mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-22 09:58:09 +00:00
Code Issues Releases Wiki Activity
criu/test/zdtm/static/netns_lock_iptables.hook

157 lines
4.5 KiB
Plaintext
Raw Normal View History

zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
#!/usr/bin/env python
import subprocess
import socket
import sys
import os
from ctypes import CDLL
libc = CDLL('libc.so.6')
SO_MARK = 36 # Define socket option for python2 compatibility
SOCCR_MARK = 0xC114
CLONE_NEWNET = 0x40000000
PORT = 8880
NETNS = "criu-net-lock-test"
TIMEOUT = 0.1
test/ci: sync netns_lock test and its --post-start hook The --post-start hook creates a netns which the test should enter at the beginning of the test. The test randomly failed in CI tests, it is most likely caused by a race condition. I suspect this flow is root cause: 1. --post-start hook starts just after the test (in parallel) 2. --post-start hook calls ip netns add to create the test netns 3. ip creates the netns file 4. netns_lock test opens that file and uses it in setns 5. ip mounts the netns to the file Of course test fails at step 4 because the netns is not yet mounted to the file. I made the test wait for SYNCFILE to be created by the --post-start hook before it tries to open the netns file and call setns. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-06-30 18:59:54 +02:00
SYNCFILE = "zdtm/static/net_lock.sync"
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
def nsenter():
with open("/var/run/netns/{}".format(NETNS)) as f:
libc.setns(f.fileno(), CLONE_NEWNET)
test/ci: sync netns_lock test and its --post-start hook The --post-start hook creates a netns which the test should enter at the beginning of the test. The test randomly failed in CI tests, it is most likely caused by a race condition. I suspect this flow is root cause: 1. --post-start hook starts just after the test (in parallel) 2. --post-start hook calls ip netns add to create the test netns 3. ip creates the netns file 4. netns_lock test opens that file and uses it in setns 5. ip mounts the netns to the file Of course test fails at step 4 because the netns is not yet mounted to the file. I made the test wait for SYNCFILE to be created by the --post-start hook before it tries to open the netns file and call setns. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-06-30 18:59:54 +02:00
def create_sync_file():
open(SYNCFILE, "wb").close()
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
if sys.argv[1] == "--post-start":
# Add test netns
subprocess.Popen(["ip", "netns", "add", NETNS]).wait()
nsenter() # Enter test netns
subprocess.Popen(["ip", "link", "set", "up", "dev", "lo"]).wait()
Fix some codespell warnings Brought to you by codespell -w (using codespell v2.1.0). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2022-03-30 18:45:16 -07:00
# Lets test know that the netns is initialized successfully
test/ci: sync netns_lock test and its --post-start hook The --post-start hook creates a netns which the test should enter at the beginning of the test. The test randomly failed in CI tests, it is most likely caused by a race condition. I suspect this flow is root cause: 1. --post-start hook starts just after the test (in parallel) 2. --post-start hook calls ip netns add to create the test netns 3. ip creates the netns file 4. netns_lock test opens that file and uses it in setns 5. ip mounts the netns to the file Of course test fails at step 4 because the netns is not yet mounted to the file. I made the test wait for SYNCFILE to be created by the --post-start hook before it tries to open the netns file and call setns. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-06-30 18:59:54 +02:00
# by checking the access of SYNCFILE
create_sync_file()
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
# TCP server daemon
pid = os.fork()
if(pid == 0):
os.setsid() # Detach from parent
# Run server
srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
srv.bind(("127.0.0.1", PORT))
srv.listen(1)
test/jenkins: fix netns_lock test multiple iterations failure netns_lock is highly dependent on the order of the hooks, and iterations causes the --pre-dump hook to be called multiple times which expectedly caused the test to fail. The server loop accommodates for multiple iterations. https://ci.kernoops.org/job/CRIU/job/CRIU-iter/job/criu-dev/431/testReport/(root)/criu/zdtm_static_netns_lock/ Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-07-01 15:11:50 +02:00
# Loop allows zdtm multiple iterations to work (i.e. --iter 3)
while True:
# We should accept connections normally from
# pre-dump client, post-restore client and
# the pre-restore client using SOCCR_MARK
# The pre-restore client without SOCCR_MARK
# should fail with a timeout
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
test/jenkins: fix netns_lock test multiple iterations failure netns_lock is highly dependent on the order of the hooks, and iterations causes the --pre-dump hook to be called multiple times which expectedly caused the test to fail. The server loop accommodates for multiple iterations. https://ci.kernoops.org/job/CRIU/job/CRIU-iter/job/criu-dev/431/testReport/(root)/criu/zdtm_static_netns_lock/ Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-07-01 15:11:50 +02:00
# Accept pre-dump client
cln, addr = srv.accept()
cln.sendall(str.encode("--pre-dump"))
cln.close()
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
