nixos/tests: Use a patched QEMU for testing

The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.

Starting with NixOS/nix@5e51ffb1c2, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.

This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.

So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.

In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).

Tested against the "misc" and "printing" tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2016-11-17 17:06:17 +01:00
parent 2c01da3654
commit 6cfb3b6364
No known key found for this signature in database
GPG Key ID: 1DE8E48E57DB5436
5 changed files with 63 additions and 2 deletions

View File

@ -110,6 +110,9 @@ let kernel = config.boot.kernelPackages.kernel; in
networking.usePredictableInterfaceNames = false;
# Make sure we use a patched QEMU that ignores file ownership.
virtualisation.qemu.program = "${pkgs.qemu_test}/bin/qemu-kvm";
# Make it easy to log in as root when running the test interactively.
users.extraUsers.root.initialHashedPassword = mkOverride 150 "";

View File

@ -70,7 +70,7 @@ let
'')}
# Start QEMU.
exec ${pkgs.qemu_kvm}/bin/qemu-kvm \
exec ${cfg.qemu.program} \
-name ${vmName} \
-m ${toString config.virtualisation.memorySize} \
${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"} \
@ -299,6 +299,14 @@ in
};
virtualisation.qemu = {
program = mkOption {
type = types.path;
default = "${pkgs.qemu_kvm}/bin/qemu-kvm";
defaultText = "\${pkgs.qemu_kvm}/bin/qemu-kvm";
example = literalExample "\${pkgs.qemu_test}/bin/qemu-kvm";
description = "The QEMU variant used to start the VM.";
};
options =
mkOption {
type = types.listOf types.unspecified;

View File

@ -11,6 +11,7 @@
, vncSupport ? true, libjpeg, libpng
, spiceSupport ? !stdenv.isDarwin, spice, spice_protocol, usbredir
, x86Only ? false
, nixosTestRunner ? false
}:
with stdenv.lib;
@ -118,7 +119,7 @@ stdenv.mkDerivation rec {
# from http://git.qemu.org/?p=qemu.git;a=patch;h=ff55e94d23ae94c8628b0115320157c763eb3e06
./CVE-2016-9102.patch
];
] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
hardeningDisable = [ "stackprotector" ];
configureFlags =

View File

@ -0,0 +1,48 @@
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 845675e..43fa036 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -128,6 +128,8 @@ static int local_lstat(FsContext *fs_ctx, V9fsPath *fs_path, struct stat *stbuf)
if (err) {
goto err_out;
}
+ stbuf->st_uid = 0;
+ stbuf->st_gid = 0;
if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
/* Actual credentials are part of extended attrs */
uid_t tmp_uid;
@@ -462,6 +464,16 @@ static ssize_t local_pwritev(FsContext *ctx, V9fsFidOpenState *fs,
return ret;
}
+static int maybe_chmod(const char *path, mode_t mode)
+{
+ static char *store_path = NULL;
+ if (store_path == NULL)
+ store_path = getenv("NIX_STORE");
+ if (strncmp(path, store_path, strlen(store_path)) != 0)
+ return chmod(path, mode);
+ return 0;
+}
+
static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp)
{
char *buffer;
@@ -477,7 +489,7 @@ static int local_chmod(FsContext *fs_ctx, V9fsPath *fs_path, FsCred *credp)
} else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
(fs_ctx->export_flags & V9FS_SM_NONE)) {
buffer = rpath(fs_ctx, path);
- ret = chmod(buffer, credp->fc_mode);
+ ret = maybe_chmod(buffer, credp->fc_mode);
g_free(buffer);
}
return ret;
@@ -621,6 +633,8 @@ static int local_fstat(FsContext *fs_ctx, int fid_type,
if (err) {
return err;
}
+ stbuf->st_uid = 0;
+ stbuf->st_gid = 0;
if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
/* Actual credentials are part of extended attrs */
uid_t tmp_uid;

View File

@ -11358,6 +11358,7 @@ in
watch = callPackage ../os-specific/linux/procps/watch.nix { };
qemu_kvm = lowPrio (qemu.override { x86Only = true; });
qemu_test = lowPrio (qemu.override { x86Only = true; nixosTestRunner = true; });
firmwareLinuxNonfree = callPackage ../os-specific/linux/firmware/firmware-linux-nonfree { };