From 63e2f81ec006546cd681b3039952aa0925e213d9 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Thu, 27 Jan 2022 17:07:43 -0500
Subject: [PATCH] tests: add iptables-nft test This is prep for enabling iptables-nft in `next`. Because tests are shared between streams, this is a bit awkward. The way this does it is: - Make the iptables-legacy test exclusive and attach a Butane config that sets the legacy symlinks. On next, this will verify that this config can be used to boot into legacy. On !next, this will verify that the config can safely be used even before migration. - Add an iptables non-exclusive test. On next, this will verify that the default backend is nft. On !next, it will verify that it is legacy. Once the migration is over on all streams, the latter check will be removed, so it'll purely check for nft.
---
tests/kola/firewall/data/commonlib.sh | 1 -
tests/kola/firewall/iptables-legacy | 18 ------------
tests/kola/firewall/iptables-legacy/config.bu | 28 +++++++++++++++++++
.../iptables-legacy/data/commonlib.sh | 1 +
tests/kola/firewall/iptables-legacy/test.sh | 14 ++++++++++
.../kola/firewall/iptables/data/commonlib.sh | 1 +
tests/kola/firewall/iptables/test.sh | 26 +++++++++++++++++
7 files changed, 70 insertions(+), 19 deletions(-)
delete mode 120000 tests/kola/firewall/data/commonlib.sh
delete mode 100755 tests/kola/firewall/iptables-legacy
create mode 100644 tests/kola/firewall/iptables-legacy/config.bu
create mode 120000 tests/kola/firewall/iptables-legacy/data/commonlib.sh
create mode 100755 tests/kola/firewall/iptables-legacy/test.sh
create mode 120000 tests/kola/firewall/iptables/data/commonlib.sh
create mode 100755 tests/kola/firewall/iptables/test.sh
diff --git a/tests/kola/firewall/data/commonlib.sh b/tests/kola/firewall/data/commonlib.sh
deleted file mode 120000
index 1742d51e67..0000000000
--- a/tests/kola/firewall/data/commonlib.sh
+++ /dev/null
@@ -1 +0,0 @@
-../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/firewall/iptables-legacy b/tests/kola/firewall/iptables-legacy
deleted file mode 100755
index 594f691a5d..0000000000
--- a/tests/kola/firewall/iptables-legacy
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# kola: { "distros": "fcos", "exclusive": false }
-# This test is currently scoped to only FCOS because the RHCOS version of `iptables`
-# is using the `nf_tables` backend.
-# TODO: modify this test to check for `nf_tables` backend when FCOS switches.
-# See https://github.com/coreos/fedora-coreos-config/pull/1324
-
-set -xeuo pipefail
-
-. $KOLA_EXT_DATA/commonlib.sh
-
-# Make sure we're still on legacy iptables for now
-# https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
-if ! iptables --version | grep legacy; then
- iptables --version # output for logs
- fatal "iptables version is not legacy"
-fi
-ok "iptables still in legacy mode"
diff --git a/tests/kola/firewall/iptables-legacy/config.bu b/tests/kola/firewall/iptables-legacy/config.bu
new file mode 100644
index 0000000000..c7092c4022
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/config.bu
@@ -0,0 +1,28 @@
+variant: fcos
+version: 1.4.0
+storage:
+ links:
+ - path: /etc/alternatives/iptables
+ target: /usr/sbin/iptables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-restore
+ target: /usr/sbin/iptables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-save
+ target: /usr/sbin/iptables-legacy-save
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables
+ target: /usr/sbin/ip6tables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-restore
+ target: /usr/sbin/ip6tables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-save
+ target: /usr/sbin/ip6tables-legacy-save
+ overwrite: true
+ hard: false
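Review bot: The new config.bu has no comment saying why these six links are overridden or that they need to change together. That matters because applying only part of the list would leave some of the iptables/ip6tables commands on the legacy backend and the rest on nft. A header comment such as `# Pin every iptables/ip6tables alternatives link to the legacy backend; keep all six entries together.` would record the intent. Whether these six are the complete set of links managed by the alternatives group cannot be checked from this patch and is worth confirming.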
diff --git a/tests/kola/firewall/iptables-legacy/data/commonlib.sh b/tests/kola/firewall/iptables-legacy/data/commonlib.sh
new file mode 120000
index 0000000000..b8dcbdca1a
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/data/commonlib.sh
@@ -0,0 +1 @@
+../../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/firewall/iptables-legacy/test.sh b/tests/kola/firewall/iptables-legacy/test.sh
new file mode 100755
index 0000000000..8ef28366cd
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/test.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# kola: { "distros": "fcos", "exclusive": true }
+# This test verifies that one can configure a node to use the legacy iptables
+# backend. It is scoped to only FCOS because RHCOS only supports nft.
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+# Make sure we're on legacy iptables
+if ! iptables --version | grep legacy; then
+ iptables --version # output for logs
+ fatal "iptables version is not legacy"
+fi
+ok "iptables in legacy mode"
diff --git a/tests/kola/firewall/iptables/data/commonlib.sh b/tests/kola/firewall/iptables/data/commonlib.sh
new file mode 120000
index 0000000000..b8dcbdca1a
--- /dev/null
+++ b/tests/kola/firewall/iptables/data/commonlib.sh
@@ -0,0 +1 @@
+../../../data/commonlib.sh
\ No newline at end of file
diff --git a/tests/kola/firewall/iptables/test.sh b/tests/kola/firewall/iptables/test.sh
new file mode 100755
index 0000000000..3477f2f125
--- /dev/null
+++ b/tests/kola/firewall/iptables/test.sh
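Review bot: The check at the end of iptables-legacy/test.sh runs only `iptables --version`, while config.bu in this commit repoints six links, including `ip6tables` and the `-save`/`-restore` variants. The test would still pass if the IPv6 link had stayed on nft, which would leave IPv4 and IPv6 rules going through different backends without any test noticing. Running the same check over both `iptables` and `ip6tables` closes most of that gap. The unquoted `. $KOLA_EXT_DATA/commonlib.sh` would also be safer as `. "$KOLA_EXT_DATA/commonlib.sh"`.

```shell
# … unchanged: shebang, kola header, set -xeuo pipefail, commonlib.sh source …
# Make sure both address families are on legacy iptables
for cmd in iptables ip6tables; do
    if ! "$cmd" --version | grep legacy; then
        "$cmd" --version # output for logs
        fatal "$cmd version is not legacy"
    fi
done
ok "iptables and ip6tables in legacy mode"
```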
@@ -0,0 +1,26 @@
+#!/bin/bash
+# kola: { "exclusive": false }
+# Verifies that the expected iptables backend is configured.
+# https://github.com/coreos/fedora-coreos-tracker/issues/676
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+# we're currently rolling out to next first
+case "$(get_fcos_stream)" in
+ "next-devel" | "next")
+ if ! iptables --version | grep nf_tables; then
+ iptables --version # output for logs
+ fatal "iptables version is not nft"
+ fi
+ ok "iptables in nft mode"
+ ;;
+ *)
+ # Make sure we're on legacy iptables
+ if ! iptables --version | grep legacy; then
+ iptables --version # output for logs
+ fatal "iptables version is not legacy"
+ fi
+ ok "iptables in legacy mode"
+ ;;
+esac
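Review bot: The kola header on this new test drops the `"distros": "fcos"` restriction that the removed iptables-legacy script carried, yet the `*)` arm asserts the legacy backend for every stream value other than `next-devel` and `next`. The legacy test added in this same commit says RHCOS only supports nft, so if this test is ever run there, or if `get_fcos_stream` (defined in commonlib.sh, not visible here) returns an empty or unexpected value, the fallback arm checks for the wrong backend. Either keep the scope as `# kola: { "distros": "fcos", "exclusive": false }`, or name the legacy streams explicitly and let `*)` call `fatal` on an unknown stream.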