nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-20 17:29:36 +01:00
Code Activity
nix/tests/functional/pasta-network.sh
Jörg Thalheim b2c35b45d2 pasta: wip 
TODO: add original authors as commit authors
2025-09-17 23:19:55 +02:00

133 lines
4 KiB
Bash
Executable file
Raw Permalink Blame History

#!/usr/bin/env bash
source common.sh
# This test requires Linux sandbox support and pasta
needLocalStore "the sandbox only runs on the builder side"
requireSandboxSupport
requiresUnprivilegedUserNamespaces
# Skip test if pasta is not configured or available
PASTA_PATH="${pasta_path:-}"
if [[ -z "$PASTA_PATH" ]] || [[ "$PASTA_PATH" == "pasta" ]] || [[ ! -x "$PASTA_PATH" ]]; then
skipTest "pasta is not available (pasta_path=$PASTA_PATH)"
fi
# Ensure pasta is in a standard location that Nix can access
# If pasta is in a non-standard location, we need to add it to sandbox-paths
PASTA_DIR=$(dirname "$PASTA_PATH")
export NIX_SANDBOX_PATHS="$PASTA_DIR=$PASTA_DIR"
# Skip test if /dev/net/tun is not available (required for pasta)
if [[ ! -e /dev/net/tun ]]; then
skipTest "/dev/net/tun not available"
fi
clearStore
# Test that fixed-output derivations can access the network when pasta is enabled
echo 'testing fixed-output derivation with network access...'
# Create a test derivation that tries to access the network
cat > pasta-test.nix <<'EOF'
with import ./config.nix;
{
# Test basic network functionality with a fixed-output derivation
testNetworkAccess = mkDerivation {
name = "test-network-access";
builder = builtins.toFile "builder.sh" ''
${bash}/bin/bash -c '
# Test basic network connectivity
# Try to resolve a hostname
if getent hosts localhost >/dev/null 2>&1; then
echo "DNS resolution works"
else
echo "DNS resolution failed"
exit 1
fi
# Test if we can see network interfaces
if ${coreutils}/bin/test -e /sys/class/net/eth0; then
echo "Network interface eth0 exists"
else
echo "Network interface eth0 missing"
exit 1
fi
# Create output
echo "Network test passed" > $out
'
'';
outputHashMode = "flat";
outputHashAlgo = "sha256";
outputHash = "sha256-YCa7ssqLHbdFkPJEG4REJJbsZF9g3w1i+Eg21nUYCCk=";
};
# Test that non-fixed-output derivations cannot access the network
testNoNetworkAccess = mkDerivation {
name = "test-no-network-access";
builder = builtins.toFile "builder.sh" ''
${bash}/bin/bash -c '
# This should fail because non-fixed-output derivations
# should not have network access
if getent hosts localhost >/dev/null 2>&1; then
echo "ERROR: DNS resolution works but should not!"
exit 1
fi
# There should be no network interfaces
if ${coreutils}/bin/test -e /sys/class/net/eth0; then
echo "ERROR: Network interface exists but should not!"
exit 1
fi
echo "Network properly isolated" > $out
'
'';
};
}
EOF
# Test with pasta enabled
echo "Setting pasta-path for network isolation..."
NIX_CONFIG="pasta-path = $PASTA_PATH
sandbox-paths = $NIX_SANDBOX_PATHS" \
nix-build pasta-test.nix -A testNetworkAccess --no-out-link
# Test that non-fixed-output derivations are still isolated
echo "Testing non-fixed-output derivation isolation..."
nix-build pasta-test.nix -A testNoNetworkAccess --no-out-link
# Test that pasta process is properly cleaned up
echo "Testing pasta process cleanup..."
cat > pasta-cleanup-test.nix <<'EOF'
with import ./config.nix;
mkDerivation {
name = "pasta-cleanup-test";
builder = builtins.toFile "builder.sh" ''
${bash}/bin/bash -c '
# Just create output
echo "test" > $out
'
'';
outputHashMode = "flat";
outputHashAlgo = "sha256";
outputHash = "sha256-n4xS51kG4lw0bKJl5VUkJptBS0EbV8LPHZkFV3RJQBU=";
}
EOF
# Build with pasta and check that no pasta processes remain
PASTA_COUNT_BEFORE=$(pgrep -c pasta || echo 0)
NIX_CONFIG="pasta-path = $PASTA_PATH
sandbox-paths = $NIX_SANDBOX_PATHS" \
nix-build pasta-cleanup-test.nix --no-out-link
PASTA_COUNT_AFTER=$(pgrep -c pasta || echo 0)
if [[ $PASTA_COUNT_AFTER -gt $PASTA_COUNT_BEFORE ]]; then
echo "ERROR: pasta process was not cleaned up properly"
exit 1
fi
echo "pasta network isolation tests passed!"
View git blame Copy permalink