nathan/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2026-06-05 21:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enable systemd stage 1 by default (#435781)

Browse Source
This commit is contained in:
K900
2026-04-08 05:08:43 +00:00
committed by GitHub
parent 5e63c44958 5620d245ad
commit b3054f010f
33 changed files with 396 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
nixos/doc/manual/administration/boot-problems.section.md
View File

@@ -1,41 +1,61 @@
# Boot Problems {#sec-boot-problems}
If NixOS fails to boot, there are a number of kernel command line parameters that may help you to identify or fix the issue. You can add these parameters in the GRUB boot menu by pressing “e” to modify the selected boot entry and editing the line starting with `linux`. The following are some useful kernel command line parameters that are recognised by the NixOS boot scripts or by systemd:
If NixOS fails to boot, there are a number of kernel command line parameters that may help you to identify or fix the issue. You can add these parameters in the GRUB boot menu by pressing “e” to modify the selected boot entry and editing the line starting with `linux`.
`boot.shell_on_fail`
: Allows the user to start a root shell if something goes wrong in stage 1 of the boot process (the initial ramdisk). This is disabled by default because there is no authentication for the root shell.
`boot.debug1`
: Start an interactive shell in stage 1 before anything useful has been done. That is, no modules have been loaded and no file systems have been mounted, except for `/proc` and `/sys`.
`boot.debug1devices`
: Like `boot.debug1`, but runs stage1 until kernel modules are loaded and device nodes are created. This may help with e.g. making the keyboard work.
`boot.debug1mounts`
: Like `boot.debug1` or `boot.debug1devices`, but runs stage1 until all filesystems that are mounted during initrd are mounted (see [neededForBoot](#opt-fileSystems._name_.neededForBoot)). As a motivating example, this could be useful if you've forgotten to set [neededForBoot](#opt-fileSystems._name_.neededForBoot) on a file system.
`boot.trace`
: Print every shell command executed by the stage 1 and 2 boot scripts.
`single`
: Boot into rescue mode (a.k.a. single user mode). This will cause systemd to start nothing but the unit `rescue.target`, which runs `sulogin` to prompt for the root password and start a root login shell. Exiting the shell causes the system to continue with the normal boot process.
`systemd.log_level=debug` `systemd.log_target=console`
: Make systemd very verbose and send log messages to the console instead of the journal. For more parameters recognised by systemd, see systemd(1).
In addition, these arguments are recognised by the live image only:
{manpage}`kernel-command-line(7)` documents the kernel parameters accepted by systemd. Those include many that are helpful for debugging boot issues, such as `systemd.debug_shell` and `rescue`. Some also have `rd.`prefixed variants that apply to stage 1.
`live.nixos.passwd=password`
: Set the password for the `nixos` live user. This can be used for SSH access if there are issues using the terminal.
Notice that for `boot.shell_on_fail`, `boot.debug1`, `boot.debug1devices`, and `boot.debug1mounts`, if you did **not** select "start the new shell as pid 1", and you `exit` from the new shell, boot will proceed normally from the point where it failed, as if you'd chosen "ignore the error and continue".
If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If youre lucky, this will start `rescue.target` (described in {manpage}`systemd.special(7)`). (Also note that since most units have a 90-second timeout before systemd gives up on them, the `agetty` login prompts should appear eventually unless something is very wrong.)
If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If youre lucky, this will start rescue mode (described above). (Also note that since most units have a 90-second timeout before systemd gives up on them, the `agetty` login prompts should appear eventually unless something is very wrong.)
## Scripted stage 1 {#sec-boot-problems-scripted-stage-1}
The scripted implementation of stage 1 also understands these boot parameters.
::: {.warning}
The scripted implementation of stage 1 is disabled by default and deprecated. These parameters have no effect, unless systemd stage 1 is explicitly disabled with `boot.initrd.systemd.enable = false;`.
:::
`boot.shell_on_fail`
: Allows the user to start a root shell if something goes wrong in stage 1 of the boot process (the initial ramdisk). This is disabled by default because there is no authentication for the root shell.
::: {.note}
systemd stage 1 alternative: `SYSTEMD_SULOGIN_FORCE=1` for rescue mode, or `rd.systemd.debug_shell` for shell on tty9.
:::
`boot.debug1`
: Start an interactive shell in stage 1 before anything useful has been done. That is, no modules have been loaded and no file systems have been mounted, except for `/proc` and `/sys`.
::: {.note}
systemd stage 1 alternative: `rd.systemd.break=pre-udev`
:::
`boot.debug1devices`
: Like `boot.debug1`, but runs stage1 until kernel modules are loaded and device nodes are created. This may help with e.g. making the keyboard work.
::: {.note}
systemd stage 1 alternative: `rd.systemd.break=pre-mount`
:::
`boot.debug1mounts`
: Like `boot.debug1` or `boot.debug1devices`, but runs stage1 until all filesystems that are mounted during initrd are mounted (see [neededForBoot](#opt-fileSystems._name_.neededForBoot)). As a motivating example, this could be useful if you've forgotten to set [neededForBoot](#opt-fileSystems._name_.neededForBoot) on a file system.
