action #94132
Test running container networking with firewall (closed)
Description
In the container tests we only exercise containers with the firewall disabled.
QE shall have at least one test that checks container functionality with the firewall running, to avoid this kind of problem.
At least, this use case should be covered:
1) Enable firewall
2) Install docker/podman
3) Create containers
4) Ping/netcat host and outside world from the container
In some cases this works out of the box, but in my experience the firewall might need to be restarted.
We should also check the iptables rules that are created when the docker service is started. For example, I have seen warning messages like these in the firewall log:
> Jun 16 11:56:25 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
The test should also double-check that the iptables rules and forwarding are correct.
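The scenario from the description (enable firewall, install the engine, create a container, ping/netcat the host and the outside world, then inspect the ruleset and the firewalld log), as an added bash example written for this page. It is not the openQA test code in docker.pm, podman.pm or containers::utils::check_docker_firewall(). It assumes a SLE/openSUSE host with zypper, docker and firewalld; the image name, target hosts and ports are illustrative, and the iptables-save output and firewalld log lines embedded in it are constructed, not real captures.

```bash
#!/usr/bin/env bash
# Added example for this ticket, not the openQA test code (docker.pm,
# podman.pm, containers::utils::check_docker_firewall). Steps 1-4 of the
# description run live as root; the resulting ruleset and firewalld log can
# then be checked offline. Image, ports and target hosts are assumptions.
set -u

run_live_scenario() {
    local host_ip
    systemctl enable --now firewalld                  # 1) enable firewall
    zypper --non-interactive install docker           # 2) install engine
    systemctl enable --now docker
    # Reload firewalld first, then restart docker, so the DOCKER* chains are
    # recreated on top of the live ruleset instead of being flushed by it.
    firewall-cmd --reload
    systemctl restart docker
    host_ip=$(ip -4 -o addr show docker0 | awk '{print $4}' | cut -d/ -f1)
    # 3) create a container (assumed image; zypper used to add ping and nc)
    docker run -d --name fwtest registry.suse.com/bci/bci-base:latest sleep infinity
    docker exec fwtest zypper --non-interactive install iputils netcat-openbsd
    # 4) ping/netcat the host (bridge address) and the outside world
    docker exec fwtest ping -c 3 -W 2 "$host_ip"
    docker exec fwtest nc -z -w 3 "$host_ip" 22
    docker exec fwtest ping -c 3 -W 2 9.9.9.9
    docker exec fwtest nc -z -w 3 download.opensuse.org 443
    # keep the state for the offline checks below
    iptables-save > /tmp/rules.txt
    journalctl -u firewalld --since today --no-pager > /tmp/firewalld.log
}

# Offline check: read iptables-save output on stdin; exit 0 only when every
# chain docker creates exists in the right table, FORWARD hands traffic to
# DOCKER-USER and DOCKER-ISOLATION-STAGE-1, and nat POSTROUTING masquerades.
check_docker_chains() {
    awk '
        /^\*/          { table = substr($0, 2); next }
        /^:/           { split($1, c, ":"); chains[table "/" c[2]] = 1; next }
        /^-A FORWARD / { for (i = 1; i <= NF; i++) if ($i == "-j") jumps[$(i + 1)] = 1 }
        /^-A POSTROUTING / && /MASQUERADE/ { masq = 1 }
        END {
            need["filter/DOCKER"] = 1; need["filter/DOCKER-USER"] = 1
            need["filter/DOCKER-ISOLATION-STAGE-1"] = 1
            need["filter/DOCKER-ISOLATION-STAGE-2"] = 1; need["nat/DOCKER"] = 1
            for (k in need) if (!(k in chains)) { print "missing chain " k; bad = 1 }
            if (!("DOCKER-USER" in jumps)) { print "FORWARD never jumps to DOCKER-USER"; bad = 1 }
            if (!("DOCKER-ISOLATION-STAGE-1" in jumps)) { print "FORWARD never jumps to DOCKER-ISOLATION-STAGE-1"; bad = 1 }
            if (!masq) { print "no MASQUERADE rule in nat POSTROUTING"; bad = 1 }
            exit bad
        }'
}

# Offline check: read firewalld journal lines on stdin and print how many
# COMMAND_FAILED warnings tried to flush (-F) or delete (-X) a DOCKER* chain,
# like the ones quoted in the description.
count_docker_command_failures() {
    grep -cE "COMMAND_FAILED: .*iptables .* -[FX] DOCKER" || true
}

# Constructed sample inputs (not real captures): a docker 20.x style ruleset
# and firewalld warnings modelled on the ones quoted above.
SAMPLE_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
EOF
)
SAMPLE_JOURNAL=$(cat <<'EOF'
Jun 16 11:56:25 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F LIBVIRT_INP' failed: iptables: No chain/target/match by that name.
EOF
)

# "live" runs steps 1-4 on the host; "check" verifies captured files.
case "${1:-}" in
    live)  run_live_scenario ;;
    check) check_docker_chains < "${2:-/tmp/rules.txt}"
           printf 'DOCKER chain COMMAND_FAILED warnings: %s\n' \
               "$(count_docker_command_failures < "${3:-/tmp/firewalld.log}")" ;;
esac
```

Run `./container_firewall.sh live` once as root, then `./container_firewall.sh check` (optionally with paths to a saved ruleset and log). The two offline functions are the part worth lifting into a test module: a missing DOCKER-USER chain or a FORWARD chain that no longer jumps into docker's chains is exactly the state left behind when firewalld wipes the ruleset after docker has written it, and a non-zero count of COMMAND_FAILED warnings on DOCKER* chains tells you the two services raced on the same chains.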
Updated by jlausuch over 3 years ago
- Related to action #87805: Investigate security test cases for automation added
Updated by ph03nix about 3 years ago
- Status changed from Workable to In Progress
- Assignee set to ph03nix
Updated by jlausuch about 3 years ago
Just for the record, this is a host test that should apply only to maintenance jobs (or 15-SP4 under development).
It could be part of docker.pm and podman.pm, or a new module container_firewall.pm, or whatever suits best.
Updated by ph03nix about 3 years ago
- Status changed from In Progress to Workable
- Assignee deleted (ph03nix)
I unassign myself, got caught up in other tasks and cannot do this at the moment.
Updated by pdostal about 3 years ago
- Status changed from Workable to In Progress
- Assignee set to pdostal
Updated by pdostal about 3 years ago
We are apparently already doing this in docker.pm via containers::utils::check_docker_firewall() - see the openqa job https://openqa.suse.de/tests/7635224#step/docker/109. I'm going to do the same for podman.pm.
Updated by jlausuch about 3 years ago
pdostal wrote:
> We are apparently already doing this in docker.pm via containers::utils::check_docker_firewall() - see the openqa job (https://openqa.suse.de/tests/7635224#step/docker/109). I'm going to do the same for podman.pm.
perfect!
Updated by pdostal about 3 years ago
The pull request has been reverted as it breaks MicroOS.
I'm working on pr#13758.
Updated by pdostal about 3 years ago
- Status changed from In Progress to Resolved