+2

nixos/doc/manual/release-notes/rl-2311.section.md

··· 556 556 - `teleport` has been upgraded from major version 12 to major version 14. Please see upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and release notes for versions [13](https://goteleport.com/docs/changelog/#1300-050823) and [14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting `services.teleport.package = pkgs.teleport_13`. Afterwards, this option can be removed to upgrade to the default version (14). 557 557 558 558 - The Linux kernel module `msr` (see [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via `hardware.cpu.x86.msr`. 559 559 + 560 560 + - There is a new NixOS option when writing NixOS tests `testing.initrdBackdoor`, that enables `backdoor.service` in initrd. Requires `boot.initrd.systemd.enable` to be enabled. Boot will pause in stage 1 at `initrd.target`, and will listen for commands from the `Machine` python interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Use `machine.switch_root()` to leave stage 1 and proceed to stage 2.

+16

nixos/lib/test-driver/test_driver/machine.py

··· 1278 1278 def run_callbacks(self) -> None: 1279 1279 for callback in self.callbacks: 1280 1280 callback() 1281 1281 + 1282 1282 + def switch_root(self) -> None: 1283 1283 + """ 1284 1284 + Transition from stage 1 to stage 2. This requires the 1285 1285 + machine to be configured with `testing.initrdBackdoor = true` 1286 1286 + and `boot.initrd.systemd.enable = true`. 1287 1287 + """ 1288 1288 + self.wait_for_unit("initrd.target") 1289 1289 + self.execute( 1290 1290 + "systemctl isolate --no-block initrd-switch-root.target 2>/dev/null >/dev/null", 1291 1291 + check_return=False, 1292 1292 + check_output=False, 1293 1293 + ) 1294 1294 + self.wait_for_console_text(r"systemd\[1\]:.*Switching root\.") 1295 1295 + self.connected = False 1296 1296 + self.connect()

