mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-06 17:13:24 -05:00
Locally this just prefixes activation commands with `run0 --`, so the user's normal polkit agent (graphical or pkttyagent) handles auth. For --target-host, run0 would need a controlling terminal, which we deliberately do not allocate over SSH. Instead the equivalent `systemd-run --uid=0 --pipe --wait ...` form is used. Without --ask-elevate-password this relies on a polkit rule on the target granting the deploying user `org.freedesktop.systemd1.manage-units`. With --ask-elevate-password the command is wrapped in polkit-stdin-agent, which registers a per-process polkit agent for the child and answers the PAM conversation from stdin. A transient unit does not inherit the SSH login environment. On NixOS the unit's PATH is just the systemd store path, so neither `env` nor `nix-env` would be found inside it. Elevator.wrap_remote() therefore now takes the env mapping and the command, and returns the full remote argv: sudo keeps the existing `/bin/sh -c 'exec /usr/bin/env -i ...'` wrapper inside itself, while run0 puts the shell wrapper *around* systemd-run and forwards the resolved values into the unit via --setenv. The Arg/Args/EnvValue/PRESERVE_ENV types and the env-shell helper move from process.py into elevate.py to avoid a circular import, and callers are updated to import them from there. polkit-stdin-agent is resolved on the machine doing the elevation rather than baked in as a host-arch store path, which would be wrong for --no-reexec, cross-arch deploys (re-exec hits ENOEXEC and falls back), --rollback/--store-path, and Darwin deployers. Locally that is PATH. Remotely, Elevator.for_target_config() binds the elevator to the toplevel just placed on the target, and a small /bin/sh picker tries <toplevel>/sw/bin/polkit-stdin-agent (target-arch, in the copied closure) then PATH, exiting with an actionable error pointing at system.tools.nixos-rebuild.enableRun0Elevation when neither resolves. That option (added here) puts the agent in environment.systemPackages and asserts security.polkit.enable. A nixos-rebuild-target-host subtest exercises the full remote run0 path (polkit-stdin-agent + systemd-run + activation) end-to-end. Drop the now-unused stdenv argument from package.nix while here. Closes #507054.
198 lines
7.9 KiB
Nix
198 lines
7.9 KiB
Nix
{ hostPkgs, ... }:
|
|
{
|
|
name = "nixos-rebuild-target-host";
|
|
|
|
# TODO: remove overlay from nixos/modules/profiles/installation-device.nix
|
|
# make it a _small package instead, then remove pkgsReadOnly = false;.
|
|
node.pkgsReadOnly = false;
|
|
|
|
nodes = {
|
|
deployer =
|
|
{ lib, pkgs, ... }:
|
|
let
|
|
inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
|
|
in
|
|
{
|
|
imports = [ ../modules/profiles/installation-device.nix ];
|
|
|
|
nix.settings = {
|
|
substituters = lib.mkForce [ ];
|
|
hashed-mirrors = null;
|
|
connect-timeout = 1;
|
|
};
|
|
|
|
system.includeBuildDependencies = true;
|
|
# Needed so the offline build of the target config succeeds.
|
|
system.extraDependencies = [ pkgs.polkit-stdin-agent ];
|
|
|
|
virtualisation = {
|
|
cores = 2;
|
|
memorySize = 3072;
|
|
};
|
|
|
|
system.build.privateKey = snakeOilPrivateKey;
|
|
system.build.publicKey = snakeOilPublicKey;
|
|
system.switch.enable = true;
|
|
|
|
services.getty.autologinUser = lib.mkForce "root";
|
|
};
|
|
|
|
target =
|
|
{ nodes, lib, ... }:
|
|
let
|
|
targetConfig = {
|
|
documentation.enable = false;
|
|
services.openssh.enable = true;
|
|
|
|
users.users.root.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
|
|
users.users.alice.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
|
|
users.users.bob.openssh.authorizedKeys.keys = [ nodes.deployer.system.build.publicKey ];
|
|
|
|
users.users.alice.extraGroups = [ "wheel" ];
|
|
users.users.bob.extraGroups = [ "wheel" ];
