     

       89
       89
        
       at three instead of one because that's the lowest possible

     

       90
       90
       -
       vsock number.

     

       90
       90
       +
       vsock number. The exact SSH commands are also printed out when starting

     

       91
       91
       +
       `nixos-test-driver`.

     

       91
       92
        
       

     

       92
       93
        
       On non-NixOS systems you'll probably need to enable

     

       93
       94
        
       the SSH config from {manpage}`systemd-ssh-proxy(1)` yourself.

     

       95
       95
       +
       

     

       96
       96
       +
       If starting VM fails with an error like

     

       97
       97
       +
       

     

       98
       98
       +
       ```

     

       99
       99
       +
       qemu-system-x86_64: -device vhost-vsock-pci,guest-cid=3: vhost-vsock: unable to set guest cid: Address already in use

     

       100
       100
       +
       ```

     

       101
       101
       +
       

     

       102
       102
       +
       it means that the vsock numbers for the VMs are already in use. This can happen

     

       103
       103
       +
       if another interactive test with SSH backdoor enabled is running on the machine.

     

       104
       104
       +
       

     

       105
       105
       +
       In that case, you need to assign another range of vsock numbers. You can pick another

     

       106
       106
       +
       offset with

     

       107
       107
       +
       

     

       108
       108
       +
       ```nix

     

       109
       109
       +
       {

     

       110
       110
       +
         sshBackdoor = {

     

       111
       111
       +
           enable = true;

     

       112
       112
       +
           vsockOffset = 23542;

     

       113
       113
       +
         };

     

       114
       114
       +
       }

     

       115
       115
       +
       ```

     

       94
       116
        
       

     

       95
       117
        
       ## Port forwarding to NixOS test VMs {#sec-nixos-test-port-forwarding}

     

       96
       118

+3

nixos/doc/manual/redirects.json

···

       1832
       1832
        
         "test-opt-sshBackdoor.enable": [

     

       1833
       1833
        
           "index.html#test-opt-sshBackdoor.enable"

     

       1834
       1834
        
         ],

     

       1835
       1835
       +
         "test-opt-sshBackdoor.vsockOffset": [

     

       1836
       1836
       +
           "index.html#test-opt-sshBackdoor.vsockOffset"

     

       1837
       1837
       +
         ],

     

       1835
       1838
        
         "test-opt-defaults": [

     

       1836
       1839
        
           "index.html#test-opt-defaults"

     

       1837
       1840
        
         ],

+3 -3

nixos/lib/test-driver/src/test_driver/__init__.py

···

       112
       112
        
           arg_parser.add_argument(

     

       113
       113
        
               "--dump-vsocks",

     

       114
       114
        
               help="indicates that the interactive SSH backdoor is active and dumps information about it on start",

     

       115
       115
       -
               action="store_true",

     

       115
       115
       +
               type=int,

     

       116
       116
        
           )

     

       117
       117
        
       

     

       118
       118
        
           args = arg_parser.parse_args()

     
···

       141
       141
        
               if args.interactive:

     

       142
       142
        
                   history_dir = os.getcwd()

     

       143
       143
        
                   history_path = os.path.join(history_dir, ".nixos-test-history")

     

       144
       144
       -
                   if args.dump_vsocks:

     

       145
       145
       -
                       driver.dump_machine_ssh()

     

       144
       144
       +
                   if offset := args.dump_vsocks:

     

       145
       145
       +
                       driver.dump_machine_ssh(offset)

     

       146
       146
        
                   ptpython.ipython.embed(

     

       147
       147
        
                       user_ns=driver.test_symbols(),

     

       148
       148
        
                       history_filename=history_path,

+2 -2

nixos/lib/test-driver/src/test_driver/driver.py

···

       178
       178
        
               )

     

       179
       179
        
               return {**general_symbols, **machine_symbols, **vlan_symbols}

     

       180
       180
        
       

     

       181
       181
       -
           def dump_machine_ssh(self) -> None:

     

       181
       181
       +
           def dump_machine_ssh(self, offset: int) -> None:

     

       182
       182
        
               print("SSH backdoor enabled, the machines can be accessed like this:")

     

       183
       183
        
               print(

     

       184
       184
        
                   f"{Style.BRIGHT}Note:{Style.RESET_ALL} this requires {Style.BRIGHT}systemd-ssh-proxy(1){Style.RESET_ALL} to be enabled (default on NixOS 25.05 and newer)."

     

       185
       185
        
               )

     

       186
       186
        
               names = [machine.name for machine in self.machines]

     

       187
       187
        
               longest_name = len(max(names, key=len))

     

       188
       188
       -
               for num, name in enumerate(names, start=3):

     

       188
       188
       +
               for num, name in enumerate(names, start=offset + 1):

     

       189
       189
        
                   spaces = " " * (longest_name - len(name) + 2)

     

       190
       190
        
                   print(

     

       191
       191
        
                       f"    {name}:{spaces}{Style.BRIGHT}ssh -o User=root vsock/{num}{Style.RESET_ALL}"

+42 -4

nixos/lib/testing/nodes.nix

···

       84
       84
        
               type = types.bool;

     

       85
       85
        
               description = "Whether to turn on the VSOCK-based access to all VMs. This provides an unauthenticated access intended for debugging.";

     

       86
       86
        
             };

     

       87
       87
       +
             vsockOffset = mkOption {

     

       88
       88
       +
               default = 2;

     

       89
       89
       +
               type = types.ints.between 2 4294967296;

     

       90
       90
       +
               description = ''

     

       91
       91
       +
                 This field is only relevant when multiple users run the (interactive)

     

       92
       92
       +
                 driver outside the sandbox and with the SSH backdoor activated.

