Mingli-Yu
commented
2 months ago Open Mingli-Yu opened 2 months ago
Mingli-Yu
commented
2 months ago 
Luap99
commented
2 months ago Please provide all the detail of your environment, what distro? Which version of bats, firewalld, ncat, iptables, etc...
Luap99
commented
2 months ago sit0@NONE:
mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\ link/sit 0.0.0.0 brd 0.0.0.0
Looks like you are using the sit kernel module? If this device is automatically added to all network namespaces then this will break many test assumptions. I recommend to disable that if you want to run the tests.
Mingli-Yu
commented
2 months ago sit0@NONE: mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\ link/sit 0.0.0.0 brd 0.0.0.0
Looks like you are using the sit kernel module? If this device is automatically added to all network namespaces then this will break many test assumptions. I recommend to disable that if you want to run the tests.
Thanks very much for your respond!
BTW, do you mean netavark only works without CONFIG_IPV6_SIT or only the netavark tests works without CONFIG_IPV6_SIT?
We use an embedded Linux based on https://www.yoctoproject.org. And the related packages version as below:
bats-1.11.0-r0.core2_64
firewalld-1.3.2-r0.core2_64
/usr/bin/ncat
nmap-7.80-r0.core2_64
iptables-1.8.10-r0.core2_64
I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.
I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.
For the ncat maybe the 5 seconds is not enough in your env so maybe try giving it more here https://github.com/containers/netavark/blob/395ace5c6ee887eb5c6063f4fceb8fd7865cbd6c/test/helpers.bash#L647-L647
Mingli-Yu
commented
1 month ago I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.
For some reason, we can't disable CONFIG_IPV6_SIT as it built-in kernel, not via module. Could you help to provide the cases which are maybe affected by sit module?
I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.
Yes, we did not use firewalld, is there only options provided to skip the cases as I notice not any 200-bridge-firewalld.bats includes the test related to firewalld, but also 250-bridge-nftables.bats includes firewalld cases?
For the ncat maybe the 5 seconds is not enough in your env so maybe try giving it more here
After a simple search, it seems the timeout is hardcoded, is it possible to provide a option to configure timeout?
Thanks you very much!
Luap99
commented
1 month ago I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.
For some reason, we can't disable CONFIG_IPV6_SIT as it built-in kernel, not via module. Could you help to provide the cases which are maybe affected by sit module?
Sorry I don't have time to look into that, my only suggestion is to build the kernel without it to run the tests and see how the results differ.
I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.
Yes, we did not use firewalld, is there only options provided to skip the cases as I notice not any 200-bridge-firewalld.bats includes the test related to firewalld, but also 250-bridge-nftables.bats includes firewalld cases?
There are some special cases that need to check that the iptables and nftables integration works with the firewalld reload service. I think it is possible to move them into the firewalld file as well but not a priority.
For the ncat maybe the 5 seconds is not enough in your env so maybe try giving it more here https://github.com/containers/netavark/blob/395ace5c6ee887eb5c6063f4fceb8fd7865cbd6c/test/helpers.bash#L647-L647
After a simple search, it seems the timeout is hardcoded, is it possible to provide a option to configure timeout?
I would suggest to bump the timeout in our tests, none should have a need to configure this. If 5s is not enough everywhere we can increase it by default.
Mingli-Yu
commented
1 month ago I am talking about the tests only, but I am not familiar with CONFIG_IPV6_SIT so I wouldn't know for sure. The main issue here is that having a second interface besides lo will break the test assumptions as we make sure that netavark deleted the interfaces by simply counting all interfaces and we only expect lo to be there (at least for one of the linked failures above). I suggest you try to run them without the kernel module loaded.
For some reason, we can't disable CONFIG_IPV6_SIT as it built-in kernel, not via module. Could you help to provide the cases which are maybe affected by sit module?
Sorry I don't have time to look into that, my only suggestion is to build the kernel without it to run the tests and see how the results differ.
After disable CONFIG_IPV6_SIT, some of the above failed cases did pass, but only two of them as below. iptables - bridge teardown iptables - port range forwarding dual - udp
And could you help to confirm again, if the netavark only works with CONFIG_IPV6_SIT disabled. Or just the netavark tests need to disable CONFIG_IPV6_SIT. If just the tests need, maybe improving the tests to make the tests work with CONFIG_IPV6_SIT is helpful.
But there still some cases failed such as: ✗ iptables - internal network (in test file test/100-bridge-iptables.bats, line 22) `assert "$output" == "$before" "make sure tables have not changed"' failed nsenter -n -m -w -t 960 ip link set lo up nsenter -n -m -w -t 960 iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination nsenter -n -m -w -t 960 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.KS84Nc/config --file /usr/lib64/netavark/ptest/test {"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"7a:98:74:21:e2:7d","subnets":[{"gateway":"10.88.0.1","ipn} nsenter -n -m -w -t 960 iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination
pkts bytes target prot opt in out source destinationChain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination '
I have no idea about the firewall-cmd ones, timeout seems odd. If you do not use firewalld then I would suggest you just ignore/disable them.
Yes, we did not use firewalld, is there only options provided to skip the cases as I notice not any 200-bridge-firewalld.bats includes the test related to firewalld, but also 250-bridge-nftables.bats includes firewalld cases?
There are some special cases that need to check that the iptables and nftables integration works with the firewalld reload service. I think it is possible to move them into the firewalld file as well but not a priority.
Thanks your feedback! It's more helpful if move the firewalld related tests in one file and I sent a PR as https://github.com/containers/netavark/pull/994.
For the ncat maybe the 5 seconds is not enough in your env so maybe try giving it more here https://github.com/containers/netavark/blob/395ace5c6ee887eb5c6063f4fceb8fd7865cbd6c/test/helpers.bash#L647-L647
After a simple search, it seems the timeout is hardcoded, is it possible to provide a option to configure timeout?
I would suggest to bump the timeout in our tests, none should have a need to configure this. If 5s is not enough everywhere we can increase it by default.
After a quick search for https://github.com/containers/netavark/blob/395ace5c6ee887eb5c6063f4fceb8fd7865cbd6c/test/helpers.bash#L647-L647, do you mean change the hardcoded timeout value?
BTW, is it possible to print the test result into a file? That is to say, gather the output as below into a file. 100-bridge-iptables.bats ✓ check iptables driver is in use ✗ iptables - internal network (in test file test/100-bridge-iptables.bats, line 22) `assert "$output" == "$before" "make sure tables have not changed"' failed nsenter -n -m -w -t 10844 ip link set lo up nsenter -n -m -w -t 10844 iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination nsenter -n -m -w -t 10844 /usr/libexec/podman/netavark --rootless false --config /tmp/netavark_bats.PHBxtg/config --file /usr/lib64/netavark/ptest/tt {"podman":{"dns_search_domains":[],"dns_server_ips":[],"interfaces":{"eth0":{"mac_address":"4e:96:5c:d1:2e:eb","subnets":[{"gateway":"10.88.0.1","ipn} nsenter -n -m -w -t 10844 iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination
pkts bytes target prot opt in out source destinationChain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination '
[snip]
Thanks!