+93 -41

nixos/modules/testing/test-instrumentation.nix

··· 6 6 with lib; 7 7 8 8 let 9 9 + cfg = config.testing; 10 10 + 9 11 qemu-common = import ../../lib/qemu-common.nix { inherit lib pkgs; }; 12 12 + 13 13 + backdoorService = { 14 14 + wantedBy = [ "sysinit.target" ]; 15 15 + unitConfig.DefaultDependencies = false; 16 16 + conflicts = [ "shutdown.target" "initrd-switch-root.target" ]; 17 17 + before = [ "shutdown.target" "initrd-switch-root.target" ]; 18 18 + requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; 19 19 + after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; 20 20 + script = 21 21 + '' 22 22 + export USER=root 23 23 + export HOME=/root 24 24 + export DISPLAY=:0.0 25 25 + 26 26 + if [[ -e /etc/profile ]]; then 27 27 + source /etc/profile 28 28 + fi 29 29 + 30 30 + # Don't use a pager when executing backdoor 31 31 + # actions. Because we use a tty, commands like systemctl 32 32 + # or nix-store get confused into thinking they're running 33 33 + # interactively. 34 34 + export PAGER= 35 35 + 36 36 + cd /tmp 37 37 + exec < /dev/hvc0 > /dev/hvc0 38 38 + while ! exec 2> /dev/${qemu-common.qemuSerialDevice}; do sleep 0.1; done 39 39 + echo "connecting to host..." >&2 40 40 + stty -F /dev/hvc0 raw -echo # prevent nl -> cr/nl conversion 41 41 + # The following line is essential since it signals to 42 42 + # the test driver that the shell is ready. 43 43 + # See: the connect method in the Machine class. 44 44 + echo "Spawning backdoor root shell..." 45 45 + # Passing the terminal device makes bash run non-interactively. 46 46 + # Otherwise we get errors on the terminal because bash tries to 47 47 + # setup things like job control. 48 48 + # Note: calling bash explicitly here instead of sh makes sure that 49 49 + # we can also run non-NixOS guests during tests. 50 50 + PS1= exec /usr/bin/env bash --norc /dev/hvc0 51 51 + ''; 52 52 + serviceConfig.KillSignal = "SIGHUP"; 53 53 + }; 54 54 + 10 55 in 11 56 12 57 { 13 58 59 59 + options.testing = { 60 60 + 61 61 + initrdBackdoor = lib.mkEnableOption (lib.mdDoc '' 62 62 + enable backdoor.service in initrd. Requires 63 63 + boot.initrd.systemd.enable to be enabled. Boot will pause in 64 64 + stage 1 at initrd.target, and will listen for commands from the 65 65 + Machine python interface, just like stage 2 normally does. This 66 66 + enables commands to be sent to test and debug stage 1. Use 67 67 + machine.switch_root() to leave stage 1 and proceed to stage 2. 68 68 + ''); 69 69 + 70 70 + }; 71 71 + 14 72 config = { 15 73 16 16 - systemd.services.backdoor = 17 17 - { wantedBy = [ "multi-user.target" ]; 18 18 - requires = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; 19 19 - after = [ "dev-hvc0.device" "dev-${qemu-common.qemuSerialDevice}.device" ]; 20 20 - script = 21 21 - '' 22 22 - export USER=root 23 23 - export HOME=/root 24 24 - export DISPLAY=:0.0 74 74 + assertions = [ 75 75 + { 76 76 + assertion = cfg.initrdBackdoor -> config.boot.initrd.systemd.enable; 77 77 + message = '' 78 78 + testing.initrdBackdoor requires boot.initrd.systemd.enable to be enabled. 79 79 + ''; 80 80 + } 81 81 + ]; 25 82 26 26 - source /etc/profile 83 83 + systemd.services.backdoor = backdoorService; 84 84 + 85 85 + boot.initrd.systemd = lib.mkMerge [ 86 86 + { 87 87 + contents."/etc/systemd/journald.conf".text = '' 88 88 + [Journal] 89 89 + ForwardToConsole=yes 90 90 + MaxLevelConsole=debug 91 91 + ''; 92 92 + 93 93 + extraConfig = config.systemd.extraConfig; 94 94 + } 95 95 + 96 96 + (lib.mkIf cfg.initrdBackdoor { 97 97 + # Implemented in machine.switch_root(). Suppress the unit by 98 98 + # making it a noop without removing it, which would break 99 99 + # initrd-parse-etc.service 100 100 + services.initrd-cleanup.serviceConfig.ExecStart = [ 101 101 + # Reset 102 102 + "" 103 103 + # noop 104 104 + "/bin/true" 105 105 + ]; 27 106 28 28 - # Don't use a pager when executing backdoor 29 29 - # actions. Because we use a tty, commands like systemctl 30 30 - # or nix-store get confused into thinking they're running 31 31 - # interactively. 32 32 - export PAGER= 107 107 + services.backdoor = backdoorService; 33 108 34 34 - cd /tmp 35 35 - exec < /dev/hvc0 > /dev/hvc0 36 36 - while ! exec 2> /dev/${qemu-common.qemuSerialDevice}; do sleep 0.1; done 37 37 - echo "connecting to host..." >&2 38 38 - stty -F /dev/hvc0 raw -echo # prevent nl -> cr/nl conversion 39 39 - # The following line is essential since it signals to 40 40 - # the test driver that the shell is ready. 41 41 - # See: the connect method in the Machine class. 42 42 - echo "Spawning backdoor root shell..." 43 43 - # Passing the terminal device makes bash run non-interactively. 44 44 - # Otherwise we get errors on the terminal because bash tries to 45 45 - # setup things like job control. 46 46 - # Note: calling bash explicitly here instead of sh makes sure that 47 47 - # we can also run non-NixOS guests during tests. 48 48 - PS1= exec /usr/bin/env bash --norc /dev/hvc0 49 49 - ''; 50 50 - serviceConfig.KillSignal = "SIGHUP"; 51 51 - }; 109 109 + contents."/usr/bin/env".source = "${pkgs.coreutils}/bin/env"; 110 110 + }) 111 111 + ]; 52 112 53 113 # Prevent agetty from being instantiated on the serial device, since it 54 114 # interferes with the backdoor (writes to it will randomly fail ··· 104 164 MaxLevelConsole=debug 105 165 ''; 106 166 107 107 - boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = '' 108 108 - [Journal] 109 109 - ForwardToConsole=yes 110 110 - MaxLevelConsole=debug 111 111 - ''; 112 112 - 113 167 systemd.extraConfig = '' 114 168 # Don't clobber the console with duplicate systemd messages. 115 169 ShowStatus=no ··· 122 176 DefaultTimeoutStartSec=300 123 177 DefaultDeviceTimeoutSec=300 124 178 ''; 125 125 - 126 126 - boot.initrd.systemd.extraConfig = config.systemd.extraConfig; 127 179 128 180 boot.consoleLogLevel = 7; 129 181

