def test_create_newnet_child(self):
    """Tests configuring veth pair (child)"""
    # Event is patched by the fixture; this is the instance the code under
    # test will see.
    event_inst = multiprocessing.synchronize.Event.return_value
    args = ('foo1234', '192.168.0.100', '192.168.254.254', '10.0.0.1')

    newnet.create_newnet(*args)

    # Child side: it waits on the event, moves the veth into the target
    # netns (7777 is presumably the pid supplied by a patched helper —
    # confirm against the fixture) and exits with status 0.
    self.assertTrue(event_inst.wait.called)
    treadmill.netdev.link_set_netns.assert_called_with('foo1234', 7777)
    treadmill.utils.sys_exit.assert_called_with(0)
def test_create_newnet_parent(self):
    """Tests configuring unshared network (parent)"""
    # Access protected _configure_veth
    # pylint: disable=W0212
    event_inst = multiprocessing.synchronize.Event.return_value
    args = ('foo1234', '192.168.0.100', '192.168.254.254', '10.0.0.1')

    newnet.create_newnet(*args)

    # Parent side: unshares the network namespace, signals the child,
    # reaps it (1234 is presumably the pid returned by a patched fork —
    # confirm against the fixture) and configures the veth with the
    # arguments it was given.
    unshare_mod = treadmill.syscall.unshare
    unshare_mod.unshare.assert_called_with(unshare_mod.CLONE_NEWNET)
    self.assertTrue(event_inst.set.called)
    os.waitpid.assert_called_with(1234, 0)
    treadmill.newnet._configure_veth.assert_called_with(*args)
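def _add_ephemeral_dnat_rules(tm_env, app, unique_name, proto, ports):
    """Create DNAT rules and infra-set entries for one protocol's ephemeral ports.

    Helper for ``_unshare_network``: for every port in ``ports`` a DNAT rule
    ``external_ip:port -> vip:port`` is registered under ``unique_name`` and
    the ``vip,proto:port`` entry is added to the infra service set.

    :param tm_env: Treadmill application environment (``tm_env.rules`` is used).
    :param app: app manifest; ``app.network.external_ip`` and ``app.network.vip``
        are read.
    :param unique_name: owner recorded on each created rule.
    :param proto: ``'tcp'`` or ``'udp'``; used for both the rule and the set entry.
    :param ports: iterable of ephemeral port numbers.
    """
    for port in ports:
        _LOGGER.info('Creating ephemeral DNAT rule: %s:%s -> %s:%s',
                     app.network.external_ip, port,
                     app.network.vip, port)
        dnatrule = firewall.DNATRule(proto=proto,
                                     dst_ip=app.network.external_ip,
                                     dst_port=port,
                                     new_ip=app.network.vip,
                                     new_port=port)
        tm_env.rules.create_rule(chain=iptables.PREROUTING_DNAT,
                                 rule=dnatrule,
                                 owner=unique_name)
        # Treat ephemeral ports as infra, consistent with current prodperim
        # behavior.
        iptables.add_ip_set(
            iptables.SET_INFRA_SVC,
            '{ip},{proto}:{port}'.format(ip=app.network.vip,
                                         proto=proto,
                                         port=port)
        )


def _unshare_network(tm_env, container_dir, app):
    """Configures private app network.

    Runs on the host network first: DNAT/SNAT rules for every endpoint,
    DNAT rules for ephemeral ports, passthrough rules, and the firewall
    plugin's exception rules are all registered under the app's unique name.
    Only then is the network namespace unshared and the veth created.

    :param ``appenv.AppEnvironment`` tm_env: Treadmill application environment
    :param container_dir: container root, handed to the firewall plugin.
    :param app: app manifest (``network``, ``endpoints``, ``ephemeral_ports``,
        ``vring``, ``passthrough`` and ``shared_ip`` are read).
    """
    unique_name = appcfg.app_unique_name(app)

    # Configure DNAT rules while on host network.
    for endpoint in app.endpoints:
        _LOGGER.info('Creating DNAT rule: %s:%s -> %s:%s',
                     app.network.external_ip, endpoint.real_port,
                     app.network.vip, endpoint.port)
        dnatrule = firewall.DNATRule(proto=endpoint.proto,
                                     dst_ip=app.network.external_ip,
                                     dst_port=endpoint.real_port,
                                     new_ip=app.network.vip,
                                     new_port=endpoint.port)
        snatrule = firewall.SNATRule(proto=endpoint.proto,
                                     src_ip=app.network.vip,
                                     src_port=endpoint.port,
                                     new_ip=app.network.external_ip,
                                     new_port=endpoint.real_port)
        tm_env.rules.create_rule(chain=iptables.PREROUTING_DNAT,
                                 rule=dnatrule,
                                 owner=unique_name)
        tm_env.rules.create_rule(chain=iptables.POSTROUTING_SNAT,
                                 rule=snatrule,
                                 owner=unique_name)

        # See if this container requires vring service.
        # NOTE(review): this runs once per endpoint (and not at all for an
        # app with no endpoints); add_ip_set is presumed idempotent — confirm.
        if app.vring:
            _LOGGER.debug('adding %r to VRing set', app.network.vip)
            iptables.add_ip_set(
                iptables.SET_VRING_CONTAINERS,
                app.network.vip
            )

        # See if this was an "infra" endpoint and if so add it to the whitelist
        # set.
        if getattr(endpoint, 'type', None) == 'infra':
            _LOGGER.debug('adding %s:%s to infra services set',
                          app.network.vip, endpoint.port)
            iptables.add_ip_set(
                iptables.SET_INFRA_SVC,
                '{ip},{proto}:{port}'.format(
                    ip=app.network.vip,
                    proto=endpoint.proto,
                    port=endpoint.port,
                )
            )

    # TCP first, then UDP — same order as before the loops were factored out.
    _add_ephemeral_dnat_rules(tm_env, app, unique_name, 'tcp',
                              app.ephemeral_ports.tcp)
    _add_ephemeral_dnat_rules(tm_env, app, unique_name, 'udp',
                              app.ephemeral_ports.udp)

    # configure passthrough while on main network.
    if getattr(app, 'passthrough', None):
        _LOGGER.info('adding passthrough for: %r', app.passthrough)
        # Resolve all the hosts (+dedup). gethostbyname returns a single
        # IPv4 address per name, resolved once at container start: a host
        # with several A records contributes only one passthrough rule.
        new_ips = {
            socket.gethostbyname(host)
            for host in app.passthrough
        }

        # Create a passthrough rule from each of the source IP to the
        # container IP and record these source IP in a set.
        for ipaddr in new_ips:
            passthroughrule = firewall.PassThroughRule(
                src_ip=ipaddr,
                dst_ip=app.network.vip,
            )
            tm_env.rules.create_rule(chain=iptables.PREROUTING_PASSTHROUGH,
                                     rule=passthroughrule,
                                     owner=unique_name)

    # configure exception filter rules
    try:
        firewall_plugin = plugin_manager.load(
            'treadmill.firewall.plugins', 'firewall'
        )
        firewall_plugin.apply_exception_rules(tm_env, container_dir, app)
    except Exception:  # pylint: disable=W0703
        # Best-effort on purpose: a broken plugin must not block the container
        # start. NOTE(review): the container then runs without its exception
        # rules — confirm that is the intended failure mode.
        _LOGGER.exception(
            'Error in firewall plugin, skip applying firewall exception rules.'
        )

    # With shared_ip the container keeps the host's external IP as its
    # service address; otherwise only the vip is configured.
    service_ip = app.network.external_ip if app.shared_ip else None

    # Unshare network and create virtual device
    newnet.create_newnet(app.network.veth,
                         app.network.vip,
                         app.network.gateway,
                         service_ip)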