Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/administration/boot-problems.xml | 31 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 56 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 3 | ||||
-rw-r--r-- | nixos/modules/programs/hamster.nix | 15 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/databases/mysql.nix | 44 | ||||
-rw-r--r-- | nixos/modules/services/hardware/fwupd.nix | 35 | ||||
-rw-r--r-- | nixos/modules/services/hardware/u2f.nix | 23 | ||||
-rw-r--r-- | nixos/modules/services/networking/go-neb.nix | 53 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 20 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 9 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 2 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/go-neb.nix | 44 | ||||
-rw-r--r-- | nixos/tests/systemd-boot.nix | 57 |
15 files changed, 326 insertions, 73 deletions
diff --git a/nixos/doc/manual/administration/boot-problems.xml b/nixos/doc/manual/administration/boot-problems.xml index 5fa0b29e6d62..badc374ebcfd 100644 --- a/nixos/doc/manual/administration/boot-problems.xml +++ b/nixos/doc/manual/administration/boot-problems.xml @@ -19,9 +19,9 @@ </term> <listitem> <para> - Start a root shell if something goes wrong in stage 1 of the boot process - (the initial ramdisk). This is disabled by default because there is no - authentication for the root shell. + Allows the user to start a root shell if something goes wrong in stage 1 + of the boot process (the initial ramdisk). This is disabled by default + because there is no authentication for the root shell. </para> </listitem> </varlistentry> @@ -51,6 +51,22 @@ </varlistentry> <varlistentry> <term> + <literal>boot.debug1mounts</literal> + </term> + <listitem> + <para> + Like <literal>boot.debug1</literal> or + <literal>boot.debug1devices</literal>, but runs stage1 until all + filesystems that are mounted during initrd are mounted (see + <option><link linkend="opt-fileSystems._name__.neededForBoot">neededForBoot</link></option> + ). As a motivating example, this could be useful if you've forgotten to set + <option><link linkend="opt-fileSystems._name__.neededForBoot">neededForBoot</link></option> + on a file system. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> <literal>boot.trace</literal> </term> <listitem> 
@@ -91,6 +107,15 @@ </para> <para> + Notice that for <literal>boot.shell_on_fail</literal>, + <literal>boot.debug1</literal>, <literal>boot.debug1devices</literal>, and + <literal>boot.debug1mounts</literal>, if you did <emphasis>not</emphasis> + select "start the new shell as pid 1", and you <literal>exit</literal> from + the new shell, boot will proceed normally from the point where it failed, as + if you'd chosen "ignore the error and continue". + </para> + + <para> If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If you’re lucky, this will start rescue mode (described above). (Also note that since most units have a diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index f2485f7395c8..d1eecd65085c 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml 
@@ -94,6 +94,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' When MariaDB data directory is just upgraded (not initialized), the users are not created or modified. </para> </listitem> + <listitem> + <para> + MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options + may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when + calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required: + - allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; +</programlisting> + - allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write + access to <literal>/var/data</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; +</programlisting> + </para> + </listitem> </itemizedlist> </section> @@ -486,7 +502,7 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <itemizedlist> <listitem> - <para>SD and ISO images are now compressed by default using <literal>zstd</literal>.</para> + <para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para> </listitem> <listitem> <para> 
@@ -560,6 +576,44 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>. </para> </listitem> + <listitem> + <para> + The <literal>hardware.u2f</literal> module, which was installing udev rules + was removed, as udev gained native support to handle FIDO security tokens. + </para> + </listitem> + <listitem> + <para> + With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) + has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over + socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) + devices the default buffer size (currently 128MB) is not enough. + </para> + <para> + On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to + be brought up during system startup, the receive buffer size will spike for a brief period. + Eventually some of the message will be dropped since there is not enough (permitted) buffer + space available. + </para> + <para> + By having <literal>systemd-networkd</literal> start with a netlink socket created by + <literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter + in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) + without recompiling <literal>systemd-networkd</literal>. + </para> + <para> + Since the actual memory requirements depend on hardware, timing, exact + configurations etc. it isn't currently possible to infer a good default + from within the NixOS module system. Administrators are advised to + monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer + overrun</literal> spam and increase the memory limit as they see fit. 
+ </para>
+ <para>
+ Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases
+ the upper bound on the kernel side. The memory allocation depends on the amount of messages that are
+ queued on the kernel side of the netlink socket.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
 </section>
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 321fec5fb517..448d432853d3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -126,6 +126,7 @@
 ./programs/gpaste.nix
 ./programs/gnupg.nix
 ./programs/gphoto2.nix
+ ./programs/hamster.nix
 ./programs/iftop.nix
 ./programs/iotop.nix
 ./programs/java.nix
@@ -362,7 +363,6 @@
 ./services/hardware/throttled.nix
 ./services/hardware/trezord.nix
 ./services/hardware/triggerhappy.nix
- ./services/hardware/u2f.nix
 ./services/hardware/udev.nix
 ./services/hardware/udisks2.nix
 ./services/hardware/upower.nix
@@ -624,6 +624,7 @@
 ./services/networking/gdomap.nix
 ./services/networking/git-daemon.nix
 ./services/networking/gnunet.nix
+ ./services/networking/go-neb.nix
 ./services/networking/go-shadowsocks2.nix
 ./services/networking/gogoclient.nix
 ./services/networking/gvpe.nix
diff --git a/nixos/modules/programs/hamster.nix b/nixos/modules/programs/hamster.nix
new file mode 100644
index 000000000000..ddf26a22fb53
--- /dev/null
+++ b/nixos/modules/programs/hamster.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ meta.maintainers = maintainers.fabianhauser;
+
+ options.programs.hamster.enable =
+ mkEnableOption "Whether to enable hamster time tracking.";
+
+ config = lib.mkIf config.programs.hamster.enable {
+ environment.systemPackages = [ pkgs.hamster ];
+ services.dbus.packages = [ pkgs.hamster ];
+ };
+}
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index c91febdb710f..1dc7f8533176 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
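Review bot: `meta.maintainers = maintainers.fabianhauser;` in hamster.nix assigns a single maintainer attribute set where the other new module in this diff (go-neb.nix: `meta.maintainers = with maintainers; [ hexa maralorn ];`) assigns a list; `meta.maintainers = [ maintainers.fabianhauser ];` matches that shape. `mkEnableOption` already prefixes its argument with "Whether to enable ", so `mkEnableOption "Whether to enable hamster time tracking."` renders as a doubled sentence in the manual; `mkEnableOption "hamster time tracking"` is the conventional form, as used by go-neb.nix in the same commit. With `with lib;` already in scope, `config = mkIf ...` would also read consistently with the rest of the file.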
@@ -55,6 +55,12 @@ with lib; prey-bash-client is deprecated upstream '') + (mkRemovedOptionModule ["hardware" "u2f" ] '' + The U2F modules module was removed, as all it did was adding the + udev rules from libu2f-host to the system. Udev gained native support + to handle FIDO security tokens, so this isn't necessary anymore. + '') + # Do NOT add any option renames here, see top of the file ]; } diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 51885881cf73..2e8c5b7640b2 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -334,7 +334,8 @@ in environment.etc."my.cnf".source = cfg.configFile; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} mysql -" + "d '${cfg.dataDir}' 0700 ${cfg.user} mysql - -" + "z '${cfg.dataDir}' 0700 ${cfg.user} mysql - -" ]; systemd.services.mysql = let @@ -357,21 +358,17 @@ in preStart = if isMariaDB then '' if ! test -e ${cfg.dataDir}/mysql; then ${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions} - touch /tmp/mysql_init + touch ${cfg.dataDir}/mysql_init fi '' else '' if ! test -e ${cfg.dataDir}/mysql; then ${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure - touch /tmp/mysql_init + touch ${cfg.dataDir}/mysql_init fi ''; serviceConfig = { - User = cfg.user; - Group = "mysql"; Type = if hasNotify then "notify" else "simple"; - RuntimeDirectory = "mysqld"; - RuntimeDirectoryMode = "0755"; Restart = "on-abort"; RestartSec = "5s"; # The last two environment variables are used for starting Galera clusters @@ -398,7 +395,7 @@ in done ''} - if [ -f /tmp/mysql_init ] + if [ -f ${cfg.dataDir}/mysql_init ] then ${concatMapStrings (database: '' # Create initial databases @@ -452,7 +449,7 @@ in cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N ''} - rm /tmp/mysql_init + rm ${cfg.dataDir}/mysql_init fi ${optionalString (cfg.ensureDatabases != []) '' 
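Review bot: The removed-option text added to rename.nix reads `The U2F modules module was removed`, a doubled word in a message that every user still setting this option will see at evaluation time. Naming the option helps them locate it: `The hardware.u2f module was removed, as all it did was add the udev rules from libu2f-host to the system.` Nothing else in the hunk needs changing.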
@@ -476,6 +473,35 @@ in # ensureDatbases & ensureUsers depends on this script being run as root # when the user has secured their mysql install "+${setupScript}"; + # User and group + User = cfg.user; + Group = "mysql"; + # Runtime directory and mode + RuntimeDirectory = "mysqld"; + RuntimeDirectoryMode = "0755"; + # Access write directories + ReadWritePaths = [ cfg.dataDir ]; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix index e586af25c2b1..222ac8e487eb 100644 --- a/nixos/modules/services/hardware/fwupd.nix +++ b/nixos/modules/services/hardware/fwupd.nix @@ -6,6 +6,23 @@ with lib; let cfg = config.services.fwupd; + + customEtc = { + "fwupd/daemon.conf" = { + source = pkgs.writeText "daemon.conf" '' + [fwupd] + BlacklistDevices=${lib.concatStringsSep ";" cfg.blacklistDevices} + BlacklistPlugins=${lib.concatStringsSep ";" cfg.blacklistPlugins} + ''; + }; + "fwupd/uefi.conf" = { + source = pkgs.writeText "uefi.conf" '' + [uefi] + OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint} + ''; + }; + }; + originalEtc = let mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; }; 
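Review bot: The new sandbox block sets `SystemCallArchitectures = "native"` but no `SystemCallFilter`, so the system-call surface of mysqld is still unrestricted apart from the architecture; `SystemCallFilter = [ "@system-service" ];` and `RestrictNamespaces = true;` are the usual companions of the options listed here and are worth adding once the mysql NixOS test confirms MariaDB, MySQL and the Galera start-up path mentioned in the comment above still run. The context line `"+${setupScript}"` means the post-start script keeps running as root outside all of these restrictions, which the ensureDatabases/ensureUsers comment says it relies on; a short comment next to `CapabilityBoundingSet = "";`, `# does not apply to the "+"-prefixed setup script, which must stay root`, would save the next reader a trip to systemd.exec(5). The release-note hunk in rl-2009.xml already documents the ProtectHome/PrivateTmp/ProtectSystem consequences, so no further change is needed there.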
@@ -96,22 +113,8 @@ in { environment.systemPackages = [ cfg.package ]; - environment.etc = { - "fwupd/daemon.conf" = { - source = pkgs.writeText "daemon.conf" '' - [fwupd] - BlacklistDevices=${lib.concatStringsSep ";" cfg.blacklistDevices} - BlacklistPlugins=${lib.concatStringsSep ";" cfg.blacklistPlugins} - ''; - }; - "fwupd/uefi.conf" = { - source = pkgs.writeText "uefi.conf" '' - [uefi] - OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint} - ''; - }; - - } // originalEtc // extraTrustedKeys // testRemote; + # customEtc overrides some files from the package + environment.etc = originalEtc // customEtc // extraTrustedKeys // testRemote; services.dbus.packages = [ cfg.package ]; diff --git a/nixos/modules/services/hardware/u2f.nix b/nixos/modules/services/hardware/u2f.nix deleted file mode 100644 index bb4b2f05f890..000000000000 --- a/nixos/modules/services/hardware/u2f.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.hardware.u2f; -in { - options = { - hardware.u2f = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable U2F hardware support. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - services.udev.packages = [ pkgs.libu2f-host ]; - }; -} - diff --git a/nixos/modules/services/networking/go-neb.nix b/nixos/modules/services/networking/go-neb.nix new file mode 100644 index 000000000000..991ae38f30a5 --- /dev/null +++ b/nixos/modules/services/networking/go-neb.nix 
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.go-neb;
+
+ configFile = pkgs.writeText "config.yml" (builtins.toJSON cfg.config);
+in {
+ options.services.go-neb = {
+ enable = mkEnableOption "Extensible matrix bot written in Go";
+
+ bindAddress = mkOption {
+ type = types.str;
+ description = "Port (and optionally address) to listen on.";
+ default = ":4050";
+ };
+
+ baseUrl = mkOption {
+ type = types.str;
+ description = "Public-facing endpoint that can receive webhooks.";
+ };
+
+ config = mkOption {
+ type = types.uniq types.attrs;
+ description = ''
+ Your <filename>config.yaml</filename> as a Nix attribute set.
+ See <link xlink:href="https://github.com/matrix-org/go-neb/blob/master/config.sample.yaml">config.sample.yaml</link>
+ for possible options.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.go-neb = {
+ description = "Extensible matrix bot written in Go";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ BASE_URL = cfg.baseUrl;
+ BIND_ADDRESS = cfg.bindAddress;
+ CONFIG_FILE = configFile;
+ };
+
+ serviceConfig = {
+ ExecStart = "${pkgs.go-neb}/bin/go-neb";
+ DynamicUser = true;
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ hexa maralorn ];
+}
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index f48a085ce57a..d8baed65c6df 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
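Review bot: `configFile = pkgs.writeText "config.yml" (builtins.toJSON cfg.config);` renders the entire `config` attribute set into the Nix store, which is world-readable, and the accompanying nixos/tests/go-neb.nix shows that this set is where the Matrix `AccessToken` lives. The option description should say so, e.g. append `This file is written to the Nix store and is therefore readable by every local user; do not put secrets such as access tokens in it.` A follow-up could offer an option that takes a path to a file outside the store and passes it through the `CONFIG_FILE` environment variable the service already sets, so credentials never enter the store. `DynamicUser = true` isolates the process but does not change store readability.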
@@ -47,9 +47,9 @@ def write_loader_conf(profile, generation): if "@timeout@" != "": f.write("timeout @timeout@\n") if profile: - f.write("default nixos-%s-generation-%d\n" % (profile, generation)) + f.write("default nixos-%s-generation-%d.conf\n".format(profile, generation)) else: - f.write("default nixos-generation-%d\n" % (generation)) + f.write("default nixos-generation-%d.conf\n".format(generation)) if not @editor@: f.write("editor 0\n"); f.write("console-mode @consoleMode@\n"); @@ -197,6 +197,22 @@ def main(): subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"]) else: subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"]) + else: + # Update bootloader to latest if needed + systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[1] + sdboot_status = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True) + + # See status_binaries() in systemd bootctl.c for code which generates this + m = re.search("^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot (\d+)\)$", + sdboot_status, re.IGNORECASE | re.MULTILINE) + if m is None: + print("could not find any previously installed systemd-boot") + else: + sdboot_version = m.group(2) + if systemd_version > sdboot_version: + print("updating systemd-boot from %s to %s" % (sdboot_version, systemd_version)) + subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "update"]) + mkdir_p("@efiSysMountPoint@/efi/nixos") mkdir_p("@efiSysMountPoint@/loader/entries") diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 99892a28115c..a8e51fc09014 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix 
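Review bot: The two rewritten `f.write` calls in write_loader_conf mix `%`-style placeholders with `.format()`: `"default nixos-%s-generation-%d.conf\n".format(profile, generation)` contains no `{}` fields, so the arguments are silently ignored and the literal text `default nixos-%s-generation-%d.conf` is written to loader.conf, which presumably matches no entry. Use `f.write("default nixos-%s-generation-%d.conf\n" % (profile, generation))` and `f.write("default nixos-generation-%d.conf\n" % (generation))`. In the second hunk `systemd_version > sdboot_version` compares two strings lexicographically, which orders "99" above "100"; comparing `int()` conversions is safer while `bootctl --version` yields a purely numeric field. The regex passed to `re.search` should also be a raw string (`r"^\W+File:..."`), since `\W`, `\(` and `\d` in a plain literal are invalid escape sequences that newer Pythons warn about; `main()` continues outside the hunk, so whether `re` is imported at module level is not visible here.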
@@ -826,8 +826,13 @@ in config = { warnings = concatLists (mapAttrsToList (name: service: - optional (service.serviceConfig.Type or "" == "oneshot" && service.serviceConfig.Restart or "no" != "no") - "Service ‘${name}.service’ with ‘Type=oneshot’ must have ‘Restart=no’") cfg.services); + let + type = service.serviceConfig.Type or ""; + restart = service.serviceConfig.Restart or "no"; + in optional + (type == "oneshot" && (restart == "always" || restart == "on-success")) + "Service '${name}.service' with 'Type=oneshot' cannot have 'Restart=always' or 'Restart=on-success'") + cfg.services); system.build.units = cfg.units; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index b8d0606be7c1..be06d6feb11f 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -448,7 +448,7 @@ in description = '' An alternate BIOS (such as <package>qboot</package>) with which to start the VM. - Should containin a file named <literal>bios.bin</literal>. + Should contain a file named <literal>bios.bin</literal>. If <literal>null</literal>, QEMU's builtin SeaBIOS will be used. ''; }; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1bf091b361cb..bd26fc906aaa 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -119,6 +119,7 @@ in installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {}); gocd-agent = handleTest ./gocd-agent.nix {}; gocd-server = handleTest ./gocd-server.nix {}; + go-neb = handleTest ./go-neb.nix {}; google-oslogin = handleTest ./google-oslogin {}; grafana = handleTest ./grafana.nix {}; graphite = handleTest ./graphite.nix {}; diff --git a/nixos/tests/go-neb.nix b/nixos/tests/go-neb.nix new file mode 100644 index 000000000000..d9e5db0b4a53 --- /dev/null +++ b/nixos/tests/go-neb.nix 
@@ -0,0 +1,44 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+ name = "go-neb";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ hexa maralorn ];
+ };
+
+ nodes = {
+ server = {
+ services.go-neb = {
+ enable = true;
+ baseUrl = "http://localhost";
+ config = {
+ clients = [ {
+ UserId = "@test:localhost";
+ AccessToken = "changeme";
+ HomeServerUrl = "http://localhost";
+ Sync = false;
+ AutoJoinRooms = false;
+ DisplayName = "neverbeseen";
+ } ];
+ services = [ {
+ ID = "wikipedia_service";
+ Type = "wikipedia";
+ UserID = "@test:localhost";
+ Config = { };
+ } ];
+ };
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+ server.wait_for_unit("go-neb.service")
+ server.wait_until_succeeds(
+ "curl -L http://localhost:4050/services/hooks/d2lraXBlZGlhX3NlcnZpY2U"
+ )
+ server.wait_until_succeeds(
+ "journalctl -eu go-neb -o cat | grep -q service_id=wikipedia_service"
+ )
+ '';
+
+})
diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix
index e911c3933616..eba4729d6de8 100644
--- a/nixos/tests/systemd-boot.nix
+++ b/nixos/tests/systemd-boot.nix
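Review bot: The path `/services/hooks/d2lraXBlZGlhX3NlcnZpY2U` in the curl probe is opaque to a reader; it appears to be the base64 encoding of the service ID `wikipedia_service` configured a few lines above, and nothing ties the two together. A comment above the `wait_until_succeeds` call, `# the hook path is base64("wikipedia_service"), the ID of the service configured above`, would keep them in sync if the service is ever renamed. The `AccessToken = "changeme"` value is fine for a test fixture but confirms that the module's `config` option carries credentials, which is worth documenting on the module side.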
@@ -6,26 +6,53 @@ with import ../lib/testing-python.nix { inherit system pkgs; }; with pkgs.lib; -makeTest { - name = "systemd-boot"; - meta.maintainers = with pkgs.stdenv.lib.maintainers; [ danielfullmer ]; - - machine = { pkgs, lib, ... }: { +let + common = { virtualisation.useBootLoader = true; virtualisation.useEFIBoot = true; boot.loader.systemd-boot.enable = true; }; +in +{ + basic = makeTest { + name = "systemd-boot"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ danielfullmer ]; + + machine = common; + + testScript = '' + machine.start() + machine.wait_for_unit("multi-user.target") - testScript = '' - machine.start() - machine.wait_for_unit("multi-user.target") + machine.succeed("test -e /boot/loader/entries/nixos-generation-1.conf") + + # Ensure we actually booted using systemd-boot + # Magic number is the vendor UUID used by systemd-boot. + machine.succeed( + "test -e /sys/firmware/efi/efivars/LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" + ) + ''; + }; - machine.succeed("test -e /boot/loader/entries/nixos-generation-1.conf") + update = makeTest { + name = "systemd-boot-update"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ danielfullmer ]; - # Ensure we actually booted using systemd-boot. - # Magic number is the vendor UUID used by systemd-boot. - machine.succeed( - "test -e /sys/firmware/efi/efivars/LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" - ) - ''; + machine = common; + + testScript = '' + machine.succeed("mount -o remount,rw /boot") + + # Replace version inside sd-boot with something older. See magic[] string in systemd src/boot/efi/boot.c + machine.succeed( + """ + find /boot -iname '*.efi' -print0 | \ + xargs -0 -I '{}' sed -i 's/#### LoaderInfo: systemd-boot .* ####/#### LoaderInfo: systemd-boot 001 ####/' '{}' + """ + ) + + output = machine.succeed("/run/current-system/bin/switch-to-configuration boot") + assert "updating systemd-boot from 001 to " in output + ''; + }; } |
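Review bot: The `sed` in the new update test matches `#### LoaderInfo: systemd-boot .* ####` with a greedy `.*` applied to a binary `.efi` file; if the bytes up to the next newline happen to contain a later ` ####`, the substitution would overwrite more than the version field and change the file length, leaving a corrupted loader rather than a merely downgraded one. A narrower pattern such as `s/#### LoaderInfo: systemd-boot [^ ]* ####/#### LoaderInfo: systemd-boot 001 ####/` limits the match to the version token. The `assert "updating systemd-boot from 001 to " in output` check relies on the builder's version comparison treating `001` as older, which holds for any real version string.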