# NixOS VM test for the `isolate` sandbox.
#
# It drives `isolate --run` twice per mode (plain and `--cg`): once with a
# sleep that fits inside the wall-clock budget, which must succeed, and once
# with a sleep that overruns it, which must fail -- i.e. the sandbox actually
# enforces `--wall-time` instead of letting the process outlive its limit.
{ lib, ... }:
{
  name = "isolate";
  meta.maintainers = with lib.maintainers; [ virchau13 ];

  nodes.machine =
    { ... }:
    {
      security.isolate.enable = true;
    };

  testScript = ''
    # Resolve the real store paths once; /nix is bound into the box below so
    # these executables are reachable from inside the sandbox.
    bash_path = machine.succeed('realpath $(which bash)').strip()
    sleep_path = machine.succeed('realpath $(which sleep)').strip()

    def sleep_cmd(wall_limit, duration, cg):
        """Build an `isolate --run` command line.

        wall_limit: value passed to --wall-time (seconds).
        duration:   how long the sandboxed sleep runs (seconds).
        cg:         use cgroup mode (--cg) instead of the plain sandbox.

        Reads the module-level `box_path`, which is only assigned by
        `isolate --init` in the loop below, so call this after init.
        """
        mode = '--cg ' if cg else ""
        # The cgroup variant runs the sleep inside a subshell `( … )`, which
        # forks, so the box needs room for two processes rather than one.
        budget = '--processes=2 ' if cg else ""
        # `exec -a sleep` replaces the shell and sets argv[0] to "sleep".
        if cg:
            script = f'( exec -a sleep {sleep_path} {duration} )'
        else:
            script = f'exec -a sleep {sleep_path} {duration}'
        return (
            f'isolate {mode}--no-default-dirs --wall-time {wall_limit} '
            f'--dir=/box={box_path} --dir=/nix=/nix {budget}--run -- '
            f"{bash_path} -c '{script}'"
        )

    # Same sequence in both modes: init a box, run a sleep that fits the
    # budget, run one that overruns it (must be killed -> fail), clean up.
    for cg in (False, True):
        label = "with cgroups" if cg else "without cgroups"
        init_flags = "--cg " if cg else ""
        with subtest(label):
            box_path = machine.succeed(f'isolate {init_flags}--init').strip()
            machine.succeed(sleep_cmd(1, 0.5, cg))
            machine.fail(sleep_cmd(0.5, 1, cg))
            machine.succeed(f'isolate {init_flags}--cleanup')
  '';
}