
Commit 8931825

test: Drop --privileged docker run flag
* Fix all the tests so they no longer require this flag.
1 parent 52a91d2 commit 8931825


5 files changed

+51
-45
lines changed


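--- a/test/client/wait-for-connect.sh
+++ b/test/client/wait-for-connect.sh
@@ -5,33 +5,46 @@ set -e
 
 OPENVPN_CONFIG=${1:-/client/config.ovpn}
 
+# For some reason privileged mode creates the char device and cap-add=NET_ADMIN doesn't
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+mknod /dev/net/tun c 10 200
+fi
+
 # Run in background using bash job management, setup trap to clean-up
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
 openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 &
 
 # Spin waiting for interface to exist signifying connection
 timeout=10
 for i in $(seq $timeout); do
+# Allow to start-up
+sleep 0.5
 
-# Break when connected
-#echo state | busybox nc 127.0.0.1 9999 | grep -q "CONNECTED,SUCCESS" && break;
+# Use bash magic to open tcp socket on fd 3 and break when successful
+exec 3<>/dev/tcp/127.0.0.1/9999 && break
+done
+
+if [ $i -ge $timeout ]; then
+echo "Error connecting to OpenVPN mgmt interface, i=$i, exiting."
+exit 2
+fi
 
-# Bash magic for tcp sockets
-if exec 3<>/dev/tcp/127.0.0.1/9999; then
-# Consume all header input
-while read -t 0.1 <&3; do true; done
-echo "state" >&3
-read -t 1 <&3
-echo -n $REPLY | grep -q "CONNECTED,SUCCESS" && break || true
-exec 3>&-
-fi
+# Consume all header input and echo, look for errors here
+while read -t 0.1 <&3; do echo $REPLY; done
 
-# Else sleep
+# Request state over mgmt interface
+timeout=10
+for i in $(seq $timeout); do
+echo "state" >&3
+state=$(head -n1 <&3)
+echo -n "$state" | grep -q 'CONNECTED,SUCCESS' && break
 sleep 1
 done
 
 if [ $i -ge $timeout ]; then
-echo "Error starting OpenVPN, i=$i, exiting."
-exit 2
+echo "Error connecting to OpenVPN, i=$i, exiting."
+exit 3
 fi
 
+exec 3>&-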
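Review bot: The new `if [ $i -ge $timeout ]` check after the socket loop (new line 28) misreports success as failure whenever the connection is established on the last attempt, because `i` equals `timeout` both when the loop breaks on try 10 and when it runs out; the pre-existing check at new line 45 has the same off-by-one for the state loop. A small flag avoids relying on the loop counter: `connected=0` before the loop, `exec 3<>/dev/tcp/127.0.0.1/9999 && connected=1 && break` inside it, and `if [ "$connected" -eq 0 ]; then` afterwards. On new line 40, `head -n1 <&3` reads from the socket with a full buffer and presumably discards whatever follows the first line (the management interface's trailing `END` line, for instance), so later iterations may see that leftover rather than a fresh state line; `read -r state <&3` reads exactly one line and keeps the stream aligned. `echo $REPLY` on new line 34 should be `printf '%s\n' "$REPLY"` so a line that is empty or starts with `-` is echoed verbatim.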

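--- a/test/tests/basic/run.sh
+++ b/test/tests/basic/run.sh
@@ -25,21 +25,19 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT
 # Fire up the server and setup a trap to always clean it up
 #
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
-docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
+docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -e DEBUG --cap-add=NET_ADMIN $IMG &
 
-#for i in $(seq 10); do
-# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
-# test -n "$SERV_IP" && break
-#done
-#sed -ie s:SERV_IP:$SERV_IP:g config.ovpn
+for i in $(seq 10); do
+SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)
+test -n "$SERV_IP_INTERNAL" && break
+sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g ${CLIENT_DIR}/config.ovpn
 
 #
-# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
+# Fire up a client in a container since openvpn is disallowed by Travis-CI
 #
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-
+docker run --rm --cap-add=NET_ADMIN -e DEBUG --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
 
 #
 # Celebrate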
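Review bot: The `sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g ${CLIENT_DIR}/config.ovpn` on new line 35 runs unconditionally, so if the ten 0.1 s polls expire before the container has an address (the `|| true` hides the inspect failure), `SERV_IP_INTERNAL` is empty and sed silently deletes the server address from the client config, which then fails later with a much less obvious error. Add a guard after the loop, `test -n "$SERV_IP_INTERNAL" || { echo "server IP not found" >&2; exit 1; }`, and quote the sed arguments, `sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" "$CLIENT_DIR/config.ovpn"`, since both values expand unquoted. `$SERV_IP` is set outside this hunk, so whether it is guaranteed non-empty cannot be seen here. The same polling block in otp/run.sh has a separate problem that is noted there.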

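--- a/test/tests/dual-proto/run.sh
+++ b/test/tests/dual-proto/run.sh
@@ -37,17 +37,16 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_
 
 # Run in shell bg to get logs, setup trap to clean-up
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
-docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
-docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp &
+docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN $IMG &
+docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --cap-add=NET_ADMIN $IMG ovpn_run --proto tcp &
 
 #
 # Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT
 # the host as it confuses itself:
 # "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
 #
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn"
-
+docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
+docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn"
 
 #
 # Celebrate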
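Review bot: The client runs on new lines 48-49 keep `--net=host` alongside `--cap-add=NET_ADMIN`, and CAP_NET_ADMIN in the host network namespace still lets the container reconfigure the host's interfaces, routes and firewall, so the privilege reduction from dropping `--privileged` is much smaller here than in basic/run.sh, which also dropped `--net=host` and points the client at the container's bridge address instead. otp/run.sh (new line 63) and revocation/run.sh (new lines 57, 69, 82) use the same combination. If the host namespace is only needed to reach the published ports, the basic/run.sh approach of rewriting the server address in the client config and running the client on the bridge network would remove NET_ADMIN from the host entirely; if `--net=host` is kept on purpose, a comment saying why would help, e.g. `# --net=host: client must reach the published UDP/TCP ports on the host; NET_ADMIN is then host-scoped`.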

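--- a/test/tests/otp/run.sh
+++ b/test/tests/otp/run.sh
@@ -50,21 +50,17 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c
 # Fire up the server
 #
 trap "{ jobs -p | xargs -r kill; wait; }" EXIT
-docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
+docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN $IMG &
 
-#for i in $(seq 10); do
-# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
-# test -n "$SERV_IP" && break
-#done
-#sed -ie s:SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn
+for i in $(seq 10); do
+SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
+test -n "$SERV_IP_INTERNAL" && break
+done
+sed -ie s:$SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn
 
 #
-# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
-#
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-
+# Fire up a client in a container since openvpn is disallowed by Travis-CI
+docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
 
 #
 # Celebrate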
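Review bot: The polling block on new lines 55-59 does not do what the basic/run.sh version does: `docker inspect --format '{{ .NetworkSettings.IPAddress }}'` on line 56 is given no container name, so it fails on every iteration (and, under `set -e` if this script uses it, aborts the test at the assignment), and line 59's `sed -ie s:$SERV_IP:$SERV_IP:g` replaces `SERV_IP` with itself, so `SERV_IP_INTERNAL` is never written into the client config. Since the server run on line 53 no longer publishes port 1194 and the client still targets whatever `$SERV_IP` is, the connection presumably has nowhere to go. The fix is to mirror basic/run.sh: `SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)` with a `sleep 0.1` in the loop, and `sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" "$CLIENT_DIR/config.ovpn"`; note that `-ie` is parsed by GNU sed as `-i` with backup suffix `e`, leaving a stray `config.ovpne` next to the config.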

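--- a/test/tests/revocation/run.sh
+++ b/test/tests/revocation/run.sh
@@ -54,7 +54,7 @@ docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1"
 #
 # Test that openvpn client can't connect using $CLIENT1 config.
 #
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then
 echo "Client was able to connect after revocation test #1." >&2
 exit 2
 fi
@@ -66,7 +66,7 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass
 docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn
 docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2"
 
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then
 echo "Client was able to connect after revocation test #2." >&2
 exit 2
 fi
@@ -79,7 +79,7 @@ docker stop $NAME && docker start $NAME
 #
 # Test for failed connection using $CLIENT2 config again.
 #
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then
 echo "Client was able to connect after revocation test #3." >&2
 exit 2
 fi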
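Review bot: `--cap-add=NET_ADMIN` appears twice on each of new lines 57, 69 and 82, apparently from a blanket `--privileged` → `--cap-add=NET_ADMIN` substitution on lines that already carried the capability; the duplicate is harmless to Docker but should be dropped so the flags read as intended. More importantly, these three negative tests accept any non-zero exit from wait-for-connect.sh as "revocation worked", so a client that fails for an unrelated reason (the new `mknod` step, an unreachable management port, an empty server address) makes the test pass without the CRL ever being exercised. wait-for-connect.sh now distinguishes its failures (exit 2 when the management socket never opens, exit 3 when the state never reaches CONNECTED,SUCCESS), so the checks could pin the expected outcome, e.g. `docker run ... /client/wait-for-connect.sh; rc=$?` followed by `if [ "$rc" -ne 3 ]; then echo "unexpected client result rc=$rc" >&2; exit 2; fi`.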
