c60613475c
This change moves all Docker images to a standard location, and abstracts the build process so that they can be maintained in an automated fashion. This also allows the images to be architecture-independent. All images will now be referred to by the test framework via the canonical `gvisor.dev/images/<name>`, where `<name>` is a function of the path within the source tree. In a subsequent change, continuous integration will be added so that the images will always be correct and available locally. In the end, using `bazel` for Docker containers is simply not possible. Given that we already have the need to use `make` with the base container (for Docker), we extend this approach to get more flexibility. This change also adds a self-documenting and powerful Makefile that is intended to replace the collection of scripts in scripts. Canonical (self-documenting) targets can be added here for targets that understand which images need to be loaded and/or built. PiperOrigin-RevId: 308322438 |
||
---|---|---|
.. | ||
runner | ||
BUILD | ||
README.md | ||
filter_input.go | ||
filter_output.go | ||
iptables.go | ||
iptables_test.go | ||
iptables_util.go | ||
nat.go |
README.md
iptables Tests
iptables tests are run via scripts/iptables_test.sh
.
iptables requires raw socket support, so you must add the --net-raw=true
flag
to /etc/docker/daemon.json
in order to use it.
Test Structure
Each test implements TestCase
, providing (1) a function to run inside the
container and (2) a function to run locally. Those processes are given each
others' IP addresses. The test succeeds when both functions succeed.
The function inside the container (ContainerAction
) typically sets some
iptables rules and then tries to send or receive packets. The local function
(LocalAction
) will typically just send or receive packets.
Adding Tests
-
Add your test to the
iptables
package. -
Register the test in an
init
function viaRegisterTestCase
(seefilter_input.go
as an example). -
Add it to
iptables_test.go
(see the other tests in that file).
Your test is now runnable with bazel!
Run individual tests
Build and install runsc
. Re-run this when you modify gVisor:
$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)
Build the testing Docker container. Re-run this when you modify the test code in this directory:
$ make load-iptables
Run an individual test via:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
To run an individual test with runc
:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc