integration-cli: fix TestDaemonICC tests for newer iptables versions
Debian Woodworm ships with a newer version of iptables, which caused two
tests to fail:
=== FAIL: amd64.integration-cli TestDockerDaemonSuite/TestDaemonICCLinkExpose (1.18s)
docker_cli_daemon_test.go:841: assertion failed: false (matched bool) != true (true bool): iptables output should have contained "DROP.*all.*ext-bridge6.*ext-bridge6", but was "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source destination \n 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0 \n 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0 \n 0 0 ACCEPT 0 -- * ext-bridge6 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED\n 0 0 DOCKER 0 -- * ext-bridge6 0.0.0.0/0 0.0.0.0/0 \n 0 0 ACCEPT 0 -- ext-bridge6 !ext-bridge6 0.0.0.0/0 0.0.0.0/0 \n 0 0 DROP 0 -- ext-bridge6 ext-bridge6 0.0.0.0/0 0.0.0.0/0 \n"
--- FAIL: TestDockerDaemonSuite/TestDaemonICCLinkExpose (1.18s)
=== FAIL: amd64.integration-cli TestDockerDaemonSuite/TestDaemonICCPing (1.19s)
docker_cli_daemon_test.go:803: assertion failed: false (matched bool) != true (true bool): iptables output should have contained "DROP.*all.*ext-bridge5.*ext-bridge5", but was "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source destination \n 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0 \n 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0 \n 0 0 ACCEPT 0 -- * ext-bridge5 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED\n 0 0 DOCKER 0 -- * ext-bridge5 0.0.0.0/0 0.0.0.0/0 \n 0 0 ACCEPT 0 -- ext-bridge5 !ext-bridge5 0.0.0.0/0 0.0.0.0/0 \n 0 0 DROP 0 -- ext-bridge5 ext-bridge5 0.0.0.0/0 0.0.0.0/0 \n"
--- FAIL: TestDockerDaemonSuite/TestDaemonICCPing (1.19s)
Both the `TestDaemonICCPing`, and `TestDaemonICCLinkExpose` test were introduced
in dd0666e64f. These tests called `iptables` with
the `-n` (`--numeric`) option, which prevents it from doing a reverse-DNS lookup
as an optimization.
However, the `-n` option did not have an effect to the `prot` column before
commit [da8ecc62dd765b15df84c3aa6b83dcb7a81d4ffa] (iptables < v1.8.9 or v1.8.8).
Newer versions, such as the iptables version shipping with Debian Woodworm do,
so we need to update the expected output for this version.
This patch removes the `-n` option, to keep the test more portable, also when
run non-containerized, and removes the use of regular expressions to check the
result, as these regular expressions were quite permissive (using `.*` wild-
card matching). Instead, we're getting the
With this change;
make DOCKER_GRAPHDRIVER=vfs TEST_FILTER=TestDaemonICC TEST_IGNORE_CGROUP_CHECK=1 test-integration
...
--- PASS: TestDockerDaemonSuite (139.11s)
--- PASS: TestDockerDaemonSuite/TestDaemonICCLinkExpose (54.62s)
--- PASS: TestDockerDaemonSuite/TestDaemonICCPing (84.48s)
[da8ecc62dd765b15df84c3aa6b83dcb7a81d4ffa]: https://git.netfilter.org/iptables/commit/?id=da8ecc62dd765b15df84c3aa6b83dcb7a81d4ffa
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
parent
f6533a1df1
commit
c3eed9fa3e
1 changed files with 38 additions and 16 deletions
|
|
@ -787,8 +787,8 @@ func (s *DockerDaemonSuite) TestDaemonICCPing(c *testing.T) {
|
|||
// which may happen if it was created with the same IP range.
