diff options
author | Florian Klink <flokli@flokli.de> | 2020-08-05 01:34:12 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2020-08-05 01:34:12 +0200 |
commit | eb58711edf7b8a41c3b86c6099258c49a563b518 (patch) | |
tree | 1728fa163bcab07701ecf1df303f923260287c44 /nixos/tests/systemd.nix | |
parent | 29941db6bd333964145921a92c045c74b8bf4cb8 (diff) |
nixosTests.systemd: test cryptsetup support
This creates and opens a luks volume, puts its passphrase into a keyfile and writes a /etc/crypttab. It then reboots the machine, and verifies systemd parsed /etc/crypttab properly, and was able to unlock the volume with the keyfile provided (as we try to mount it). The memorySize of the VM had to be bumped, as luksFormat would otherwise run out of memory.
Diffstat (limited to 'nixos/tests/systemd.nix')
-rw-r--r-- | nixos/tests/systemd.nix | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix index a653932fb37c7..9d21f9158f3c1 100644 --- a/nixos/tests/systemd.nix +++ b/nixos/tests/systemd.nix @@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine = { lib, ... }: { imports = [ common/user-account.nix common/x11.nix ]; - virtualisation.emptyDiskImages = [ 512 ]; + virtualisation.emptyDiskImages = [ 512 512 ]; + virtualisation.memorySize = 1024; + + environment.systemPackages = [ pkgs.cryptsetup ]; fileSystems = lib.mkVMOverride { "/test-x-initrd-mount" = { @@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: { assert "RuntimeWatchdogUSec=30s" in output assert "RebootWatchdogUSec=10m" in output assert "KExecWatchdogUSec=5m" in output + + # Test systemd cryptsetup support + with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"): + # create a luks volume and put a filesystem on it + machine.succeed( + "echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -", + "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo", + "mkfs.ext3 /dev/mapper/foo", + ) + + # create a keyfile and /etc/crypttab + machine.succeed("echo -n supersecret > /var/lib/luks-keyfile") + machine.succeed("chmod 600 /var/lib/luks-keyfile") + machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab") + + # after a reboot, systemd should unlock the volume and we should be able to mount it + machine.shutdown() + machine.succeed("systemctl status systemd-cryptsetup@luks1.service") + machine.succeed("mkdir -p /tmp/luks1") + machine.succeed("mount /dev/mapper/luks1 /tmp/luks1") ''; }) |