WIP: add chaosmesh debug example with Havoc for local and stage

skudasov · skudasov · commit 99a55e58857c · 2025-04-28T12:01:41.000+02:00
diff --git a/book/src/framework/components/troubleshooting.md b/book/src/framework/components/troubleshooting.md
@@ -1,5 +1,15 @@
 # Troubleshooting
 
+## Can't start `ctf obs u`
+```
+Error response from daemon: error while creating mount source path '/host_mnt/Users/fsldkfs/Downloads/compose/conf/provisioning/dashboards/cadvisor/cadvisor.json': mkdir /host_mnt/Users/sdfjskj/Downloads/compose/conf/provisioning: operation not permitted
+exit status 1
+```
+
+#### Solution
+
+Use another directory with write access or change the directory access
+
 ## Can't run `anvil`, issue with `Rosetta`
 ```
 2024/11/27 15:20:27 ⏳ Waiting for container id 79f8a68c07cc image: f4hrenh9it/foundry:latest. Waiting for: &{Port:8546 timeout:0x14000901278 PollInterval:100ms skipInternalCheck:false}
diff --git a/framework/components/clnode/clnode.go b/framework/components/clnode/clnode.go
@@ -36,6 +36,7 @@ var (
 
 // Input represents Chainlink node input
 type Input struct {
+	NoDNS   bool            `toml:"no_dns"`
 	DbInput *postgres.Input `toml:"db" validate:"required"`
 	Node    *NodeInput      `toml:"node" validate:"required"`
 	Out     *Output         `toml:"out"`
@@ -252,6 +253,7 @@ func newNode(in *Input, pgOut *postgres.Output) (*NodeOut, error) {
 	}
 	if in.Node.HTTPPort != 0 && in.Node.P2PPort != 0 {
 		req.HostConfigModifier = func(h *container.HostConfig) {
+			framework.NoDNS(in.NoDNS, h)
 			h.PortBindings = portBindings
 			framework.ResourceLimitsFunc(h, in.Node.ContainerResources)
 		}
diff --git a/framework/components/jd/jd.go b/framework/components/jd/jd.go
@@ -29,6 +29,7 @@ type Input struct {
 	DockerFilePath   string          `toml:"docker_file"`
 	DockerContext    string          `toml:"docker_ctx"`
 	DBInput          *postgres.Input `toml:"db"`
+	NoDNS            bool            `toml:"no_dns"`
 	Out              *Output         `toml:"out"`
 }
 
@@ -93,6 +94,8 @@ func NewJD(in *Input) (*Output, error) {
 		},
 		ExposedPorts: []string{bindPort},
 		HostConfigModifier: func(h *container.HostConfig) {
+			// JobDistributor service must be isolated from internet by default!
+			framework.NoDNS(true, h)
 			h.PortBindings = framework.MapTheSamePort(bindPort)
 		},
 		Env: map[string]string{
@@ -104,21 +107,6 @@ func NewJD(in *Input) (*Output, error) {
 		WaitingFor: tcwait.ForAll(
 			tcwait.ForListeningPort(nat.Port(fmt.Sprintf("%s/tcp", in.GRPCPort))),
 		),
-		LifecycleHooks: []tc.ContainerLifecycleHooks{
-			{
-				PostStarts: []tc.ContainerHook{
-					func(ctx context.Context, c tc.Container) error {
-						_, _, err := c.Exec(ctx, []string{
-							"sh", "-c", `iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT && \
-                                     iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT && \
-                                     iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT && \
-                                     iptables -A OUTPUT -j DROP`,
-						})
-						return err
-					},
-				},
-			},
-		},
 	}
 	if req.Image == "" {
 		req.Image = TmpImageName
diff --git a/framework/components/networktest/nettest.go b/framework/components/networktest/nettest.go
@@ -1,5 +1,9 @@
 package networktest
 
+/*
+This component exists purely for Docker debug purposes
+*/
+
 import (
 	"context"
 	"fmt"
@@ -11,18 +15,18 @@ import (
 	"github.com/smartcontractkit/chainlink-testing-framework/framework"
 )
 
-type AlpineInput struct {