::: {.note}
systemd stage 1 alternative: `rd.systemd.break=pre-switch-root`
:::
`boot.trace`
: Print every shell command executed by the stage 1 and 2 boot scripts.
::: {.note}
systemd stage 1 alternative: `rd.systemd.log_level=debug`
:::
Notice that for `boot.shell_on_fail`, `boot.debug1`, `boot.debug1devices`, and `boot.debug1mounts`, if you did **not** select "start the new shell as pid 1", and you `exit` from the new shell, boot will proceed normally from the point where it failed, as if you'd chosen "ignore the error and continue".

9
nixos/doc/manual/installation/installing-from-other-distro.section.md
View File

@@ -149,6 +149,10 @@ The first steps to all these are the same:
`NIXOS_LUSTRATE`:
:::
::: {.warning}
The lustrate process will not work if the [](#opt-boot.initrd.systemd.enable) option is set to `true`, which is now the default. Setting this to `false` is deprecated and scheduled for removal in NixOS 26.11, along with `NIXOS_LUSTRATE`. Other installation methods, such as the one outlined above, or installing from [kexec](#sec-booting-via-kexec), are recommended instead.
:::
Generate your NixOS configuration:
```ShellSession
@@ -167,11 +171,6 @@ The first steps to all these are the same:
If the current system and NixOS's bootloader configuration don't agree on where the [EFI System Partition](https://en.wikipedia.org/wiki/EFI_system_partition) is to be mounted, you'll need to manually alter the mount point in `hardware-configuration.nix` before building the system closure.
:::
::: {.note}
The lustrate process will not work if the [](#opt-boot.initrd.systemd.enable) option is set to `true`.
If you want to use this option, wait until after the first boot into the NixOS system to enable it and rebuild.
:::
You'll likely want to set a root password for your first boot using
the configuration files because you won't have a chance to enter a
password until after you reboot. You can initialize the root password

3
nixos/doc/manual/redirects.json
View File

@@ -151,6 +151,9 @@
"module-virtualisation-xen-introduction": [
"index.html#module-virtualisation-xen-introduction"
],
"sec-boot-problems-scripted-stage-1": [
"index.html#sec-boot-problems-scripted-stage-1"
],
"sec-nixos-test-vms-vs-containers": [
"index.html#sec-nixos-test-vms-vs-containers"
],

10
nixos/doc/manual/release-notes/rl-2605.section.md
View File

@@ -4,6 +4,16 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Stage 1 (a.k.a. initrd) is now based on systemd by default, and the old scripted implementation is deprecated and scheduled for removal in 26.11. If you run into issues migrating, you can [get help from the community](https://nixos.org/community/) or report an issue on GitHub.
You can temporarily revert to the scripted stage 1 implementation by disabling [](#opt-boot.initrd.systemd.enable), but this is discouraged.
Most incompatibilities will be explained with assertions during configuration evaluation, but be aware of the following that can't be automatically detected:
- If you use LUKS disk encryption, ensure that `fileSystems."/".device` is set to `"/dev/mapper/<name>"`, where `<name>` matches the name in your `boot.initrd.luks.devices.<name>` definition, to avoid systemd timing out while prompting for a passphrase. If you have a more complex setup, e.g. with LVM on top of LUKS, you may need to add `"x-systemd.device-timeout=infinity"` to `fileSystems."/".options` instead. If you need to disable the timeout before you can boot into the system, pass `systemd.default_device_timeout_sec=infinity` on the kernel command line.
- The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
- Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).
- The system.nix file has been added has an alternative entry point to configuration.nix (and flake.nix) that allows to configure NixOS without using `nix-channel`.
This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
For example,

10
nixos/modules/config/users-groups.nix
View File

@@ -1143,6 +1143,16 @@ in
'';
}
]
++ flip mapAttrsToList config.boot.initrd.systemd.users (
name: user: {
assertion = config.boot.initrd.systemd.enable -> (baseNameOf user.shell != "cryptsetup-askpass");
message = ''
cryptsetup-askpass is not available in systemd stage 1. Please remove it from: boot.initrd.systemd.users.${name}.shell
Use `systemctl default` instead; see the NixOS 26.05 release notes for details. If you want to continue restricting the command for SSH login, you can use `command="systemctl default"` in SSH authorized keys instead; see `sshd(8)`.
