action #94132

closed

Test running container networking with firewall

Added by jlausuch about 3 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 2021-06-17
Due date:
% Done: 0%
Estimated time:

Description

In container tests we are only testing containers with the firewall disabled.

QE shall have at least 1 test that checks the functionality of containers with the firewall running, to avoid this kind of problem.

At least, this use case should be covered:
1) Enable firewall
2) Install docker/podman
3) Create containers
4) Ping/netcat host and outside world from the container

In some cases this works out of the box, but in my experience the firewall might need to be restarted.

We should also check the iptables rules that are created when starting the docker service. For example, I have seen warning messages like these in the firewall log:

> Jun 16 11:56:25 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
> Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

The test should also double-check that the iptables rules/forwarding are correct.
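One way to put the four steps above and the iptables/firewalld checks into a single script, as an added example that is not part of this ticket or of the openQA test suite. It assumes `firewall-cmd`, `systemctl`, `docker`, `iptables` and `journalctl` on the host, a container image that provides `ping`, `ip` and an `nc` accepting `-z -w` (busybox is enough), and two placeholder variables, `CONTAINER_IMAGE` and `EXTERNAL_HOST`. The chain names come from the firewalld warnings quoted above; `DOCKER-USER` is added as an assumption. The sample log and `iptables -S` dump are constructed, not captured from a real host, so the offline checks run without docker:

```shell
#!/bin/sh
# Added example, not from the ticket or from the openQA test suite.
# Sketches the requested test: firewalld running, docker started, container
# reaches the host and the outside world, then the firewalld journal and the
# iptables ruleset are checked for the symptoms quoted in the ticket.
# Assumptions: firewall-cmd/systemctl/docker/iptables/journalctl are present,
# the image provides ping, ip and nc, and EXTERNAL_HOST is a reachable host.

CONTAINER_IMAGE="${CONTAINER_IMAGE:-alpine}"            # assumed image
EXTERNAL_HOST="${EXTERNAL_HOST:-download.opensuse.org}" # assumed reachable host

# Chains docker is expected to create in the filter table (names taken from
# the firewalld warnings in the ticket; DOCKER-USER is an assumption).
EXPECTED_FILTER_CHAINS="DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 DOCKER-USER"

# Count firewalld COMMAND_FAILED warnings about DOCKER* chains in a log file.
# These appear when firewalld flushes/deletes chains that do not exist.
count_failed_docker_cleanups() {
    grep -cE "COMMAND_FAILED: .*iptables .* -t (nat|filter) -[FX] DOCKER" "$1" || true
}

# Print the expected chains absent from an `iptables -S` dump (empty = all present).
missing_docker_chains() {
    for chain in $EXPECTED_FILTER_CHAINS; do
        grep -qxF -- "-N $chain" "$1" || printf '%s\n' "$chain"
    done
}

# Print the FORWARD policy from an `iptables -S` dump ("DROP" once docker runs).
forward_policy() {
    sed -n 's/^-P FORWARD //p' "$1"
}

# The live part of the test; requires root and the docker package installed.
container_connectivity_test() {
    systemctl enable --now firewalld
    firewall-cmd --state || return 1
    # Start docker after firewalld so its chains are (re)created on top of
    # the firewall's ruleset.
    systemctl restart docker
    # Reach the host via the container's default gateway (the docker bridge).
    docker run --rm "$CONTAINER_IMAGE" sh -c \
        'gw=$(ip route | awk "/^default/ {print \$3}") && ping -c 2 "$gw"' || return 1
    # Reach the outside world: ICMP and a TCP connect via netcat.
    docker run --rm "$CONTAINER_IMAGE" ping -c 2 "$EXTERNAL_HOST" || return 1
    docker run --rm "$CONTAINER_IMAGE" nc -z -w 5 "$EXTERNAL_HOST" 443 || return 1
    # Collect evidence and run the offline checks on it.
    log=$(mktemp); rules=$(mktemp)
    journalctl -u firewalld --since "-10min" > "$log"
    iptables -S > "$rules"
    echo "failed DOCKER chain cleanups in firewalld log: $(count_failed_docker_cleanups "$log")"
    missing=$(missing_docker_chains "$rules")
    [ -z "$missing" ] || { echo "missing chains: $missing"; return 1; }
    echo "FORWARD policy: $(forward_policy "$rules")"
}

# Constructed sample evidence (not captured from a real host): two of the
# ticket's warnings, one unrelated line, and a dump that lacks DOCKER-USER.
write_sample_evidence() {  # $1 = log path, $2 = rules path
    cat > "$1" <<'EOF'
Jun 16 11:56:25 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
Jun 16 11:56:26 localhost firewalld[4824]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jun 16 11:56:27 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
EOF
    cat > "$2" <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
EOF
}

# Offline checks on the constructed evidence by default; `sh script.sh live`
# runs the real container test.
if [ "${1:-}" = "live" ]; then
    container_connectivity_test
else
    slog=$(mktemp); srules=$(mktemp)
    write_sample_evidence "$slog" "$srules"
    echo "failed cleanups: $(count_failed_docker_cleanups "$slog")"
    echo "missing chains: $(missing_docker_chains "$srules" | tr '\n' ' ')"
    echo "FORWARD policy: $(forward_policy "$srules")"
fi
```

The offline checks are split out on purpose: the same functions can be pointed at a journal and an `iptables -S` dump uploaded from a failed openQA job, so a missing chain or a `FORWARD ACCEPT` policy is visible without re-running the test. Starting docker after firewalld is the order in which the chains survive; the ticket's observation that the firewall sometimes needs a restart is what the cleanup-warning count is meant to surface.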


Related issues: 1 (0 open, 1 closed)

Related to Containers - action #87805: Investigate security test cases for automation (Rejected, rbranco, 2021-01-15)
