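# NixOS VM test for `virtualisation.restrictNetwork`.
#
# Two guests are booted, one with the option disabled and one with it enabled.
# The test script starts a throwaway HTTP listener on the machine that runs
# QEMU and asserts that only the unrestricted guest can reach it, while
# guest-to-guest traffic on the shared VLAN works in both directions.
import ./make-test-python.nix ({
  name = "qemu-vm-restrictnetwork";

  nodes = {
    # Control guest: restriction switched off, used as the positive case.
    unrestricted = { config, pkgs, ... }: {
      virtualisation.restrictNetwork = false;
    };

    # Guest under test: restriction switched on, must not reach host services.
    restricted = { config, pkgs, ... }: {
      virtualisation.restrictNetwork = true;
    };
  };

  testScript = ''
    import os

    if os.fork() == 0:
        # Child process: serve HTTP on the qemu host to test guest isolation.
        # Bind to loopback only. The guests reach the host through 10.0.2.2,
        # which maps to the host's loopback interface, so listening on every
        # interface would expose port 8000 more widely than the test needs.
        # BaseHTTPRequestHandler implements no GET handler, so requests get an
        # HTTP error status; that is enough for a reachability check.
        # NOTE(review): nothing in this script stops the child; it keeps
        # serving until the surrounding process tree is torn down.
        from http.server import HTTPServer, BaseHTTPRequestHandler
        HTTPServer(("127.0.0.1", 8000), BaseHTTPRequestHandler).serve_forever()

    else:
        start_all()
        unrestricted.wait_for_unit("network-online.target")
        restricted.wait_for_unit("network-online.target")

        # Guests should be able to reach each other on the same VLAN.
        unrestricted.succeed("ping -c1 restricted")
        restricted.succeed("ping -c1 unrestricted")

        # Only the unrestricted guest should be able to reach host services.
        # 10.0.2.2 is the gateway mapping to the host's loopback interface.
        # curl runs without --fail, so the positive check passes on any HTTP
        # response, including an error status. It must stay ahead of the
        # negative check: it shows the listener is up, so a failure from the
        # restricted guest is not just a server that has not started yet.
        unrestricted.succeed("curl -s http://10.0.2.2:8000")
        restricted.fail("curl -s http://10.0.2.2:8000")
  '';
})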