'';
}
)
++ flatten (
flip mapAttrsToList cfg.users (
name: user:

21
nixos/modules/services/system/dbus.nix
View File

@@ -32,7 +32,19 @@ in
options = {
boot.initrd.systemd.dbus = {
enable = mkEnableOption "dbus in stage 1";
enable = mkEnableOption "dbus in stage 1" // {
# TODO: This isn't really necessary, but it avoids a very
# common red herring error message:
#
# $ systemctl ...
# Failed to connect to system scope bus via local transport: No such file or directory.
#
# When systemctl tries and fails to control the system manager
# over dbus, it fals back to a private bus socket after
# printing this message. It works, but users often think it is
# the source of their problem when it isn't.
default = true;
};
};
services.dbus = {
@@ -163,6 +175,13 @@ in
"${config.boot.initrd.systemd.package}/share/dbus-1/system.d"
];
targets.sockets.wants = [ "dbus.socket" ];
# Otherwise, dbus waits on cryptsetup, and systemctl says the
# bus couldn't be found. This isn't an error (systemctl will
# fall back to a private bus with PID 1), but it's confusing
# to unaware users.
services.dbus.unitConfig.DefaultDependencies = false;
sockets.dbus.unitConfig.DefaultDependencies = false;
};
})

1
nixos/modules/system/boot/luksroot.nix
View File

@@ -998,7 +998,6 @@ in
type = with types; listOf singleLineStr;
default = [ ];
example = [ "_netdev" ];
visible = false;
description = ''
Only used with systemd stage 1.

4
nixos/modules/system/boot/stage-1.nix
View File

@@ -727,6 +727,10 @@ in
};
config = mkIf config.boot.initrd.enable {
warnings = lib.optional (!config.boot.initrd.systemd.enable) ''
Scripted initrd is deprecated and scheduled for removal in 26.11. See the NixOS 26.05 release notes.
'';
assertions = [
{
assertion = !config.boot.initrd.systemd.enable -> any (fs: fs.mountPoint == "/") fileSystems;

88
nixos/modules/system/boot/systemd/initrd.nix
View File

@@ -29,6 +29,10 @@ let
upstreamUnits = [
"basic.target"
"breakpoint-pre-udev.service"
"breakpoint-pre-basic.service"
"breakpoint-pre-mount.service"
"breakpoint-pre-switch-root.service"
"ctrl-alt-del.target"
"debug-shell.service"
"emergency.service"
@@ -153,6 +157,7 @@ in
options.boot.initrd.systemd = {
enable = mkEnableOption "systemd in initrd" // {
default = true;
description = ''
Whether to enable systemd in initrd. The unit options such as
{option}`boot.initrd.systemd.services` are the same as their
@@ -423,42 +428,57 @@ in
};
config = mkIf (config.boot.initrd.enable && cfg.enable) {
assertions = [
{
assertion =
cfg.root == "fstab" -> any (fs: fs.mountPoint == "/") (builtins.attrValues config.fileSystems);
message = "The fileSystems option does not specify your root file system.";
}
]
++
map
(name: {
assertion = lib.attrByPath name (throw "impossible") config.boot.initrd == "";
message = ''
systemd stage 1 does not support 'boot.initrd.${lib.concatStringsSep "." name}'. Please
convert it to analogous systemd units in 'boot.initrd.systemd'.
Definitions:
${lib.concatMapStringsSep "\n" ({ file, ... }: " - ${file}")
(lib.attrByPath name (throw "impossible") options.boot.initrd).definitionsWithLocations
}
'';
})
[
[ "preFailCommands" ]
[ "preDeviceCommands" ]
[ "preLVMCommands" ]
[ "postDeviceCommands" ]
[ "postResumeCommands" ]
[ "postMountCommands" ]
[ "extraUdevRulesCommands" ]
[ "extraUtilsCommands" ]
[ "extraUtilsCommandsTest" ]
assertions =
let
obsoleteOpt =
opts: msgFn:
lib.flip map opts (opt: {
assertion = lib.attrByPath opt (throw "impossible") config.boot.initrd == "";
message = ''
${msgFn (lib.concatStringsSep "." opt)}
Definitions:
${lib.concatMapStringsSep "\n" ({ file, ... }: " - ${file}")
(lib.attrByPath opt (throw "impossible") options.boot.initrd).definitionsWithLocations
}
'';
});
in
[
{
assertion =
cfg.root == "fstab" -> any (fs: fs.mountPoint == "/") (builtins.attrValues config.fileSystems);
message = "The fileSystems option does not specify your root file system.";
}
]
++
obsoleteOpt
[
"network"
"postCommands"
[ "preFailCommands" ]
[ "preDeviceCommands" ]
[ "preLVMCommands" ]
[ "postDeviceCommands" ]
[ "postResumeCommands" ]
[ "postMountCommands" ]
[
"network"
"postCommands"
]
]
];
(name: ''
systemd stage 1 does not support `boot.initrd.${name}`. Instead, create systemd services using the `boot.initrd.systemd.services` options, which has an API matching the stage 2 `systemd.services` options. Refer to `bootup(7)`, specifically the sections on "Bootup in the Initrd" and "System Manager Bootup", for information about when various units happen, and order services accordingly.
'')
++
obsoleteOpt
[
[ "extraUtilsCommands" ]
[ "extraUtilsCommandsTest" ]
]
(name: ''
systemd stage 1 does not support `boot.initrd.${name}`. Instead, use `boot.initrd.systemd.initrdBin`, `boot.initrd.systemd.extraBin`, `boot.initrd.systemd.contents`, or `boot.initrd.systemd.storePaths` to add files to the initrd.
'')
++ obsoleteOpt [ [ "extraUdevRulesCommands" ] ] (name: ''
systemd stage 1 does not support `boot.initrd.${name}`. Instead, use `boot.initrd.services.udev` to configure udev.
'');
system.build = { inherit initialRamdisk; };

20
nixos/release-combined.nix
View File

@@ -103,6 +103,24 @@ rec {
(onFullSupported "nixos.tests.gnome")
(onSystems [ "x86_64-linux" ] "nixos.tests.hibernate")
(onFullSupported "nixos.tests.i3wm")
(onSystems [ "aarch64-linux" ] "nixos.tests.installer-systemd-stage-1.simpleUefiSystemdBoot")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.btrfsSimple")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.btrfsSubvolDefault")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.btrfsSubvolEscape")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.btrfsSubvols")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.luksroot")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.lvm")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.separateBootZfs")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.separateBootFat")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.separateBoot")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.simpleLabels")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.simpleProvided")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.simpleUefiSystemdBoot")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.simple")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.swraid")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer-systemd-stage-1.zfsroot")
(onSystems [ "x86_64-linux" ] "nixos.tests.nixos-rebuild-specialisations")
# Scripted stage 1 installer tests, remove in 26.11
(onSystems [ "aarch64-linux" ] "nixos.tests.installer.simpleUefiSystemdBoot")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer.btrfsSimple")
(onSystems [ "x86_64-linux" ] "nixos.tests.installer.btrfsSubvolDefault")
@@ -166,6 +184,8 @@ rec {
(onFullSupported "nixos.tests.nfs4.simple")
(onSystems [ "x86_64-linux" ] "nixos.tests.oci-containers.podman")
(onFullSupported "nixos.tests.openssh")
(onFullSupported "nixos.tests.systemd-initrd-networkd-ssh")
# Scripted stage 1 SSH test, remove in 26.11
(onFullSupported "nixos.tests.initrd-network-ssh")
(onFullSupported "nixos.tests.pantheon")
(onFullSupported "nixos.tests.php.fpm")

22
nixos/tests/all-tests.nix
View File

@@ -727,7 +727,9 @@ in
# 9pnet_virtio used to mount /nix partition doesn't support
# hibernation. This test happens to work on x86_64-linux but
# not on other platforms.
hibernate = handleTestOn [ "x86_64-linux" ] ./hibernate.nix { };
hibernate = handleTestOn [ "x86_64-linux" ] ./hibernate.nix {
systemdStage1 = false;
};
hibernate-systemd-stage-1 = handleTestOn [ "x86_64-linux" ] ./hibernate.nix {
systemdStage1 = true;
};
@@ -769,8 +771,13 @@ in
};
influxdb = runTest ./influxdb.nix;
influxdb2 = runTest ./influxdb2.nix;
initrd-luks-empty-passphrase = runTest ./initrd-luks-empty-passphrase.nix;
initrd-network-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn { };
initrd-luks-empty-passphrase = runTest {
imports = [ ./initrd-luks-empty-passphrase.nix ];
_module.args.systemdStage1 = false;
};
initrd-network-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn {
systemdStage1 = false;
};
initrd-network-ssh = handleTest ./initrd-network-ssh { };
initrd-secrets = handleTest ./initrd-secrets.nix { };
initrd-secrets-changing = handleTest ./initrd-secrets-changing.nix { };
@@ -778,8 +785,8 @@ in
input-remapper = runTest ./input-remapper.nix;
inspircd = runTest ./inspircd.nix;
installed-tests = recurseIntoAttrs (handleTest ./installed-tests { });
installer = handleTest ./installer.nix { };
installer-systemd-stage-1 = handleTest ./installer-systemd-stage-1.nix { };
installer = handleTest ./installer.nix { systemdStage1 = true; };
installer-systemd-stage-1 = handleTest ./installer.nix { systemdStage1 = true; };
intune = runTest ./intune.nix;
invidious = runTest ./invidious.nix;
invoiceplane = runTest ./invoiceplane.nix;
@@ -1602,7 +1609,10 @@ in
systemd-pstore = runTest ./systemd-pstore.nix;
systemd-repart = handleTest ./systemd-repart.nix { };
systemd-resolved = runTest ./systemd-resolved.nix;
systemd-shutdown = runTest ./systemd-shutdown.nix;
systemd-shutdown = runTest {
imports = [ ./systemd-shutdown.nix ];
_module.args.systemdStage1 = false;
};
systemd-ssh-proxy = runTest ./systemd-ssh-proxy.nix;
systemd-sysupdate = runTest ./systemd-sysupdate.nix;
systemd-sysusers-immutable = runTest ./systemd-sysusers-immutable.nix;

5
nixos/tests/boot-stage1.nix
View File

@@ -1,3 +1,6 @@
# Remove in 26.11. This test guards against problems with
# stage-1-init.sh, which will be removed with scripted stage 1.
{ pkgs, ... }:
{
name = "boot-stage1";
@@ -10,6 +13,8 @@
...
