This change adds a layer of abstraction around the internal Docker APIs, and eliminates all direct dependencies on Dockerfiles in the infrastructure. A subsequent change will automate the generation of local images (with efficient caching). Note that this change drops the use of bazel container rules, as that experiment does not seem to be viable.

PiperOrigin-RevId: 308095430
iptables Tests
iptables tests are run via scripts/iptables_test.sh.
iptables requires raw socket support, so you must add the --net-raw=true flag
to /etc/docker/daemon.json in order to use it.
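
Where the flag goes in daemon.json, as an added example that is not part of the original README: Docker passes it to runsc through the runtime's runtimeArgs list. The runtime name runsc and the path /usr/local/bin/runsc are assumptions; use the location where runsc is installed on your host.

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--net-raw=true"
            ]
        }
    }
}
```

Restart the Docker daemon after editing the file so the new runtime arguments take effect.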
Test Structure
Each test implements TestCase, providing (1) a function to run inside the
container and (2) a function to run locally. Those processes are given each
other's IP addresses. The test succeeds when both functions succeed.
The function inside the container (ContainerAction) typically sets some
iptables rules and then tries to send or receive packets. The local function
(LocalAction) will typically just send or receive packets.
Adding Tests
- Add your test to the iptables package.
- Register the test in an init function via RegisterTestCase (see filter_input.go as an example).
- Add it to iptables_test.go (see the other tests in that file).
Your test is now runnable with bazel!
Run individual tests
Build and install runsc. Re-run this when you modify gVisor:
$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)
Build the testing Docker container. Re-run this when you modify the test code in this directory:
$ make load-iptables
Run an individual test via:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
To run an individual test with runc:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc