diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index fbbebc2520a3..7ed310c0d7c3 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -533,6 +533,7 @@ in {
 public-inbox = handleTest ./public-inbox.nix {};
 pulseaudio = discoverTests (import ./pulseaudio.nix);
 qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {};
+ qemu-vm-restrictnetwork = handleTest ./qemu-vm-restrictnetwork.nix {};
 quorum = handleTest ./quorum.nix {};
 quake3 = handleTest ./quake3.nix {};
 rabbitmq = handleTest ./rabbitmq.nix {};
diff --git a/nixos/tests/qemu-vm-restrictnetwork.nix b/nixos/tests/qemu-vm-restrictnetwork.nix
new file mode 100644
index 000000000000..49a105ef1076
--- /dev/null
+++ b/nixos/tests/qemu-vm-restrictnetwork.nix
@@ -0,0 +1,36 @@
+import ./make-test-python.nix ({
+ name = "qemu-vm-restrictnetwork";
+
+ nodes = {
+ unrestricted = { config, pkgs, ... }: {
+ virtualisation.restrictNetwork = false;
+ };
+
+ restricted = { config, pkgs, ... }: {
+ virtualisation.restrictNetwork = true;
+ };
+ };
+
+ testScript = ''
+ import os
+
+ if os.fork() == 0:
+ # Start some HTTP server on the qemu host to test guest isolation.
+ from http.server import HTTPServer, BaseHTTPRequestHandler
+ HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever()
+
+ else:
+ start_all()
+ unrestricted.wait_for_unit("network-online.target")
+ restricted.wait_for_unit("network-online.target")
+
+ # Guests should be able to reach each other on the same VLAN.
+ unrestricted.succeed("ping -c1 restricted")
+ restricted.succeed("ping -c1 unrestricted")
+
+ # Only the unrestricted guest should be able to reach host services.
+ # 10.0.2.2 is the gateway mapping to the host's loopback interface.
+ unrestricted.succeed("curl -s http://10.0.2.2:8000")
+ restricted.fail("curl -s http://10.0.2.2:8000")
+ '';
+})
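Review bot: The host-side HTTP server in the new qemu-vm-restrictnetwork.nix testScript binds to `("", 8000)`, i.e. every interface of the build host, although the guests only reach it through 10.0.2.2, which the comment two lines above the curl calls itself describes as the host's loopback; binding to `("127.0.0.1", 8000)` keeps the listener off external interfaces while leaving the test unchanged. Creating the server before the fork, `server = HTTPServer(("127.0.0.1", 8000), BaseHTTPRequestHandler)` followed by `if os.fork() == 0: server.serve_forever()`, would also surface a bind failure (port 8000 already taken) as a direct error in the driver instead of an opaque failure of `unrestricted.succeed("curl ...")`. The forked child is never terminated or reaped by the script; presumably the test driver's process-group teardown covers it, but a `# NOTE: child serves forever; relies on the driver killing leftover processes on exit` comment would record that assumption. Both curl calls run without a timeout, so if the restricted network drops packets rather than rejecting the connection, `restricted.fail(...)` only passes after curl's default connect timeout; `curl -s --connect-timeout 5 http://10.0.2.2:8000` keeps the negative check fast and makes a hang in the positive check fail quickly too.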