tests: add netns to testing framework
This commit is contained in:
parent
25adce29e5
commit
8783f38fba
|
@ -9,6 +9,12 @@ def assert_matches(cmd, regexp):
|
||||||
raise Exception(f"Pattern '{regexp}' not found in '{out}'")
|
raise Exception(f"Pattern '{regexp}' not found in '{out}'")
|
||||||
|
|
||||||
|
|
||||||
|
def assert_matches_exactly(cmd, regexp):
|
||||||
|
out = succeed(cmd)
|
||||||
|
if not re.fullmatch(regexp, out):
|
||||||
|
raise Exception(f"Pattern '{regexp}' doesn't match '{out}'")
|
||||||
|
|
||||||
|
|
||||||
def log_has_string(unit, str):
|
def log_has_string(unit, str):
|
||||||
return f"journalctl -b --output=cat -u {unit} --grep='{str}'"
|
return f"journalctl -b --output=cat -u {unit} --grep='{str}'"
|
||||||
|
|
||||||
|
@ -27,6 +33,18 @@ def assert_running(unit):
|
||||||
if "is_interactive" in vars():
|
if "is_interactive" in vars():
|
||||||
raise Exception()
|
raise Exception()
|
||||||
|
|
||||||
|
# netns IP addresses
|
||||||
|
bitcoind_ip = "169.254.1.12"
|
||||||
|
clightning_ip = "169.254.1.13"
|
||||||
|
lnd_ip = "169.254.1.14"
|
||||||
|
liquidd_ip = "169.254.1.15"
|
||||||
|
electrs_ip = "169.254.1.16"
|
||||||
|
sparkwallet_ip = "169.254.1.17"
|
||||||
|
lightningcharge_ip = "169.254.1.18"
|
||||||
|
nanopos_ip = "169.254.1.19"
|
||||||
|
recurringdonations_ip = "169.254.1.20"
|
||||||
|
nginx_ip = "169.254.1.21"
|
||||||
|
|
||||||
### Tests
|
### Tests
|
||||||
|
|
||||||
assert_running("setup-secrets")
|
assert_running("setup-secrets")
|
||||||
|
@ -38,13 +56,15 @@ machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
||||||
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
||||||
|
|
||||||
assert_running("electrs")
|
assert_running("electrs")
|
||||||
machine.wait_for_open_port(4224) # prometeus metrics provider
|
machine.wait_until_succeeds(
|
||||||
|
"ip netns exec nb-electrs nc -z localhost 4224"
|
||||||
|
) # prometeus metrics provider
|
||||||
# Check RPC connection to bitcoind
|
# Check RPC connection to bitcoind
|
||||||
machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo"))
|
machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo"))
|
||||||
assert_running("nginx")
|
assert_running("nginx")
|
||||||
# SSL stratum server via nginx. Only check for open port, no content is served here
|
# SSL stratum server via nginx. Only check for open port, no content is served here
|
||||||
# as electrs isn't ready.
|
# as electrs isn't ready.
|
||||||
machine.wait_for_open_port(50003)
|
machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 50003")
|
||||||
# Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
|
# Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
|
||||||
succeed("systemctl stop electrs")
|
succeed("systemctl stop electrs")
|
||||||
|
|
||||||
|
@ -58,17 +78,23 @@ assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')
|
||||||
|
|
||||||
assert_running("spark-wallet")
|
assert_running("spark-wallet")
|
||||||
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
||||||
machine.wait_for_open_port(9737)
|
machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip)
|
||||||
assert_matches(f"curl -s {spark_auth}@localhost:9737", "Spark")
|
assert_matches(
|
||||||
|
f"ip netns exec nb-spark-wallet curl -s {spark_auth}@%s:9737" % sparkwallet_ip, "Spark"
|
||||||
|
)
|
||||||
|
|
||||||
assert_running("lightning-charge")
|
assert_running("lightning-charge")
|
||||||
charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1]
|
charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1]
|
||||||
machine.wait_for_open_port(9112)
|
machine.wait_until_succeeds("ip netns exec nb-nanopos nc -z %s 9112" % lightningcharge_ip)
|
||||||
assert_matches(f"curl -s api-token:{charge_auth}@localhost:9112/info | jq", '"id"')
|
assert_matches(
|
||||||
|
f"ip netns exec nb-nanopos curl -s api-token:{charge_auth}@%s:9112/info | jq"
|
||||||
|
% lightningcharge_ip,
|
||||||
|
'"id"',
|
||||||
|
)
|
||||||
|
|
||||||
assert_running("nanopos")
|
assert_running("nanopos")
|
||||||
machine.wait_for_open_port(9116)
|
machine.wait_until_succeeds("ip netns exec nb-lightning-charge nc -z %s 9116" % nanopos_ip)
|
||||||
assert_matches("curl localhost:9116", "tshirt")
|
assert_matches("ip netns exec nb-lightning-charge curl %s:9116" % nanopos_ip, "tshirt")
|
||||||
|
|
||||||
assert_running("onion-chef")
|
assert_running("onion-chef")
|
||||||
|
|
||||||
|
@ -76,13 +102,55 @@ assert_running("onion-chef")