|
|
|
|
# Needed for --elevate=run0. NixOS's default polkit admin rule is
|
|
# `unix-group:wheel`, so bob (in wheel) can authenticate with his
|
|
# own password via polkit-stdin-agent.
|
|
system.tools.nixos-rebuild.enableRun0Elevation = true;
|
|
|
|
# Disable sudo for root to ensure sudo isn't called without `--sudo`
|
|
security.sudo.extraRules = lib.mkForce [
|
|
{
|
|
groups = [ "wheel" ];
|
|
commands = [ { command = "ALL"; } ];
|
|
}
|
|
{
|
|
users = [ "alice" ];
|
|
commands = [
|
|
{
|
|
command = "ALL";
|
|
options = [ "NOPASSWD" ];
|
|
}
|
|
];
|
|
}
|
|
];
|
|
|
|
nix.settings.trusted-users = [ "@wheel" ];
|
|
};
|
|
in
|
|
{
|
|
imports = [ ./common/user-account.nix ];
|
|
|
|
config = lib.mkMerge [
|
|
targetConfig
|
|
{
|
|
system.build = {
|
|
inherit targetConfig;
|
|
};
|
|
system.switch.enable = true;
|
|
|
|
networking.hostName = "target";
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
{ nodes, ... }:
|
|
let
|
|
sshConfig = builtins.toFile "ssh.conf" ''
|
|
UserKnownHostsFile=/dev/null
|
|
StrictHostKeyChecking=no
|
|
'';
|
|
|
|
targetConfigJSON = hostPkgs.writeText "target-configuration.json" (
|
|
builtins.toJSON nodes.target.system.build.targetConfig
|
|
);
|
|
|
|
targetNetworkJSON = hostPkgs.writeText "target-network.json" (
|
|
builtins.toJSON nodes.target.system.build.networkConfig
|
|
);
|
|
|
|
configFile =
|
|
hostname:
|
|
hostPkgs.writeText "configuration.nix" # nix
|
|
''
|
|
{ lib, modulesPath, ... }: {
|
|
imports = [
|
|
(modulesPath + "/virtualisation/qemu-vm.nix")
|
|
(modulesPath + "/testing/test-instrumentation.nix")
|
|
(modulesPath + "/../tests/common/user-account.nix")
|
|
(lib.modules.importJSON ./target-configuration.json)
|
|
(lib.modules.importJSON ./target-network.json)
|
|
./hardware-configuration.nix
|
|
];
|
|
|
|
boot.loader.grub = {
|
|
enable = true;
|
|
device = "/dev/vda";
|
|
forceInstall = true;
|
|
};
|
|
|
|
# this will be asserted
|
|
networking.hostName = "${hostname}";
|
|
}
|
|
'';
|
|
in
|
|
# python
|
|
''
|
|
start_all()
|
|
target.wait_for_open_port(22)
|
|
|
|
deployer.wait_until_succeeds("ping -c1 target")
|
|
deployer.succeed("install -Dm 600 ${nodes.deployer.system.build.privateKey} ~root/.ssh/id_ecdsa")
|
|
deployer.succeed("install ${sshConfig} ~root/.ssh/config")
|
|
|
|
target.succeed("nixos-generate-config")
|
|
deployer.succeed("scp alice@target:/etc/nixos/hardware-configuration.nix /root/hardware-configuration.nix")
|
|
|
|
deployer.copy_from_host("${configFile "config-1-deployed"}", "/root/configuration-1.nix")
|
|
deployer.copy_from_host("${configFile "config-2-deployed"}", "/root/configuration-2.nix")
|
|
deployer.copy_from_host("${configFile "config-3-deployed"}", "/root/configuration-3.nix")
|
|
deployer.copy_from_host("${configFile "config-4-deployed"}", "/root/configuration-4.nix")
|
|
deployer.copy_from_host("${targetNetworkJSON}", "/root/target-network.json")
|
|
deployer.copy_from_host("${targetConfigJSON}", "/root/target-configuration.json")
|
|
|
|
# Ensure sudo is disabled for root
|
|
target.fail("sudo true")
|
|
|
|
# This test also ensures that sudo is not called without --sudo
|
|
with subtest("Deploy to root@target"):
|
|
deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
|
|
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
|
|
assert target_hostname == "config-1-deployed", f"{target_hostname=}"
|
|
|
|
with subtest("Deploy to alice@target with passwordless sudo"):
|
|
deployer.succeed("nixos-rebuild switch -I nixos-config=/root/configuration-2.nix --target-host alice@target --sudo &>/dev/console")
|
|
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
|
|
assert target_hostname == "config-2-deployed", f"{target_hostname=}"
|
|
|
|
with subtest("Deploy to bob@target with password-based sudo"):
|
|
deployer.wait_for_unit("multi-user.target")
|
|
deployer.send_chars("nixos-rebuild switch -I nixos-config=/root/configuration-3.nix --target-host bob@target --ask-sudo-password\n")
|
|
deployer.wait_until_tty_matches("1", "password for bob")
|
|
deployer.send_chars("${nodes.target.users.users.bob.password}\n")
|
|
deployer.wait_until_tty_matches("1", "Done. The new configuration is /nix/store/.*config-3-deployed")
|
|
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
|
|
assert target_hostname == "config-3-deployed", f"{target_hostname=}"
|
|
|
|
with subtest("Deploy to bob@target with run0 and password"):
|
|
# polkit-stdin-agent registers an agent for systemd-run on the
|
|
# target and answers the PAM conversation with the password we
|
|
# supply locally. The agent is resolved on the target from
|
|
# <toplevel>/sw/bin (see Run0Elevator._remote_agent_argv).
|
|
deployer.send_chars("nixos-rebuild switch -I nixos-config=/root/configuration-4.nix --target-host bob@target --elevate=run0 --ask-elevate-password\n")
|
|
deployer.wait_until_tty_matches("1", "\\[run0\\] password for bob@target")
|
|
deployer.send_chars("${nodes.target.users.users.bob.password}\n")
|
|
deployer.wait_until_tty_matches("1", "Done. The new configuration is /nix/store/.*config-4-deployed")
|
|
target_hostname = deployer.succeed("ssh alice@target cat /etc/hostname").rstrip()
|
|
assert target_hostname == "config-4-deployed", f"{target_hostname=}"
|
|
# The target-arch agent is reachable at the stable sw/bin path.
|
|
target.succeed("test -x /run/current-system/sw/bin/polkit-stdin-agent")
|
|
|
|
with subtest("Deploy works with very long TMPDIR"):
|
|
tmp_dir = "/var/folder/veryveryveryveryverylongpathnamethatdoesnotworkwithcontrolpath"
|
|
deployer.succeed(f"mkdir -p {tmp_dir}")
|
|
deployer.succeed(f"TMPDIR={tmp_dir} nixos-rebuild switch -I nixos-config=/root/configuration-1.nix --target-host root@target &>/dev/console")
|
|
'';
|
|
}
|