Fix tests broken due to the firewall being enabled by default

Author: edolstra

nixos/modules/services/continuous-integration/jenkins/default.nix

@@ -43,7 +43,7 @@ in {
         default = 8080;
         type = types.uniq types.int;
         description = ''
-          Specifies port number on which the jenkins HTTP interface listens. The default is 8080
+          Specifies port number on which the jenkins HTTP interface listens. The default is 8080.
         '';
       };
 

nixos/modules/services/networking/avahi-daemon.nix

@@ -142,6 +142,10 @@ in
     services.dbus.enable = true;
     services.dbus.packages = [avahi];
 
+    # Enabling Avahi without exposing it in the firewall doesn't make
+    # sense.
+    networking.firewall.allowedUDPPorts = [ 5353 ];
+
   };
 
 }

nixos/tests/bittorrent.nix

@@ -33,6 +33,8 @@ in
           services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
           services.httpd.documentRoot = "/tmp";
+
+          networking.firewall.enable = false; # FIXME: figure out what ports we actually need
         };
 
       router =
@@ -50,11 +52,13 @@ in
           virtualisation.vlans = [ 2 ];
           networking.defaultGateway =
             nodes.router.config.networking.interfaces.eth2.ipAddress;
+          networking.firewall.enable = false;
         };
 
       client2 =
         { config, pkgs, ... }:
         { environment.systemPackages = [ pkgs.transmission ];
+          networking.firewall.enable = false;
         };
     };
 
@@ -66,8 +70,8 @@ in
       # Enable NAT on the router and start miniupnpd.
       $router->waitForUnit("nat");
       $router->succeed(
-          "iptables -t nat -N MINIUPNPD",
-          "iptables -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
+          "iptables -w -t nat -N MINIUPNPD",
+          "iptables -w -t nat -A PREROUTING -i eth1 -j MINIUPNPD",
           "echo 1 > /proc/sys/net/ipv4/ip_forward",
           "miniupnpd -f ${miniupnpdConf nodes}"
       );

nixos/tests/containers.nix

@@ -17,6 +17,8 @@
           config =
             { services.httpd.enable = true;
               services.httpd.adminAddr = "foo@example.org";
+              networking.firewall.allowedTCPPorts = [ 80 ];
+              networking.firewall.allowPing = true;
             };
         };
 
@@ -65,7 +67,7 @@
       $machine->succeed("nixos-container start $id1");
 
       # Execute commands via the root shell.
-      $machine->succeed("echo uname | nixos-container root-shell $id1") =~ /Linux/;
+      $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/;
       $machine->succeed("nixos-container set-root-password $id1 foobar");
 
       # Destroy the containers.

nixos/tests/firewall.nix

@@ -17,6 +17,7 @@
         { config, pkgs, ... }:
         { services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
+          networking.firewall.enable = false;
         };
     };
 
@@ -33,7 +34,7 @@
       $walled->succeed("curl -v http://localhost/ >&2");
 
       # Connections to the firewalled machine should fail.
-      $attacker->fail("curl -v http://walled/ >&2");
+      $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
       $attacker->fail("ping -c 1 walled >&2");
 
       # Outgoing connections/pings should still work.

nixos/tests/installer.nix

@@ -79,6 +79,8 @@ let
       virtualisation.writableStore = true;
       virtualisation.pathsInNixDB = channelContents ++ [ pkgs.hello.src ];
       virtualisation.memorySize = 768;
+
+      networking.firewall.allowedTCPPorts = [ 80 ];
     };
 
   channelContents = [ pkgs.rlwrap ];

nixos/tests/ipv6.nix

@@ -12,6 +12,7 @@
         { config, pkgs, ... }:
         { services.httpd.enable = true;
           services.httpd.adminAddr = "foo@example.org";
+          networking.firewall.allowedTCPPorts = [ 80 ];
         };
 
       router =

nixos/tests/jenkins.nix

@@ -3,21 +3,27 @@
 #   2. jenkins user can be extended on both master and slave
 #   3. jenkins service not started on slave node
 { pkgs, ... }:
+
 {
   nodes = {
-    master = { pkgs, config, ... }: {
-        services.jenkins.enable = true;
+
+    master =
+      { config, pkgs, ... }:
+      { services.jenkins.enable = true;
 
         # should have no effect
         services.jenkinsSlave.enable = true;
 
         users.extraUsers.jenkins.extraGroups = [ "users" ];
       };
-    slave = { pkgs, config, ... }: {
-        services.jenkinsSlave.enable = true;
+
+    slave =
+      { config, pkgs, ... }:
+      { services.jenkinsSlave.enable = true;
 
         users.extraUsers.jenkins.extraGroups = [ "users" ];
       };
+
   };
 
   testScript = ''

nixos/tests/mumble.nix

@@ -11,6 +11,7 @@ in
     server = { config, pkgs, ... }: {
       services.murmur.enable       = true;
       services.murmur.registerName = "NixOS tests";
+      networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
     };
 
     client1 = client;

nixos/tests/mysql-replication.nix

@@ -15,10 +15,11 @@ in
         services.mysql.replication.role = "master";
         services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
         services.mysql.initialScript = pkgs.writeText "initmysql"
-        ''
-          create user '${replicateUser}'@'%' identified by '${replicatePassword}';
-          grant replication slave on *.* to '${replicateUser}'@'%';
-        '';
+          ''
+            create user '${replicateUser}'@'%' identified by '${replicatePassword}';
+            grant replication slave on *.* to '${replicateUser}'@'%';
+          '';
+        networking.firewall.allowedTCPPorts = [ 3306 ];
       };
 
     slave1 =