From dd3f4b252c1ee9fecf0662bd09cf374df96013e3 Mon Sep 17 00:00:00 2001
From: Zhaofeng Li
Date: Fri, 10 Jun 2022 11:29:25 -0700
Subject: [PATCH] host/local: Upload keys with sudo as well
---
 integration-tests/apply-local/default.nix | 10 +++++++++-
 integration-tests/apply-local/hive.nix | 3 +++
 integration-tests/tools.nix | 5 +++++
 src/nix/host/local.rs | 4 +---
 4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/integration-tests/apply-local/default.nix b/integration-tests/apply-local/default.nix
index f3eeada..f0cc54a 100644
--- a/integration-tests/apply-local/default.nix
+++ b/integration-tests/apply-local/default.nix
@@ -4,6 +4,13 @@ let
 tools = pkgs.callPackage ../tools.nix {
 targets = [];
 prebuiltTarget = "deployer";
+ extraDeployerConfig = {
+ users.users.colmena = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+ security.sudo.wheelNeedsPassword = false;
+ };
 };
 in tools.makeTest {
 name = "colmena-apply-local";
@@ -11,7 +18,8 @@ in tools.makeTest {
 bundle = ./.;
 
 testScript = ''
- deployer.succeed("cd /tmp/bundle && ${tools.colmenaExec} apply-local")
+ deployer.succeed("cd /tmp/bundle && sudo -u colmena ${tools.colmenaExec} apply-local --sudo")
 deployer.succeed("grep SUCCESS /etc/deployment")
+ deployer.succeed("grep SECRET /run/keys/key-text")
 '';
 }
diff --git a/integration-tests/apply-local/hive.nix b/integration-tests/apply-local/hive.nix
index 21cf73e..fbc2676 100644
--- a/integration-tests/apply-local/hive.nix
+++ b/integration-tests/apply-local/hive.nix
@@ -19,5 +19,8 @@ in {
 };
 
 environment.etc."deployment".text = "SUCCESS";
+
+ # /run/keys/key-text
+ deployment.keys."key-text".text = "SECRET";
 };
 }
diff --git a/integration-tests/tools.nix b/integration-tests/tools.nix
index 8c67732..5527fa0 100644
--- a/integration-tests/tools.nix
+++ b/integration-tests/tools.nix
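Review bot: The new `grep SECRET /run/keys/key-text` assertion in the testScript hunk verifies the key's content but not what the privileged upload path exists to guarantee, namely that the file lands with the configured owner and mode; a companion check such as `deployer.succeed("stat -c '%U:%G %a' /run/keys/key-text")` compared against the key's configured values, or `deployer.fail("su colmena -c 'cat /run/keys/key-text'")`, would actually exercise the sudo path. The `sudo -u colmena … --sudo` invocation also depends on `security.sudo.wheelNeedsPassword = false` from the first hunk of this file, and nothing says why that setting is there; a comment on it, `# passwordless sudo so the non-root deployer user can exercise --sudo non-interactively`, would tie the two hunks together.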
@@ -10,6 +10,7 @@
 { insideVm ? false
 , deployers ? [ "deployer" ] # Nodes configured as deployers (with Colmena and pre-built system closure)
 , targets ? [ "alpha" "beta" "gamma" ] # Nodes configured as targets (minimal config)
+, extraDeployerConfig ? {} # Extra config on the deployer
 , prebuiltTarget ? "alpha" # Target node to prebuild system closure for, or null
 , pkgs ? if insideVm then import {} else throw "Must specify pkgs"
@@ -38,6 +39,10 @@ let
 # so it can build system profiles for the targets without
 # network access.
 deployerConfig = { lib, config, ... }: {
+ imports = [
+ extraDeployerConfig
+ ];
+
 nix.nixPath = [
 "nixpkgs=${pkgs.path}"
 ];
diff --git a/src/nix/host/local.rs b/src/nix/host/local.rs
index f4c1d16..d6e6f76 100644
--- a/src/nix/host/local.rs
+++ b/src/nix/host/local.rs
@@ -143,9 +143,7 @@ impl Local {
 let path = key.path();
 let key_script = format!("'{}'", key_uploader::generate_script(key, path, require_ownership));
 
- let mut command = Command::new("sh");
-
- command.args(&["-c", &key_script]);
+ let mut command = self.make_privileged_command(&["sh", "-c", &key_script]);
 command.stdin(Stdio::piped());
 command.stderr(Stdio::piped());
 command.stdout(Stdio::piped());
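Review bot: The comment on the new `extraDeployerConfig` parameter undersells what it accepts: because the second hunk places it directly into `imports`, any NixOS module form works (attribute set, function or path), and neither the name nor "Extra config on the deployer" says so. Suggest `, extraDeployerConfig ? {} # Extra NixOS module (attrset, function or path) imported into the deployer configuration`. The first hunk's argument list appears to continue past the last line shown here.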
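Review bot: The added line passes `key_script` to `sh -c` as a single argv element, yet `key_script` (context line above) is wrapped in literal single quotes by `format!("'{}'", …)`; unless make_privileged_command, which is outside the hunk, re-joins its arguments through a shell, no shell ever consumes those quotes and sh receives the entire script as one quoted word. That wrapping is appropriate where a remote shell re-parses the command line, so it is worth confirming it is still needed here and, if not, passing `key_uploader::generate_script(key, path, require_ownership)` unwrapped. Since the script now runs with elevated privileges, a comment above this line stating where its content comes from — presumably the key's path, owner and mode from the hive configuration — would make the trust boundary explicit for the next reader. The enclosing upload method begins and ends outside the hunk.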