# NixOS VM test for virtualisation.restrictNetwork. It boots one guest with
# the option off and one with it on, then checks which of them can reach a
# service listening on the machine that runs QEMU.
import ./make-test-python.nix ({
  name = "qemu-vm-restrictnetwork";

  nodes = {
    # Control guest: restriction disabled, expected to reach the host service.
    unrestricted = { config, pkgs, ... }: {
      virtualisation.restrictNetwork = false;
    };

    # Guest under test: restriction enabled, expected to be cut off from the
    # host service while still reaching the other guest.
    restricted = { config, pkgs, ... }: {
      virtualisation.restrictNetwork = true;
    };
  };

  # The script below is Python executed on the QEMU host side.
  #
  # Statement order is part of the test:
  #   1. os.fork() runs before start_all(). The child never returns from
  #      serve_forever(), so only the parent drives the guests.
  #   2. The pings in both directions show that the restricted guest still
  #      has working networking, so the later failure is not simply
  #      "no network at all".
  #   3. The curl from the unrestricted guest is the positive control. It
  #      shows the listener is up and reachable through 10.0.2.2 before the
  #      negative assertion runs. fail() accepts any non-zero exit, so
  #      without this control it would also pass if the server never started.
  #
  # Caveats for anyone extending the test:
  #   - curl runs without --fail, so it exits 0 on any HTTP response.
  #     BaseHTTPRequestHandler defines no do_GET and answers 501, so the
  #     checks measure TCP reachability of the host port, not HTTP success.
  #     Adding --fail would break the positive control.
  #   - Only host port 8000 via 10.0.2.2 is probed. Isolation from other
  #     destinations (for example outbound traffic routed over the host) is
  #     not asserted here.
  #   - NOTE(review): the listener binds "" (all addresses), although the
  #     script's own comment says 10.0.2.2 maps to the host's loopback. The
  #     forked child is also never stopped explicitly. Presumably harmless
  #     inside a build sandbox; confirm for interactive runs.
  #   - NOTE(review): curl has no --max-time. If the restricted guest's
  #     packets are dropped rather than refused, the negative check waits for
  #     curl's own connect timeout. Confirm that is acceptable.
  testScript = ''
    import os

    if os.fork() == 0:
      # Start some HTTP server on the qemu host to test guest isolation.
      from http.server import HTTPServer, BaseHTTPRequestHandler
      HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever()

    else:
      start_all()
      unrestricted.systemctl("start network-online.target")
      restricted.systemctl("start network-online.target")
      unrestricted.wait_for_unit("network-online.target")
      restricted.wait_for_unit("network-online.target")

      # Guests should be able to reach each other on the same VLAN.
      unrestricted.succeed("ping -c1 restricted")
      restricted.succeed("ping -c1 unrestricted")

      # Only the unrestricted guest should be able to reach host services.
      # 10.0.2.2 is the gateway mapping to the host's loopback interface.
      unrestricted.succeed("curl -s http://10.0.2.2:8000")
      restricted.fail("curl -s http://10.0.2.2:8000")
  '';
})