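# VM test for `virtualisation.restrictNetwork`.
#
# Two guests that differ only in that option are booted side by side. The
# test asserts that the guests can still reach each other over the shared
# VLAN, and that only the unrestricted guest can reach a service listening
# on the machine that runs QEMU.
import ./make-test-python.nix ({
  name = "qemu-vm-restrictnetwork";

  nodes = {
    # Control guest: host services are expected to be reachable.
    unrestricted =
      { config, pkgs, ... }:
      {
        virtualisation.restrictNetwork = false;
      };

    # Guest under test: host services are expected to be unreachable.
    restricted =
      { config, pkgs, ... }:
      {
        virtualisation.restrictNetwork = true;
      };
  };

  testScript = ''
    import os
    import signal

    server_pid = os.fork()
    if server_pid == 0:
        # Child: a throwaway HTTP server on the qemu host, used as the
        # target for the guest isolation checks below.
        try:
            from http.server import HTTPServer, BaseHTTPRequestHandler

            # Listen on loopback only: guests reach the host through
            # 10.0.2.2, which maps to the host loopback interface, so
            # there is no need to listen on every host interface.
            server = HTTPServer(("127.0.0.1", 8000), BaseHTTPRequestHandler)
            server.serve_forever()
        finally:
            # The child is a copy of the test driver process. Leave
            # without unwinding so it never runs the parent code path,
            # for example when the port cannot be bound.
            os._exit(1)

    else:
        try:
            start_all()
            unrestricted.systemctl("start network-online.target")
            restricted.systemctl("start network-online.target")
            unrestricted.wait_for_unit("network-online.target")
            restricted.wait_for_unit("network-online.target")

            # Guests should be able to reach each other on the same VLAN.
            unrestricted.succeed("ping -c1 restricted")
            restricted.succeed("ping -c1 unrestricted")

            # Only the unrestricted guest should be able to reach host services.
            # 10.0.2.2 is the gateway mapping to the host loopback interface.
            #
            # BaseHTTPRequestHandler implements no GET handler, so the reply
            # is an HTTP error. curl without --fail still exits 0 on it, so
            # these checks measure reachability only. Do not add --fail.
            #
            # The unrestricted request is the positive control and has to
            # run first. fail() accepts any non-zero exit, so without the
            # control a dead server would also make the negative check pass.
            unrestricted.succeed("curl -s http://10.0.2.2:8000")
            restricted.fail("curl -s http://10.0.2.2:8000")
        finally:
            # Stop and reap the helper so no listener outlives the test.
            os.kill(server_pid, signal.SIGKILL)
            os.waitpid(server_pid, 0)
  '';
})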