646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
43 lines
1.2 KiB
Nix
43 lines
1.2 KiB
Nix
import ./make-test-python.nix {
|
|
name = "qemu-vm-restrictnetwork";
|
|
|
|
nodes = {
|
|
unrestricted =
|
|
{ config, pkgs, ... }:
|
|
{
|
|
virtualisation.restrictNetwork = false;
|
|
};
|
|
|
|
restricted =
|
|
{ config, pkgs, ... }:
|
|
{
|
|
virtualisation.restrictNetwork = true;
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
import os
|
|
|
|
if os.fork() == 0:
|
|
# Start some HTTP server on the qemu host to test guest isolation.
|
|
from http.server import HTTPServer, BaseHTTPRequestHandler
|
|
HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever()
|
|
|
|
else:
|
|
start_all()
|
|
unrestricted.systemctl("start network-online.target")
|
|
restricted.systemctl("start network-online.target")
|
|
unrestricted.wait_for_unit("network-online.target")
|
|
restricted.wait_for_unit("network-online.target")
|
|
|
|
# Guests should be able to reach each other on the same VLAN.
|
|
unrestricted.succeed("ping -c1 restricted")
|
|
restricted.succeed("ping -c1 unrestricted")
|
|
|
|
# Only the unrestricted guest should be able to reach host services.
|
|
# 10.0.2.2 is the gateway mapping to the host's loopback interface.
|
|
unrestricted.succeed("curl -s http://10.0.2.2:8000")
|
|
restricted.fail("curl -s http://10.0.2.2:8000")
|
|
'';
|
|
}
|