nixos/image/repart-verity-store: also support building images that do not have... (a5c1fff2) · Commits · nix / nixpkgs

nixos/modules/image/repart-verity-store.nix

+5 −1

Original line number	Diff line number	Diff line
		@@ -123,7 +123,11 @@ in
		(
		_: previousAttrs: {
		# make it easier to identify the intermediate image in build logs
		pname = "${previousAttrs.pname}-intermediate";
		name =
		if previousAttrs ? pname then
		"${previousAttrs.pname}-${previousAttrs.version}-intermediate"
		else
		"${previousAttrs.name}-intermediate";

		# do not prepare the ESP, this is done in the final image
		systemdRepartFlags = previousAttrs.systemdRepartFlags ++ [ "--defer-partitions=esp" ];

nixos/tests/appliance-repart-image-verity-store.nix

+51 −35

Original line number	Diff line number	Diff line
		@@ -10,13 +10,8 @@
		willibutz
		];

		nodes.machine =
		{
		config,
		lib,
		pkgs,
		...
		}:
		defaults =
		{ config, lib, ... }:
		let
		inherit (config.image.repart.verityStore) partitionIds;
		in
		@@ -75,10 +70,7 @@
		initrd.systemd.enable = true;
		};

		system.image = {
		id = "nixos-appliance";
		version = "1";
		};
		system.image.id = "nixos-appliance";

		# don't create /usr/bin/env
		# this would require some extra work on read-only /usr
		@@ -86,6 +78,12 @@
		system.activationScripts.usrbinenv = lib.mkForce "";
		};

		nodes.machine = {
		system.image.version = "1";
		};

		nodes.without-version = { };

		testScript =
		{ nodes, ... }: # python
		''
		@@ -93,24 +91,22 @@
		import subprocess
		import tempfile

		tmp_disk_image = tempfile.NamedTemporaryFile()

		def create_disk_image(qemu_img, backing_file):
		tmp = tempfile.NamedTemporaryFile()
		subprocess.run([
		"${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
		qemu_img,
		"create",
		"-f",
		"qcow2",
		"-b",
		"${nodes.machine.system.build.image}/${nodes.machine.image.filePath}",
		backing_file,
		"-F",
		"raw",
		tmp_disk_image.name,
		])

		os.environ['NIX_DISK_IMAGE'] = tmp_disk_image.name

		machine.wait_for_unit("default.target")
		tmp.name,
		], check=True)
		return tmp

		def run_verity_tests(machine):
		with subtest("Running with volatile root"):
		machine.succeed("findmnt --kernel --type tmpfs /")

		@@ -119,6 +115,26 @@
		assert "ACTIVE" in verity_info, f"unexpected verity info: {verity_info}"

		backing_device = machine.succeed("df --output=source /nix/store \| tail -n1").strip()
		assert "/dev/mapper/usr" == backing_device,"unexpected backing device: {backing_device}"
		assert "/dev/mapper/usr" == backing_device, f"unexpected backing device: {backing_device}"

		tmp_disk_machine = create_disk_image(
		"${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
		"${nodes.machine.system.build.image}/${nodes.machine.image.filePath}",
		)
		os.environ['NIX_DISK_IMAGE'] = tmp_disk_machine.name
		machine.wait_for_unit("default.target")
		run_verity_tests(machine)
		with subtest("Image version is set"):
		machine.succeed("grep IMAGE_VERSION=1 /etc/os-release")

		tmp_disk_without_version = create_disk_image(
		"${nodes."without-version".virtualisation.qemu.package}/bin/qemu-img",
		"${nodes."without-version".system.build.image}/${nodes."without-version".image.filePath}",
		)
		os.environ['NIX_DISK_IMAGE'] = tmp_disk_without_version.name
		without_version.wait_for_unit("default.target")
		run_verity_tests(without_version)
		with subtest("Image version is not set"):
		without_version.succeed('grep IMAGE_VERSION="" /etc/os-release')
		'';
		}