nix-bitcoin/test/scenarios/withnetns.py

# netns IP addresses
bitcoind_ip = "169.254.1.12"
clightning_ip = "169.254.1.13"
lnd_ip = "169.254.1.14"
liquidd_ip = "169.254.1.15"
electrs_ip = "169.254.1.16"
sparkwallet_ip = "169.254.1.17"
lightningcharge_ip = "169.254.1.18"
nanopos_ip = "169.254.1.19"
recurringdonations_ip = "169.254.1.20"
nginx_ip = "169.254.1.21"

## electrs
# the main test body stops electrs
succeed("systemctl start electrs")
machine.wait_until_succeeds(
    "ip netns exec nb-electrs nc -z localhost 4224"
)  # prometeus metrics provider

## spark-wallet
machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip)
assert_matches(
    f"ip netns exec nb-spark-wallet curl -s {spark_auth}@%s:9737" % sparkwallet_ip, "Spark"
)

## lightning-charge
machine.wait_until_succeeds("ip netns exec nb-nanopos nc -z %s 9112" % lightningcharge_ip)
assert_matches(
    f"ip netns exec nb-nanopos curl -s api-token:{charge_auth}@%s:9112/info | jq"
    % lightningcharge_ip,
    '"id"',
)

## nanopos
machine.wait_until_succeeds("ip netns exec nb-lightning-charge nc -z %s 9116" % nanopos_ip)
assert_matches("ip netns exec nb-lightning-charge curl %s:9116" % nanopos_ip, "tshirt")

## webindex
machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 80")
assert_matches("ip netns exec nb-nginx curl localhost", "nix-bitcoin")
assert_matches("ip netns exec nb-nginx curl -L localhost/store", "tshirt")


### Security tests

ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"

# Positive ping tests (non-exhaustive)
machine.succeed(
    "%s %s &&" % (ping_bitcoind, bitcoind_ip)
    + "%s %s &&" % (ping_bitcoind, clightning_ip)
    + "%s %s &&" % (ping_bitcoind, liquidd_ip)
    + "%s %s &&" % (ping_nanopos, lightningcharge_ip)
    + "%s %s &&" % (ping_nanopos, nanopos_ip)
    + "%s %s" % (ping_nanopos, nginx_ip)
)

# Negative ping tests (non-exhaustive)
machine.fail(
    "%s %s ||" % (ping_bitcoind, sparkwallet_ip)
    + "%s %s ||" % (ping_bitcoind, lightningcharge_ip)
    + "%s %s ||" % (ping_bitcoind, nanopos_ip)
    + "%s %s ||" % (ping_bitcoind, recurringdonations_ip)
    + "%s %s ||" % (ping_bitcoind, nginx_ip)
    + "%s %s ||" % (ping_nanopos, bitcoind_ip)
    + "%s %s ||" % (ping_nanopos, clightning_ip)
    + "%s %s ||" % (ping_nanopos, lnd_ip)
    + "%s %s ||" % (ping_nanopos, liquidd_ip)
    + "%s %s ||" % (ping_nanopos, electrs_ip)
    + "%s %s ||" % (ping_nanopos, sparkwallet_ip)
    + "%s %s" % (ping_nanopos, recurringdonations_ip)
)

# test that netns-exec can't be run for unauthorized namespace
machine.fail("netns-exec nb-electrs ip a")

# test that netns-exec drops capabilities
assert_matches_exactly(
    "su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
)

# test that netns-exec can not be executed by users that are not operator
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")