nixpkgs/nixos/tests/containers-extra_veth.nix

# Test for NixOS' container support.

import ./make-test-python.nix ({ pkgs, ...} : {
  name = "containers-extra_veth";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ kampfschlaefer ];
  };

  machine =
    { pkgs, ... }:
    { imports = [ ../modules/installer/cd-dvd/channel.nix ];
      virtualisation.writableStore = true;
      virtualisation.memorySize = 768;
      virtualisation.vlans = [];

      networking.useDHCP = false;
      networking.bridges = {
        br0 = {
          interfaces = [];
        };
        br1 = { interfaces = []; };
      };
      networking.interfaces = {
        br0 = {
          ipv4.addresses = [{ address = "192.168.0.1"; prefixLength = 24; }];
          ipv6.addresses = [{ address = "fc00::1"; prefixLength = 7; }];
        };
        br1 = {
          ipv4.addresses = [{ address = "192.168.1.1"; prefixLength = 24; }];
        };
      };

      containers.webserver =
        {
          autoStart = true;
          privateNetwork = true;
          hostBridge = "br0";
          localAddress = "192.168.0.100/24";
          localAddress6 = "fc00::2/7";
          extraVeths = {
            veth1 = { hostBridge = "br1"; localAddress = "192.168.1.100/24"; };
            veth2 = { hostAddress = "192.168.2.1"; localAddress = "192.168.2.100"; };
          };
          config =
            {
              networking.firewall.allowedTCPPorts = [ 80 ];
            };
        };

      virtualisation.pathsInNixDB = [ pkgs.stdenv ];
    };

  testScript =
    ''
      machine.wait_for_unit("default.target")
      assert "webserver" in machine.succeed("nixos-container list")

      with subtest("Status of the webserver container is up"):
          assert "up" in machine.succeed("nixos-container status webserver")

      with subtest("Ensure that the veths are inside the container"):
          assert "state UP" in machine.succeed(
              "nixos-container run webserver -- ip link show veth1"
          )
          assert "state UP" in machine.succeed(
              "nixos-container run webserver -- ip link show veth2"
          )

      with subtest("Ensure the presence of the extra veths"):
          assert "state UP" in machine.succeed("ip link show veth1")
          assert "state UP" in machine.succeed("ip link show veth2")

      with subtest("Ensure the veth1 is part of br1 on the host"):
          assert "master br1" in machine.succeed("ip link show veth1")

      with subtest("Ping on main veth"):
          machine.succeed("ping -n -c 1 192.168.0.100")
          machine.succeed("ping -n -c 1 fc00::2")

      with subtest("Ping on the first extra veth"):
          machine.succeed("ping -n -c 1 192.168.1.100 >&2")

      with subtest("Ping on the second extra veth"):
          machine.succeed("ping -n -c 1 192.168.2.100 >&2")

      with subtest("Container can be stopped"):
          machine.succeed("nixos-container stop webserver")
          machine.fail("ping -n -c 1 192.168.1.100 >&2")
          machine.fail("ping -n -c 1 192.168.2.100 >&2")

      with subtest("Destroying a declarative container should fail"):
          machine.fail("nixos-container destroy webserver")
    '';
})
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`# Test for NixOS' container support.`

nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`import ./make-test-python.nix ({ pkgs, ...} : {`
			`name = "containers-extra_veth";`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`meta = with pkgs.stdenv.lib.maintainers; {`
containers: add myself to the maintainers of the tests Seems like the right thing to do. 2016-05-16 13:06:40 +02:00			`maintainers = [ kampfschlaefer ];`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`};`