+7

nixos/tests/systemd-initrd-modprobe.nix

··· 2 2 name = "systemd-initrd-modprobe"; 3 3 4 4 nodes.machine = { pkgs, ... }: { 5 5 + testing.initrdBackdoor = true; 5 6 boot.initrd.systemd.enable = true; 6 7 boot.initrd.kernelModules = [ "loop" ]; # Load module in initrd. 7 8 boot.extraModprobeConfig = '' ··· 10 11 }; 11 12 12 13 testScript = '' 14 14 + machine.wait_for_unit("initrd.target") 15 15 + max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") 16 16 + assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules" 17 17 + 18 18 + # Make sure it sticks in stage 2 19 19 + machine.switch_root() 13 20 machine.wait_for_unit("multi-user.target") 14 21 max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") 15 22 assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules"

+13 -39

nixos/tests/systemd-initrd-networkd-ssh.nix

··· 4 4 5 5 nodes = { 6 6 server = { config, pkgs, ... }: { 7 7 - environment.systemPackages = [ pkgs.cryptsetup ]; 8 8 - boot.loader.systemd-boot.enable = true; 9 9 - boot.loader.timeout = 0; 10 10 - virtualisation = { 11 11 - emptyDiskImages = [ 4096 ]; 12 12 - useBootLoader = true; 13 13 - # Booting off the encrypted disk requires an available init script from 14 14 - # the Nix store 15 15 - mountHostNixStore = true; 16 16 - useEFIBoot = true; 17 17 - }; 18 18 - 19 19 - specialisation.encrypted-root.configuration = { 20 20 - virtualisation.rootDevice = "/dev/mapper/root"; 21 21 - virtualisation.fileSystems."/".autoFormat = true; 22 22 - boot.initrd.luks.devices = lib.mkVMOverride { 23 23 - root.device = "/dev/vdb"; 24 24 - }; 25 25 - boot.initrd.systemd.enable = true; 26 26 - boot.initrd.network = { 7 7 + testing.initrdBackdoor = true; 8 8 + boot.initrd.systemd.enable = true; 9 9 + boot.initrd.systemd.contents."/etc/msg".text = "foo"; 10 10 + boot.initrd.network = { 11 11 + enable = true; 12 12 + ssh = { 27 13 enable = true; 28 28 - ssh = { 29 29 - enable = true; 30 30 - authorizedKeys = [ (lib.readFile ./initrd-network-ssh/id_ed25519.pub) ]; 31 31 - port = 22; 32 32 - # Terrible hack so it works with useBootLoader 33 33 - hostKeys = [ { outPath = "${./initrd-network-ssh/ssh_host_ed25519_key}"; } ]; 34 34 - }; 14 14 + authorizedKeys = [ (lib.readFile ./initrd-network-ssh/id_ed25519.pub) ]; 15 15 + port = 22; 16 16 + hostKeys = [ ./initrd-network-ssh/ssh_host_ed25519_key ]; 35 17 }; 36 18 }; 37 19 }; ··· 63 45 status, _ = client.execute("nc -z server 22") 64 46 return status == 0 65 47 66 66 - server.wait_for_unit("multi-user.target") 67 67 - server.succeed( 68 68 - "echo somepass | cryptsetup luksFormat --type=luks2 /dev/vdb", 69 69 - "bootctl set-default nixos-generation-1-specialisation-encrypted-root.conf", 70 70 - "sync", 71 71 - ) 72 72 - server.shutdown() 73 73 - server.start() 74 74 - 75 48 client.wait_for_unit("network.target") 76 49 with client.nested("waiting for SSH server to come up"): 77 50 retry(ssh_is_up) 78 51 79 79 - client.succeed( 80 80 - "echo somepass | ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'systemd-tty-ask-password-agent' & exit" 52 52 + msg = client.succeed( 53 53 + "ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'cat /etc/msg'" 81 54 ) 55 55 + assert "foo" in msg 82 56 57 57 + server.switch_root() 83 58 server.wait_for_unit("multi-user.target") 84 84 - server.succeed("mount | grep '/dev/mapper/root on /'") 85 59 ''; 86 60 })