     

       93
       93
       +
                 The typical symptom for this being a problem are error messages like this:

     

       94
       94
       +
                 `vhost-vsock: unable to set guest cid: Address already in use`

     

       95
       95
       +
       

     

       96
       96
       +
                 This option allows to assign an offset to each vsock number to

     

       97
       97
       +
                 resolve this.

     

       98
       98
       +
       

     

       99
       99
       +
                 This is a 32bit number. The lowest possible vsock number is `3`

     

       100
       100
       +
                 (i.e. with the lowest node number being `1`, this is 2+1).

     

       101
       101
       +
               '';

     

       102
       102
       +
             };

     

       87
       103
        
           };

     

       88
       104
        
       

     

       89
       105
        
           node.type = mkOption {

     
···

       182
       198
        
           passthru.nodes = config.nodesCompat;

     

       183
       199
        
       

     

       184
       200
        
           extraDriverArgs = mkIf config.sshBackdoor.enable [

     

       185
       185
       -
             "--dump-vsocks"

     

       201
       201
       +
             "--dump-vsocks=${toString config.sshBackdoor.vsockOffset}"

     

       186
       202
        
           ];

     

       187
       203
        
       

     

       188
       204
        
           defaults = mkMerge [

     
···

       190
       206
        
               nixpkgs.pkgs = config.node.pkgs;

     

       191
       207
        
               imports = [ ../../modules/misc/nixpkgs/read-only.nix ];

     

       192
       208
        
             })

     

       193
       193
       -
             (mkIf config.sshBackdoor.enable {

     

       194
       194
       -
               testing.sshBackdoor.enable = true;

     

       195
       195
       -
             })

     

       209
       209
       +
             (mkIf config.sshBackdoor.enable (

     

       210
       210
       +
               let

     

       211
       211
       +
                 inherit (config.sshBackdoor) vsockOffset;

     

       212
       212
       +
               in

     

       213
       213
       +
               { config, ... }:

     

       214
       214
       +
               {

     

       215
       215
       +
                 services.openssh = {

     

       216
       216
       +
                   enable = true;

     

       217
       217
       +
                   settings = {

     

       218
       218
       +
                     PermitRootLogin = "yes";

     

       219
       219
       +
                     PermitEmptyPasswords = "yes";

     

       220
       220
       +
                   };

     

       221
       221
       +
                 };

     

       222
       222
       +
       

     

       223
       223
       +
                 security.pam.services.sshd = {

     

       224
       224
       +
                   allowNullPassword = true;

     

       225
       225
       +
                 };

     

       226
       226
       +
       

     

       227
       227
       +
                 virtualisation.qemu.options = [

     

       228
       228
       +
                   "-device vhost-vsock-pci,guest-cid=${

     

       229
       229
       +
                     toString (config.virtualisation.test.nodeNumber + vsockOffset)

     

       230
       230
       +
                   }"

     

       231
       231
       +
                 ];

     

       232
       232
       +
               }

     

       233
       233
       +
             ))

     

       196
       234
        
           ];

     

       197
       235
        
       

     

       198
       236
        
         };

-21

nixos/modules/testing/test-instrumentation.nix

···

       86
       86
        
             enables commands to be sent to test and debug stage 1. Use

     

       87
       87
        
             machine.switch_root() to leave stage 1 and proceed to stage 2

     

       88
       88
        
           '';

     

       89
       89
       -
       

     

       90
       90
       -
           sshBackdoor = {

     

       91
       91
       -
             enable = mkEnableOption "vsock-based ssh backdoor for the VM";

     

       92
       92
       -
           };

     

       93
       93
       -
       

     

       94
       89
        
         };

     

       95
       90
        
       

     

       96
       91
        
         config = {

     
···

       103
       98
        
               '';

     

       104
       99
        
             }

     

       105
       100
        
           ];

     

       106
       106
       -
       

     

       107
       107
       -
           services.openssh = mkIf config.testing.sshBackdoor.enable {

     

       108
       108
       -
             enable = true;

     

       109
       109
       -
             settings = {

     

       110
       110
       -
               PermitRootLogin = "yes";

     

       111
       111
       -
               PermitEmptyPasswords = "yes";

     

       112
       112
       -
             };

     

       113
       113
       -
           };

     

       114
       114
       -
       

     

       115
       115
       -
           security.pam.services.sshd = mkIf config.testing.sshBackdoor.enable {

     

       116
       116
       -
             allowNullPassword = true;

     

       117
       117
       -
           };

     

       118
       101
        
       

     

       119
       102
        
           systemd.services.backdoor = lib.mkMerge [

     

       120
       103
        
             backdoorService

     
···

       191
       174
        
               #       we avoid defining attributes if not possible.

     

       192
       175
        
               # TODO: refactor such that test-instrumentation can import qemu-vm

     

       193
       176
        
               package = lib.mkDefault pkgs.qemu_test;

     

       194
       194
       -
       

     

       195
       195
       -
               options = mkIf config.testing.sshBackdoor.enable [

     

       196
       196
       -
                 "-device vhost-vsock-pci,guest-cid=${toString (config.virtualisation.test.nodeNumber + 2)}"

     

       197
       197
       -
               ];

     

       198
       177
        
             };

     

       199
       178
        
           };

     

       200
       179