英文:
NixOS test with local network/internet access
问题
我有一个包含一些检查的 "flake.nix" 文件,其中一个检查需要在测试运行期间从测试环境外部(互联网、本地网络)拉取一些资源。然而,这些测试在一个沙盒中运行,阻止访问外部网络(互联网和本地网络)。
问题是:是否可以配置一个检查,或者配置检查中使用的机器,以允许访问外部网络?如何配置?
示例
# flake.nix
{
inputs = {
nixpkgs.url = "nixpkgs/nixos-22.11";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachSystem
(with flake-utils.lib.system; [ x86_64-linux ])
(system:
let
pkgs = import nixpkgs {
inherit system;
};
in
{
checks.test = pkgs.nixosTest {
name = "test";
nodes.n1 = { };
testScript = ''
n1.succeed("ping -c 1 8.8.8.8") # ping google's DNS
'';
};
formatter = pkgs.nixpkgs-fmt;
}
);
}
当使用 "nix flake check" 命令运行(与 "flake.nix" 文件位于同一目录中)时,该测试会在 ping 操作中(正确地)失败,并显示 "Exception: command ping -c 1 8.8.8.8 failed (exit code 2)"。我想让它成功。(如何)可以实现这一点?
注意:我知道与测试环境外部的资源进行交互是一种不好的做法,我完全意识到这一点。我仍然想要这样做,自担风险。
英文:
I have a flake.nix with some checks, one of which needs to pull some resources from outside the testing environment (internet, local network) during the run of the test. However, the tests run in a sandbox, preventing access to the outside network (the internet, and the local network).
The question is: Is it possible to configure a check, or the machine(s) used within a check, to allow access to the outside network? How?
Example
# flake.nix
{
inputs = {
nixpkgs.url = "nixpkgs/nixos-22.11";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachSystem
(with flake-utils.lib.system; [ x86_64-linux ])
(system:
let
pkgs = import nixpkgs {
inherit system;
};
in
{
checks.test = pkgs.nixosTest {
name = "test";
nodes.n1 = { };
testScript = ''
n1.succeed("ping -c 1 8.8.8.8") # ping google's DNS
'';
};
formatter = pkgs.nixpkgs-fmt;
}
);
}
When run with nix flake check (in the same directory as the flake.nix), the test (correctly) fails on the ping with Exception: command `ping -c 1 8.8.8.8` failed (exit code 2). I would like it succeed. (How) can I achieve that?
Note: I know that interacting with resources outside the testing environment is a bad practice, I'm fully aware of that. I would like to do it anyway, at my own risk.
答案1
得分: 1
你可以通过在派生中设置__noChroot = true;来禁用构建的沙盒功能。
这对于一个派生来说很容易,但对于 NixOS 测试来说就不那么容易了,因为你还需要更改虚拟机的网络配置。
但如果你只需要一个派生,那就没问题。
另一种获取网络访问权限的方式是创建一个固定输出派生 (FOD),通过指定输出哈希值来实现 - 但这可能不是你测试所需的。
关于__noChroot的更多解释在这里:https://zimbatm.com/notes/nix-packaging-the-heretic-way
英文:
You can disable the sandbox for the build by setting __noChroot = true; in your derivation.
That’s easy for a derivation, not so much for a NixOS test, where you would also need to change the network configuration of the VMs.
But if a derivation is all you need, that’s fine.
The other way to get network access is making a fixed-output derivation (FOD), by specifying the output hash – but that’s probably not what you want for tests.
More explanation on __noChroot here: https://zimbatm.com/notes/nix-packaging-the-heretic-way
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论