7ecf36cc84
First, this change moves the internal config API to use flag.FlagSet, which allows more flexibility and fixes many test usages. Second, the runtime flags are validated during install. The platform is opened and a warning issued if this fails, but this is not fatal. This change requires moving the Makefile to --test_env, since the attribute is not properly supported by test targets. Therefore, the targets can use args while the Makefile must pass in configuration via --test_env. PiperOrigin-RevId: 428048274
README.md
iptables Tests
iptables tests are run via make iptables-tests.
The iptables tests require some extra Docker configuration to work. Enable IPv6 in /etc/docker/daemon.json (make sure to restart Docker if you change this file):
{
"experimental": true,
"fixed-cidr-v6": "2001:db8:1::/64",
"ipv6": true,
// Runtimes and other Docker config...
}
And if you're running manually (i.e. not using the make target), you'll need to:
- Enable iptables via modprobe iptable_filter && modprobe ip6table_filter.
- Enable --net-raw in your chosen runtime in /etc/docker/daemon.json (make sure to restart Docker if you change this file).
The resulting runtime should look something like this:
"runsc": {
"path": "/tmp/iptables/runsc",
"runtimeArgs": [
"--debug-log",
"/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
"--net-raw"
]
},
// ...
Test Structure
Each test implements TestCase, providing (1) a function to run inside the container and (2) a function to run locally. Those processes are given each other's IP addresses. The test succeeds when both functions succeed.
The function inside the container (ContainerAction) typically sets some iptables rules and then tries to send or receive packets. The local function (LocalAction) will typically just send or receive packets.
Adding Tests
- Add your test to the iptables package.
- Register the test in an init function via RegisterTestCase (see filter_input.go as an example).
- Add it to iptables_test.go (see the other tests in that file).
Your test is now runnable with bazel!
Run individual tests
Build and install runsc. Re-run this when you modify gVisor:
$ bazel build //runsc && sudo cp bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/runsc/runsc_/runsc $(which runsc)
Build the testing Docker container. Re-run this when you modify the test code in this directory:
$ make load-iptables
Run an individual test via:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
To run an individual test with runc:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_env=RUNTIME=runc