tools: insert iptables rules after setting up LXD

Sergio Schvezov · Sergio Schvezov · commit 07c9fa149882 · 2022-11-25T11:21:04.000-03:00
Docker installed is not essentially the problem for this action, but the
firewall rule it sets up is.

Warn when docker related components are installed in case future issues arise.

Signed-off-by: Sergio Schvezov &lt;sergio.schvezov@canonical.com&gt;
diff --git a/__tests__/tools.test.ts b/__tests__/tools.test.ts
@@ -3,6 +3,7 @@
 import * as fs from 'fs'
 import * as os from 'os'
 import * as path from 'path'
+import * as core from '@actions/core'
 import * as exec from '@actions/exec'
 import * as tools from '../src/tools'
 
@@ -317,3 +318,105 @@ test('ensureSnapcraft refreshes if Snapcraft is installed', async () => {
     'snapcraft'
   ])
 })
+
+test('ensureLXDNetwork sets up iptables and warns about Docker', async () => {
+  expect.assertions(8)
+
+  const infoMock = jest
+    .spyOn(core, 'info')
+    .mockImplementation((info: string) => {})
+
+  const execMock = jest
+    .spyOn(exec, 'exec')
+    .mockImplementation(
+      async (program: string, args?: string[]): Promise<number> => {
+        if (args != undefined && args[1] == 'moby-runc') {
+          return 0
+        } else {
+          return 1
+        }
+      }
+    )
+
+  await tools.ensureLXDNetwork()
+
+  expect(infoMock).toHaveBeenCalledWith(
+    'Installed docker related packages might interfere with LXD networking: moby-runc'
+  )
+  expect(execMock).toHaveBeenNthCalledWith(1, 'dpkg', ['-l', 'moby-buildx'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(2, 'dpkg', ['-l', 'moby-engine'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(3, 'dpkg', ['-l', 'moby-cli'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(4, 'dpkg', ['-l', 'moby-compose'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(
+    5,
+    'dpkg',
+    ['-l', 'moby-containerd'],
+    {silent: true}
+  )
+  expect(execMock).toHaveBeenNthCalledWith(6, 'dpkg', ['-l', 'moby-runc'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(7, 'sudo', [
+    'iptables',
+    '-P',
+    'FORWARD',
+    'ACCEPT'
+  ])
+})
+
+test('ensureLXDNetwork sets up iptables and warns only about installed packages', async () => {
+  expect.assertions(8)
+
+  const infoMock = jest
+    .spyOn(core, 'info')
+    .mockImplementation((info: string) => {})
+  const execMock = jest
+    .spyOn(exec, 'exec')
+    .mockImplementation(
+      async (program: string, args?: string[]): Promise<number> => {
+        return 0
+      }
+    )
+
+  await tools.ensureLXDNetwork()
+
+  expect(infoMock).toHaveBeenCalledWith(
+    'Installed docker related packages might interfere with LXD networking: ' +
+      'moby-buildx,moby-engine,moby-cli,moby-compose,moby-containerd,moby-runc'
+  )
+  expect(execMock).toHaveBeenNthCalledWith(1, 'dpkg', ['-l', 'moby-buildx'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(2, 'dpkg', ['-l', 'moby-engine'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(3, 'dpkg', ['-l', 'moby-cli'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(4, 'dpkg', ['-l', 'moby-compose'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(
+    5,
+    'dpkg',
+    ['-l', 'moby-containerd'],
+    {silent: true}
+  )
+  expect(execMock).toHaveBeenNthCalledWith(6, 'dpkg', ['-l', 'moby-runc'], {
+    silent: true
+  })
+  expect(execMock).toHaveBeenNthCalledWith(7, 'sudo', [
+    'iptables',
+    '-P',
+    'FORWARD',
+    'ACCEPT'
+  ])
+})
diff --git a/dist/index.js b/dist/index.js
@@ -4164,6 +4164,28 @@ async function ensureSnapd() {
         await exec.exec('sudo', ['chown', 'root:root', '/']);
     }
 }
+async function ensureLXDNetwork() {
+    const mobyPackages = [
+        'moby-buildx',
+        'moby-engine',
+        'moby-cli',
+        'moby-compose',
+        'moby-containerd',
+        'moby-runc'
+    ];
+    const installedPackages = [];
+    const options = { silent: true };
+    for (const mobyPackage of mobyPackages) {
+        if ((await exec.exec('dpkg', ['-l', mobyPackage], options)) === 0) {
+            installedPackages.push(mobyPackage);
+        }
+    }
+    core.info(`Installed docker related packages might interfere with LXD networking: ${installedPackages}`);
+    // Removing docker is the best option, but some pipelines depend on it.
+    // https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker
+    // https://github.com/canonical/lxd-cloud/blob/f20a64a8af42485440dcbfd370faf14137d2f349/test/includes/lxd.sh#L13-L23
+    await exec.exec('sudo', ['iptables', '-P', 'FORWARD', 'ACCEPT']);
+}
 async function ensureLXD() {
     const haveDebLXD = await haveExecutable('/usr/bin/lxd');
     if (haveDebLXD) {
@@ -4195,6 +4217,7 @@ async function ensureLXD() {
     }
     core.info('Initialising LXD...');
     await exec.exec('sudo', ['lxd', 'init', '--auto']);
+    await ensureLXDNetwork();
 }
 async function ensureSnapcraft(channel) {
     const haveSnapcraft = await haveExecutable('/snap/bin/snapcraft');
diff --git a/src/tools.ts b/src/tools.ts
@@ -29,6 +29,31 @@ export async function ensureSnapd(): Promise<void> {
   }
 }
 
+export async function ensureLXDNetwork(): Promise<void> {
+  const mobyPackages: string[] = [
+    'moby-buildx',
+    'moby-engine',
+    'moby-cli',
+    'moby-compose',
+    'moby-containerd',
+    'moby-runc'
+  ]
+  const installedPackages: string[] = []
+  const options = {silent: true}
+  for (const mobyPackage of mobyPackages) {
+    if ((await exec.exec('dpkg', ['-l', mobyPackage], options)) === 0) {
+      installedPackages.push(mobyPackage)
+    }
+  }
+  core.info(
+    `Installed docker related packages might interfere with LXD networking: ${installedPackages}`
+  )
+  // Removing docker is the best option, but some pipelines depend on it.
+  // https://linuxcontainers.org/lxd/docs/master/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker
+  // https://github.com/canonical/lxd-cloud/blob/f20a64a8af42485440dcbfd370faf14137d2f349/test/includes/lxd.sh#L13-L23
+  await exec.exec('sudo', ['iptables', '-P', 'FORWARD', 'ACCEPT'])
+}
+
 export async function ensureLXD(): Promise<void> {
   const haveDebLXD = await haveExecutable('/usr/bin/lxd')
   if (haveDebLXD) {
@@ -60,6 +85,7 @@ export async function ensureLXD(): Promise<void> {
   }
   core.info('Initialising LXD...')
   await exec.exec('sudo', ['lxd', 'init', '--auto'])
+  await ensureLXDNetwork()
 }
 
 export async function ensureSnapcraft(channel: string): Promise<void> {
