Merge pull request #23234 from Luap99/test-nftables

test netavark nftables driver
containers · Jul 11, 2024 · 360c4f3 · 360c4f3
2 parents 04bd415 + 926547f
commit 360c4f3
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 46 deletions.
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
@@ -147,6 +147,11 @@ case "$OS_RELEASE_ID" in
             msg "Enabling container_manage_cgroup"
             showrun setsebool container_manage_cgroup true
         fi
+
+        # Test nftables driver, https://fedoraproject.org/wiki/Changes/NetavarkNftablesDefault
+        # We can drop this once this implemented and pushed into fedora stable. We cannot test it on
+        # debian because the netavark version there is way to old for nftables support.
+        printf "[network]\nfirewall_driver=\"nftables\"\n" > /etc/containers/containers.conf.d/90-nftables.conf
         ;;
     *) die_unknown OS_RELEASE_ID
 esac

diff --git a/test/e2e/run_networking_test.go b/test/e2e/run_networking_test.go
@@ -187,17 +187,6 @@ var _ = Describe("Podman run networking", func() {
 		Expect(session.OutputToString()).To(ContainSubstring("nameserver 1.1.1.1"))
 	})
 
-	It("podman run network expose port 222", func() {
-		SkipIfRootless("iptables is not supported for rootless users")
-		session := podmanTest.Podman([]string{"run", "-dt", "--expose", "222-223", "-P", ALPINE, "/bin/sh"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitCleanly())
-		results := SystemExec("iptables", []string{"-t", "nat", "-nvL"})
-		Expect(results).Should(ExitCleanly())
-		Expect(results.OutputToString()).To(ContainSubstring("222"))
-		Expect(results.OutputToString()).To(ContainSubstring("223"))
-	})
-
 	It("podman run -p 80", func() {
 		name := "testctr"
 		session := podmanTest.Podman([]string{"create", "-t", "-p", "80", "--name", name, ALPINE, "/bin/sh"})
@@ -361,7 +350,7 @@ var _ = Describe("Podman run networking", func() {
 
 	It("podman run --expose 80 -P", func() {
 		name := "testctr"
-		session := podmanTest.Podman([]string{"create", "-t", "--expose", "80", "-P", "--name", name, ALPINE, "/bin/sh"})
+		session := podmanTest.Podman([]string{"run", "-d", "--expose", "80", "-P", "--name", name, ALPINE, "sleep", "100"})
 		session.WaitWithDefaultTimeout()
 		inspectOut := podmanTest.InspectContainer(name)
 		Expect(inspectOut).To(HaveLen(1))
@@ -373,7 +362,7 @@ var _ = Describe("Podman run networking", func() {
 
 	It("podman run --expose 80/udp -P", func() {
 		name := "testctr"
-		session := podmanTest.Podman([]string{"create", "-t", "--expose", "80/udp", "-P", "--name", name, ALPINE, "/bin/sh"})
+		session := podmanTest.Podman([]string{"run", "-d", "--expose", "80/udp", "-P", "--name", name, ALPINE, "sleep", "100"})
 		session.WaitWithDefaultTimeout()
 		inspectOut := podmanTest.InspectContainer(name)
 		Expect(inspectOut).To(HaveLen(1))
@@ -383,6 +372,22 @@ var _ = Describe("Podman run networking", func() {
 		Expect(inspectOut[0].NetworkSettings.Ports["80/udp"][0]).To(HaveField("HostIP", "0.0.0.0"))
 	})
 
+	It("podman run --expose port range", func() {
+		name := "testctr"
+		session := podmanTest.Podman([]string{"run", "-d", "--expose", "222-223", "-P", "--name", name, ALPINE, "sleep", "100"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		inspectOut := podmanTest.InspectContainer(name)
+		Expect(inspectOut).To(HaveLen(1))
+		Expect(inspectOut[0].NetworkSettings.Ports).To(HaveLen(2))
+		Expect(inspectOut[0].NetworkSettings.Ports["222/tcp"]).To(HaveLen(1))
+		Expect(inspectOut[0].NetworkSettings.Ports["222/tcp"][0].HostPort).To(Not(Equal("0")))
+		Expect(inspectOut[0].NetworkSettings.Ports["222/tcp"][0]).To(HaveField("HostIP", "0.0.0.0"))
+		Expect(inspectOut[0].NetworkSettings.Ports["223/tcp"]).To(HaveLen(1))
+		Expect(inspectOut[0].NetworkSettings.Ports["223/tcp"][0].HostPort).To(Not(Equal("0")))
+		Expect(inspectOut[0].NetworkSettings.Ports["223/tcp"][0]).To(HaveField("HostIP", "0.0.0.0"))
+	})
+
 	It("podman run --expose 80 -p 80", func() {
 		name := "testctr"
 		session := podmanTest.Podman([]string{"create", "-t", "--expose", "80", "-p", "80", "--name", name, ALPINE, "/bin/sh"})
@@ -484,32 +489,6 @@ EXPOSE 2004-2005/tcp`, ALPINE)
 		Expect(inspectOut[0].NetworkSettings.Ports["80/tcp"][0]).To(HaveField("HostIP", "0.0.0.0"))
 	})
 
