
Commit 904f9e1

squeedMarcelo Guerrero Viveros
authored andcommitted
firewall: run CI in isolated "root" network namespace
Since the firewall plugin touches the root netns, we should run it in a fresh "root" namespace for each invocation. This matches the way ptp does it. Signed-off-by: Casey Callendrello <[email protected]>
1 parent a5d507e commit 904f9e1

1 file changed

Lines changed: 38 additions & 14 deletions


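--- a/plugins/meta/firewall/firewall_integ_test.go
+++ b/plugins/meta/firewall/firewall_integ_test.go
@@ -45,8 +45,10 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 configListFoo *libcni.NetworkConfigList // "foo", 10.88.3.0/24
 configListBar *libcni.NetworkConfigList // "bar", 10.88.4.0/24
 cniConf *libcni.CNIConfig
+testRootNS ns.NetNS
 namespaces [nsCount]ns.NetNS
 results [nsCount]*types100.Result
+dataDir string
 )
 
 createNetworkConfig := func(name string, subnet string, gateway string, ingressPolicy string) string {
@@ -61,6 +63,7 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 "ipMasq": true,
 "hairpinMode": true,
 "ipam": {
+"dataDir": "%s",
 "type": "host-local",
 "routes": [
 {
@@ -83,7 +86,7 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 "ingressPolicy": "%s"
 }
 ]
-}`, name, name, subnet, gateway, ingressPolicy)
+}`, name, name, dataDir, subnet, gateway, ingressPolicy)
 }
 
 BeforeEach(func() {
@@ -95,6 +98,13 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 dirs := filepath.SplitList(os.Getenv("PATH"))
 cniConf = &libcni.CNIConfig{Path: dirs}
 
+dataDir, err = os.MkdirTemp("", "firewall_test")
+Expect(err).NotTo(HaveOccurred())
+
+testRootNS, err = testutils.NewNS()
+Expect(err).NotTo(HaveOccurred())
+fmt.Fprintf(GinkgoWriter, "root namespace: %s\n", testRootNS.Path())
+
 for i := 0; i < nsCount; i++ {
 targetNS, err := testutils.NewNS()
 Expect(err).NotTo(HaveOccurred())
@@ -107,8 +117,13 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 for _, targetNS := range namespaces {
 if targetNS != nil {
 targetNS.Close()
+testutils.UnmountNS(targetNS)
 }
 }
+
+Expect(testRootNS.Close()).To(Succeed())
+Expect(testutils.UnmountNS(testRootNS)).To(Succeed())
+Expect(os.RemoveAll(dataDir)).To(Succeed())
 })
 
 Describe("Testing with ingress-policy 'same-bridge", func() {
@@ -122,7 +137,7 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 createNetworkConfig("bar", "10.88.4.0/24", "10.88.4.1", "same-bridge")))
 Expect(err).NotTo(HaveOccurred())
 
-results = setupNetworks(cniConf, namespaces, configListFoo, configListBar)
+results = setupNetworks(cniConf, testRootNS, namespaces, configListFoo, configListBar)
 })
 
 Context("when testing connectivity", func() {
@@ -157,7 +172,7 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 createNetworkConfig("bar", "10.88.4.0/24", "10.88.4.1", "isolated")))
 Expect(err).NotTo(HaveOccurred())
 
-results = setupNetworks(cniConf, namespaces, configListFoo, configListBar)
+results = setupNetworks(cniConf, testRootNS, namespaces, configListFoo, configListBar)
 })
 
 Context("when testing connectivity", func() {
@@ -182,7 +197,7 @@ var _ = Describe("firewall integration tests (ingressPolicy: same-bridge)", func
 })
 })
 
-func setupNetworks(cniConf *libcni.CNIConfig, namespaces [nsCount]ns.NetNS,
+func setupNetworks(cniConf *libcni.CNIConfig, testRootNS ns.NetNS, namespaces [nsCount]ns.NetNS,
 configListFoo, configListBar *libcni.NetworkConfigList,
 ) [nsCount]*types100.Result {
 var results [nsCount]*types100.Result
@@ -199,19 +214,28 @@ func setupNetworks(cniConf *libcni.CNIConfig, namespaces [nsCount]ns.NetNS,
 configList = configListBar
 }
 
-// Cleanup any existing network
-_ = cniConf.DelNetworkList(context.TODO(), configList, &runtimeConfig)
+err := testRootNS.Do(func(ns.NetNS) error {
+defer GinkgoRecover()
 
-// Create network
-res, err := cniConf.AddNetworkList(context.TODO(), configList, &runtimeConfig)
-Expect(err).NotTo(HaveOccurred())
+// Create network
+res, err := cniConf.AddNetworkList(context.TODO(), configList, &runtimeConfig)
 
-// Setup cleanup
-DeferCleanup(func() {
-_ = cniConf.DelNetworkList(context.TODO(), configList, &runtimeConfig)
-})
+Expect(err).NotTo(HaveOccurred())
+
+results[i], err = types100.NewResultFromResult(res)
+Expect(err).NotTo(HaveOccurred())
 
-results[i], err = types100.NewResultFromResult(res)
+// Setup cleanup
+DeferCleanup(func() {
+testRootNS.Do(func(ns.NetNS) error {
+err := cniConf.DelNetworkList(context.TODO(), configList, &runtimeConfig)
+Expect(err).NotTo(HaveOccurred())
+return nil
+})
+})
+
+return nil
+})
 Expect(err).NotTo(HaveOccurred())
 }
 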
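Review bot: The cleanup registered through `DeferCleanup` (new lines 229–235) discards the error returned by `testRootNS.Do` and, unlike the outer `Do` closure, has no `defer GinkgoRecover()`, so a failed delete or an unusable namespace handle goes unreported. I would write it as `Expect(testRootNS.Do(func(ns.NetNS) error { defer GinkgoRecover(); return cniConf.DelNetworkList(context.TODO(), configList, &runtimeConfig) })).To(Succeed())`. It is also worth confirming the ordering against the teardown at new lines 124–125: if that block runs before these deferred cleanups, as I would expect if it is an `AfterEach`, `testRootNS` is already closed and the plugin's DEL path, which removes the firewall rules and IPAM state, is never exercised. The same teardown still ignores the results of `targetNS.Close()` and `testutils.UnmountNS(targetNS)` at new lines 119–120, while the new root-namespace calls are checked. The teardown block starts outside the visible hunks and the body of `setupNetworks` is only partly shown.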