-	Privileged    bool              // Whether to run in privileged mode
-	BlockInternet bool              // Whether to block internet access
-	Labels        map[string]string // Container labels
+type Input struct {
+	Name          string
+	NoDNS         bool
+	CustomNetwork bool
 }
 
-type AlpineOutput struct{}
+type Output struct{}
 
 // NewNetworkTest creates a minimal Alpine Linux container for network testing
-func NewNetworkTest(in AlpineInput) (*AlpineOutput, error) {
+func NewNetworkTest(in Input) error {
 	req := testcontainers.ContainerRequest{
-		Name:     "networktest",
+		Name:     in.Name,
 		Image:    "alpine:latest",
 		Networks: []string{framework.DefaultNetworkName},
 		NetworkAliases: map[string][]string{
@@ -32,39 +36,17 @@ func NewNetworkTest(in AlpineInput) (*AlpineOutput, error) {
 		WaitingFor: wait.ForLog(""),
 		Cmd:        []string{"/bin/sh", "-c", "while true; do sleep 30; done;"},
 	}
-
-	if in.BlockInternet {
-		req.HostConfigModifier = func(hc *container.HostConfig) {
-			hc.DNS = []string{"127.0.0.1"}
-			hc.CapAdd = []string{"NET_ADMIN"}
-			if in.Privileged {
-				hc.Privileged = true
-			}
-		}
-
-		req.LifecycleHooks = []testcontainers.ContainerLifecycleHooks{{
-			PostStarts: []testcontainers.ContainerHook{
-				func(ctx context.Context, c testcontainers.Container) error {
-					// Block all internet traffic while allowing local network
-					_, _, err := c.Exec(ctx, []string{
-						"sh", "-c", `iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT &&
-		                          iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT &&
-		                          iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT &&
-		                          iptables -A OUTPUT -j DROP`,
-					})
-					return err
-				},
-			},
-		}}
+	req.HostConfigModifier = func(hc *container.HostConfig) {
+		// Remove external DNS
+		framework.NoDNS(in.NoDNS, hc)
 	}
 
 	_, err := testcontainers.GenericContainer(context.Background(), testcontainers.GenericContainerRequest{
 		ContainerRequest: req,
 		Started:          true,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to start alpine container: %w", err)
+		return fmt.Errorf("failed to start alpine container: %w", err)
 	}
-
-	return &AlpineOutput{}, nil
+	return nil
 }
diff --git a/framework/components/networktest/nettest_test.go b/framework/components/networktest/nettest_test.go
@@ -0,0 +1,36 @@
+package networktest_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/smartcontractkit/chainlink-testing-framework/framework"
+	"github.com/smartcontractkit/chainlink-testing-framework/framework/components/networktest"
+)
+
+func TestNetworkIsolationRules(t *testing.T) {
+	t.Run("can work without DNS isolation", func(t *testing.T) {
+		name := "nettest1"
+		err := networktest.NewNetworkTest(networktest.Input{NoDNS: false, Name: name})
+		require.NoError(t, err)
+		dc, err := framework.NewDockerClient()
+		require.NoError(t, err)
+		sOut, err := dc.ExecContainer(name, []string{"ping", "-c", "1", "google.com"})
+		require.NoError(t, err)
+		require.NotContains(t, sOut, "bad address")
+		fmt.Println(sOut)
+	})
+	t.Run("DNS isolation works", func(t *testing.T) {
+		name := "nettest2"
+		err := networktest.NewNetworkTest(networktest.Input{NoDNS: true, Name: name})
+		require.NoError(t, err)
+		dc, err := framework.NewDockerClient()
+		require.NoError(t, err)
+		sOut, err := dc.ExecContainer(name, []string{"ping", "-c", "1", "google.com"})
+		require.NoError(t, err)
+		require.Contains(t, sOut, "bad address")
+		fmt.Println(sOut)
+	})
+}