			`machine =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ pkgs, ... }:`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`{ imports = [ ../modules/installer/cd-dvd/channel.nix ];`
			`virtualisation.writableStore = true;`
			`virtualisation.memorySize = 768;`
			`virtualisation.vlans = [];`

nixos/containers: explicitly set link up on host for extraVeths 2019-01-11 19:50:15 +01:00			`networking.useDHCP = false;`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`networking.bridges = {`
			`br0 = {`
			`interfaces = [];`
			`};`
			`br1 = { interfaces = []; };`
			`};`
			`networking.interfaces = {`
			`br0 = {`
nixos/tests: rename IP addresses/routes options 2017-12-03 05:14:54 +01:00			`ipv4.addresses = [{ address = "192.168.0.1"; prefixLength = 24; }];`
			`ipv6.addresses = [{ address = "fc00::1"; prefixLength = 7; }];`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`};`
			`br1 = {`
nixos/tests: rename IP addresses/routes options 2017-12-03 05:14:54 +01:00			`ipv4.addresses = [{ address = "192.168.1.1"; prefixLength = 24; }];`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`};`
			`};`

			`containers.webserver =`
			`{`
			`autoStart = true;`
			`privateNetwork = true;`
			`hostBridge = "br0";`
			`localAddress = "192.168.0.100/24";`
			`localAddress6 = "fc00::2/7";`
			`extraVeths = {`
			`veth1 = { hostBridge = "br1"; localAddress = "192.168.1.100/24"; };`
			`veth2 = { hostAddress = "192.168.2.1"; localAddress = "192.168.2.100"; };`
			`};`
			`config =`
			`{`
			`networking.firewall.allowedTCPPorts = [ 80 ];`
			`};`
			`};`

			`virtualisation.pathsInNixDB = [ pkgs.stdenv ];`
			`};`

			`testScript =`
			`''`
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`machine.wait_for_unit("default.target")`
			`assert "webserver" in machine.succeed("nixos-container list")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Status of the webserver container is up"):`
			`assert "up" in machine.succeed("nixos-container status webserver")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Ensure that the veths are inside the container"):`
			`assert "state UP" in machine.succeed(`
			`"nixos-container run webserver -- ip link show veth1"`
			`)`
			`assert "state UP" in machine.succeed(`
			`"nixos-container run webserver -- ip link show veth2"`
			`)`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Ensure the presence of the extra veths"):`
			`assert "state UP" in machine.succeed("ip link show veth1")`
			`assert "state UP" in machine.succeed("ip link show veth2")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Ensure the veth1 is part of br1 on the host"):`
			`assert "master br1" in machine.succeed("ip link show veth1")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Ping on main veth"):`
			`machine.succeed("ping -n -c 1 192.168.0.100")`
			`machine.succeed("ping -n -c 1 fc00::2")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Ping on the first extra veth"):`
			`machine.succeed("ping -n -c 1 192.168.1.100 >&2")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Ping on the second extra veth"):`
			`machine.succeed("ping -n -c 1 192.168.2.100 >&2")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Container can be stopped"):`
			`machine.succeed("nixos-container stop webserver")`
			`machine.fail("ping -n -c 1 192.168.1.100 >&2")`
			`machine.fail("ping -n -c 1 192.168.2.100 >&2")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00
nixosTests.containers*: port rest to python 2019-12-01 02:29:24 +01:00			`with subtest("Destroying a declarative container should fail"):`
			`machine.fail("nixos-container destroy webserver")`
declarative containers: additional veths With these changes, a container can have more then one veth-pair. This allows for example to have LAN and DMZ as bridges on the host and add dedicated containers for proxies, ipv4-firewall and ipv6-firewall. Or to have a bridge for normal WAN, one bridge for administration and one bridge for customer-internal communication. So that web-server containers can be reached from outside per http, from the management via ssh and can talk to their database via the customer network. The scripts to set up the containers are now rendered several times instead of just one template. The scripts now contain per-container code to configure the extra veth interfaces. The default template without support for extra-veths is still rendered for the imperative containers. Also a test is there to see if extra veths can be placed into host-bridges or can be reached via routing. 2016-05-07 00:04:28 +02:00			`'';`
			`})`