+74 -56

nixos/tests/systemd-initrd-networkd.nix

··· 1 1 - import ./make-test-python.nix ({ pkgs, lib, ... }: { 2 2 - name = "systemd-initrd-network"; 3 3 - meta.maintainers = [ lib.maintainers.elvishjerricco ]; 1 1 + { system ? builtins.currentSystem 2 2 + , config ? {} 3 3 + , pkgs ? import ../.. { inherit system config; } 4 4 + , lib ? pkgs.lib 5 5 + }: 6 6 + 7 7 + with import ../lib/testing-python.nix { inherit system pkgs; }; 8 8 + 9 9 + let 10 10 + inherit (lib.maintainers) elvishjerricco; 11 11 + 12 12 + common = { 13 13 + boot.initrd.systemd = { 14 14 + enable = true; 15 15 + network.wait-online.timeout = 10; 16 16 + network.wait-online.anyInterface = true; 17 17 + targets.network-online.requiredBy = [ "initrd.target" ]; 18 18 + services.systemd-networkd-wait-online.requiredBy = 19 19 + [ "network-online.target" ]; 20 20 + initrdBin = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; 21 21 + }; 22 22 + testing.initrdBackdoor = true; 23 23 + boot.initrd.network.enable = true; 24 24 + }; 25 25 + 26 26 + mkFlushTest = flush: script: makeTest { 27 27 + name = "systemd-initrd-network-${lib.optionalString (!flush) "no-"}flush"; 28 28 + meta.maintainers = [ elvishjerricco ]; 29 29 + 30 30 + nodes.machine = { 31 31 + imports = [ common ]; 4 32 5 5 - nodes = let 6 6 - mkFlushTest = flush: script: { ... }: { 7 7 - boot.initrd.systemd.enable = true; 8 8 - boot.initrd.network = { 9 9 - enable = true; 10 10 - flushBeforeStage2 = flush; 11 11 - }; 33 33 + boot.initrd.network.flushBeforeStage2 = flush; 12 34 systemd.services.check-flush = { 13 35 requiredBy = ["multi-user.target"]; 14 36 before = ["network-pre.target" "multi-user.target"]; ··· 19 41 inherit script; 20 42 }; 21 43 }; 22 22 - in { 23 23 - basic = { ... }: { 24 24 - boot.initrd.network.enable = true; 25 44 26 26 - boot.initrd.systemd = { 27 27 - enable = true; 28 28 - # Enable network-online to fail the test in case of timeout 29 29 - network.wait-online.timeout = 10; 30 30 - network.wait-online.anyInterface = true; 31 31 - targets.network-online.requiredBy = [ "initrd.target" ]; 32 32 - services.systemd-networkd-wait-online.requiredBy = 33 33 - [ "network-online.target" ]; 34 34 - 35 35 - initrdBin = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; 36 36 - services.check = { 37 37 - requiredBy = [ "initrd.target" ]; 38 38 - before = [ "initrd.target" ]; 39 39 - after = [ "network-online.target" ]; 40 40 - serviceConfig.Type = "oneshot"; 41 41 - path = [ pkgs.iproute2 pkgs.iputils pkgs.gnugrep ]; 42 42 - script = '' 43 43 - ip addr | grep 10.0.2.15 || exit 1 44 44 - ping -c1 10.0.2.2 || exit 1 45 45 - ''; 46 46 - }; 47 47 - }; 48 48 - }; 45 45 + testScript = '' 46 46 + machine.wait_for_unit("network-online.target") 47 47 + machine.succeed( 48 48 + "ip addr | grep 10.0.2.15", 49 49 + "ping -c1 10.0.2.2", 50 50 + ) 51 51 + machine.switch_root() 49 52 50 50 - doFlush = mkFlushTest true '' 51 51 - if ip addr | grep 10.0.2.15; then 52 52 - echo "Network configuration survived switch-root; flushBeforeStage2 failed" 53 53 - exit 1 54 54 - fi 53 53 + machine.wait_for_unit("multi-user.target") 55 54 ''; 55 55 + }; 56 56 57 57 - dontFlush = mkFlushTest false '' 58 58 - if ! (ip addr | grep 10.0.2.15); then 59 59 - echo "Network configuration didn't survive switch-root" 60 60 - exit 1 61 61 - fi 57 57 + in { 58 58 + basic = makeTest { 59 59 + name = "systemd-initrd-network"; 60 60 + meta.maintainers = [ elvishjerricco ]; 61 61 + 62 62 + nodes.machine = common; 63 63 + 64 64 + testScript = '' 65 65 + machine.wait_for_unit("network-online.target") 66 66 + machine.succeed( 67 67 + "ip addr | grep 10.0.2.15", 68 68 + "ping -c1 10.0.2.2", 69 69 + ) 70 70 + machine.switch_root() 71 71 + 72 72 + # Make sure the systemd-network user was set correctly in initrd 73 73 + machine.wait_for_unit("multi-user.target") 74 74 + machine.succeed("[ $(stat -c '%U,%G' /run/systemd/netif/links) = systemd-network,systemd-network ]") 75 75 + machine.succeed("ip addr show >&2") 76 76 + machine.succeed("ip route show >&2") 62 77 ''; 63 78 }; 64 79 65 65 - testScript = '' 66 66 - start_all() 67 67 - basic.wait_for_unit("multi-user.target") 68 68 - doFlush.wait_for_unit("multi-user.target") 69 69 - dontFlush.wait_for_unit("multi-user.target") 70 70 - # Make sure the systemd-network user was set correctly in initrd 71 71 - basic.succeed("[ $(stat -c '%U,%G' /run/systemd/netif/links) = systemd-network,systemd-network ]") 72 72 - basic.succeed("ip addr show >&2") 73 73 - basic.succeed("ip route show >&2") 80 80 + doFlush = mkFlushTest true '' 81 81 + if ip addr | grep 10.0.2.15; then 82 82 + echo "Network configuration survived switch-root; flushBeforeStage2 failed" 83 83 + exit 1 84 84 + fi 74 85 ''; 75 75 - }) 86 86 + 87 87 + dontFlush = mkFlushTest false '' 88 88 + if ! (ip addr | grep 10.0.2.15); then 89 89 + echo "Network configuration didn't survive switch-root" 90 90 + exit 1 91 91 + fi 92 92 + ''; 93 93 + }

+8 -4

nixos/tests/systemd-initrd-simple.nix

··· 2 2 name = "systemd-initrd-simple"; 3 3 4 4 nodes.machine = { pkgs, ... }: { 5 5 - boot.initrd.systemd = { 6 6 - enable = true; 7 7 - emergencyAccess = true; 8 8 - }; 5 5 + testing.initrdBackdoor = true; 6 6 + boot.initrd.systemd.enable = true; 9 7 virtualisation.fileSystems."/".autoResize = true; 10 8 }; 11 9 12 10 testScript = '' 13 11 import subprocess 12 12 + 13 13 + with subtest("testing initrd backdoor"): 14 14 + machine.wait_for_unit("initrd.target") 15 15 + machine.succeed("systemctl status initrd-fs.target") 16 16 + machine.switch_root() 14 17 15 18 with subtest("handover to stage-2 systemd works"): 16 19 machine.wait_for_unit("multi-user.target") ··· 37 40 subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"]) 38 41 39 42 machine.start() 43 43 + machine.switch_root() 40 44 newAvail = machine.succeed("df --output=avail / | sed 1d") 41 45 42 46 assert int(oldAvail) < int(newAvail), "File system did not grow"