lix-project/lix
20
57
Fork 31
Code Issues 347 Code Review (Gerrit) Projects 3 Releases Wiki Activity
lix/tests/nixos/nix-copy.nix

112 lines
4.4 KiB
Nix
Raw Normal View History

Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
# Test that nix copy works over ssh.
Fix nix-copy test
2023-08-14 12:28:02 +00:00
# Run interactively with:
# rm key key.pub; nix run .#hydraJobs.tests.nix-copy.driverInteractive
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
{ lib, config, nixpkgs, hostPkgs, ... }:
let
pkgs = config.nodes.client.nixpkgs.pkgs;
pkgA = pkgs.cowsay;
pkgB = pkgs.wget;
pkgC = pkgs.hello;
pkgD = pkgs.tmux;
in {
name = "nix-copy";
enableOCR = true;
nodes =
{ client =
{ config, lib, pkgs, ... }:
{ virtualisation.writableStore = true;
virtualisation.additionalPaths = [ pkgA pkgD.drvPath ];
nix.settings.substituters = lib.mkForce [ ];
nix.settings.experimental-features = [ "nix-command" ];
services.getty.autologinUser = "root";
Add a test for ControlMaster
2023-05-17 07:34:45 +00:00
programs.ssh.extraConfig = ''
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%h:%r@%n:%p
ControlPersist 15m
'';
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
};
server =
{ config, pkgs, ... }:
{ services.openssh.enable = true;
Merge pull request #9631 from cole-h/fixup-check-warnings Fix warnings when running checks (cherry picked from commit 75e10e42f3c63fd9b9c8cf222b992ab77e497854) Change-Id: Id955008fe045f23f72fae2a2cdf8f7ccddd1e6b9
2024-03-07 08:58:15 +00:00
services.openssh.settings.PermitRootLogin = "yes";
tests/nixos/nix-copy: fix NixOS >= 24.05 compatibility 4b128008c5d9fde881ce1b0a25e60ae0415a14d5 in nixpkgs introduced a default hashedPasswordFile for root in NixOS tests, which takes precedence over the password option set in the nix-copy test. Change-Id: Iffaebec5992e50614b854033f0d14312c8d275b5
2024-06-08 15:57:17 +00:00
users.users.root.hashedPasswordFile = lib.mkForce null;
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
virtualisation.writableStore = true;
virtualisation.additionalPaths = [ pkgB pkgC ];
};
};
testScript = { nodes }: ''
# fmt: off
import subprocess
# Create an SSH key on the client.
subprocess.run([
"${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
], capture_output=True, check=True)
start_all()
make the multi-node vm tests a bit more reliable without these changes the tests will very repeatably (although not very reliably) wedge in our runs. the ssh command starts, opens a sessions, does something, the session closes again, but the test does not move on. adding *just* the redirect and not the unit waits is not sufficient either, it needs both. this feels like a bug in the nixos testing framework somewhere, but digging that far is not in the cards right now. Change-Id: Idab577b83a36cc4899bb5ffbb3d9adc04e83e51c
2024-03-09 10:01:28 +00:00
server.succeed("systemctl start network-online.target")
client.succeed("systemctl start network-online.target")
server.wait_for_unit("network-online.target")
client.wait_for_unit("network-online.target")
tests: stop using OCR for nix copy tests this is fragile, slow as fuck, breaks constantly under high concurrency, and completely unnecessary since ssh bypasses the stdio file descriptors *anyway*. we do still check that we see ssh messages to ensure that none of our subprocess handling messes with ssh's /dev/tty, but that's it now Change-Id: Ib8e31e1999f813d07a27efc63a9d3454a9e4fcdd
2024-10-25 14:04:08 +00:00
server.wait_for_unit("multi-user.target")
client.wait_for_unit("multi-user.target")
make the multi-node vm tests a bit more reliable without these changes the tests will very repeatably (although not very reliably) wedge in our runs. the ssh command starts, opens a sessions, does something, the session closes again, but the test does not move on. adding *just* the redirect and not the unit waits is not sufficient either, it needs both. this feels like a bug in the nixos testing framework somewhere, but digging that far is not in the cards right now. Change-Id: Idab577b83a36cc4899bb5ffbb3d9adc04e83e51c
2024-03-09 10:01:28 +00:00
server.wait_for_unit("sshd.service")
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
# Copy the closure of package A from the client to the server using password authentication,
# and check that all prompts are visible
tests: stop using OCR for nix copy tests this is fragile, slow as fuck, breaks constantly under high concurrency, and completely unnecessary since ssh bypasses the stdio file descriptors *anyway*. we do still check that we see ssh messages to ensure that none of our subprocess handling messes with ssh's /dev/tty, but that's it now Change-Id: Ib8e31e1999f813d07a27efc63a9d3454a9e4fcdd
2024-10-25 14:04:08 +00:00
# NOTE: this used to also check password prompts, but the test implementation was monumentally
# fragile (and hence broke constantly). since ssh interacts with /dev/tty directly fixing this
# requires some proper cli automation, which we do not have. however, since ssh interacts with
# /dev/tty directly and the host key message goes there too, we don't even need to check this.
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
server.fail("nix-store --check-validity ${pkgA}")
tests: stop using OCR for nix copy tests this is fragile, slow as fuck, breaks constantly under high concurrency, and completely unnecessary since ssh bypasses the stdio file descriptors *anyway*. we do still check that we see ssh messages to ensure that none of our subprocess handling messes with ssh's /dev/tty, but that's it now Change-Id: Ib8e31e1999f813d07a27efc63a9d3454a9e4fcdd
2024-10-25 14:04:08 +00:00
client.succeed("echo | script -f /dev/stdout -c 'nix copy --to ssh://server ${pkgA}' | grep 'continue connecting'")
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
tests: stop using OCR for nix copy tests this is fragile, slow as fuck, breaks constantly under high concurrency, and completely unnecessary since ssh bypasses the stdio file descriptors *anyway*. we do still check that we see ssh messages to ensure that none of our subprocess handling messes with ssh's /dev/tty, but that's it now Change-Id: Ib8e31e1999f813d07a27efc63a9d3454a9e4fcdd
2024-10-25 14:04:08 +00:00
client.copy_from_host("key", "/root/.ssh/id_ed25519.setup")
client.succeed("chmod 600 /root/.ssh/id_ed25519.setup")
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
# Install the SSH key on the server.
server.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
server.succeed("systemctl restart sshd")
tests: stop using OCR for nix copy tests this is fragile, slow as fuck, breaks constantly under high concurrency, and completely unnecessary since ssh bypasses the stdio file descriptors *anyway*. we do still check that we see ssh messages to ensure that none of our subprocess handling messes with ssh's /dev/tty, but that's it now Change-Id: Ib8e31e1999f813d07a27efc63a9d3454a9e4fcdd
2024-10-25 14:04:08 +00:00
client.succeed("NIX_SSHOPTS='-oStrictHostKeyChecking=no -i /root/.ssh/id_ed25519.setup' nix copy --to ssh://server ${pkgA}")
server.succeed("nix-store --check-validity ${pkgA}")
# Check that ControlMaster is working
client.succeed("nix copy --to ssh://server ${pkgA}")
client.succeed("cp /root/.ssh/id_ed25519.setup /root/.ssh/id_ed25519")
make the multi-node vm tests a bit more reliable without these changes the tests will very repeatably (although not very reliably) wedge in our runs. the ssh command starts, opens a sessions, does something, the session closes again, but the test does not move on. adding *just* the redirect and not the unit waits is not sufficient either, it needs both. this feels like a bug in the nixos testing framework somewhere, but digging that far is not in the cards right now. Change-Id: Idab577b83a36cc4899bb5ffbb3d9adc04e83e51c
2024-03-09 10:01:28 +00:00
client.succeed(f"ssh -o StrictHostKeyChecking=no {server.name} 'echo hello world' >&2")
Add test of explicit ssh control path in nix-copy test This highlights a problem caused by SSHMaster::isMasterRunning returning false when NIX_SSHOPTS contains -oControlPath.
2023-06-13 02:42:05 +00:00
client.succeed(f"ssh -O check {server.name}")
client.succeed(f"ssh -O exit {server.name}")
client.fail(f"ssh -O check {server.name}")
# Check that an explicit master will work
client.succeed(f"ssh -MNfS /tmp/master {server.name}")
client.succeed(f"ssh -S /tmp/master -O check {server.name}")
client.succeed("NIX_SSHOPTS='-oControlPath=/tmp/master' nix copy --to ssh://server ${pkgA} >&2")
client.succeed(f"ssh -S /tmp/master -O exit {server.name}")
Add a test for nix copy over ssh Check that nix copy can copy stuff, refuses to copy unsigned paths by default, and doesn't hide the ssh password prompt.
2023-03-16 09:34:48 +00:00
# Copy the closure of package B from the server to the client, using ssh-ng.
client.fail("nix-store --check-validity ${pkgB}")
# Shouldn't download untrusted paths by default
client.fail("nix copy --from ssh-ng://server ${pkgB} >&2")
client.succeed("nix copy --no-check-sigs --from ssh-ng://server ${pkgB} >&2")
client.succeed("nix-store --check-validity ${pkgB}")
# Copy the derivation of package D's derivation from the client to the server.
server.fail("nix-store --check-validity ${pkgD.drvPath}")
client.succeed("nix copy --derivation --to ssh://server ${pkgD.drvPath} >&2")
server.succeed("nix-store --check-validity ${pkgD.drvPath}")
'';
}
Reference in a new issue Copy permalink