Test for firewalld container in ALP product
Showing
3 changed files
with
148 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
--- | ||
name: Firewalld in a Container | ||
description: > | ||
Install and test firewalld container | ||
conditional_schedule: | ||
firewalld_container: | ||
HOSTNAME: | ||
'client': | ||
- microos/workloads/firewalld-container/firewalld_client | ||
'server': | ||
- microos/workloads/firewalld-container/firewalld_server | ||
schedule: | ||
- microos/disk_boot | ||
- '{{firewalld_container}}' |
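--- a/tests/microos/workloads/firewalld-container/firewalld_client.pm
+++ b/tests/microos/workloads/firewalld-container/firewalld_client.pm
@@ -0,0 +1,48 @@
+# SUSE"s openQA tests
+#
+# Copyright 2023 SUSE LLC
+# SPDX-License-Identifier: FSFAP
+#
+# Package: podman firewalld-container
+# Summary: install and verify firewalld container.
+# Maintainer: QE Core <qe-core@suse.de>
+
+use base 'consoletest';
+use warnings;
+use strict;
+use testapi;
+use serial_terminal 'select_serial_terminal';
+use lockapi;
+use utils qw(set_hostname);
+use mm_network 'setup_static_mm_network';
+use utils 'script_retry';
+
+# MM network check: try to ping the gateway, and the server
+sub ensure_server_reachable {
+assert_script_run('ping -c 1 10.0.2.2');
+assert_script_run('ping -c 1 10.0.2.101');
+}
+
+sub run {
+my ($self) = @_;
+select_console 'root-console';
+set_hostname(get_var('HOSTNAME') // 'client');
+# 101 = server, 102 = client
+setup_static_mm_network('10.0.2.102/24');
+mutex_wait 'barrier_setup_done';
+barrier_wait 'FIREWALLD_CLIENT_READY';
+barrier_wait 'FIREWALLD_SERVER_READY';
+ensure_server_reachable();
+barrier_wait 'FIREWALLD_SERVER_PORT_OPEN';
+# ensure the port is open on the server
+my $network_probe = 'curl http://10.0.2.101:8080/';
+script_retry($network_probe, retry => 3, delay => 30);
+# wait for port being closed by firewall
+barrier_wait 'FIREWALLD_SERVER_PORT_CLOSED';
+# the next command should fail because port 8080 is closed
+die if (script_run($network_probe) == 0);
+barrier_wait 'FIREWALLD_TEST_FINISHED';
+}
+
+1;
+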
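Review bot: The closed-port check `die if (script_run($network_probe) == 0);` near the end of `run` treats every curl failure as proof that the firewall blocked port 8080, so the test also passes when the HTTP server has stopped or the network is down. The probe has no time limit, and if `script_run` returns undef on a timeout (this depends on the os-autoinst version) then `undef == 0` is true and the test dies without saying why. Consider bounding the probe and accepting only curl's connect-failure or timeout exit codes, e.g. `my $rc = script_run('curl --max-time 10 http://10.0.2.101:8080/');` followed by `die "port 8080 not blocked as expected (curl rc=" . ($rc // 'undef') . ")" unless defined $rc && ($rc == 7 || $rc == 28);`, which also gives the failure a message.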
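--- a/tests/microos/workloads/firewalld-container/firewalld_server.pm
+++ b/tests/microos/workloads/firewalld-container/firewalld_server.pm
@@ -0,0 +1,86 @@
+# SUSE"s openQA tests
+#
+# Copyright 2023 SUSE LLC
+# SPDX-License-Identifier: FSFAP
+#
+# Package: podman firewalld-container
+# Summary: install and verify firewalld container.
+# Maintainer: QE Core <qe-core@suse.de>
+
+use base 'consoletest';
+use warnings;
+use strict;
+use testapi;
+use serial_terminal 'select_serial_terminal';
+use lockapi;
+use mmapi;
+use utils qw(set_hostname);
+use transactional qw(trup_call check_reboot_changes);
+use mm_network 'setup_static_mm_network';
+use Utils::Systemd qw(disable_and_stop_service systemctl check_unit_file);
+
+
+sub remove_builtin_pkg_firewalld {
+record_info("SERVER DEBUG", "removing firewalld and reboot if needed");
+trup_call('pkg remove firewalld');
+check_reboot_changes;
+}
+
+sub start_firewalld_container {
+record_info("SERVER DEBUG", "installing firewalld container");
+my $containerpath = 'registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld';
+assert_script_run 'podman search firewalld';
+assert_script_run "podman container runlabel install $containerpath";
+assert_script_run "podman container runlabel run $containerpath";
+}
+
+sub firewall_port {
+my $arg = shift;
+record_info("SERVER DEBUG", "$arg firewall port");
+my $podman_prefix = "podman exec firewalld firewall-cmd ";
+my $options = '--zone=public --permanent ';
+if ($arg eq 'open') { $options .= '--add-port=8080/tcp'; }
+elsif ($arg eq 'close') { $options .= '--remove-port=8080/tcp'; }
+else { die "invalid command for firewalld action"; }
+assert_script_run $podman_prefix . $options;
+assert_script_run $podman_prefix . '--reload';
+}
+
+# MM network check: try to ping the gateway, the client and the internet
+sub ensure_client_reachable {
+assert_script_run('ping -c 1 10.0.2.2');
+assert_script_run('ping -c 1 10.0.2.102');
+assert_script_run('curl conncheck.opensuse.org');
+}
+
+sub run {
+my ($self) = @_;
+select_console 'root-console';
+disable_and_stop_service($self->firewall) if check_unit_file($self->firewall);
+remove_builtin_pkg_firewalld(); # on ALP this needs a reboot
+set_hostname(get_var('HOSTNAME') // 'server');
+barrier_create($_, 2) for ('FIREWALLD_SERVER_READY', 'FIREWALLD_CLIENT_READY', 'FIREWALLD_SERVER_PORT_OPEN',
+'FIREWALLD_SERVER_PORT_CLOSED', 'FIREWALLD_TEST_FINISHED');
+mutex_create 'barrier_setup_done';
+setup_static_mm_network('10.0.2.101/24');
+barrier_wait 'FIREWALLD_CLIENT_READY';
+ensure_client_reachable();
+barrier_wait 'FIREWALLD_SERVER_READY';
+start_firewalld_container();
+# start a basic python http server
+my $python_pid = background_script_run("python3 -m http.server 8080");
+firewall_port('open');
+barrier_wait 'FIREWALLD_SERVER_PORT_OPEN';
+# tells the client server is ready so can probe the port
+# client is checking the server port
+firewall_port('close');
+barrier_wait 'FIREWALLD_SERVER_PORT_CLOSED';
+# here client is checking the port
+barrier_wait 'FIREWALLD_TEST_FINISHED';
+assert_script_run "kill $python_pid";
+assert_script_run "podman kill firewalld";
+wait_for_children();
+}
+
+1;
+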
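Review bot: `start_firewalld_container` calls `podman container runlabel install` and `runlabel run` on an image reference that carries no tag or digest, so the commands stored in that image's labels run as root on the host from whatever the registry serves at that moment. Tracking the latest image is probably intended for this test, but the run leaves no record of which image was actually exercised. Recording the resolved digest right after the install step, e.g. `record_info('IMAGE', script_output("podman image inspect --format '{{.Digest}}' $containerpath"));` (assuming the image is in local storage by then), would make a failure or an unexpected firewall behaviour traceable to one specific image build.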