|
||||||
# to incomplete unit dependencies.
|
# to incomplete unit dependencies.
|
||||||
# 'create-web-index' implicitly tests 'nodeinfo'.
|
# 'create-web-index' implicitly tests 'nodeinfo'.
|
||||||
machine.wait_for_unit("create-web-index")
|
machine.wait_for_unit("create-web-index")
|
||||||
machine.wait_for_open_port(80)
|
machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 80")
|
||||||
assert_matches("curl localhost", "nix-bitcoin")
|
assert_matches("ip netns exec nb-nginx curl localhost", "nix-bitcoin")
|
||||||
assert_matches("curl -L localhost/store", "tshirt")
|
assert_matches("ip netns exec nb-nginx curl -L localhost/store", "tshirt")
|
||||||
|
|
||||||
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
||||||
assert_no_failure("bitcoind-import-banlist")
|
assert_no_failure("bitcoind-import-banlist")
|
||||||
|
|
||||||
|
### Security tests
|
||||||
|
|
||||||
|
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
|
||||||
|
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
|
||||||
|
|
||||||
|
# Positive ping tests (non-exhaustive)
|
||||||
|
machine.succeed(
|
||||||
|
"%s %s &&" % (ping_bitcoind, bitcoind_ip)
|
||||||
|
+ "%s %s &&" % (ping_bitcoind, clightning_ip)
|
||||||
|
+ "%s %s &&" % (ping_bitcoind, liquidd_ip)
|
||||||
|
+ "%s %s &&" % (ping_nanopos, lightningcharge_ip)
|
||||||
|
+ "%s %s &&" % (ping_nanopos, nanopos_ip)
|
||||||
|
+ "%s %s" % (ping_nanopos, nginx_ip)
|
||||||
|
)
|
||||||
|
|
||||||
|
# Negative ping tests (non-exhaustive)
|
||||||
|
machine.fail(
|
||||||
|
"%s %s ||" % (ping_bitcoind, sparkwallet_ip)
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, lightningcharge_ip)
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, nanopos_ip)
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, recurringdonations_ip)
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, nginx_ip)
|
||||||
|
+ "%s %s ||" % (ping_nanopos, bitcoind_ip)
|
||||||
|
+ "%s %s ||" % (ping_nanopos, clightning_ip)
|
||||||
|
+ "%s %s ||" % (ping_nanopos, lnd_ip)
|
||||||
|
+ "%s %s ||" % (ping_nanopos, liquidd_ip)
|
||||||
|
+ "%s %s ||" % (ping_nanopos, electrs_ip)
|
||||||
|
+ "%s %s ||" % (ping_nanopos, sparkwallet_ip)
|
||||||
|
+ "%s %s" % (ping_nanopos, recurringdonations_ip)
|
||||||
|
)
|
||||||
|
|
||||||
|
# test that netns-exec can't be run for unauthorized namespace
|
||||||
|
machine.fail("netns-exec nb-electrs ip a")
|
||||||
|
|
||||||
|
# test that netns-exec drops capabilities
|
||||||
|
assert_matches_exactly(
|
||||||
|
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
# test that netns-exec can not be executed by users that are not operator
|
||||||
|
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
|
||||||
|
|
||||||
### Additional tests
|
### Additional tests
|
||||||
|
|
||||||
# Current time in µs
|
# Current time in µs
|
||||||
|
|
|
@ -16,6 +16,8 @@ import ./make-test.nix rec {
|
||||||
# hardened
|
# hardened
|
||||||
];
|
];
|
||||||
|
|
||||||
|
nix-bitcoin.netns-isolation.enable = mkForce true;
|
||||||
|
|
||||||
services.bitcoind.extraConfig = mkForce "connect=0";
|
services.bitcoind.extraConfig = mkForce "connect=0";
|
||||||
|
|
||||||
services.clightning.enable = true;
|
services.clightning.enable = true;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user