action #155395

closed

action #152590: [containers][epic] Container refactoring

[refactoring] Merge docker_firewall and podman_firewall

Added by ph03nix 10 months ago. Updated about 2 months ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
Start date: 2024-02-13
Due date:
% Done: 0%
Estimated time:

Description

We currently have two different test modules to test the firewall together with the container engines: docker_firewall and podman_firewall. We should merge the two into one module.

In addition, the docker_firewall module runs checks on the underlying firewall backend, here iptables. We should change the design to not make any backend assumptions, but to test the effect of it. This means, instead of checking if some rules are present, we should check if the EFFECT of the rules is present, i.e. if a container can reach the external network and if a container can (or cannot) be reached.

So instead of checking for iptable rules, we should check:

  • can a container access the network when the firewall is present?
  • is the firewall blocking access to an exposed container port by default?
  • when adding firewalld rules to allow access to a container, can the container then be accessed?

For now, we should only test the default network backend.

Acceptance criteria

  • Merge docker_firewall and podman_firewall into one module
  • Get rid of all backend assumptions, i.e. remove the iptables function calls
  • Test the effect of the network rules, not probe for the rules themselves
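The three checks above, written out as an openQA test module in the style of os-autoinst-distri-opensuse. This is an added example for illustration, not the project's merged module and not code from the ticket. Everything beyond the three questions is an assumption: the engine name is read from the CONTAINER_RUNTIMES variable, the two image names and the 10.99.0.0/24 addresses are placeholders, firewalld is taken to be the firewall, and the "external host" that probes the published port is emulated with a network namespace joined to the SUT by a veth pair, because probing from the SUT itself goes over the loopback path and never meets the firewall. Which firewalld rule actually opens a forwarded port depends on the firewalld version and zone layout; the runtime `--add-port` used in step 3 is the assumed example rule. Only os-autoinst testapi calls (assert_script_run, script_run, record_info, get_required_var, select_console) are used.

```perl
# Added example (not the project's module): effect-based firewall test that is
# the same for docker and podman and never inspects iptables/nftables rules.
use base 'consoletest';
use strict;
use warnings;
use testapi;

# Emulated "external host": a netns reached through a veth pair. The host end of
# the pair is left unbound on purpose, so firewalld treats it like an uplink and
# applies the default zone to it. Addresses, port and images are assumptions.
my $ns      = 'fwprobe';
my $host_ip = '10.99.0.1';    # host end of the veth pair (assumed)
my $peer_ip = '10.99.0.2';    # prober end inside the namespace (assumed)
my $port    = 8080;           # published host port (assumed)
my $image   = 'registry.opensuse.org/opensuse/tumbleweed';    # assumed to ship curl
my $web     = 'docker.io/library/nginx';                      # assumed web server image

sub setup_prober {
    assert_script_run("ip netns add $ns");
    assert_script_run("ip link add veth-$ns type veth peer name veth-peer");
    assert_script_run("ip link set veth-peer netns $ns");
    assert_script_run("ip addr add $host_ip/24 dev veth-$ns");
    assert_script_run("ip link set veth-$ns up");
    assert_script_run("ip netns exec $ns ip addr add $peer_ip/24 dev veth-peer");
    assert_script_run("ip netns exec $ns ip link set veth-peer up");
}

# True when the prober gets an HTTP answer through the published port.
# A rejected connection (curl exit 7) and a silently dropped one (curl exit 28)
# are both simply "not reachable": we assert on the effect, not on the rule.
sub port_reachable {
    my ($ip, $p) = @_;
    my $rc = script_run("ip netns exec $ns curl -sf --connect-timeout 5 -o /dev/null http://$ip:$p/");
    return defined($rc) && $rc == 0;
}

sub run {
    my ($self) = @_;
    select_console 'root-console';
    my $engine = get_required_var('CONTAINER_RUNTIMES');    # 'docker' or 'podman' (assumed)
    assert_script_run('firewall-cmd --state', fail_message => 'firewalld is not running');
    setup_prober();

    # 1. Outbound: a container reaches the external network while the firewall is up.
    assert_script_run("$engine run --rm $image curl -sf -o /dev/null https://www.opensuse.org",
        timeout => 120, fail_message => "no outbound connectivity from a $engine container");

    # 2. A published port is not reachable from outside by default.
    assert_script_run("$engine run -d --name fw-web -p $port:80 $web", timeout => 300);
    die "published port $port is reachable without any firewalld allow rule"
      if port_reachable($host_ip, $port);

    # 3. After an allow rule the same port is reachable. The exact rule that opens
    # a forwarded port depends on the firewalld version and zone layout of the
    # SUT; the runtime --add-port below is the assumed example.
    assert_script_run("firewall-cmd --add-port=$port/tcp");
    die "published port $port is still unreachable after the firewalld allow rule"
      unless port_reachable($host_ip, $port);
    record_info('firewall', "$engine: outbound ok, port $port blocked by default, open after allow rule");
}

# Undo everything so the next module starts from a clean host.
sub cleanup {
    my $engine = get_required_var('CONTAINER_RUNTIMES');
    script_run("firewall-cmd --remove-port=$port/tcp");
    script_run("$engine rm -f fw-web");
    script_run("ip netns del $ns");    # deleting the netns also removes both veth ends
}

sub post_run_hook  { cleanup() }
sub post_fail_hook { cleanup() }

1;
```

The module makes no assumption about the backend: if docker or podman ever changes how it programs iptables or nftables, steps 1 to 3 still answer the only questions the ticket cares about. The one thing the prober cannot stand in for is traffic arriving on the real uplink interface, which may sit in a non-default zone on the SUT.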
#1

Updated by ph03nix 10 months ago

Note that check_containers_connectivity probably already fulfills most of our needed checks. We perhaps should see if we can use and/or extend this function for the firewall test.

#2

Updated by ph03nix 10 months ago

  • Tags set to refactoring
  • Subject changed from Merge docker_firewall and podman_firewall to [refactoring] Merge docker_firewall and podman_firewall
#3

Updated by ph03nix 10 months ago

  • Priority changed from Normal to High
#4

Updated by rbranco 10 months ago

  • Status changed from Workable to In Progress
#5

Updated by rbranco 10 months ago

  • Assignee set to rbranco
#6

Updated by rbranco 10 months ago

  • Status changed from In Progress to Resolved
#7

Updated by ph03nix 10 months ago

  • Status changed from Resolved to In Progress

Sorry Ricardo, this ticket is not yet done. Acceptance criterion 2 is not yet fulfilled: "Get rid of all backend assumptions, i.e. remove the iptables function calls"

The aim was to get rid of the test separation between docker and podman as a whole (if possible).

And yes, check_containers_connectivity looks like it can do most of the checks that we need.

#8

Updated by rbranco 10 months ago · Edited

ph03nix wrote in #note-7:

Sorry Ricardo, this ticket is not yet done. Acceptance criterion 2 is not yet fulfilled: "Get rid of all backend assumptions, i.e. remove the iptables function calls"

The iptables calls do not modify anything. They're only listing rules and stuff that should be there. They're absolutely needed here.

Getting rid of all backend assumptions is not easy because podman doesn't create rules like Docker.

#9

Updated by rbranco 10 months ago

  • Status changed from In Progress to Feedback
#10

Updated by rbranco 10 months ago

  • Status changed from Feedback to Resolved
#11

Updated by ph03nix about 2 months ago

  • Tags changed from refactoring to containers