|
||||
deleteInterface(c, "docker0")
|
||||
|
||||
bridgeName := "ext-bridge5"
|
||||
bridgeIP := "192.169.1.1/24"
|
||||
const bridgeName = "ext-bridge5"
|
||||
const bridgeIP = "192.169.1.1/24"
|
||||
|
||||
createInterface(c, "bridge", bridgeName, bridgeIP)
|
||||
defer deleteInterface(c, bridgeName)
|
||||
|
|
@ -796,19 +796,30 @@ func (s *DockerDaemonSuite) TestDaemonICCPing(c *testing.T) {
|
|||
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")
|
||||
defer d.Restart(c)
|
||||
|
||||
result := icmd.RunCommand("iptables", "-nvL", "FORWARD")
|
||||
result := icmd.RunCommand("sh", "-c", "iptables -vL FORWARD | grep DROP")
|
||||
result.Assert(c, icmd.Success)
|
||||
regex := fmt.Sprintf("DROP.*all.*%s.*%s", bridgeName, bridgeName)
|
||||
matched, _ := regexp.MatchString(regex, result.Combined())
|
||||
assert.Equal(c, matched, true, fmt.Sprintf("iptables output should have contained %q, but was %q", regex, result.Combined()))
|
||||
|
||||
// strip whitespace and newlines to verify we only found a single DROP
|
||||
out := strings.TrimSpace(result.Stdout())
|
||||
assert.Assert(c, is.Equal(strings.Count(out, "\n"), 0), "only expected a single DROP rules")
|
||||
|
||||
// Column headers are stripped because of grep-ing, but should be:
|
||||
//
|
||||
// pkts bytes target prot opt in out source destination
|
||||
// 0 0 DROP all -- ext-bridge5 ext-bridge5 anywhere anywhere
|
||||
cols := strings.Fields(out)
|
||||
|
||||
expected := []string{"0", "0", "DROP", "all", "--", bridgeName, bridgeName, "anywhere", "anywhere"}
|
||||
assert.DeepEqual(c, cols, expected)
|
||||
|
||||
// Pinging another container must fail with --icc=false
|
||||
pingContainers(c, d, true)
|
||||
|
||||
ipStr := "192.171.1.1/24"
|
||||
ip, _, _ := net.ParseCIDR(ipStr)
|
||||
ifName := "icc-dummy"
|
||||
const cidr = "192.171.1.1/24"
|
||||
ip, _, _ := net.ParseCIDR(cidr)
|
||||
const ifName = "icc-dummy"
|
||||
|
||||
createInterface(c, "dummy", ifName, ipStr)
|
||||
createInterface(c, "dummy", ifName, cidr)
|
||||
defer deleteInterface(c, ifName)
|
||||
|
||||
// But, Pinging external or a Host interface must succeed
|
||||
|
|
@ -825,8 +836,8 @@ func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *testing.T) {
|
|||
// which may happen if it was created with the same IP range.
|
||||
deleteInterface(c, "docker0")
|
||||
|
||||
bridgeName := "ext-bridge6"
|
||||
bridgeIP := "192.169.1.1/24"
|
||||
const bridgeName = "ext-bridge6"
|
||||
const bridgeIP = "192.169.1.1/24"
|
||||
|
||||
createInterface(c, "bridge", bridgeName, bridgeIP)
|
||||
defer deleteInterface(c, bridgeName)
|
||||
|
|
@ -834,11 +845,22 @@ func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *testing.T) {
|
|||
d.StartWithBusybox(testutil.GetContext(c), c, "--bridge", bridgeName, "--icc=false")
|
||||
defer d.Restart(c)
|
||||
|
||||
result := icmd.RunCommand("iptables", "-nvL", "FORWARD")
|
||||
result := icmd.RunCommand("sh", "-c", "iptables -vL FORWARD | grep DROP")
|
||||
result.Assert(c, icmd.Success)
|
||||
regex := fmt.Sprintf("DROP.*all.*%s.*%s", bridgeName, bridgeName)
|
||||
matched, _ := regexp.MatchString(regex, result.Combined())
|
||||
assert.Equal(c, matched, true, fmt.Sprintf("iptables output should have contained %q, but was %q", regex, result.Combined()))
|
||||
|
||||
// strip whitespace and newlines to verify we only found a single DROP
|
||||
out := strings.TrimSpace(result.Stdout())
|
||||
assert.Assert(c, is.Equal(strings.Count(out, "\n"), 0), "only expected a single DROP rules")
|
||||
|
||||
// Column headers are stripped because of grep-ing, but should be:
|
||||
//
|
||||
// pkts bytes target prot opt in out source destination
|
||||
// 0 0 DROP all -- ext-bridge6 ext-bridge6 anywhere anywhere
|
||||
cols := strings.Fields(out)
|
||||
|
||||
expected := []string{"0", "0", "DROP", "all", "--", bridgeName, bridgeName, "anywhere", "anywhere"}
|
||||
assert.DeepEqual(c, cols, expected)
|
||||
|
||||
out, err := d.Cmd("run", "-d", "--expose", "4567", "--name", "icc1", "busybox", "nc", "-l", "-p", "4567")
|
||||
assert.NilError(c, err, out)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue