containers / qm

QM is a containerized environment for running Functional Safety qm (Quality Management) software
https://github.com/containers/qm
GNU General Public License v2.0

FFI: tests: CI/CD pipeline (tmt) - make sure QM partition cannot change network settings in the host #417

Closed dougsland closed 1 week ago

dougsland commented 4 months ago

Related to #408

Please note this issue is SIMILAR to but NOT equal to #370. Ticket 370 is about executing the sysctl inside a nested container environment, and this one is about executing the tests inside the QM partition. We need to test both scenarios to cover Risk Assessment cases.

Let's start with some bash kung-fu to generate random numbers to be used in the tests:

[root@localhost ~]# podman exec -it qm bash
bash-5.1#
bash-5.1# generate_random_number() {
    local min=$1
    local max=$2
    echo $((RANDOM % (max - min + 1) + min))
}

Execute these commands in the QM side (the numbers should keep changing randomly, as expected):

# sysctl -w net.ipv4.tcp_max_syn_backlog=$(generate_random_number 128 1024)

net.ipv4.tcp_max_syn_backlog = 219 <-- changed to 219 in the QM partition

# sysctl -w net.ipv4.tcp_max_syn_backlog=$(generate_random_number 128 1024)

net.ipv4.tcp_max_syn_backlog = 167 <-- changed to 167 in the QM partition

# sysctl -w net.ipv4.tcp_max_syn_backlog=$(generate_random_number 128 1024)

net.ipv4.tcp_max_syn_backlog = 812 <-- changed to 812 in the QM partition

In another window, keep executing the same command on the HOST to see if the value has changed (it should NOT change):

# sysctl net.ipv4.tcp_max_syn_backlog

net.ipv4.tcp_max_syn_backlog = 128 <-- kept 128 in the host

[root@localhost ~]# sysctl net.ipv4.tcp_max_syn_backlog

net.ipv4.tcp_max_syn_backlog = 128 <-- kept 128 in the host

[root@localhost ~]# sysctl net.ipv4.tcp_max_syn_backlog

net.ipv4.tcp_max_syn_backlog = 128 <-- kept 128 in the host

Done!

There is another way of double-checking this (as learned from @rhatdan): see if the namespace id for net is different between the HOST and QM (it should be different).

HOST

[root@localhost ~]# ls -l /proc/self/ns/net
lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026531840]'

QM

bash-5.1# ls -l /proc/self/ns/net
lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026532287]'
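
As an added example (not qm project code and not part of this issue), the two checks above, sysctl visibility and net namespace id comparison, written as a small bash script. Parsing is separated from collection so it can be exercised offline on constructed sample lines copied from the transcript; `collect_live` assumes `podman` and a running container named `qm`.

```bash
#!/usr/bin/env bash
# Added example (not qm project code): verify that a sysctl written inside the
# QM partition is invisible on the host and that the two sides are in different
# net namespaces. Parsing is separated from collection so it runs offline.
set -eu

KEY="net.ipv4.tcp_max_syn_backlog"

# Numeric value from a "key = value" sysctl line.
sysctl_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*= *\([0-9][0-9]*\).*/\1/p'
}

# Namespace inode from an `ls -l /proc/self/ns/net` line ('net:[4026531840]').
ns_id() {
    printf '%s\n' "$1" | sed -n 's/.*net:\[\([0-9]*\)\].*/\1/p'
}

# Returns 0 only if: host value unchanged across the QM write, the QM side
# actually shows the requested value, and the net namespace ids differ.
check_isolation() {
    local host_before="$1" qm_after="$2" host_after="$3" host_ns="$4" qm_ns="$5" requested="$6"
    [ "$(sysctl_value "$host_before")" = "$(sysctl_value "$host_after")" ] ||
        { echo "FAIL: host $KEY changed"; return 1; }
    [ "$(sysctl_value "$qm_after")" = "$requested" ] ||
        { echo "FAIL: QM write not applied"; return 1; }
    [ "$(ns_id "$host_ns")" != "$(ns_id "$qm_ns")" ] ||
        { echo "FAIL: host and QM share a net namespace"; return 1; }
    echo "PASS: host $KEY unchanged, net namespaces differ"
}

# Live collection (assumes podman and a running container named qm, as in the issue).
collect_live() {
    local requested=$(( RANDOM % (1024 - 128 + 1) + 128 )) hb qa ha hn qn
    hb=$(sysctl "$KEY")
    qa=$(podman exec qm sysctl -w "$KEY=$requested")
    ha=$(sysctl "$KEY")
    hn=$(ls -l /proc/self/ns/net)
    qn=$(podman exec qm ls -l /proc/self/ns/net)
    check_isolation "$hb" "$qa" "$ha" "$hn" "$qn" "$requested"
}

# Constructed sample lines modelled on the issue's transcript, for an offline run.
SAMPLE_HOST_BEFORE="$KEY = 128"
SAMPLE_QM_AFTER="$KEY = 219"
SAMPLE_HOST_AFTER="$KEY = 128"
SAMPLE_HOST_NS="lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026531840]'"
SAMPLE_QM_NS="lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026532287]'"
check_isolation "$SAMPLE_HOST_BEFORE" "$SAMPLE_QM_AFTER" "$SAMPLE_HOST_AFTER" "$SAMPLE_HOST_NS" "$SAMPLE_QM_NS" 219
```

On a real host, replace the final line with a call to `collect_live`; a non-zero exit from `check_isolation` is the signal the CI/CD test should fail on.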

dougsland commented 4 months ago

cc @Yarboa @pbrilla-rh

nsednev commented 1 week ago

@dougsland Can we close this issue due to Jira-19564? The code was merged https://github.com/nsednev/qm/blob/main/tests/ffi/tcp_max_syn_backlog/test.sh

dougsland commented 1 week ago

@dougsland Can we close this issue due to Jira-19564? The code was merged https://github.com/nsednev/qm/blob/main/tests/ffi/tcp_max_syn_backlog/test.sh

@nsednev correct, let's close it. Thanks for your patch!