commit 8b3baa1402c77b7e960bcacc347a0c7c694f6872 · pyrox.dev/nixpkgs

+29

nixos/doc/manual/development/running-nixos-tests-interactively.section.md

···

       63
       63
        
       Once the connection is established, you can enter commands in the socat terminal

     

       64
       64
        
       where socat is running.

     

       65
       65
        
       

     

       66
       66
       +
       ## SSH Access for test machines {#sec-nixos-test-ssh-access}

     

       67
       67
       +
       

     

       68
       68
       +
       An SSH-based backdoor to log into machines can be enabled with

     

       69
       69
       +
       

     

       70
       70
       +
       ```nix

     

       71
       71
       +
       {

     

       72
       72
       +
         name = "…";

     

       73
       73
       +
         nodes.machines = { /* … */ };

     

       74
       74
       +
         sshBackdoor.enable = true;

     

       75
       75
       +
       }

     

       76
       76
       +
       ```

     

       77
       77
       +
       

     

       78
       78
       +
       This creates a [vsock socket](https://man7.org/linux/man-pages/man7/vsock.7.html)

     

       79
       79
       +
       for each VM to log in with SSH. This configures root login with an empty password.

     

       80
       80
       +
       

     

       81
       81
       +
       When the VMs get started interactively with the test-driver, it's possible to

     

       82
       82
       +
       connect to `machine` with

     

       83
       83
       +
       

     

       84
       84
       +
       ```

     

       85
       85
       +
       $ ssh vsock/3 -o User=root

     

       86
       86
       +
       ```

     

       87
       87
       +
       

     

       88
       88
       +
       The socket numbers correspond to the node number of the test VM, but start

     

       89
       89
       +
       at three instead of one because that's the lowest possible

     

       90
       90
       +
       vsock number.

     

       91
       91
       +
       

     

       92
       92
       +
       On non-NixOS systems you'll probably need to enable

     

       93
       93
       +
       the SSH config from {manpage}`systemd-ssh-proxy(1)` yourself.

     

       94
       94
       +
       

     

       66
       95
        
       ## Port forwarding to NixOS test VMs {#sec-nixos-test-port-forwarding}

     

       67
       96
        
       

     

       68
       97
        
       If your test has only a single VM, you may use e.g.

+6

nixos/doc/manual/redirects.json

···

       1823
       1823
        
         "sec-test-options-reference": [

     

       1824
       1824
        
           "index.html#sec-test-options-reference"

     

       1825
       1825
        
         ],

     

       1826
       1826
       +
         "test-opt-sshBackdoor.enable": [

     

       1827
       1827
       +
           "index.html#test-opt-sshBackdoor.enable"

     

       1828
       1828
       +
         ],

     

       1826
       1829
        
         "test-opt-defaults": [

     

       1827
       1830
        
           "index.html#test-opt-defaults"

     

       1828
       1831
        
         ],

     
···

       1909
       1912
        
         ],

     

       1910
       1913
        
         "sec-nixos-test-shell-access": [

     

       1911
       1914
        
           "index.html#sec-nixos-test-shell-access"

     

       1915
       1915
       +
         ],

     

       1916
       1916
       +
         "sec-nixos-test-ssh-access": [

     

       1917
       1917
       +
           "index.html#sec-nixos-test-ssh-access"

     

       1912
       1918
        
         ],

     

       1913
       1919
        
         "sec-nixos-test-port-forwarding": [

     

       1914
       1920
        
           "index.html#sec-nixos-test-port-forwarding"

+7

nixos/lib/test-driver/src/test_driver/__init__.py

···

       109
       109
        
               help="the test script to run",

     

       110
       110
        
               type=Path,

     

       111
       111
        
           )

     

       112
       112
       +
           arg_parser.add_argument(

     

       113
       113
       +
               "--dump-vsocks",

     

       114
       114
       +
               help="indicates that the interactive SSH backdoor is active and dumps information about it on start",

     

       115
       115
       +
               action="store_true",

     

       116
       116
       +
           )

     

       112
       117
        
       

     

       113
       118
        
           args = arg_parser.parse_args()

     

       114
       119
        
       

     
···

       136
       141
        
               if args.interactive:

     

       137
       142
        
                   history_dir = os.getcwd()

     

       138
       143
        
                   history_path = os.path.join(history_dir, ".nixos-test-history")

     

       144
       144
       +
                   if args.dump_vsocks:

     

       145
       145
       +
                       driver.dump_machine_ssh()

     

       139
       146
        
                   ptpython.ipython.embed(

     

       140
       147
        
                       user_ns=driver.test_symbols(),

     

       141
       148
        
                       history_filename=history_path,

+15

nixos/lib/test-driver/src/test_driver/driver.py

···

       11
       11
        
       from typing import Any

     

       12
       12
        
       from unittest import TestCase

     

       13
       13
        
       

     

       14
       14
       +
       from colorama import Style

     

       15
       15
       +
       

     

       14
       16
        
       from test_driver.errors import MachineError, RequestedAssertionFailed

     

       15
       17
        
       from test_driver.logger import AbstractLogger

     

       16
       18
        
       from test_driver.machine import Machine, NixStartScript, retry

     
···

       175
       177
        
                   + ", ".join(list(general_symbols.keys()))

     

       176
       178
        
               )

     

       177
       179
        
               return {**general_symbols, **machine_symbols, **vlan_symbols}

     

       180
       180
       +
       

     

       181
       181
       +
           def dump_machine_ssh(self) -> None:

     

       182
       182
       +
               print("SSH backdoor enabled, the machines can be accessed like this:")

     

       183
       183
       +
               print(

     

       184
       184
       +
                   f"{Style.BRIGHT}Note:{Style.RESET_ALL} this requires {Style.BRIGHT}systemd-ssh-proxy(1){Style.RESET_ALL} to be enabled (default on NixOS 25.05 and newer)."

