Integrations tests for iptables (destructive and needs privileges) #31010

Open: wants to merge 3 commits into base: devel
8 participants

sebastiendarocha commented Sep 27, 2017

SUMMARY

Added integration tests based on the examples of the documentation of the module iptables

ISSUE TYPE
  • Docs Pull Request
COMPONENT NAME

module/system/iptables

ANSIBLE VERSION
ansible 2.5.0 (iptables_integration_test a99289a289) last updated 2017/09/28 00:03:32 (GMT +200)
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/sebastien/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/sebastien/Source/ansible/lib/ansible
  executable location = /home/sebastien/Source/ansible/bin/ansible
  python version = 3.5.2 (default, Aug 18 2017, 17:48:00) [GCC 5.4.0 20160609]
ADDITIONAL INFORMATION

Tests for ubuntu/opensuse/centos
Privileges needed for iptables to access the kernel tables in docker
Won't run on FreeBSD, OSX and Windows.
Pretty destructive because it flushes several chains on the managed host

(ansible-dev) 00:02 sebastien@barbie: ~/Source/ansible$ test/runner/ansible-test integration --docker centos7 iptables --docker-privileged 
httptester: Pulling from ansible/ansible
Digest: sha256:17cde52d2c2e0f374546e68be95f113066b6c7520e5dd7dd025cff46ea0f579e
Status: Image is up to date for ansible/ansible:httptester
centos7: Pulling from ansible/ansible
Digest: sha256:bd571611112cccefdaa951ea640177cbb77c8ee011f958d2562781d90594ea9c
Status: Image is up to date for ansible/ansible:centos7
Ignoring sphinx: markers u"python_version < '2.7'" don't match your environment
Ignoring wheel: markers u"python_version < '2.7'" don't match your environment
Ignoring yamllint: markers u"python_version < '2.7'" don't match your environment
Ignoring ordereddict: markers u"python_version < '2.7'" don't match your environment
Requirement already satisfied (use --upgrade to upgrade): cryptography in /usr/lib64/python2.7/site-packages (from -r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): jinja2 in /usr/lib/python2.7/site-packages (from -r test/runner/requirements/integration.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): junit-xml in /usr/lib/python2.7/site-packages (from -r test/runner/requirements/integration.txt (line 3))
Requirement already satisfied (use --upgrade to upgrade): paramiko in /usr/lib/python2.7/site-packages (from -r test/runner/requirements/integration.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): pyyaml in /usr/lib64/python2.7/site-packages (from -r test/runner/requirements/integration.txt (line 6))
Requirement already satisfied (use --upgrade to upgrade): idna<2.6 in /usr/lib/python2.7/site-packages (from -c test/runner/requirements/constraints.txt (line 10))
Requirement already satisfied (use --upgrade to upgrade): pyasn1>=0.1.8 in /usr/lib/python2.7/site-packages (from cryptography->-r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/site-packages (from cryptography->-r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages (from cryptography->-r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): enum34 in /usr/lib/python2.7/site-packages (from cryptography->-r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): ipaddress in /usr/lib/python2.7/site-packages (from cryptography->-r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): cffi>=1.4.1 in /usr/lib64/python2.7/site-packages (from cryptography->-r test/runner/requirements/integration.txt (line 1))
Requirement already satisfied (use --upgrade to upgrade): markupsafe in /usr/lib64/python2.7/site-packages (from jinja2->-r test/runner/requirements/integration.txt (line 2))
Requirement already satisfied (use --upgrade to upgrade): pycrypto>=2.6 in /usr/lib64/python2.7/site-packages (from -c test/runner/requirements/constraints.txt (line 8))
Requirement already satisfied (use --upgrade to upgrade): ecdsa>=0.11 in /usr/lib/python2.7/site-packages (from paramiko->-r test/runner/requirements/integration.txt (line 5))
Requirement already satisfied (use --upgrade to upgrade): pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.4.1->cryptography->-r test/runner/requirements/integration.txt (line 1))
Running iptables integration test role

PLAY [testhost] ****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [testhost]

TASK [iptables : install iptables for ubuntu] **********************************
skipping: [testhost]

TASK [iptables : install iptables for opensuse] ********************************
skipping: [testhost]

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : clear INPUT chain / of filter table] **************************
changed: [testhost]

TASK [iptables : Allow related and established connections] ********************
changed: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Allow related and established connections assert changed False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Allow related and established connections check result] *******
changed: [testhost]

TASK [iptables : Allow related and established connections assert result False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Allow related and established connections check rules created] ***
changed: [testhost]

TASK [iptables : Allow related and established connections assert rules created False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : Allow related and established connections idempotent] *********
ok: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Allow related and established connections assert changed True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Allow related and established connections check result idempotent] ***
changed: [testhost]

TASK [iptables : Allow related and established connections assert result True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Allow related and established connections check rules created idempotent] ***
changed: [testhost]

TASK [iptables : Allow related and established connections assert rules created True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : clear INPUT chain / of filter table] **************************
changed: [testhost]

TASK [iptables : Block specific IP] ********************************************
changed: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Block specific IP assert changed False] ***********************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Block specific IP check result] *******************************
changed: [testhost]

