* For security, don't mount the entire host filesystem.

svn path=/nixos/trunk/; revision=28429
This commit is contained in:
Eelco Dolstra 2011-08-09 14:07:44 +00:00
parent 27a54b1761
commit d75efe4aa1
6 changed files with 26 additions and 35 deletions

View File

@ -127,7 +127,6 @@ sub start {
"-no-reboot -monitor unix:./monitor -chardev socket,id=shell,path=./shell " .
"-device virtio-serial -device virtconsole,chardev=shell " .
($showGraphics ? "-serial stdio" : "-nographic") . " " . ($ENV{QEMU_OPTS} || "");
$ENV{QEMU_KERNEL_PARAMS} = "hostTmpDir=$ENV{TMPDIR}";
chdir $self->{stateDir} or die;
exec $self->{startCommand};
die "running VM script: $!";

View File

@ -129,7 +129,7 @@ sub runTests {
# sources.
my $kernelDir = $vm->mustSucceed("echo \$(dirname \$(readlink -f /var/run/current-system/kernel))/.build/linux-*");
chomp $kernelDir;
my $coverageDir = "/hostfs" . $vm->stateDir() . "/coverage-data/$kernelDir";
my $coverageDir = "/tmp/xchg/coverage-data/$kernelDir";
# Copy all the *.gcda files.
$vm->execute("for d in $gcovDir/nix/store/*/.build/linux-*; do for i in \$(cd \$d && find -name '*.gcda'); do echo \$i; mkdir -p $coverageDir/\$(dirname \$i); cp -v \$d/\$i $coverageDir/\$i; done; done");

View File

@ -59,9 +59,9 @@ rec {
touch $out/nix-support/hydra-build-products
echo "report testlog $out log.html" >> $out/nix-support/hydra-build-products
for i in */coverage-data; do
for i in */xchg/coverage-data; do
mkdir -p $out/coverage-data
mv $i $out/coverage-data/$(dirname $i)
mv $i $out/coverage-data/$(dirname $(dirname $i))
done
[ -z "$failed" ] || touch $out/nix-support/failed
@ -193,13 +193,14 @@ rec {
testscript = ''
startAll;
${preBuild}
$client->succeed("env -i ${pkgs.bash}/bin/bash ${buildrunner} /hostfs".$client->stateDir."/saved-env >&2");
$client->succeed("env -i ${pkgs.bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2");
${postBuild}
'';
vmRunCommand = writeText "vm-run" ''
${coreutils}/bin/mkdir -p vm-state-client
export > vm-state-client/saved-env
${coreutils}/bin/mkdir $out
${coreutils}/bin/mkdir -p vm-state-client/xchg
export > vm-state-client/xchg/saved-env
export tests='${testscript}'
${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
''; # */

View File

@ -558,22 +558,17 @@ in
startOn = "started ${startingDependency} and filesystem";
environment =
{ # !!! This should be added in test-instrumentation.nix. It
# shouldn't hurt though, since packages usually aren't built
# with coverage enabled.
GCOV_PREFIX = "/tmp/coverage-data";
{ PATH = concatStringsSep ":" (
[ "${pkgs.coreutils}/bin" "${pkgs.gnugrep}/bin" ]
++ # Needed for PHP's mail() function. !!! Probably the
# ssmtp module should export the path to sendmail in
# some way.
optional config.networking.defaultMailServer.directDelivery "${pkgs.ssmtp}/sbin"
++ (concatMap (svc: svc.extraServerPath) allSubservices) );
PATH = concatStringsSep ":" (
[ "${pkgs.coreutils}/bin" "${pkgs.gnugrep}/bin" ]
++ # Needed for PHP's mail() function. !!! Probably the
# ssmtp module should export the path to sendmail in
# some way.
optional config.networking.defaultMailServer.directDelivery "${pkgs.ssmtp}/sbin"
++ (concatMap (svc: svc.extraServerPath) allSubservices) );
PHPRC = if enablePHP then phpIni else "";
PHPRC = if enablePHP then phpIni else "";
TZ = config.time.timeZone;
TZ = config.time.timeZone;
} // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));

View File

@ -64,13 +64,8 @@ in
# to failures that are hard to diagnose.
echo 2 > /proc/sys/vm/panic_on_oom
# Coverage data is written into /tmp/coverage-data. Symlink
# it to the host filesystem so that we don't need to copy it
# on shutdown.
( eval $(cat /proc/cmdline)
mkdir -p /hostfs/$hostTmpDir/coverage-data
ln -sfn /hostfs/$hostTmpDir/coverage-data /tmp/coverage-data
)
# Coverage data is written into /tmp/coverage-data.
mkdir -p /tmp/xchg/coverage-data
# Mount debugfs to gain access to the kernel coverage data (if
# available).
@ -103,7 +98,7 @@ in
networking.defaultGateway = mkOverride 150 "";
networking.nameservers = mkOverride 150 [ ];
system.upstartEnvironment.GCOV_PREFIX = "/tmp/coverage-data";
system.upstartEnvironment.GCOV_PREFIX = "/tmp/xchg/coverage-data";
};

View File

@ -153,6 +153,7 @@ let
TMPDIR=$(mktemp -d nix-vm-smbd.XXXXXXXXXX --tmpdir)
fi
cd $TMPDIR
mkdir -p $TMPDIR/xchg
${pkgs.vmTools.startSamba}
@ -310,16 +311,16 @@ in
[ { mountPoint = "/";
device = "/dev/vda";
}
{ mountPoint = "/hostfs";
device = "//10.0.2.4/qemu";
{ mountPoint = "/nix/store";
device = "//10.0.2.4/store";
fsType = "cifs";
options = "guest,sec=none,noperm,noacl";
neededForBoot = true;
}
{ mountPoint = "/nix/store";
device = "/hostfs/nix/store";
fsType = "none";
options = "bind";
{ mountPoint = "/tmp/xchg";
device = "//10.0.2.4/xchg";
fsType = "cifs";
options = "guest,sec=none,noperm,noacl";
neededForBoot = true;
}
] ++ optional cfg.useBootLoader