Diffstat (limited to 'scripts/testing/run-test-baremetal.sh')
-rwxr-xr-xscripts/testing/run-test-baremetal.sh60
1 files changed, 43 insertions, 17 deletions
diff --git a/scripts/testing/run-test-baremetal.sh b/scripts/testing/run-test-baremetal.sh
index b6d1ab1..d22c424 100755
--- a/scripts/testing/run-test-baremetal.sh
+++ b/scripts/testing/run-test-baremetal.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-or-later
# Run archsetup test on bare metal ZFS system
# Author: Craig Jennings <craigmartinjennings@gmail.com>
# License: GNU GPLv3
@@ -19,13 +20,16 @@ PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
# Source utilities
source "$SCRIPT_DIR/lib/logging.sh"
-source "$SCRIPT_DIR/lib/validation.sh"
+source "$SCRIPT_DIR/lib/validation.sh" # live helpers: ssh_cmd, capture_*_state, analyze_log_diff, generate_issue_report
+source "$SCRIPT_DIR/lib/vm-utils.sh" # inject_root_key + SSH_OPTS/SSH_KEY_OPT for key auth
+source "$SCRIPT_DIR/lib/testinfra.sh" # run_testinfra_validation (authoritative validator)
# Parse arguments
ROLLBACK_FIRST=false
ROLLBACK_AFTER=false
TARGET_HOST=""
ROOT_PASSWORD=""
+PORT="22"
usage() {
echo "Usage: $0 --host <hostname> --password <root_password> [options]"
@@ -35,6 +39,7 @@ usage() {
echo " --password <password> Root password for SSH"
echo ""
echo "Options:"
+ echo " --port <port> SSH port (default 22; use 2222 to target a test VM)"
echo " --rollback-first Roll back to genesis snapshots before running"
echo " --rollback-after Roll back to genesis snapshots after test (cleanup)"
echo " --validate-only Skip archsetup, only run validation checks"
@@ -54,6 +59,10 @@ while [[ $# -gt 0 ]]; do
ROOT_PASSWORD="${2:?--password requires a value}"
shift 2
;;
+ --port)
+ PORT="${2:?--port requires a value}"
+ shift 2
+ ;;
--rollback-first)
ROLLBACK_FIRST=true
shift
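Review bot: The new `--port` arm accepts any non-empty string, and that value then flows into `ssh -p`, `scp -P` and `SSH_PORT` for the sourced libraries. A typo such as `--port 22a` only shows up later as "Cannot connect to ... via SSH", because the connectivity probe sends ssh's own error to `/dev/null`. I would reject it at parse time, for example `[[ "$PORT" =~ ^[0-9]{1,5}$ ]] || { echo "Invalid --port: $PORT" >&2; exit 2; }`. The `case` statement starts and ends outside this hunk.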
@@ -93,9 +102,16 @@ cleanup_baremetal() {
}
trap cleanup_baremetal EXIT
-# Override VM_IP for validation.sh ssh_cmd function
-# shellcheck disable=SC2034 # consumed by the sourced validation.sh
+# Connection globals consumed by ssh_cmd (validation.sh), inject_root_key
+# (vm-utils.sh), and run_testinfra_validation (testinfra.sh).
+# shellcheck disable=SC2034 # consumed by the sourced libraries
VM_IP="$TARGET_HOST"
+# shellcheck disable=SC2034
+SSH_PORT="$PORT"
+# Test-user source for testinfra (reads USERNAME); the bare-metal user is the
+# archsetup default, cjennings, same as the VM conf.
+# shellcheck disable=SC2034
+ARCHSETUP_VM_CONF="$SCRIPT_DIR/archsetup-vm.conf"
# Initialize logging
mkdir -p "$TEST_RESULTS_DIR"
@@ -108,8 +124,8 @@ info "Target: $TARGET_HOST"
# Test SSH connectivity
step "Testing SSH connectivity to $TARGET_HOST"
if ! sshpass -p "$ROOT_PASSWORD" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
- -o ConnectTimeout=10 "root@$TARGET_HOST" "echo connected" &>/dev/null; then
- fatal "Cannot connect to $TARGET_HOST via SSH"
+ -o ConnectTimeout=10 -p "$PORT" "root@$TARGET_HOST" "echo connected" &>/dev/null; then
+ fatal "Cannot connect to $TARGET_HOST:$PORT via SSH"
fi
success "SSH connection OK"
@@ -146,6 +162,15 @@ if $ROLLBACK_FIRST; then
success "Reconnected"
fi
+# Authorize a throwaway root key before archsetup hardens sshd. archsetup sets
+# PermitRootLogin prohibit-password and reloads sshd partway through, which kills
+# root *password* SSH; key auth survives it, so every later ssh_cmd and the
+# Testinfra sweep keep working. Placed after any genesis rollback so the key
+# isn't rolled away. Best-effort: a failure only risks the post-hardening steps.
+step "Authorizing throwaway root key (survives sshd hardening)"
+inject_root_key "$TEST_RESULTS_DIR/root_key" || \
+ warn "Continuing without an injected root key — SSH may fail after archsetup hardens sshd"
+
if ! $VALIDATE_ONLY; then
# Capture pre-install state
capture_pre_install_state "$TEST_RESULTS_DIR"
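Review bot: Nothing visible in this diff revokes the root key that `inject_root_key` authorizes, or deletes the private key written to `$TEST_RESULTS_DIR/root_key`. On a bare-metal run without `--rollback-after` the target would presumably keep that key in root's authorized_keys after the test, and the private half sits in a results directory that may be kept or passed along with reports. Unless `cleanup_baremetal` or `inject_root_key` (both defined outside this hunk) already handle it, I would remove the authorized_keys entry and delete the local key in the EXIT trap, and confirm the key file is created with mode 0600. The step also runs under `--validate-only`, so a validation-only run now modifies the target; that deserves a line in `usage`.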
@@ -160,7 +185,7 @@ if ! $VALIDATE_ONLY; then
step "Transferring to $TARGET_HOST"
ssh_cmd "rm -rf /tmp/archsetup-test && mkdir -p /tmp/archsetup-test"
sshpass -p "$ROOT_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
- "$BUNDLE_FILE" "root@$TARGET_HOST:/tmp/archsetup.bundle" >> "$LOGFILE" 2>&1
+ ${SSH_KEY_OPT:-} -P "$PORT" "$BUNDLE_FILE" "root@$TARGET_HOST:/tmp/archsetup.bundle" >> "$LOGFILE" 2>&1
step "Extracting on target"
ssh_cmd "cd /tmp && git clone /tmp/archsetup.bundle archsetup-test && rm /tmp/archsetup.bundle" >> "$LOGFILE" 2>&1
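Review bot: `${SSH_KEY_OPT:-}` is expanded unquoted on the `scp` line here and again in the two log-copy `scp` calls in the next hunk, so it relies on word splitting to become separate arguments. That breaks if the key path under `$TEST_RESULTS_DIR` contains whitespace or glob characters, and ShellCheck will report SC2086 with no directive explaining the intent. SSH_KEY_OPT is defined in vm-utils.sh, outside this diff; if it can be exposed as an array, `"${SSH_KEY_ARGS[@]}"` is the safer form (SSH_KEY_ARGS is a placeholder name), otherwise add `# shellcheck disable=SC2086 # intentional split of SSH_KEY_OPT` above each call. Because `inject_root_key` is best-effort, these calls still wrap `scp` in `sshpass -p "$ROOT_PASSWORD"`, which puts the root password on the command line where other local users can read it from the process list; `sshpass -e` with `SSHPASS` set in the environment avoids that.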
@@ -222,12 +247,12 @@ if ! $VALIDATE_ONLY; then
step "Copying archsetup log"
sshpass -p "$ROOT_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
- "root@$TARGET_HOST:/var/log/archsetup-*.log" "$TEST_RESULTS_DIR/" 2>> "$LOGFILE" || \
+ ${SSH_KEY_OPT:-} -P "$PORT" "root@$TARGET_HOST:/var/log/archsetup-*.log" "$TEST_RESULTS_DIR/" 2>> "$LOGFILE" || \
warn "Could not copy archsetup log"
step "Copying archsetup output"
sshpass -p "$ROOT_PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
- "root@$TARGET_HOST:$REMOTE_LOG" "$TEST_RESULTS_DIR/archsetup-output.log" 2>> "$LOGFILE" || \
+ ${SSH_KEY_OPT:-} -P "$PORT" "root@$TARGET_HOST:$REMOTE_LOG" "$TEST_RESULTS_DIR/archsetup-output.log" 2>> "$LOGFILE" || \
warn "Could not copy output log"
# Capture post-install state
@@ -238,13 +263,14 @@ else
mkdir -p "$TEST_RESULTS_DIR/pre-install" "$TEST_RESULTS_DIR/post-install"
fi
-# Run validations
-run_all_validations
-validate_all_services
-
-# Additional ZFS-specific validations
-section "ZFS-Specific Validations"
-validate_zfs_services
+# Run validations. Testinfra is the authoritative validator (same as the VM
+# runner); its ZFS-conditional pytest checks cover what validate_zfs_services
+# used to, and it connects over the key authorized above. set +e because it
+# returns pytest's rc (non-zero on failures) and the report + summary below must
+# still run; the verdict is carried by testinfra_rc and the exit code at the end.
+set +e
+run_testinfra_validation "$TEST_RESULTS_DIR"
+testinfra_rc=$?
# Analyze logs if we ran archsetup
if ! $VALIDATE_ONLY; then
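Review bot: `set +e` is never paired with a later `set -e`, so from this line on errexit stays off for the log analysis, report generation and everything after them. If the relaxation is only meant for the Testinfra call, capturing the status without toggling the option is tighter: `testinfra_rc=0; run_testinfra_validation "$TEST_RESULTS_DIR" || testinfra_rc=$?`. If the later steps are meant to be best-effort as well, the comment should say so, because a failing `generate_issue_report` would then pass unnoticed. Whether the script enables `set -e` in the first place is outside the visible hunks.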
@@ -254,8 +280,8 @@ fi
# Generate reports
generate_issue_report "$TEST_RESULTS_DIR" "$ARCHZFS_INBOX"
-# Set validation result (TEST_PASSED is the boolean; VALIDATION_PASSED stays the counter)
-if [ "$VALIDATION_FAILED" -eq 0 ]; then
+# The run passes only if the Testinfra sweep passed.
+if [ "$testinfra_rc" -eq 0 ]; then
TEST_PASSED=true
else
TEST_PASSED=false