File: run_test.sh

golang-github-rootless-containers-bypass4netns 0.4.2-1
#!/bin/bash

# Strict mode: stop on a failing command, on use of an unset variable, and on
# a failure in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# Load the login profile of the invoking user. It is sourced with nounset
# active, so it must not expand unset variables.
. ~/.profile

# Base image for most test containers, fetched once up front.
# NOTE(review): the image is referenced by tag, not by digest, so the content
# behind this name can change between runs.
ALPINE_IMAGE='public.ecr.aws/docker/library/alpine:3.16'
nerdctl pull --quiet "$ALPINE_IMAGE"

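# Absolute path of the directory holding this script. The "&&" makes a failed
# cd abort the script (through set -e) instead of silently recording the
# caller's working directory.
SCRIPT_DIR=$(cd -- "$(dirname -- "$0")" && pwd)

# nounset stays off from here until the build has finished; "${1:-}" makes the
# no-argument case explicit on top of that.
set +u
if [ "${1:-}" = "SYNC" ]; then
  # SYNC mode: replace the working copy in ~/bypass4netns with the tree found
  # at /host, hand ownership to the ubuntu user, then re-execute this script.
  echo "updating source code"
  rm -rf ~/bypass4netns
  sudo cp -r /host ~/bypass4netns
  sudo chown -R ubuntu:ubuntu ~/bypass4netns
  cd ~/bypass4netns
  echo "source code is updated"
  # exec replaces this shell, so no statement after it can run.
  # NOTE(review): $0 is resolved after the cd above, so a relative invocation
  # path is looked up relative to ~/bypass4netns.
  exec "$0" "FORK"
fi

# Rebuild both binaries from the working copy and install them with sudo.
cd ~/bypass4netns
rm -f bypass4netns bypass4netnsd
make
sudo make install
set -u
cd "$SCRIPT_DIR"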

# Best-effort reset of the user services the tests rely on. The commands run in
# a subshell with errexit switched off, so a unit that is missing or not
# running does not abort the script; the closing ":" keeps the subshell's own
# exit status at zero.
(
  set +e
  systemctl --user stop run-iperf3
  systemctl --user reset-failed
  sleep 1
  systemctl --user restart containerd
  sleep 1
  systemctl --user restart buildkit
  sleep 3
  :
)

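# Start an iperf3 server on the host as a transient user unit.
systemd-run --user --unit run-iperf3 iperf3 -s

# Select the host address on the 192.168.6.0/24 test network. A glob match is
# used so that the dots are literal: a regex "192.168.6." would also accept
# addresses such as 192.168.60.x. Only the first match is kept, and the script
# stops early when there is none instead of running every test with an empty
# address.
HOST_IP=""
# shellcheck disable=SC2046 -- word splitting of the address list is intended
for addr in $(hostname -I); do
  case "$addr" in
    192.168.6.*)
      HOST_IP=$addr
      break
      ;;
  esac
done
if [ -z "$HOST_IP" ]; then
  echo "no host address in 192.168.6.0/24 found" >&2
  exit 1
fi

# Generate the seccomp profile used by the rootless test containers.
# NOTE(review): the profile is written to a fixed name in /tmp and later passed
# to "--security-opt seccomp=". On a host shared with other local users that
# path could be pre-created or replaced by someone else; this presumably runs
# on a dedicated test VM -- confirm before reusing the pattern elsewhere.
~/bypass4netns/test/seccomp.json.sh | tee /tmp/seccomp.json

# Rotate and vacuum the journal; presumably so that the journal checks in the
# later sections only see entries written during this run.
sudo journalctl --rotate
sudo journalctl --vacuum-time=1s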

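# Baseline: a container started through sudo, with no seccomp profile attached
# in this section, must reach the iperf3 server on the host.
echo "===== rootful mode ===="
(
  # Remove a container left over from an earlier run; failing here is expected
  # when there is none.
  set +e
  sudo nerdctl rm -f test
  set -ex

  # Expansions are quoted so that an unexpected value cannot be split into
  # several arguments.
  sudo nerdctl run -d --name test "${ALPINE_IMAGE}" sleep infinity
  sudo nerdctl exec test apk add --no-cache iperf3
  # The connection to the host iperf3 server must succeed.
  sudo nerdctl exec test iperf3 -c "${HOST_IP}" -t 1 --connect-timeout 1000

  sudo nerdctl rm -f test
)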

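# A client built from ./DockerfileHttpServer runs under the seccomp profile and
# requests /ping from a server container published on the host; bypass4netns
# is expected to log one "bypassed connect socket" line per request.
echo "===== static linked binary test ====="
(
  # Best-effort cleanup of leftovers from an earlier run.
  set +e
  systemctl --user stop run-bypass4netns-static
  nerdctl rm -f test1
  nerdctl rm -f test2
  systemctl --user reset-failed
  set -ex

  IMAGE_NAME="b4ns:static"
  # Number of client requests, and therefore of expected journal entries.
  REQUESTS=3
  nerdctl build -f ./DockerfileHttpServer -t "$IMAGE_NAME" .

  systemd-run --user --unit run-bypass4netns-static bypass4netns --ignore "127.0.0.0/8,10.0.0.0/8"
  sleep 1
  nerdctl run -d -p 8081:8080 --name test1 "$IMAGE_NAME" /httpserver -mode server
  nerdctl run --security-opt seccomp=/tmp/seccomp.json -d --name test2 "$IMAGE_NAME" sleep infinity
  for ((n = 0; n < REQUESTS; n++)); do
    nerdctl exec test2 /httpserver -mode client -url "http://${HOST_IP}:8081/ping"
  done

  # grep -c exits non-zero when it counts zero lines; with pipefail and errexit
  # that would end the script at the assignment, before the diagnostic below
  # could be printed. "|| true" lets the count (possibly 0) reach the check.
  COUNT=$(journalctl --user -u run-bypass4netns-static.service | grep -c 'bypassed connect socket' || true)
  # String comparison on purpose: an empty or non-numeric COUNT is a failure,
  # not a test error that "if" would treat as false.
  if [ "$COUNT" != "$REQUESTS" ]; then
    echo "static linked binary bypassing not working correctly."
    exit 1
  fi

  nerdctl rm -f test1
  nerdctl rm -f test2
  systemctl --user stop run-bypass4netns-static
)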

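# With 192.168.6.0/24 added to --ignore, a connection from the container to the
# host address must be left alone by bypass4netns, which is checked through the
# "is not bypassed" debug message in the journal.
echo "===== '--ignore' option test ====="
(
  # Best-effort cleanup of leftovers from an earlier run.
  set +e
  systemctl --user stop run-bypass4netns
  nerdctl rm -f test
  set -ex

  systemd-run --user --unit run-bypass4netns bypass4netns --ignore "127.0.0.0/8,10.0.0.0/8,192.168.6.0/24" --debug
  nerdctl run --security-opt seccomp=/tmp/seccomp.json -d --name test "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test apk add --no-cache iperf3
  nerdctl exec test iperf3 -c "${HOST_IP}" -t 1
  # TODO: this check is crude; a better way to verify that connect(2) was
  # ignored is wanted.
  # grep runs without -q on purpose: an early exit of grep could end journalctl
  # with SIGPIPE, which pipefail would report as a failed pipeline.
  if ! journalctl --user -u run-bypass4netns.service | grep "is not bypassed"; then
    echo "'--ignore' option test failed: no 'is not bypassed' entry in the journal" >&2
    exit 1
  fi
  nerdctl rm -f test
  systemctl --user stop run-bypass4netns.service
)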

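# Runs test_syscalls.sh against a bypass4netns instance started with a
# 8080:5201 port mapping, passing it the seccomp profile path and the host
# address.
echo "===== connect(2) test ====="
(
  systemd-run --user --unit run-bypass4netns bypass4netns --ignore "127.0.0.0/8,10.0.0.0/8" -p 8080:5201
  set -x
  # Quoted so that a script directory containing whitespace still resolves.
  cd "$SCRIPT_DIR"
  /bin/bash test_syscalls.sh /tmp/seccomp.json "$HOST_IP"
  systemctl --user stop run-bypass4netns.service
)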

echo "===== Test bypass4netnsd ====="
(
  # Trace commands, reload the login profile, then hand over to the
  # bypass4netnsd test script found in the current directory.
  set -o xtrace
  . ~/.profile
  ./test_b4nnd.sh
)

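# bypass4netnsd handles container-to-container connections and no tracer is
# requested: test2 on net-2 must be able to reach the iperf3 server in test1.
echo "===== tracer test (disabled) ====="
(
  # Best-effort cleanup of leftovers from an earlier section or run. The
  # transient iperf3 unit is stopped as well, because systemd-run refuses to
  # create a unit whose name is still in use.
  set +e
  systemctl --user stop run-bypass4netnsd
  systemctl --user stop run-test1-iperf3
  nerdctl rm -f test1
  nerdctl rm -f test2
  nerdctl network rm net-2
  systemctl --user reset-failed
  set -ex

  systemd-run --user --unit run-bypass4netnsd bypass4netnsd --handle-c2c-connections=true
  sleep 1
  nerdctl run --annotation nerdctl/bypass4netns=true -d -p 8080:5201 --name test1 "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test1 apk add --no-cache iperf3
  TEST1_ADDR=$(nerdctl exec test1 hostname -i)
  systemd-run --user --unit run-test1-iperf3 nerdctl exec test1 iperf3 -s
  nerdctl network create --subnet "10.4.1.0/24" net-2
  nerdctl run --net net-2 --annotation nerdctl/bypass4netns=true -d --name test2 "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test2 apk add --no-cache iperf3
  # The connection from test2 to test1 must succeed. The address is quoted so
  # that an unexpected multi-word value is not split into extra arguments.
  nerdctl exec test2 iperf3 -c "$TEST1_ADDR" -t 1 --connect-timeout 1000

  nerdctl rm -f test1
  nerdctl rm -f test2
  nerdctl network rm net-2
  systemctl --user stop run-bypass4netnsd
)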

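# Same topology as the tracer-disabled section, but bypass4netnsd runs with
# --tracer=true: the connection from test2 to test1 is expected to fail.
echo "===== tracer test (enabled) ====="
(
  # Best-effort cleanup of leftovers from an earlier section or run. The
  # transient iperf3 unit is stopped as well, because systemd-run refuses to
  # create a unit whose name is still in use.
  set +e
  systemctl --user stop run-bypass4netnsd
  systemctl --user stop run-test1-iperf3
  nerdctl rm -f test1
  nerdctl rm -f test2
  nerdctl network rm net-2
  systemctl --user reset-failed
  set -ex

  systemd-run --user --unit run-bypass4netnsd bypass4netnsd --handle-c2c-connections=true --tracer=true --debug
  sleep 1
  nerdctl run --annotation nerdctl/bypass4netns=true -d -p 8080:5201 --name test1 "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test1 apk add --no-cache iperf3
  TEST1_ADDR=$(nerdctl exec test1 hostname -i)
  # Without an address the negative check below would pass for the wrong
  # reason, so an empty result is treated as a test failure.
  if [ -z "$TEST1_ADDR" ]; then
    echo "could not determine the address of test1" >&2
    exit 1
  fi
  systemd-run --user --unit run-test1-iperf3 nerdctl exec test1 iperf3 -s
  nerdctl network create --subnet "10.4.1.0/24" net-2
  nerdctl run --net net-2 --annotation nerdctl/bypass4netns=true -d --name test2 "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test2 apk add --no-cache iperf3

  # With the tracer enabled this connection must NOT succeed. Testing the
  # command directly in "if" keeps errexit from firing on the expected failure.
  # NOTE(review): any non-zero exit counts as "blocked", including failures
  # unrelated to the tracer (for example the iperf3 server in test1 not being
  # up yet), so a pass here is weaker evidence than the message suggests.
  if nerdctl exec test2 iperf3 -c "$TEST1_ADDR" -t 1 --connect-timeout 1000; then
    echo "tracer seems not working"
    exit 1
  fi

  nerdctl rm -f test1
  nerdctl rm -f test2
  nerdctl network rm net-2
  systemctl --user stop run-bypass4netnsd
)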


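# Multinode mode exercised on a single host: bypass4netnsd registers with a
# local etcd instance, and test2 on net-2 must reach the iperf3 server in test1.
echo "===== multinode test (single node) ===="
(
  # Best-effort cleanup of leftovers from an earlier section or run. The
  # transient iperf3 unit is stopped as well, because systemd-run refuses to
  # create a unit whose name is still in use.
  set +e
  nerdctl rm -f test1
  nerdctl rm -f test2
  nerdctl network rm net-2
  systemctl --user stop run-bypass4netnsd
  systemctl --user stop run-test1-iperf3
  systemctl --user stop etcd.service
  systemctl --user reset-failed
  set -ex

  # NOTE(review): the etcd client endpoint is plain HTTP on the host's test
  # network address and no authentication options are passed here. That is
  # adequate for an isolated test host only; it is not a deployment template.
  systemd-run --user --unit etcd.service /usr/bin/etcd --listen-client-urls "http://${HOST_IP}:2379" --advertise-client-urls "http://${HOST_IP}:2379"
  systemd-run --user --unit run-bypass4netnsd bypass4netnsd --multinode=true --multinode-etcd-address="http://${HOST_IP}:2379" --multinode-host-address="${HOST_IP}" --debug
  sleep 1
  nerdctl run --annotation nerdctl/bypass4netns=true -d -p 8080:5201 --name test1 "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test1 apk add --no-cache iperf3
  TEST1_ADDR=$(nerdctl exec test1 hostname -i)
  systemd-run --user --unit run-test1-iperf3 nerdctl exec test1 iperf3 -s
  nerdctl network create --subnet "10.4.1.0/24" net-2
  nerdctl run --net net-2 --annotation nerdctl/bypass4netns=true -d --name test2 "${ALPINE_IMAGE}" sleep infinity
  nerdctl exec test2 apk add --no-cache iperf3
  # The connection from test2 to test1 must succeed.
  nerdctl exec test2 iperf3 -c "$TEST1_ADDR" -t 1 --connect-timeout 1000

  nerdctl rm -f test1
  nerdctl rm -f test2
  nerdctl network rm net-2
  systemctl --user stop run-bypass4netnsd
  systemctl --user stop etcd.service
  systemctl --user reset-failed
)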