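# NixOS VM test for `virtualisation.restrictNetwork`.
#
# Two guests are booted on the same VLAN, one with the option disabled and one
# with it enabled, while the test driver on the host runs a throwaway HTTP
# server. The test asserts that the guests can still reach each other and that
# only the unrestricted guest can reach the host-side server.
# NOTE(review): how the option is translated into QEMU networking flags is
# defined outside this file; confirm there before relying on more than what
# is asserted here.
import ./make-test-python.nix ({
  name = "qemu-vm-restrictnetwork";

  nodes = {
    # Positive control: same guest, isolation switched off.
    unrestricted = { config, pkgs, ... }: {
      virtualisation.restrictNetwork = false;
    };

    # Guest under test: isolation switched on.
    restricted = { config, pkgs, ... }: {
      virtualisation.restrictNetwork = true;
    };
  };

  testScript = ''
    import os

    if os.fork() == 0:
        # Child process: start an HTTP server on the qemu host to test guest
        # isolation. It is bound to loopback only, which is the address the
        # guests' 10.0.2.2 gateway maps to, so the port is not exposed on the
        # host's other interfaces while the test runs.
        # BaseHTTPRequestHandler implements no do_GET, so every GET is answered
        # with an HTTP error status; the probes below only need a reachable
        # TCP listener. Nothing in this script stops the child again.
        from http.server import HTTPServer, BaseHTTPRequestHandler

        HTTPServer(("127.0.0.1", 8000), BaseHTTPRequestHandler).serve_forever()
    else:
        start_all()
        unrestricted.wait_for_unit("network-online.target")
        restricted.wait_for_unit("network-online.target")

        # Guests should be able to reach each other on the same VLAN, so the
        # restriction must not break guest-to-guest traffic.
        unrestricted.succeed("ping -c1 restricted")
        restricted.succeed("ping -c1 unrestricted")

        # Only the unrestricted guest should be able to reach host services.
        # 10.0.2.2 is the gateway mapping to the host's loopback interface.
        # curl runs without --fail on purpose: the server's error status still
        # yields exit code 0, so succeed() means "connection established".
        unrestricted.succeed("curl -s http://10.0.2.2:8000")

        # fail() passes on any non-zero exit status, so this negative check is
        # only meaningful because the probe above has just shown that the
        # server is listening and reachable from an unrestricted guest. Keep
        # the two probes in this order.
        restricted.fail("curl -s http://10.0.2.2:8000")
  '';
})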