@@ -19,6 +19,7 @@ package network
19
19
import (
20
20
"fmt"
21
21
"net"
22
+ "path/filepath"
22
23
"strings"
23
24
"testing"
24
25
@@ -29,6 +30,7 @@ import (
29
30
"github.com/containerd/nerdctl/mod/tigron/test"
30
31
"github.com/containerd/nerdctl/mod/tigron/tig"
31
32
33
+ "github.com/containerd/nerdctl/v2/pkg/defaults"
32
34
"github.com/containerd/nerdctl/v2/pkg/testutil"
33
35
"github.com/containerd/nerdctl/v2/pkg/testutil/nerdtest"
34
36
)
@@ -122,6 +124,47 @@ func TestNetworkCreateICC(t *testing.T) {
122
124
)
123
125
124
126
testCase .SubTests = []* test.Case {
127
+ {
128
+ Description : "debug ICC feature" ,
129
+ Require : nerdtest .CNIFirewallVersion ("1.7.1" ),
130
+ NoParallel : true ,
131
+ Setup : func (data test.Data , helpers test.Helpers ) {
132
+ // Create a network with ICC disabled
133
+ helpers .Ensure ("network" , "create" , data .Identifier (), "--driver" , "bridge" ,
134
+ "--opt" , "com.docker.network.bridge.enable_icc=false" )
135
+
136
+ // Run a container in that network
137
+ data .Labels ().Set ("container1" , helpers .Capture ("run" , "-d" , "--net" , data .Identifier (),
138
+ "--name" , data .Identifier ("c1" ), testutil .CommonImage , "sleep" , "infinity" ))
139
+
140
+ // Wait for container to be running
141
+ nerdtest .EnsureContainerStarted (helpers , data .Identifier ("c1" ))
142
+ },
143
+ Cleanup : func (data test.Data , helpers test.Helpers ) {
144
+ helpers .Anyhow ("container" , "rm" , "-f" , data .Identifier ("c1" ))
145
+ helpers .Anyhow ("network" , "rm" , data .Identifier ())
146
+ },
147
+ Command : func (data test.Data , helpers test.Helpers ) test.TestableCommand {
148
+ // DEBUG: Show firewall plugin version
149
+ firewall_cni_path := filepath .Join (defaults .CNIPath (), "firewall" )
150
+ helpers .Custom ("sh" , "-ec" , fmt .Sprintf ("%s --version || echo 'firewall plugin not found'" , firewall_cni_path )).Run (& test.Expected {})
151
+ helpers .Ensure ("network" , "ls" )
152
+ helpers .Ensure ("network" , "inspect" , data .Identifier ())
153
+ helpers .Custom ("sh" , "-ec" , "ls /etc/cni/net.d" ).Run (& test.Expected {})
154
+ helpers .Custom ("iptables-save" ).Run (& test.Expected {})
155
+ containerIP := helpers .Capture ("container" , "inspect" , data .Identifier ("c1" ), "--format" , "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" )
156
+ helpers .Custom ("echo" , fmt .Sprintf ("Container IP: %s" , containerIP )).Run (& test.Expected {})
157
+ helpers .Custom ("sh" , "-ec" , "ip link show | grep br- || true" ).Run (& test.Expected {})
158
+ helpers .Custom ("sh" , "-ec" , "brctl show || true" ).Run (& test.Expected {})
159
+ helpers .Custom ("sleep" , "3" ).Run (& test.Expected {})
160
+
161
+ // Try to ping the other container in the same network
162
+ // This should fail when ICC is disabled
163
+ return helpers .Command ("run" , "--rm" , "--net" , data .Identifier (),
164
+ testutil .CommonImage , "ping" , "-c" , "1" , "-W" , "1" , data .Identifier ("c1" ))
165
+ },
166
+ Expected : test .Expects (expect .ExitCodeGenericFail , nil , nil ), // Expect ping to fail with exit code 1
167
+ },
125
168
{
126
169
Description : "with enable_icc=false" ,
127
170
Require : nerdtest .CNIFirewallVersion ("1.7.1" ),
@@ -143,9 +186,16 @@ func TestNetworkCreateICC(t *testing.T) {
143
186
helpers .Anyhow ("network" , "rm" , data .Identifier ())
144
187
},
145
188
Command : func (data test.Data , helpers test.Helpers ) test.TestableCommand {
146
- // DEBUG
147
- iptablesSave := "iptables-save | grep CNI-ISOLATION || true"
148
- helpers .Custom ("sh" , "-ec" , iptablesSave ).Run (& test.Expected {})
189
+ firewall_cni_path := filepath .Join (defaults .CNIPath (), "firewall" )
190
+ helpers .Custom ("sh" , "-ec" , fmt .Sprintf ("%s --version || echo 'firewall plugin not found'" , firewall_cni_path )).Run (& test.Expected {})
191
+ helpers .Ensure ("network" , "inspect" , data .Identifier ())
192
+ helpers .Custom ("sh" , "-ec" , fmt .Sprintf ("find /etc/cni/net.d/ -name '*%s*' -exec cat {} \\ ; || true" , data .Identifier ())).Run (& test.Expected {})
193
+ helpers .Custom ("iptables-save" ).Run (& test.Expected {})
194
+ containerIP := helpers .Capture ("container" , "inspect" , data .Identifier ("c1" ), "--format" , "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" )
195
+ helpers .Custom ("echo" , fmt .Sprintf ("Container IP: %s" , containerIP )).Run (& test.Expected {})
196
+ helpers .Custom ("sh" , "-ec" , "ip link show | grep br- || true" ).Run (& test.Expected {})
197
+ helpers .Custom ("sh" , "-ec" , "brctl show || true" ).Run (& test.Expected {})
198
+ helpers .Custom ("sleep" , "3" ).Run (& test.Expected {})
149
199
// Try to ping the other container in the same network
150
200
// This should fail when ICC is disabled
151
201
return helpers .Command ("run" , "--rm" , "--net" , data .Identifier (),
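Review bot: Both Command funcs (the new "debug ICC feature" sub-test and the existing "with enable_icc=false" one) splice `firewall_cni_path` and `data.Identifier()` into `sh -ec` strings with `fmt.Sprintf`, so a CNI path or identifier containing whitespace or shell metacharacters would change what the shell executes. The version probe needs no shell: `helpers.Custom(firewallCNIPath, "--version")` passes the path as a single argv element, and the rename gives the variable a Go-style mixedCaps name. `helpers.Custom("iptables-save")` now writes the host's whole ruleset into the test log and drops the `|| true` guard of the removed line, so if an empty `test.Expected{}` asserts exit code 0 (not visible here), a missing or unprivileged `iptables-save` would fail the test; `iptables-save | grep CNI-ISOLATION || true` keeps the output scoped and best-effort. The two diagnostic sequences are nearly identical and both end in a fixed `sleep 3`, so a shared helper, or removing them before merge if they are temporary debugging, would be cleaner. The second Command func continues past the end of the hunk.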