nixosTests.systemd: test cryptsetup support

This creates and opens a luks volume, puts its passphrase into a keyfile and writes a /etc/crypttab. It then reboots the machine, and verifies systemd parsed /etc/crypttab properly, and was able to unlock the volume with the keyfile provided (as we try to mount it). The memorySize of the VM had to be bumped, as luksFormat would otherwise run out of memory.
2020-08-05 01:34:12 +02:00 · 2020-08-05 01:34:12 +02:00 · eb58711edf
parent 29941db6bd
commit eb58711edf
1 changed files with 24 additions and 1 deletions
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
  machine = { lib, ... }: {
    imports = [ common/user-account.nix common/x11.nix ];

-    virtualisation.emptyDiskImages = [ 512 ];
+    virtualisation.emptyDiskImages = [ 512 512 ];
+    virtualisation.memorySize = 1024;
+
+    environment.systemPackages = [ pkgs.cryptsetup ];

    fileSystems = lib.mkVMOverride {
      "/test-x-initrd-mount" = {
@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
        assert "RuntimeWatchdogUSec=30s" in output
        assert "RebootWatchdogUSec=10m" in output
        assert "KExecWatchdogUSec=5m" in output
+
+    # Test systemd cryptsetup support
+    with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
+        # create a luks volume and put a filesystem on it
+        machine.succeed(
+            "echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
+            "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
+            "mkfs.ext3 /dev/mapper/foo",
+        )
+
+        # create a keyfile and /etc/crypttab
+        machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
+        machine.succeed("chmod 600 /var/lib/luks-keyfile")
+        machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
+
+        # after a reboot, systemd should unlock the volume and we should be able to mount it
+        machine.shutdown()
+        machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
+        machine.succeed("mkdir -p /tmp/luks1")
+        machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
  '';
 })