nixosTests.systemd: test cryptsetup support
This creates and opens a luks volume, puts its passphrase into a keyfile and writes a /etc/crypttab. It then reboots the machine, and verifies systemd parsed /etc/crypttab properly, and was able to unlock the volume with the keyfile provided (as we try to mount it). The memorySize of the VM had to be bumped, as luksFormat would otherwise run out of memory.
parent
29941db6bd
commit
eb58711edf
@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
machine = { lib, ... }: {
|
||||
imports = [ common/user-account.nix common/x11.nix ];
|
||||
|
||||
virtualisation.emptyDiskImages = [ 512 ];
|
||||
virtualisation.emptyDiskImages = [ 512 512 ];
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
environment.systemPackages = [ pkgs.cryptsetup ];
|
||||
|
||||
fileSystems = lib.mkVMOverride {
|
||||
"/test-x-initrd-mount" = {
|
||||
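Review bot: `virtualisation.memorySize = 1024;` carries no comment saying why this test needs more memory, so a later cleanup could lower it and bring back the luksFormat out-of-memory failure described in the commit message. A comment above it such as `# cryptsetup luksFormat runs out of memory with the default VM size` would keep the reason next to the setting. The second `512` in `emptyDiskImages` appears to be the disk the test script addresses as `/dev/vdc`, and a short comment saying so would tie the two together. If the memory need comes from luksFormat's default key-derivation settings (inferred, not shown here), a lower `--pbkdf-memory` on the luksFormat call would be an alternative to enlarging the VM.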
@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
assert "RuntimeWatchdogUSec=30s" in output
|
||||
assert "RebootWatchdogUSec=10m" in output
|
||||
assert "KExecWatchdogUSec=5m" in output
|
||||
|
||||
# Test systemd cryptsetup support
|
||||
with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
|
||||
# create a luks volume and put a filesystem on it
|
||||
machine.succeed(
|
||||
"echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
|
||||
"echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
|
||||
"mkfs.ext3 /dev/mapper/foo",
|
||||
)
|
||||
|
||||
# create a keyfile and /etc/crypttab
|
||||
machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
|
||||
machine.succeed("chmod 600 /var/lib/luks-keyfile")
|
||||
machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
|
||||
|
||||
# after a reboot, systemd should unlock the volume and we should be able to mount it
|
||||
machine.shutdown()
|
||||
machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
|
||||
machine.succeed("mkdir -p /tmp/luks1")
|
||||
machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
|
||||
'';
|
||||
})
|
||||
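Review bot: The keyfile `/var/lib/luks-keyfile` is created by a shell redirect and only narrowed by `chmod 600` in a separate command, so in between it exists with umask-default permissions, which are typically world-readable. That is harmless in a throwaway VM, but test scripts get copied as examples. Creating it restrictive from the start, with `machine.succeed("(umask 077; echo -n supersecret > /var/lib/luks-keyfile)")`, removes the window and the extra chmod. Separately, `systemctl status systemd-cryptsetup@luks1.service` right after the reboot relies on the unit having finished by the time the shell is reachable; `machine.wait_for_unit("systemd-cryptsetup@luks1.service")` would state that expectation explicitly. The test script's string starts outside this hunk.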
|