-
Notifications
You must be signed in to change notification settings - Fork 159
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This is prep for enabling iptables-nft in `next`. Because tests are shared between streams, this is a bit awkward. The way this does it is: - Make the iptables-legacy test exclusive and attach a Butane config that sets the legacy symlinks. On next, this will verify that this config can be used to boot into legacy. On !next, this will verify that the config can safely be used even before migration. - Add an iptables-nft test non-exclusive test. On next, this will verify that the default backend is nft. On !next, it will verify that it is legacy. Once the migration is over on all streams, the latter check will be removed, so it'll purely check for nft.
- Loading branch information
Showing
6 changed files
with
57 additions
and
6 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| variant: fcos | ||
| version: 1.4.0 | ||
| storage: | ||
| links: | ||
| - path: /etc/alternatives/iptables | ||
| target: /usr/sbin/iptables-legacy | ||
| overwrite: true | ||
| hard: false | ||
| - path: /etc/alternatives/iptables-restore | ||
| target: /usr/sbin/iptables-legacy-restore | ||
| overwrite: true | ||
| hard: false | ||
| - path: /etc/alternatives/iptables-save | ||
| target: /usr/sbin/iptables-legacy-save | ||
| overwrite: true | ||
| hard: false | ||
| - path: /etc/alternatives/ip6tables | ||
| target: /usr/sbin/ip6tables-legacy | ||
| overwrite: true | ||
| hard: false | ||
| - path: /etc/alternatives/ip6tables-restore | ||
| target: /usr/sbin/ip6tables-legacy-restore | ||
| overwrite: true | ||
| hard: false | ||
| - path: /etc/alternatives/ip6tables-save | ||
| target: /usr/sbin/ip6tables-legacy-save | ||
| overwrite: true | ||
| hard: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../../data/commonlib.sh |
8 changes: 3 additions & 5 deletions
8
tests/kola/firewall/iptables-legacy → tests/kola/firewall/iptables-legacy/test.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,16 @@ | ||
| #!/bin/bash | ||
| # kola: { "distros": "fcos", "exclusive": false } | ||
| # kola: { "distros": "fcos", "exclusive": true } | ||
| # This test is currently scoped to only FCOS because the RHCOS version of `iptables` | ||
| # is using the `nf_tables` backend. | ||
| # TODO: modify this test to check for `nf_tables` backend when FCOS switches. | ||
| # See https://github.com/coreos/fedora-coreos-config/pull/1324 | ||
|
|
||
| set -xeuo pipefail | ||
|
|
||
| . $KOLA_EXT_DATA/commonlib.sh | ||
|
|
||
| # Make sure we're still on legacy iptables for now | ||
| # https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451 | ||
| # Make sure we're on legacy iptables | ||
| if ! iptables --version | grep legacy; then | ||
| iptables --version # output for logs | ||
| fatal "iptables version is not legacy" | ||
| fi | ||
| ok "iptables still in legacy mode" | ||
| ok "iptables in legacy mode" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../../data/commonlib.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| #!/bin/bash | ||
| # kola: { "exclusive": false } | ||
| set -xeuo pipefail | ||
|
|
||
| . $KOLA_EXT_DATA/commonlib.sh | ||
|
|
||
| stream=$(rpm-ostree status -b --json | jq -r '.deployments[0]["base-commit-meta"]["fedora-coreos.stream"]') | ||
| case "$stream" in | ||
| "next-devel" | "next") | ||
| if ! iptables --version | grep nf_tables; then | ||
| iptables --version # output for logs | ||
| fatal "iptables version is not nft" | ||
| fi | ||
| ok "iptables in nft mode" | ||
| ;; | ||
| *) | ||
| # Make sure we're on legacy iptables | ||
| if ! iptables --version | grep legacy; then | ||
| iptables --version # output for logs | ||
| fatal "iptables version is not legacy" | ||
| fi | ||
| ok "iptables in legacy mode" | ||
| ;; | ||
| esac |