TASK [iptables : Block specific IP assert result False] ************************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Block specific IP check rules created] ************************
changed: [testhost]

TASK [iptables : Block specific IP assert rules created False] *****************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : Block specific IP indempotent] ********************************
ok: [testhost]

TASK [iptables : assert] *******************************************************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Block specific IP assert changed True] ************************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Block specific IP check result idempotent] ********************
changed: [testhost]

TASK [iptables : Block specific IP assert result True] *************************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Block specific IP check rules created idempotent] *************
changed: [testhost]

TASK [iptables : Block specific IP assert rules created True] ******************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : clear input table] ********************************************
changed: [testhost]

TASK [iptables : Forward port 80 to 8600] **************************************
changed: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Forward port 80 to 8600 assert changed False] *****************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Forward port 80 to 8600 check result] *************************
changed: [testhost]

TASK [iptables : Forward port 80 to 8600 assert result False] ******************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Forward port 80 to 8600 check rules created] ******************
changed: [testhost]

TASK [iptables : Forward port 80 to 8600 assert rules created False] ***********
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : Forward port 80 to 8600 idempotent] ***************************
ok: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Forward port 80 to 8600 assert changed True] ******************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Forward port 80 to 8600 check result idempotent] **************
changed: [testhost]

TASK [iptables : Forward port 80 to 8600 assert result True] *******************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Forward port 80 to 8600 check rules created idempotent] *******
changed: [testhost]

TASK [iptables : Forward port 80 to 8600 assert rules created True] ************
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : clear INPUT chain / of filter table] **************************
changed: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP] *******************
changed: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Set the policy for the INPUT chain to DROP assert changed False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Set the policy for the INPUT chain to DROP check result] ******
skipping: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP assert result False] ***
skipping: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP check rules created] ***
changed: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP assert rules created False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Set the policy for the INPUT chain to DROP assert policy set] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP idempotent] ********
ok: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Set the policy for the INPUT chain to DROP assert changed True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Set the policy for the INPUT chain to DROP check result idempotent] ***
skipping: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP assert result True] ***
skipping: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP check rules created idempotent] ***
changed: [testhost]

TASK [iptables : Set the policy for the INPUT chain to DROP assert rules created True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Set the policy for the INPUT chain to DROP assert policy set] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : clear OUTPUT chain / of mangle table] *************************
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8] ****************
changed: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 assert changed False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 check result] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 assert result False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 check rules created] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 assert rules created False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 idempotent] *****
ok: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 assert changed True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 check result idempotent] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 assert result True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 check rules created idempotent] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP mark 8 assert rules created True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : clear OUTPUT chain / of mangle table] *************************
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1] *****
changed: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 assert changed False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 check result] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 assert result False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 check rules created] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 assert rules created False] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : set_fact] *****************************************************
ok: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 idempotent] ***
ok: [testhost]

TASK [iptables : include_tasks] ************************************************
included: /root/ansible/test/integration/targets/iptables/tasks/check-table.yml for testhost

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 assert changed True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 check result idempotent] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 assert result True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 check rules created idempotent] ***
changed: [testhost]

TASK [iptables : Tag all outbound tcp packets with DSCP DiffServClass CS1 assert rules created True] ***
ok: [testhost] => {
    "changed": false, 
    "failed": false, 
    "msg": "All assertions passed"
}

TASK [iptables : uninstall iptables for ubuntu] ********************************
skipping: [testhost]

TASK [iptables : uninstall iptables for opensuse] ******************************
skipping: [testhost]

PLAY RECAP *********************************************************************
testhost                   : ok=102  changed=34   unreachable=0    failed=0   

ansibot commented Sep 27, 2017

The test ansible-test sanity --test yamllint [?] failed with the following error:

test/integration/targets/iptables/tasks/check-table.yml:29:1: too many blank lines (1 > 0) (empty-lines)


sebastiendarocha added some commits Sep 28, 2017

Fix test "Set the policy ... INPUT chain to DROP"
- Changed policy of chain Forward that isn't used for communication

@ansibot ansibot removed the needs_revision label Sep 28, 2017

@ansibot ansibot added the stale_ci label Oct 6, 2017

@gundalow gundalow added test and removed test labels Oct 17, 2017

@ansibot ansibot removed the new_contributor label Nov 3, 2017

@mscherer

Seems good to me, minor question on it, but not blocking.

when: ansible_distribution == "Ubuntu"
- name: install iptables for opensuse
zypper:

mscherer Nov 21, 2017

Any reason to not use package module here?

@ansibot ansibot added the docs label Mar 2, 2018

@ansibot ansibot added the core_review label Oct 25, 2018

@samccann samccann added candidate_to_close and removed docs labels Nov 28, 2018

@maxamillion maxamillion requested a review from mattclay Nov 30, 2018

ansibot commented Nov 30, 2018

The test ansible-test sanity --test integration-aliases [explain] failed with 1 error:

test/integration/targets/iptables/aliases:0:0: missing alias `shippable/posix/group[1-3]` or `unsupported`