diff --git a/framework/components/simple_node_set/node_set.go b/framework/components/simple_node_set/node_set.go
@@ -30,6 +30,7 @@ type Input struct {
 	OverrideMode       string          `toml:"override_mode" validate:"required,oneof=all each"`
 	DbInput            *postgres.Input `toml:"db" validate:"required"`
 	NodeSpecs          []*clnode.Input `toml:"node_specs" validate:"required"`
+	NoDNS              bool            `toml:"no_dns"`
 	Out                *Output         `toml:"out"`
 }
 
diff --git a/framework/docker.go b/framework/docker.go
@@ -412,6 +412,7 @@ func ResourceLimitsFunc(h *container.HostConfig, resources *ContainerResources)
 	}
 }
 
+// GenerateCustomPortsData generate custom ports data: exposed and forwarded port map
 func GenerateCustomPortsData(portsProvided []string) ([]string, nat.PortMap, error) {
 	exposedPorts := make([]string, 0)
 	portBindings := nat.PortMap{}
@@ -438,3 +439,10 @@ func GenerateCustomPortsData(portsProvided []string) ([]string, nat.PortMap, err
 	exposedPorts = append(exposedPorts, customPorts...)
 	return exposedPorts, portBindings, nil
 }
+
+// NoDNS removes default DNS server and sets it to localhost
+func NoDNS(noDNS bool, hc *container.HostConfig) {
+	if noDNS {
+		hc.DNS = []string{"127.0.0.1"}
+	}
+}
diff --git a/framework/examples/myproject/smoke_test.go b/framework/examples/myproject/smoke_test.go
@@ -35,7 +35,7 @@ func TestSmoke(t *testing.T) {
 	_, err = jd.NewJD(in.JD)
 	require.NoError(t, err)
 	spew.Dump(in.NodeSets[0])
-	_, err = networktest.NewNetworkTest(networktest.AlpineInput{Privileged: true, BlockInternet: true})
+	_, err = networktest.NewNetworkTest(networktest.Input{Privileged: true, BlockInternet: true})
 	require.NoError(t, err)
 	dc, err := framework.NewDockerClient()
 	require.NoError(t, err)
diff --git a/framework/examples/myproject_cll/README.md b/framework/examples/myproject_cll/README.md
@@ -12,4 +12,5 @@ docker build -t job-distributor:0.9.0 -f e2e/Dockerfile.e2e .
 Run the tests locally
 ```
 CTF_CONFIGS=jd.toml go test -v -count 1 -run TestJD
+CTF_CONFIGS=jd_fork.toml go test -v -count 1 -run TestJDFork
 ```
diff --git a/framework/examples/myproject_cll/go.mod b/framework/examples/myproject_cll/go.mod
@@ -8,6 +8,7 @@ replace (
 )
 
 require (
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/smartcontractkit/chainlink-testing-framework/framework v0.0.0-00010101000000-000000000000
 	github.com/stretchr/testify v1.10.0
 )
@@ -16,6 +17,8 @@ require (
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/StackExchange/wmi v1.2.1 // indirect
+	github.com/avast/retry-go/v4 v4.6.1 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.32.5 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.28.4 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.45 // indirect
@@ -30,41 +33,65 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.0 // indirect
 	github.com/aws/smithy-go v1.22.1 // indirect
+	github.com/bits-and-blooms/bitset v1.17.0 // indirect
 	github.com/block-vision/sui-go-sdk v1.0.6 // indirect
+	github.com/bytedance/sonic v1.12.3 // indirect
+	github.com/bytedance/sonic/loader v0.2.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/consensys/bavard v0.1.22 // indirect
+	github.com/consensys/gnark-crypto v0.14.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a // indirect
+	github.com/crate-crypto/go-kzg-4844 v1.1.0 // indirect
+	github.com/deckarep/golang-set/v2 v2.6.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/ethereum/c-kzg-4844 v1.0.0 // indirect
+	github.com/ethereum/go-ethereum v1.15.0 // indirect