}:
{
boot.initrd.systemd.enable = false;
boot.extraModulePackages =
let
compileKernelModule =

3
nixos/tests/boot-stage2.nix
View File

@@ -54,6 +54,9 @@
boot = {
initrd = {
# TODO: Switch to systemd initrd
systemd.enable = false;
# Format the upper Nix store.
postDeviceCommands = ''
${pkgs.e2fsprogs}/bin/mkfs.ext4 /dev/vdb

10
nixos/tests/ec2.nix
View File

@@ -19,9 +19,13 @@ let
../modules/profiles/qemu-guest.nix
{
# Hack to make the partition resizing work in QEMU.
boot.initrd.postDeviceCommands = mkBefore ''
ln -s vda /dev/xvda
ln -s vda1 /dev/xvda1
boot.initrd.services.udev.rules = ''
KERNEL==vda, SYMLINK+=xvda
KERNEL==vda1, SYMLINK+=xvda1
'';
services.udev.extraRules = ''
KERNEL==vda, SYMLINK+=xvda
KERNEL==vda1, SYMLINK+=xvda1
'';
amazonImage.format = "qcow2";

2
nixos/tests/envfs.nix
View File

@@ -1,6 +1,6 @@
{
pkgs,
systemdStage1 ? false,
systemdStage1,
...
}:

2
nixos/tests/hibernate.nix
View File

@@ -4,7 +4,7 @@
system ? builtins.currentSystem,
config ? { },
pkgs ? import ../.. { inherit system config; },
systemdStage1 ? false,
systemdStage1,
}:
with import ../lib/testing-python.nix { inherit system pkgs; };

8
nixos/tests/initrd-luks-empty-passphrase.nix
View File

@@ -14,8 +14,6 @@ in
{
name = "initrd-luks-empty-passphrase";
_module.args.systemdStage1 = lib.mkDefault false;
nodes.machine =
{ pkgs, ... }:
{
@@ -31,9 +29,9 @@ in
};
boot.loader.systemd-boot.enable = true;
boot.initrd.systemd = lib.mkIf systemdStage1 {
enable = true;
emergencyAccess = true;
boot.initrd.systemd = {
enable = systemdStage1;
emergencyAccess = lib.mkIf systemdStage1 true;
};
environment.systemPackages = with pkgs; [ cryptsetup ];

2
nixos/tests/initrd-network-openvpn/default.nix
View File

@@ -2,7 +2,7 @@
system ? builtins.currentSystem,
config ? { },
pkgs ? import ../.. { inherit system config; },
systemdStage1 ? false,
systemdStage1,
}:
import ../make-test-python.nix (

3
nixos/tests/initrd-network-ssh/default.nix
View File

@@ -1,3 +1,5 @@
# This tests SSH in scripted stage 1. Remove in 26.11.
import ../make-test-python.nix (
{ lib, pkgs, ... }:
@@ -14,6 +16,7 @@ import ../make-test-python.nix (
boot.kernelParams = [
"ip=${config.networking.primaryIPAddress}:::255.255.255.0::eth1:none"
];
boot.initrd.systemd.enable = false;
boot.initrd.network = {
enable = true;
ssh = {

3
nixos/tests/initrd-network.nix
View File

@@ -1,3 +1,5 @@
# Tests networking in scripted stage 1. Remove in 26.11.
{ pkgs, lib, ... }:
{
name = "initrd-network";
@@ -8,6 +10,7 @@
{ ... }:
{
imports = [ ../modules/profiles/minimal.nix ];
boot.initrd.systemd.enable = false;
boot.initrd.network.enable = true;
boot.initrd.network.postCommands = ''
ip addr show

21
nixos/tests/initrd-secrets-changing.nix
View File

@@ -24,14 +24,19 @@ testing.makeTest {
boot.initrd.secrets = {
"/test" = secret1InStore;
"/run/keys/test" = secret1InStore;
"/run/test" = secret1InStore;
};
boot.initrd.systemd = {
enable = true;
tmpfiles.settings."00-copy-secret" = {
"/sysroot/secret-from-initramfs".C.argument = "/test";
};
};
boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";
specialisation.secrets2System.configuration = {
boot.initrd.secrets = lib.mkForce {
"/test" = secret2InStore;
"/run/keys/test" = secret2InStore;
"/run/test" = secret2InStore;
};
};
};
@@ -40,21 +45,23 @@ testing.makeTest {
start_all()
machine.wait_for_unit("multi-user.target")
print(machine.succeed("cat /run/keys/test"))
print(machine.succeed("cat /run/test"))
machine.succeed(
"cmp ${secret1InStore} /secret-from-initramfs",
"cmp ${secret1InStore} /run/keys/test",
"cmp ${secret1InStore} /run/test",
)
