tests/manual: add iptables-nft upgrade tests

These are manual upgrade tests that verify various upgrade paths for iptables-nft. It's manual in that you have to update the `OCIARCHIVE_URL` to point to a URL of an ociarchive of a build with `35coreos-iptables`. Long-term, I'd like to add external tests support directly in upgrade tests so that we could have access to the artifacts vis e.g. `KOLA_EXT_DATA` or a mount. But for now, this will do. To run the tests, first update `OCIARCHIVE_URL`, and then: ``` kola run -E /path/to/tests/manual/iptables-nft-migration ext.iptables-nft-migration.* ```
coreos · Feb 16, 2022 · 886869a · 886869a
1 parent 63e2f81
commit 886869a
Show file tree

Hide file tree

Showing 9 changed files with 144 additions and 0 deletions.
diff --git a/tests/manual/iptables-nft-migration/tests/kola/already-migrated/config.bu b/tests/manual/iptables-nft-migration/tests/kola/already-migrated/config.bu
@@ -0,0 +1,28 @@
+variant: fcos
+version: 1.4.0
+storage:
+  links:
+    - path: /etc/alternatives/iptables
+      target: /usr/sbin/iptables-nft
+      overwrite: true
+      hard: false
+    - path: /etc/alternatives/iptables-restore
+      target: /usr/sbin/iptables-nft-restore
+      overwrite: true
+      hard: false
+    - path: /etc/alternatives/iptables-save
+      target: /usr/sbin/iptables-nft-save
+      overwrite: true
+      hard: false
+    - path: /etc/alternatives/ip6tables
+      target: /usr/sbin/ip6tables-nft
+      overwrite: true
+      hard: false
+    - path: /etc/alternatives/ip6tables-restore
+      target: /usr/sbin/ip6tables-nft-restore
+      overwrite: true
+      hard: false
+    - path: /etc/alternatives/ip6tables-save
+      target: /usr/sbin/ip6tables-nft-save
+      overwrite: true
+      hard: false
diff --git a/tests/manual/iptables-nft-migration/tests/kola/already-migrated/data/common.sh b/tests/manual/iptables-nft-migration/tests/kola/already-migrated/data/common.sh
@@ -0,0 +1 @@
+../../data/common.sh
diff --git a/tests/manual/iptables-nft-migration/tests/kola/already-migrated/test.sh b/tests/manual/iptables-nft-migration/tests/kola/already-migrated/test.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# kola: { "tags": "needs-internet" }
+
+. $KOLA_EXT_DATA/common.sh
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+  "")
+      assert_iptables_nft
+      assert_iptables_differs_from_default
+      upgrade
+      /tmp/autopkgtest-reboot rebooted
+      ;;
+
+  rebooted)
+      assert_iptables_nft
+      assert_iptables_matches_default
+      ;;
+  *) fatal "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}";;
+esac
diff --git a/tests/manual/iptables-nft-migration/tests/kola/data/common.sh b/tests/manual/iptables-nft-migration/tests/kola/data/common.sh
@@ -0,0 +1,22 @@
+OCIARCHIVE_URL=http://192.168.0.13:8000/fedora-coreos-35.20220210.dev.0-ostree.x86_64.ociarchive
+
+upgrade() {
+    curl -Lo /var/tmp/update.ociarchive "${OCIARCHIVE_URL}"
+    rpm-ostree rebase --experimental ostree-unverified-image:oci-archive:/var/tmp/update.ociarchive
+}
+
+assert_iptables_legacy() {
+    iptables --version | grep legacy
+}
+
+assert_iptables_nft() {
+    iptables --version | grep nf_tables
+}
+
+assert_iptables_differs_from_default() {
+    ostree admin config-diff | grep alternatives/iptables
+}
+
+assert_iptables_matches_default() {
+    ! ostree admin config-diff | grep alternatives/iptables
+}
diff --git a/tests/manual/iptables-nft-migration/tests/kola/migrate-to-nft b/tests/manual/iptables-nft-migration/tests/kola/migrate-to-nft
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# kola: { "tags": "needs-internet" }
+
+. $KOLA_EXT_DATA/common.sh
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+  "")
+      assert_iptables_legacy
+      assert_iptables_matches_default
+      upgrade
+      /tmp/autopkgtest-reboot rebooted
+      ;;
+
+  rebooted)
+      assert_iptables_nft
+      assert_iptables_matches_default
+      ;;
+  *) fatal "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}";;
+esac
diff --git a/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day1/config.bu b/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day1/config.bu
@@ -0,0 +1,6 @@
+variant: fcos
+version: 1.4.0
+storage:
+  files:
+    - path: /etc/coreos/iptables-legacy.stamp
+      mode: 0644
diff --git a/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day1/data/common.sh b/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day1/data/common.sh
@@ -0,0 +1 @@
+../../data/common.sh
diff --git a/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day1/test.sh b/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day1/test.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# kola: { "tags": "needs-internet" }
+
+. $KOLA_EXT_DATA/common.sh
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+  "")
+      assert_iptables_legacy
+      assert_iptables_matches_default
+      upgrade
+      /tmp/autopkgtest-reboot rebooted
+      ;;
+
+  rebooted)
+      assert_iptables_legacy
+      assert_iptables_differs_from_default
+      ;;
+  *) fatal "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}";;
+esac
diff --git a/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day2 b/tests/manual/iptables-nft-migration/tests/kola/stay-on-legacy.day2
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# kola: { "tags": "needs-internet" }
+
+. $KOLA_EXT_DATA/common.sh
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+  "")
+      assert_iptables_legacy
+      assert_iptables_matches_default
+      mkdir -m 755 /etc/coreos/
+      touch /etc/coreos/iptables-legacy.stamp
+      upgrade
+      /tmp/autopkgtest-reboot rebooted
+      ;;
+
+  rebooted)
+      assert_iptables_legacy
+      assert_iptables_differs_from_default
+      ;;
+  *) fatal "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}";;
+esac