-	It("podman run network expose host port 80 to container port", func() {
-		SkipIfRootless("iptables is not supported for rootless users")
-		port1 := GetPort()
-		port2 := GetPort()
-		session := podmanTest.Podman([]string{"run", "-dt", "-p", fmt.Sprintf("%d:%d", port1, port2), ALPINE, "/bin/sh"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitCleanly())
-		results := SystemExec("iptables", []string{"-t", "nat", "-nvL"})
-		Expect(results).Should(ExitCleanly())
-		Expect(results.OutputToString()).To(ContainSubstring(strconv.Itoa(port2)))
-
-		ncBusy := SystemExec("nc", []string{"-l", "-p", strconv.Itoa(port1)})
-		Expect(ncBusy).To(ExitWithError(2, fmt.Sprintf("Ncat: bind to 0.0.0.0:%d: Address already in use. QUITTING.", port1)))
-	})
-
-	It("podman run network expose host port 18081 to container port 8000 using rootlesskit port handler", func() {
-		port1 := GetPort()
-		port2 := GetPort()
-		session := podmanTest.Podman([]string{"run", "--network", "slirp4netns:port_handler=rootlesskit", "-dt", "-p", fmt.Sprintf("%d:%d", port2, port1), ALPINE, "/bin/sh"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).Should(ExitCleanly())
-
-		ncBusy := SystemExec("nc", []string{"-l", "-p", strconv.Itoa(port2)})
-		Expect(ncBusy).To(ExitWithError(2, fmt.Sprintf("Ncat: bind to [::]:%d: Address already in use. QUITTING.", port2)))
-	})
-
 	It("podman run slirp4netns verify net.ipv6.conf.default.accept_dad=0", func() {
 		session := podmanTest.Podman([]string{"run", "--network", "slirp4netns:enable_ipv6=true", ALPINE, "ip", "addr"})
 		session.WaitWithDefaultTimeout()

diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats
@@ -317,14 +317,16 @@ load helpers.network
     run curl -s -S $SERVER/index.txt
     is "$output" "$random_1" "curl 127.0.0.1:/index.txt"
 
-    # rootless cannot modify iptables
+    # rootless cannot modify the host firewall
     if ! is_rootless; then
-        # flush the port forwarding iptable rule here
-        chain="CNI-HOSTPORT-DNAT"
-        if is_netavark; then
-            chain="NETAVARK-HOSTPORT-DNAT"
-        fi
-        run iptables -t nat -F "$chain"
+        # for debugging only
+        iptables -t nat -nvL || true
+        nft list ruleset     || true
+
+        # flush the firewall rule here to break port forwarding
+        # netavark can use either iptables or nftables, so try flushing both
+        iptables -t nat -F "NETAVARK-HOSTPORT-DNAT" || true
+        nft delete table inet netavark              || true
 
         # check that we cannot curl (timeout after 1 sec)
         run curl --max-time 1 -s $SERVER/index.txt
@@ -726,6 +728,7 @@ nameserver 8.8.8.8" "nameserver order is correct"
     run_podman network rm -f $netname
 }
 
+# bats test_tags=distro-integration
 @test "podman run port forward range" {
     # we run a long loop of tests lets run all combinations before bailing out
     defer-assertion-failures
@@ -755,6 +758,12 @@ nameserver 8.8.8.8" "nameserver order is correct"
 
         run_podman run --network $netmode -p "$range:$range" -d $IMAGE sleep inf
         cid="$output"
+
+        # make sure binding the same port fails
+        run timeout 5 nc -l -p $port 127.0.0.1
+        assert "$status" -eq 2 "ncat unexpected exit code"
+        assert "$output" =~ "127.0.0.1:$port: Address already in use" "ncat error message"
+
         for port in $(seq $port $end_port); do
             run_podman exec -d $cid nc -l -p $port -e /bin/cat
 

diff --git a/test/upgrade/test-upgrade.bats b/test/upgrade/test-upgrade.bats
@@ -48,6 +48,11 @@ setup() {
     # skip_mount_home=true is required so we can share the storage mounts between host and container,
     # the default c/storage behavior is to make the mount propagation private.
     export _PODMAN_TEST_OPTS="--storage-opt=skip_mount_home=true --cgroup-manager=cgroupfs --root=$PODMAN_UPGRADE_WORKDIR/root --runroot=$PODMAN_UPGRADE_WORKDIR/runroot --tmpdir=$PODMAN_UPGRADE_WORKDIR/tmp"
+
+    # Old netavark used iptables but newer versions might uses nftables.
+    # Networking can only work correctly if both use the same firewall driver so force iptables.
+    printf "[network]\nfirewall_driver=\"iptables\"\n" > $PODMAN_UPGRADE_WORKDIR/containers.conf
+    export CONTAINERS_CONF_OVERRIDE=$PODMAN_UPGRADE_WORKDIR/containers.conf
 }
 
 ###############################################################################
@@ -180,6 +185,7 @@ EOF
             --net=host \
             --cgroupns=host \
             --pid=host \
+            --env CONTAINERS_CONF_OVERRIDE \
             $v_sconf \
             -v /dev/fuse:/dev/fuse \
             -v /run/crun:/run/crun \