+	github.com/ethereum/go-verkle v0.2.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.6 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/gin-gonic/gin v1.10.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.22.1 // indirect
 	github.com/go-resty/resty/v2 v2.15.3 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect
+	github.com/holiman/uint256 v1.3.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mmcloughlin/addchain v0.4.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
@@ -73,14 +100,18 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible // indirect
 	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/supranational/blst v0.3.13 // indirect
 	github.com/testcontainers/testcontainers-go v0.36.0 // indirect
 	github.com/tidwall/gjson v1.14.4 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
@@ -90,7 +121,9 @@ require (
 	go.opentelemetry.io/otel/sdk v1.32.0 // indirect
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	golang.org/x/arch v0.11.0 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
 	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
@@ -100,5 +133,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
 	google.golang.org/grpc v1.68.0 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect
+	gopkg.in/guregu/null.v4 v4.0.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	rsc.io/tmplfunc v0.0.3 // indirect
 )
diff --git a/framework/examples/myproject_cll/go.sum b/framework/examples/myproject_cll/go.sum

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ var (`
`36`	`36`
`37`	`37`	`// Input represents Chainlink node input`
`38`	`38`	`type Input struct {`
	`39`	+ NoDNS bool `toml:"no_dns"`
`39`	`40`	DbInput *postgres.Input `toml:"db" validate:"required"`
`40`	`41`	Node *NodeInput `toml:"node" validate:"required"`
`41`	`42`	Out *Output `toml:"out"`
`@@ -252,6 +253,7 @@ func newNode(in Input, pgOut postgres.Output) (*NodeOut, error) {`
`252`	`253`	`}`
`253`	`254`	`if in.Node.HTTPPort != 0 && in.Node.P2PPort != 0 {`
`254`	`255`	`req.HostConfigModifier = func(h *container.HostConfig) {`
	`256`	`+ framework.NoDNS(in.NoDNS, h)`
`255`	`257`	`h.PortBindings = portBindings`
`256`	`258`	`framework.ResourceLimitsFunc(h, in.Node.ContainerResources)`
`257`	`259`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ type Input struct {`
`30`	`30`	OverrideMode string `toml:"override_mode" validate:"required,oneof=all each"`
`31`	`31`	DbInput *postgres.Input `toml:"db" validate:"required"`
`32`	`32`	NodeSpecs []*clnode.Input `toml:"node_specs" validate:"required"`
	`33`	+ NoDNS bool `toml:"no_dns"`
`33`	`34`	Out *Output `toml:"out"`
`34`	`35`	`}`
`35`	`36`
Original file line number	Diff line number	Diff line change
`@@ -412,6 +412,7 @@ func ResourceLimitsFunc(h container.HostConfig, resources ContainerResources)`
`412`	`412`	`}`
`413`	`413`	`}`
`414`	`414`
	`415`	`+// GenerateCustomPortsData generate custom ports data: exposed and forwarded port map`
`415`	`416`	`func GenerateCustomPortsData(portsProvided []string) ([]string, nat.PortMap, error) {`
`416`	`417`	`exposedPorts := make([]string, 0)`
`417`	`418`	`portBindings := nat.PortMap{}`
`@@ -438,3 +439,10 @@ func GenerateCustomPortsData(portsProvided []string) ([]string, nat.PortMap, err`
`438`	`439`	`exposedPorts = append(exposedPorts, customPorts...)`
`439`	`440`	`return exposedPorts, portBindings, nil`
`440`	`441`	`}`
	`442`	`+`
	`443`	`+// NoDNS removes default DNS server and sets it to localhost`
	`444`	`+func NoDNS(noDNS bool, hc *container.HostConfig) {`
	`445`	`+ if noDNS {`
	`446`	`+ hc.DNS = []string{"127.0.0.1"}`
	`447`	`+ }`
	`448`	`+}`