# Select the second boot entry corresponding to the specialisation secrets2System.
machine.succeed("grub-reboot 1")
# Remove the rootfs secret so tmpfiles will copy the new one next time
machine.succeed("rm /secret-from-initramfs")
machine.shutdown()
with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
machine.wait_for_unit("multi-user.target")
print(machine.succeed("cat /run/keys/test"))
print(machine.succeed("cat /run/test"))
machine.succeed(
"cmp ${secret2InStore} /secret-from-initramfs",
"cmp ${secret2InStore} /run/keys/test",
"cmp ${secret2InStore} /run/test",
)
machine.shutdown()
'';

15
nixos/tests/initrd-secrets.nix
View File

@@ -24,12 +24,15 @@ let
boot.initrd.secrets = {
"/test" = secretInStore;
# This should *not* need to be copied in postMountCommands
"/run/keys/test" = secretInStore;
# This should *not* need to be copied
"/run/test" = secretInStore;
};
boot.initrd.systemd = {
enable = true;
tmpfiles.settings."00-copy-secret" = {
"/sysroot/secret-from-initramfs".C.argument = "/test";
};
};
boot.initrd.postMountCommands = ''
cp /test /mnt-root/secret-from-initramfs
'';
boot.initrd.compressor = compressor;
# zstd compression is only supported from 5.9 onwards. Remove when 5.10 becomes default.
boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -40,7 +43,7 @@ let
machine.wait_for_unit("multi-user.target")
machine.succeed(
"cmp ${secretInStore} /secret-from-initramfs",
"cmp ${secretInStore} /run/keys/test",
"cmp ${secretInStore} /run/test",
)
'';
};

52
nixos/tests/installer-systemd-stage-1.nix
View File

@@ -1,52 +0,0 @@
{
system ? builtins.currentSystem,
config ? { },
pkgs ? import ../.. { inherit system config; },
}:
{
# Some of these tests don't work with systemd stage 1 yet. Uncomment
# them when fixed.
inherit
(import ./installer.nix {
inherit system config pkgs;
systemdStage1 = true;
})
# bcache
bcachefsSimple
bcachefsEncrypted
btrfsSimple
btrfsSubvolDefault
btrfsSubvolEscape
btrfsSubvols
encryptedFSWithKeyfile
# grub1
luksroot
luksroot-format1
luksroot-format2
lvm
separateBoot
separateBootFat
separateBootZfs
simple
simpleLabels
simpleProvided
simpleSpecialised
simpleUefiGrub
simpleUefiGrubSpecialisation
simpleUefiSystemdBoot
stratisRoot
swraid
zfsroot
clevisLuks
clevisLuksFallback
clevisZfs
clevisZfsFallback
clevisZfsParentDataset
clevisZfsParentDatasetFallback
gptAutoRoot
clevisBcachefs
clevisBcachefsFallback
;
}

34
nixos/tests/installer.nix
View File

@@ -2,7 +2,7 @@
system ? builtins.currentSystem,
config ? { },
pkgs ? import ../.. { inherit system config; },
systemdStage1 ? false,
systemdStage1,
}:
with import ../lib/testing-python.nix { inherit system pkgs; };
@@ -42,7 +42,7 @@ let
# To ensure that we can rebuild the grub configuration on the nixos-rebuild
system.extraDependencies = with pkgs; [ stdenvNoCC ];
${optionalString systemdStage1 "boot.initrd.systemd.enable = true;"}
boot.initrd.systemd.enable = ${boolToString systemdStage1};
${optionalString (bootLoader == "grub") ''
boot.loader.grub.extraConfig = "serial; terminal_output serial";
@@ -640,6 +640,7 @@ let
clevisFallbackTest ? false,
disableFileSystems ? false,
selectNixPackage ? pkgs: pkgs.nixVersions.stable,
broken ? false,
}:
let
isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi);
@@ -656,6 +657,7 @@ let
"x86_64-darwin"
"i686-linux"
];
inherit broken;
};
nodes =
let
@@ -846,14 +848,23 @@ let
"mount LABEL=boot /mnt/boot",
)
'';
extraConfig = ''
boot.kernelParams = lib.mkAfter [ "console=tty0" ];
'';
enableOCR = true;
postBootCommands = ''
target.wait_for_text("[Pp]assphrase for")
target.send_chars("supersecret\n")
'';
# The serial console is much more reliable than OCR, but
# scripted stage 1 doesn't forward logs / password prompts to
# it. (TODO: The test framework should use 'console=ttyS0'
# anyway, but currently it uses 'console=tty0' for the sake of
# the interactive driver)
enableOCR = !systemdStage1;
postBootCommands =
if systemdStage1 then
''
target.wait_for_console_text("passphrase for")
target.send_console("supersecret\n")
''
else
''
target.wait_for_text("[Pp]assphrase for")
target.send_chars("supersecret\n")
'';
};
# The (almost) simplest partitioning scheme: a swap partition and
@@ -879,11 +890,13 @@ let
simple-test-config-by-attr = simple-test-config // {
testByAttrSwitch = true;
broken = true;
};
simple-test-config-from-by-attr-to-flake = simple-test-config // {
testByAttrSwitch = true;
testFlakeSwitch = true;
broken = true;
};
simple-uefi-grub-config = {
@@ -1387,6 +1400,7 @@ in
# Full disk encryption (root, kernel and initrd encrypted) using GRUB, GPT/UEFI,
# LVM-on-LUKS and a keyfile in initrd.secrets to enter the passphrase once
fullDiskEncryption = makeInstallerTest "fullDiskEncryption" {
broken = true;
createPartitions = ''
installer.succeed(
"flock /dev/vda parted --script /dev/vda -- mklabel gpt"

1
nixos/tests/iscsi-multipath-root.nix
View File

@@ -186,6 +186,7 @@ in
boot.initrd.extraFiles."etc/multipath/wwids".source =
pkgs.writeText "wwids" "/3600140592b17c3f6b404168b082ceeb7/";
boot.initrd.systemd.enable = false;
boot.iscsi-initiator = {
discoverPortal = "target";
name = initiatorName;

2
nixos/tests/iscsi-root.nix
View File

@@ -142,6 +142,8 @@ in
};
};
