Add test that nerdctl run binds to 0.0.0.0 by default

jandubois · jandubois · commit aa23c525f03d · 2022-02-19T01:33:34.000-08:00
and that lima can detect this with guestIPMustBeZero.

Signed-off-by: Jan Dubois &lt;jan.dubois@suse.com&gt;
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -30,7 +30,7 @@ task:
   - cat /proc/cpuinfo
   install_deps_script:
   - apt-get update
-  - apt-get install -y --no-install-recommends ca-certificates curl git golang openssh-client make netcat ovmf sudo qemu-system-x86 qemu-utils
+  - apt-get install -y --no-install-recommends ca-certificates curl git golang jq openssh-client make netcat ovmf sudo qemu-system-x86 qemu-utils
   go_cache:
     fingerprint_script: uname -s ; cat go.sum
     folder: $GOPATH/pkg/mod
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -121,6 +121,9 @@ jobs:
       # QEMU:      required by Lima itself
       # bash:      required by test-example.sh (OS version of bash is too old)
       # coreutils: required by test-example.sh for the "timeout" command
+      # These would need to be added to run the alpine.yaml config on the macOS runner:
+      # curl:      required by test-example.sh to download nerdctl for alpine
+      # jq:        required by test-example.sh to determine download URL for nerdctl
       run: |
         set -x
         # Github runners seem to symlink to python2.7 version of 2to3,
diff --git a/hack/test-example.sh b/hack/test-example.sh
@@ -168,12 +168,14 @@ if [[ -n ${CHECKS["mount-home"]} ]]; then
 	fi
 fi
 
+# Use GHCR to avoid hitting Docker Hub rate limit
+nginx_image="ghcr.io/stargz-containers/nginx:1.19-alpine-org"
+alpine_image="ghcr.io/containerd/alpine:3.14.0"
+
 if [[ -n ${CHECKS["containerd-user"]} ]]; then
 	INFO "Run a nginx container with port forwarding 127.0.0.1:8080"
 	set -x
 	limactl shell "$NAME" nerdctl info
-	# Use GHCR to avoid hitting Docker Hub rate limit
-	nginx_image="ghcr.io/stargz-containers/nginx:1.19-alpine-org"
 	limactl shell "$NAME" nerdctl pull --quiet ${nginx_image}
 	limactl shell "$NAME" nerdctl run -d --name nginx -p 127.0.0.1:8080:80 ${nginx_image}
 
@@ -189,7 +191,6 @@ if [[ -n ${CHECKS["containerd-user"]} ]]; then
 		mkdir -p "$hometmp"
 		defer "rm -rf \"$hometmp\""
 		set -x
-		alpine_image="ghcr.io/containerd/alpine:3.14.0"
 		limactl shell "$NAME" nerdctl pull --quiet ${alpine_image}
 		echo "random-content-${RANDOM}" >"$hometmp/random"
 		expected="$(cat "$hometmp/random")"
@@ -219,6 +220,34 @@ if [[ -n ${CHECKS["port-forwards"]} ]]; then
 		limactl shell "$NAME" sudo zypper in -y netcat-openbsd
 	fi
 	"${scriptdir}/test-port-forwarding.pl" "${NAME}"
+
+	if [[ -n ${CHECKS["containerd-user"]} || ${NAME} == "alpine" ]]; then
+		INFO "Testing that 'nerdctl run' binds to 0.0.0.0 by default and is forwarded to the host"
+		if [ "$(uname)" = "Darwin" ]; then
+			# macOS runners seem to use `localhost` as the hostname, so the perl lookup just returns `127.0.0.1`
+			hostip=$(system_profiler SPNetworkDataType -json | jq -r 'first(.SPNetworkDataType[] | select(.ip_address) | .ip_address) | first')
+		else
+			hostip=$(perl -MSocket -MSys::Hostname -E 'say inet_ntoa(scalar gethostbyname(hostname()))')
+		fi
+		if [ -n "${hostip}" ]; then
+			sudo=""
+			if [ "${NAME}" = "alpine" ]; then
+				arch=$(limactl info | jq -r .defaultTemplate.arch)
+				nerdctl=$(limactl info | jq -r ".defaultTemplate.containerd.archives[] | select(.arch==\"$arch\").location")
+				curl -Lso nerdctl-full.tgz "${nerdctl}"
+				limactl shell "$NAME" sudo apk add containerd
+				limactl shell "$NAME" sudo rc-service containerd start
+				limactl shell "$NAME" sudo tar xzf "${PWD}/nerdctl-full.tgz" -C /usr/local
+				rm nerdctl-full.tgz
+				sudo="sudo"
+			fi
+			limactl shell "$NAME" $sudo nerdctl info
+			limactl shell "$NAME" $sudo nerdctl pull --quiet ${nginx_image}
+			limactl shell "$NAME" $sudo nerdctl run -d --name nginx -p 8888:80 ${nginx_image}
+
+			timeout 3m bash -euxc "until curl -f --retry 30 --retry-connrefused http://${hostip}:8888; do sleep 3; done"
+		fi
+	fi
 	set +x
 fi
 
diff --git a/hack/test-port-forwarding.pl b/hack/test-port-forwarding.pl
@@ -304,3 +304,10 @@ sub JoinHostPort {
   # forward: ::             4041 → 127.0.0.1 4041
   # ignore:  127.0.0.1      4043 → 127.0.0.1 4043
   # ignore:  192.168.5.15   4044 → 127.0.0.1 4044
+
+# This rule exist to test `nerdctl run` binding to 0.0.0.0 by default,
+# and making sure it gets forwarded to the external host IP.
+# The actual test code is in test-example.sh in the "port-forwarding" block.
+- guestIPMustBeZero: true
+  guestPort: 8888
+  hostIP: 0.0.0.0
