authorEelco Dolstra <eelco.dolstra@logicblox.com>2014-04-11 17:15:56 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2014-04-11 17:16:44 +0200
commit13185280fee4111dc07f794e528fa3a73f421f3a (patch)
tree40f813ae0cf436e9bbe3a8364b046c6f93ffc2fc /nixos/tests
parent017408e048ae2419baf0adba424b51d85b063a30 (diff)
Fix tests broken due to the firewall being enabled by default
Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/bittorrent.nix8
-rw-r--r--nixos/tests/containers.nix4
-rw-r--r--nixos/tests/firewall.nix3
-rw-r--r--nixos/tests/installer.nix2
-rw-r--r--nixos/tests/ipv6.nix1
-rw-r--r--nixos/tests/jenkins.nix14
-rw-r--r--nixos/tests/mumble.nix1
-rw-r--r--nixos/tests/mysql-replication.nix9
-rw-r--r--nixos/tests/nat.nix3
-rw-r--r--nixos/tests/nfs.nix2
-rw-r--r--nixos/tests/printing.nix3
-rw-r--r--nixos/tests/proxy.nix11
-rw-r--r--nixos/tests/quake3.nix1
-rw-r--r--nixos/tests/tomcat.nix9
14 files changed, 47 insertions, 24 deletions
diff --git a/nixos/tests/bittorrent.nix b/nixos/tests/bittorrent.nix
index 6e67edb0b82..f84b65699d3 100644
--- a/nixos/tests/bittorrent.nix
+++ b/nixos/tests/bittorrent.nix
@@ -33,6 +33,8 @@ in
           services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
           services.httpd.documentRoot = "/tmp";
+
+          networking.firewall.enable = false; # FIXME: figure out what ports we actually need
         };
 
       router =
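Review bot: Turning the firewall off for a whole node means the test no longer runs against the default-on firewall, and only this tracker node and the two nfs.nix nodes carry a FIXME saying the disable is temporary. The same `networking.firewall.enable = false;` is added without any marker in the next hunk of this file (two nodes) and on the nat.nix server, so there it reads as a permanent choice. I would put the same kind of comment on those lines, e.g. `# FIXME: open only the ports this test needs`. For the httpd part of this node, the other files in this commit already show the narrow form, `networking.firewall.allowedTCPPorts = [ 80 ];`. The node definition starts outside the hunk.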
@@ -50,11 +52,13 @@ in
           virtualisation.vlans = [ 2 ];
           networking.defaultGateway =
             nodes.router.config.networking.interfaces.eth2.ipAddress;
+          networking.firewall.enable = false;
         };
 
       client2 =
         { config, pkgs, ... }:
         { environment.systemPackages = [ pkgs.transmission ];
+          networking.firewall.enable = false;
         };
     };
 
@@ -66,8 +70,8 @@ in
       # Enable NAT on the router and start miniupnpd.
       $router->waitForUnit("nat");
       $router->succeed(
-          "iptables -t nat -N MINIUPNPD",
-          "iptables -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
+          "iptables -w -t nat -N MINIUPNPD",
+          "iptables -w -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
           "echo 1 > /proc/sys/net/ipv4/ip_forward",
           "miniupnpd -f ${miniupnpdConf nodes}"
       );
diff --git a/nixos/tests/containers.nix b/nixos/tests/containers.nix
index d72e80b71af..06b793ed7ac 100644
--- a/nixos/tests/containers.nix
+++ b/nixos/tests/containers.nix
@@ -17,6 +17,8 @@
           config =
             { services.httpd.enable = true;
               services.httpd.adminAddr = "foo@example.org";
+              networking.firewall.allowedTCPPorts = [ 80 ];
+              networking.firewall.allowPing = true;
             };
         };
 
@@ -65,7 +67,7 @@
       $machine->succeed("nixos-container start $id1");
 
       # Execute commands via the root shell.
-      $machine->succeed("echo uname | nixos-container root-shell $id1") =~ /Linux/;
+      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/;
       $machine->succeed("nixos-container set-root-password $id1 foobar");
 
       # Destroy the containers.
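Review bot: The rewritten `uname` check still asserts nothing, because the result of `=~ /Linux/` is evaluated and discarded; the step passes whatever the container prints, as long as the command exits 0. Append `or die`, as printing.nix does for its `lpstat` check: `$machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;`. The test script continues outside the hunk.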
diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index de32b98e5d2..15653dedf3c 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -17,6 +17,7 @@
         { config, pkgs, ... }:
         { services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
+          networking.firewall.enable = false;
         };
     };
 
@@ -33,7 +34,7 @@
       $walled->succeed("curl -v http://localhost/ >&2");
 
       # Connections to the firewalled machine should fail.
-      $attacker->fail("curl -v http://walled/ >&2");
+      $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
       $attacker->fail("ping -c 1 walled >&2");
 
       # Outgoing connections/pings should still work.
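Review bot: `$attacker->fail(...)` accepts any non-zero exit from curl, so this negative check cannot tell a connection blocked by the firewall from a name-resolution failure, and with `--fail` an HTTP error status now counts as "blocked" too. The 2-second connect timeout also lets a slow VM pass for the wrong reason. If the firewall drops packets rather than rejecting them, curl ends with exit status 28 (timeout) and the check could pin that: `$attacker->succeed("curl --fail --connect-timeout 2 http://walled/ >&2; [ \$? -eq 28 ]");`. The same applies to the `$server->fail("curl --fail --connect-timeout 2  http://client:631/")` line in printing.nix.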
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 151458fbd5e..b0c0aa328f0 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -79,6 +79,8 @@ let
       virtualisation.writableStore = true;
       virtualisation.pathsInNixDB = channelContents ++ [ pkgs.hello.src ];
       virtualisation.memorySize = 768;
+
+      networking.firewall.allowedTCPPorts = [ 80 ];
     };
 
   channelContents = [ pkgs.rlwrap ];
diff --git a/nixos/tests/ipv6.nix b/nixos/tests/ipv6.nix
index 29d675e180a..48c20d7f5c9 100644
--- a/nixos/tests/ipv6.nix
+++ b/nixos/tests/ipv6.nix
@@ -12,6 +12,7 @@
         { config, pkgs, ... }:
         { services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
+          networking.firewall.allowedTCPPorts = [ 80 ];
         };
 
       router =
diff --git a/nixos/tests/jenkins.nix b/nixos/tests/jenkins.nix
index e6524ec5653..40223482791 100644
--- a/nixos/tests/jenkins.nix
+++ b/nixos/tests/jenkins.nix
@@ -3,21 +3,27 @@
 #   2. jenkins user can be extended on both master and slave
 #   3. jenkins service not started on slave node
 { pkgs, ... }:
+
 {
   nodes = {
-    master = { pkgs, config, ... }: {
-        services.jenkins.enable = true;
+
+    master =
+      { config, pkgs, ... }:
+      { services.jenkins.enable = true;
 
         # should have no effect
         services.jenkinsSlave.enable = true;
 
         users.extraUsers.jenkins.extraGroups = [ "users" ];
       };
-    slave = { pkgs, config, ... }: {
-        services.jenkinsSlave.enable = true;
+
+    slave =
+      { config, pkgs, ... }:
+      { services.jenkinsSlave.enable = true;
 
         users.extraUsers.jenkins.extraGroups = [ "users" ];
       };
+
   };
 
   testScript = ''
diff --git a/nixos/tests/mumble.nix b/nixos/tests/mumble.nix
index 509742f2899..10658eb5f02 100644
--- a/nixos/tests/mumble.nix
+++ b/nixos/tests/mumble.nix
@@ -11,6 +11,7 @@ in
     server = { config, pkgs, ... }: {
       services.murmur.enable       = true;
       services.murmur.registerName = "NixOS tests";
+      networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
     };
 
     client1 = client;
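Review bot: Only TCP is opened for murmur here, while Mumble carries voice over UDP on the same port and falls back to tunnelling it through the TCP connection when UDP is blocked. The clients will still connect, but the test then runs on the fallback path rather than the normal one. If that is not intended, add `networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];` next to the TCP line.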
diff --git a/nixos/tests/mysql-replication.nix b/nixos/tests/mysql-replication.nix
index f8c82f7ce9c..44586322600 100644
--- a/nixos/tests/mysql-replication.nix
+++ b/nixos/tests/mysql-replication.nix
@@ -15,10 +15,11 @@ in
         services.mysql.replication.role = "master";
         services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
         services.mysql.initialScript = pkgs.writeText "initmysql"
-        ''
-          create user '${replicateUser}'@'%' identified by '${replicatePassword}';
-          grant replication slave on *.* to '${replicateUser}'@'%';
-        '';
+          ''
+            create user '${replicateUser}'@'%' identified by '${replicatePassword}';
+            grant replication slave on *.* to '${replicateUser}'@'%';
+          '';
+        networking.firewall.allowedTCPPorts = [ 3306 ];
       };
 
     slave1 =
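Review bot: The re-indented `initialScript` still interpolates `${replicatePassword}` into a `pkgs.writeText` file, which ends up in the world-readable Nix store, and the account is created for host `'%'` on a port this hunk now opens. That is acceptable inside an isolated test VM, but test files like this get copied as configuration examples. A comment above the script would say so, e.g. `# test-only: the password lands in the Nix store; do not reuse this pattern on a real host`. The master node definition starts outside the hunk.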
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index a13714d60a9..259ab99d301 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -12,6 +12,7 @@
     { client =
         { config, pkgs, nodes, ... }:
         { virtualisation.vlans = [ 1 ];
+          networking.firewall.allowPing = true;
           networking.defaultGateway =
             nodes.router.config.networking.interfaces.eth2.ipAddress;
         };
@@ -19,6 +20,7 @@
       router =
         { config, pkgs, ... }:
         { virtualisation.vlans = [ 2 1 ];
+          networking.firewall.allowPing = true;
           networking.nat.enable = true;
           networking.nat.internalIPs = [ "192.168.1.0/24" ];
           networking.nat.externalInterface = "eth1";
@@ -27,6 +29,7 @@
       server =
         { config, pkgs, ... }:
         { virtualisation.vlans = [ 2 ];
+          networking.firewall.enable = false;
           services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
           services.vsftpd.enable = true;
diff --git a/nixos/tests/nfs.nix b/nixos/tests/nfs.nix
index 51abf57e1b7..7bc99aef3b5 100644
--- a/nixos/tests/nfs.nix
+++ b/nixos/tests/nfs.nix
@@ -13,6 +13,7 @@ let
             options = "vers=${toString version}";
           }
         ];
+      networking.firewall.enable = false; # FIXME: only open statd
     };
 
 in
@@ -31,6 +32,7 @@ in
               /data 192.168.1.0/255.255.255.0(rw,no_root_squash,no_subtree_check,fsid=0)
             '';
           services.nfs.server.createMountPoints = true;
+          networking.firewall.enable = false; # FIXME: figure out what ports need to be allowed
         };
     };
 
diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix
index 13cc3115d50..b5ca0f25e21 100644
--- a/nixos/tests/printing.nix
+++ b/nixos/tests/printing.nix
@@ -17,6 +17,7 @@
               Allow from all
             </Location>
           '';
+        networking.firewall.allowedTCPPorts = [ 631 ];
       };
 
     client =
@@ -37,7 +38,7 @@
       $client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die;
       $client->succeed("curl --fail http://localhost:631/");
       $client->succeed("curl --fail http://server:631/");
-      $server->fail("curl --fail http://client:631/");
+      $server->fail("curl --fail --connect-timeout 2  http://client:631/");
 
       # Add a HP Deskjet printer connected via USB to the server.
       $server->succeed("lpadmin -p DeskjetLocal -v usb://HP/Deskjet%205400%20series?serial=TH93I152S123XY -m 'drv:///sample.drv/deskjet.ppd' -E");
diff --git a/nixos/tests/proxy.nix b/nixos/tests/proxy.nix
index 3b79c16ea2c..dd64ca02e16 100644
--- a/nixos/tests/proxy.nix
+++ b/nixos/tests/proxy.nix
@@ -5,12 +5,10 @@ let
   backend =
     { config, pkgs, ... }:
 
-    {
-      services.openssh.enable = true;
-
-      services.httpd.enable = true;
+    { services.httpd.enable = true;
       services.httpd.adminAddr = "foo@example.org";
       services.httpd.documentRoot = "${pkgs.valgrind}/share/doc/valgrind/html";
+      networking.firewall.allowedTCPPorts = [ 80 ];
     };
 
 in
@@ -21,8 +19,7 @@ in
     { proxy =
         { config, pkgs, nodes, ... }:
 
-        {
-          services.httpd.enable = true;
+        { services.httpd.enable = true;
           services.httpd.adminAddr = "bar@example.org";
           services.httpd.extraModules = ["proxy_balancer"];
 
@@ -50,6 +47,8 @@ in
               # For testing; don't want to wait forever for dead backend servers.
               ProxyTimeout      5
             '';
+
+          networking.firewall.allowedTCPPorts = [ 80 ];
         };
 
       backend1 = backend;
diff --git a/nixos/tests/quake3.nix b/nixos/tests/quake3.nix
index fefbd75b4a3..2ebac84ca06 100644
--- a/nixos/tests/quake3.nix
+++ b/nixos/tests/quake3.nix
@@ -37,6 +37,7 @@ rec {
                 "'+map q3dm7' '+addbot grunt' '+addbot daemia' 2> /tmp/log";
             };
           nixpkgs.config.packageOverrides = overrides;
+          networking.firewall.allowedUDPPorts = [ 27960 ];
         };
 
       client1 = client;
diff --git a/nixos/tests/tomcat.nix b/nixos/tests/tomcat.nix
index 6bc88ec82fa..6ec21a72192 100644
--- a/nixos/tests/tomcat.nix
+++ b/nixos/tests/tomcat.nix
@@ -5,13 +5,12 @@
     server =
       { pkgs, config, ... }:
 
-      {
-        services.tomcat.enable = true;
+      { services.tomcat.enable = true;
         services.httpd.enable = true;
         services.httpd.adminAddr = "foo@bar.com";
-        services.httpd.extraSubservices = [
-          { serviceType = "tomcat-connector"; }
-        ];
+        services.httpd.extraSubservices =
+          [ { serviceType = "tomcat-connector"; } ];
+        networking.firewall.allowedTCPPorts = [ 80 ];
       };
 
     client = { };