# No SCSI support in systemd stage 1 at present.
boot.initrd.systemd.enable = false;
boot.iscsi-initiator = {
discoverPortal = "target";
name = initiatorName;

4
nixos/tests/luks.nix
View File

@@ -1,3 +1,5 @@
# Tests LUKS specifically with scripted stage 1. Remove in 26.11.
{ lib, pkgs, ... }:
{
name = "luks";
@@ -6,6 +8,8 @@
{ pkgs, ... }:
{
boot.initrd.systemd.enable = false;
# Use systemd-boot
virtualisation = {
emptyDiskImages = [

108
nixos/tests/non-default-filesystems.nix
View File

@@ -36,66 +36,70 @@ with pkgs.lib;
'';
};
btrfs = makeTest {
name = "non-default-filesystems-btrfs";
btrfs =
let
disk = "/dev/vda";
partition = "/dev/disk/by-label/storage";
in
makeTest {
name = "non-default-filesystems-btrfs";
nodes.machine =
{
config,
pkgs,
lib,
...
}:
let
disk = config.virtualisation.rootDevice;
in
{
virtualisation.rootDevice = "/dev/vda";
virtualisation.useDefaultFilesystems = false;
nodes.machine =
{ ... }:
{
virtualisation.rootDevice = disk;
virtualisation.useDefaultFilesystems = false;
boot.initrd.availableKernelModules = [ "btrfs" ];
boot.supportedFilesystems = [ "btrfs" ];
boot.initrd.postDeviceCommands = ''
FSTYPE=$(blkid -o value -s TYPE ${disk} || true)
if test -z "$FSTYPE"; then
modprobe btrfs
${pkgs.btrfs-progs}/bin/mkfs.btrfs ${disk}
mkdir /nixos
mount -t btrfs ${disk} /nixos
${pkgs.btrfs-progs}/bin/btrfs subvolume create /nixos/root
${pkgs.btrfs-progs}/bin/btrfs subvolume create /nixos/home
umount /nixos
fi
'';
virtualisation.fileSystems = {
"/" = {
device = disk;
fsType = "btrfs";
options = [ "subvol=/root" ];
systemd.repart.partitions."00-root" = {
Type = "linux-generic";
Format = "btrfs";
Label = "storage";
Subvolumes = [
"/root"
"/home"
];
MakeDirectories = [
"/root"
"/home"
];
};
"/home" = {
device = disk;
fsType = "btrfs";
options = [ "subvol=/home" ];
boot.initrd.supportedFilesystems = [ "btrfs" ];
boot.initrd.systemd = {
enable = true;
repart = {
enable = true;
device = disk;
empty = "allow";
};
};
virtualisation.fileSystems = {
"/" = {
device = partition;
fsType = "btrfs";
options = [ "subvol=/root" ];
};
"/home" = {
device = partition;
fsType = "btrfs";
options = [ "subvol=/home" ];
};
};
};
};
testScript = ''
machine.wait_for_unit("multi-user.target")
testScript = ''
machine.wait_for_unit("multi-user.target")
with subtest("BTRFS filesystems are mounted correctly"):
print("output of \"grep -E '/dev/vda' /proc/mounts\":\n" + machine.execute("grep -E '/dev/vda' /proc/mounts")[1])
machine.succeed("grep -E '/dev/vda / btrfs rw,.*subvolid=[0-9]+,subvol=/root 0 0' /proc/mounts")
machine.succeed("grep -E '/dev/vda /home btrfs rw,.*subvolid=[0-9]+,subvol=/home 0 0' /proc/mounts")
'';
};
with subtest("BTRFS filesystems are mounted correctly"):
realdev = machine.succeed("realpath '${partition}'")
print(f"output of \"grep -E '{realdev}' /proc/mounts\":\n" + machine.execute(f"grep -E '{realdev}' /proc/mounts")[1])
machine.succeed(f"grep -E '{realdev} / btrfs rw,.*subvolid=[0-9]+,subvol=/root 0 0' /proc/mounts")
machine.succeed(f"grep -E '{realdev} /home btrfs rw,.*subvolid=[0-9]+,subvol=/home 0 0' /proc/mounts")
'';
};
erofs =
let

26
nixos/tests/predictable-interface-names.nix
View File

@@ -63,18 +63,20 @@ pkgs.lib.listToAttrs (
# Check if predictable interface names are working in stage-1
boot.initrd.postDeviceCommands = lib.mkIf (!systemdStage1) script;
boot.initrd.systemd = lib.mkIf systemdStage1 {
enable = true;
initrdBin = [ pkgs.iproute2 ];
services.systemd-udev-settle.wantedBy = [ "initrd.target" ];
services.check-interfaces = {
requiredBy = [ "initrd.target" ];
after = [ "systemd-udev-settle.service" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.iproute2 ];
inherit script;
};
};
boot.initrd.systemd = lib.mkMerge [
{ enable = systemdStage1; }