     

       185
       185
       +
               )

     

       186
       186
       +
               names = [machine.name for machine in self.machines]

     

       187
       187
       +
               longest_name = len(max(names, key=len))

     

       188
       188
       +
               for num, name in enumerate(names, start=3):

     

       189
       189
       +
                   spaces = " " * (longest_name - len(name) + 2)

     

       190
       190
       +
                   print(

     

       191
       191
       +
                       f"    {name}:{spaces}{Style.BRIGHT}ssh -o User=root vsock/{num}{Style.RESET_ALL}"

     

       192
       192
       +
                   )

     

       178
       193
        
       

     

       179
       194
        
           def test_script(self) -> None:

     

       180
       195
        
               """Run the test script"""

+1

nixos/lib/testing-python.nix

···

       75
       75
        
                 ),

     

       76
       76
        
               extraPythonPackages ? (_: [ ]),

     

       77
       77
        
               interactive ? { },

     

       78
       78
       +
               sshBackdoor ? { },

     

       78
       79
        
             }@t:

     

       79
       80
        
             let

     

       80
       81
        
               testConfig =

+22 -4

nixos/lib/testing/nodes.nix

···

       13
       13
        
           mapAttrs

     

       14
       14
        
           mkDefault

     

       15
       15
        
           mkIf

     

       16
       16
       +
           mkMerge

     

       16
       17
        
           mkOption

     

       17
       18
        
           mkForce

     

       18
       19
        
           optional

     
···

       77
       78
        
       {

     

       78
       79
        
       

     

       79
       80
        
         options = {

     

       81
       81
       +
           sshBackdoor = {

     

       82
       82
       +
             enable = mkOption {

     

       83
       83
       +
               default = false;

     

       84
       84
       +
               type = types.bool;

     

       85
       85
       +
               description = "Whether to turn on the VSOCK-based access to all VMs. This provides an unauthenticated access intended for debugging.";

     

       86
       86
       +
             };

     

       87
       87
       +
           };

     

       88
       88
       +
       

     

       80
       89
        
           node.type = mkOption {

     

       81
       90
        
             type = types.raw;

     

       82
       91
        
             default = baseOS.type;

     
···

       172
       181
        
       

     

       173
       182
        
           passthru.nodes = config.nodesCompat;

     

       174
       183
        
       

     

       175
       175
       -
           defaults = mkIf config.node.pkgsReadOnly {

     

       176
       176
       -
             nixpkgs.pkgs = config.node.pkgs;

     

       177
       177
       -
             imports = [ ../../modules/misc/nixpkgs/read-only.nix ];

     

       178
       178
       -
           };

     

       184
       184
       +
           extraDriverArgs = mkIf config.sshBackdoor.enable [

     

       185
       185
       +
             "--dump-vsocks"

     

       186
       186
       +
           ];

     

       187
       187
       +
       

     

       188
       188
       +
           defaults = mkMerge [

     

       189
       189
       +
             (mkIf config.node.pkgsReadOnly {

     

       190
       190
       +
               nixpkgs.pkgs = config.node.pkgs;

     

       191
       191
       +
               imports = [ ../../modules/misc/nixpkgs/read-only.nix ];

     

       192
       192
       +
             })

     

       193
       193
       +
             (mkIf config.sshBackdoor.enable {

     

       194
       194
       +
               testing.sshBackdoor.enable = true;

     

       195
       195
       +
             })

     

       196
       196
       +
           ];

     

       179
       197
        
       

     

       180
       198
        
         };

     

       181
       199
        
       }

+20

nixos/modules/testing/test-instrumentation.nix

···

       87
       87
        
             machine.switch_root() to leave stage 1 and proceed to stage 2

     

       88
       88
        
           '';

     

       89
       89
        
       

     

       90
       90
       +
           sshBackdoor = {

     

       91
       91
       +
             enable = mkEnableOption "vsock-based ssh backdoor for the VM";

     

       92
       92
       +
           };

     

       93
       93
       +
       

     

       90
       94
        
         };

     

       91
       95
        
       

     

       92
       96
        
         config = {

     
···

       99
       103
        
               '';

     

       100
       104
        
             }

     

       101
       105
        
           ];

     

       106
       106
       +
       

     

       107
       107
       +
           services.openssh = mkIf config.testing.sshBackdoor.enable {

     

       108
       108
       +
             enable = true;

     

       109
       109
       +
             settings = {

     

       110
       110
       +
               PermitRootLogin = "yes";

     

       111
       111
       +
               PermitEmptyPasswords = "yes";

     

       112
       112
       +
             };

     

       113
       113
       +
           };

     

       114
       114
       +
       

     

       115
       115
       +
           security.pam.services.sshd = mkIf config.testing.sshBackdoor.enable {

     

       116
       116
       +
             allowNullPassword = true;

     

       117
       117
       +
           };

     

       102
       118
        
       

     

       103
       119
        
           systemd.services.backdoor = lib.mkMerge [

     

       104
       120
        
             backdoorService

     
···

       175
       191
        
               #       we avoid defining attributes if not possible.

     

       176
       192
        
               # TODO: refactor such that test-instrumentation can import qemu-vm

     

       177
       193
        
               package = lib.mkDefault pkgs.qemu_test;

     

       194
       194
       +
       

     

       195
       195
       +
               options = mkIf config.testing.sshBackdoor.enable [

     

       196
       196
       +
                 "-device vhost-vsock-pci,guest-cid=${toString (config.virtualisation.test.nodeNumber + 2)}"

     

       197
       197
       +
               ];

     

       178
       198
        
             };

     

       179
       199
        
           };

     

       180
       200