test/jenkins: fix netns_lock test multiple iterations failure netns_lock is highly dependent on the order of the hooks, and iterations causes the --pre-dump hook to be called multiple times which expectedly caused the test to fail. The server loop accommodates for multiple iterations. https://ci.kernoops.org/job/CRIU/job/CRIU-iter/job/criu-dev/431/testReport/(root)/criu/zdtm_static_netns_lock/ Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-07-01 15:11:50 +02:00
# Accept pre-restore client with SOCCR_MARK
srv.setsockopt(socket.SOL_SOCKET, SO_MARK, SOCCR_MARK)
cln, addr = srv.accept()
cln.sendall(str.encode("--pre-restore"))
cln.close()
srv.setsockopt(socket.SOL_SOCKET, SO_MARK, 0)
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
test/jenkins: fix netns_lock test multiple iterations failure netns_lock is highly dependent on the order of the hooks, and iterations causes the --pre-dump hook to be called multiple times which expectedly caused the test to fail. The server loop accommodates for multiple iterations. https://ci.kernoops.org/job/CRIU/job/CRIU-iter/job/criu-dev/431/testReport/(root)/criu/zdtm_static_netns_lock/ Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-07-01 15:11:50 +02:00
# Accept post-restore client
cln, addr = srv.accept()
cln.sendall(str.encode("--post-restore"))
cln.close()
# Server will be closed when zdtm sends SIGKILL
zdtm: add network namespace locking test When criu dumps a process in a network namespace it locks the network so that no packets from peer enters the stack, otherwise RST will be sent by a kernel causing the connection to fail. In netns_lock.c we try to enter the netns created by post-start hook so that criu locks the network namespace between dump and restore. A TCP server is started in post-start hook inside the test netns and runs in the background detached from its parent so that it stays alive for the duration of the test. Other hooks (pre-dump, pre-restore, post-restore) try to connect to the server. Pre-dump and post-restore hooks should be able to connect successfully. Pre-restore hook client with SOCCR_MARK should also connect successfully. Pre-restore hook client without SOCCR_MARK should not be able to connect but also should not get connection refused as all packets are dropped in the namespace so the kernel shouldn't send an RST packet as a result. Instead we check that the connect operation causes a timeout. This test would be useful when testing that the network is locked using different ways (using iptables currently and other methods later). v2: - check that packets with SOCCR_MARK are allowed to pass when the netns is locked. v3: - fix pre-restore hook skipping non SOCCR_MARK connection test due to early exit in SOCCR_MARK variant. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-04-29 21:18:58 +02:00
if sys.argv[1] == "--pre-dump":
# Network is not locked yet
# Client should be able to connect normally
nsenter() # Enter test netns
socket.setdefaulttimeout(TIMEOUT)
cln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
cln.connect(("127.0.0.1", PORT))
resp = cln.recv(100).decode()
if resp != sys.argv[1]:
print("Expected '{}', got '{}'".format(sys.argv[1], resp))
sys.exit(1)
except socket.timeout:
print("Timeout when trying to connect to server")
sys.exit(1)
else:
sys.exit(0)
finally:
cln.close()
if sys.argv[1] == "--pre-restore":
# Network should be locked now
# Only packets with SOCCR_MARK should be allowed
# Client should timeout when connecting without SOCCR_MARK
nsenter()
socket.setdefaulttimeout(TIMEOUT)
# SOCCR_MARK
try:
cln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
cln.setsockopt(socket.SOL_SOCKET, SO_MARK, SOCCR_MARK)
cln.connect(("localhost", PORT))
resp = cln.recv(100).decode()
if resp != sys.argv[1]:
print("Expected '{}', got '{}'".format(sys.argv[1], resp))
sys.exit(1)
except socket.timeout:
print("Timeout when trying to connect to server")
sys.exit(1)
finally:
cln.close()
# No SOCCR_MARK
try:
cln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
cln.connect(("localhost", PORT))
except socket.timeout:
sys.exit(0)
else:
print("Network should be locked, but client connected normally")
sys.exit(1)
finally:
cln.close()
if sys.argv[1] == "--post-restore":
# Network should be unlocked now
# Client should be able to connect normally
nsenter()
socket.setdefaulttimeout(TIMEOUT)
cln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
cln.connect(("localhost", PORT))
resp = cln.recv(100).decode()
if resp != sys.argv[1]:
print("Expected '{}', got '{}'".format(sys.argv[1], resp))
sys.exit(1)
except socket.timeout:
print("Timeout when trying to connect to server")
sys.exit(1)
else:
sys.exit(0)
finally:
cln.close()
if sys.argv[1] == "--clean":
# Delete test netns
subprocess.Popen(["ip", "netns", "delete", NETNS]).wait()
test/ci: sync netns_lock test and its --post-start hook The --post-start hook creates a netns which the test should enter at the beginning of the test. The test randomly failed in CI tests, it is most likely caused by a race condition. I suspect this flow is root cause: 1. --post-start hook starts just after the test (in parallel) 2. --post-start hook calls ip netns add to create the test netns 3. ip creates the netns file 4. netns_lock test opens that file and uses it in setns 5. ip mounts the netns to the file Of course test fails at step 4 because the netns is not yet mounted to the file. I made the test wait for SYNCFILE to be created by the --post-start hook before it tries to open the netns file and call setns. Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
2021-06-30 18:59:54 +02:00
# Delete sync file
os.remove(SYNCFILE)
Reference in New Issue Copy Permalink