(lib.mkIf systemdStage1 {
initrdBin = [ pkgs.iproute2 ];
services.systemd-udev-settle.wantedBy = [ "initrd.target" ];
services.check-interfaces = {
requiredBy = [ "initrd.target" ];
after = [ "systemd-udev-settle.service" ];
serviceConfig.Type = "oneshot";
path = [ pkgs.iproute2 ];
inherit script;
};
})
];
};
testScript = ''

2
nixos/tests/qemu-vm-external-disk-image.nix
View File

@@ -33,7 +33,7 @@ let
label = rootFslabel;
partitionTableType = "efi";
format = "qcow2";
bootSize = "32M";
bootSize = "128M";
additionalSpace = "0M";
copyChannel = false;
};

47
nixos/tests/swap-partition.nix
View File

@@ -1,33 +1,35 @@
{ lib, pkgs, ... }:
{ ... }:
{
name = "swap-partition";
nodes.machine =
{
config,
pkgs,
lib,
...
}:
{ config, ... }:
{
virtualisation.useDefaultFilesystems = false;
virtualisation.rootDevice = "/dev/vda1";
boot.initrd.postDeviceCommands = ''
if ! test -b /dev/vda1; then
${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
sync
fi
FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
if test -z "$FSTYPE"; then
${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
${pkgs.util-linux}/bin/mkswap --label swap /dev/vda2
fi
'';
boot.initrd.systemd = {
enable = true;
repart = {
enable = true;
device = "/dev/vda";
empty = "allow";
};
};
systemd.repart.partitions = {
"00-root" = {
Type = "linux-generic";
Format = "ext4";
Label = "root";
};
"10-swap" = {
Type = "linux-generic";
Label = "swap";
SizeMinBytes = "250M";
SizeMaxBytes = "250M";
};
};
virtualisation.fileSystems = {
"/" = {
@@ -38,7 +40,8 @@
swapDevices = [
{
device = "/dev/disk/by-label/swap";
device = "/dev/disk/by-partlabel/swap";
options = [ "x-systemd.makefs" ];
}
];
};

49
nixos/tests/swap-random-encryption.nix
View File

@@ -1,14 +1,9 @@
{ lib, pkgs, ... }:
{ ... }:
{
name = "swap-random-encryption";
nodes.machine =
{
config,
pkgs,
lib,
...
}:
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.cryptsetup ];
@@ -16,19 +11,27 @@
virtualisation.rootDevice = "/dev/vda1";
boot.initrd.postDeviceCommands = ''
if ! test -b /dev/vda1; then
${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
sync
fi
FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
if test -z "$FSTYPE"; then
${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
fi
'';
boot.initrd.systemd = {
enable = true;
repart = {
enable = true;
device = "/dev/vda";
empty = "allow";
};
};
systemd.repart.partitions = {
"00-root" = {
Type = "linux-generic";
Format = "ext4";
Label = "root";
};
"10-swap" = {
Type = "linux-generic";
Label = "swap";
SizeMinBytes = "250M";
SizeMaxBytes = "250M";
};
};
virtualisation.fileSystems = {
"/" = {
@@ -39,7 +42,7 @@
swapDevices = [
{
device = "/dev/vda2";
device = "/dev/disk/by-partlabel/swap";
randomEncryption = {
enable = true;
@@ -60,7 +63,7 @@
with subtest("Swap device has 4k sector size"):
import json
result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-disk-by\\x2dpartlabel-swap"))
block_devices = result["blockdevices"]
if len(block_devices) != 1:
raise Exception ("lsblk output did not report exactly one block device")
@@ -72,7 +75,7 @@
with subtest("Swap encrypt has assigned cipher and keysize"):
import re
results = machine.succeed("cryptsetup status dev-vda2").splitlines()
results = machine.succeed("cryptsetup status dev-disk-by\\x2dpartlabel-swap").splitlines()
cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
if not any(cipher_pattern.fullmatch(line) for line in results):

2
nixos/tests/systemd-shutdown.nix
View File

@@ -11,8 +11,6 @@ in
name = "systemd-shutdown";
meta.maintainers = with lib.maintainers; [ das_j ];
_module.args.systemdStage1 = lib.mkDefault false;
nodes.machine = {
imports = [ ../modules/profiles/minimal.nix ];
systemd.shutdownRamfs.contents."/etc/systemd/system-shutdown/shutdown-message".source =