sonic-net / sonic-buildimage

Scripts which perform an installable binary image build for SONiC

[dhcp_server] [cacl] test_cacl_application_nondualtor is failing when dhcp_server is running #18486

Closed vivekrnv closed 2 months ago

vivekrnv commented 6 months ago

Description

test_cacl_application_nondualtor test fails when dhcp_server is installed because it expects some ACL rules that SONiC doesn't install

The test expects communication among docker containers

    admin@r-leopard-79:~$ docker inspect bridge
    [
        {
    ................
            "IPAM": {
                "Config": [
                    {
                        "Subnet": "240.127.1.0/24",
                        "Gateway": "240.127.1.1"
                    },
                    {
                        "Subnet": "fd00::/80",
                        "Gateway": "fd00::1"
                    }
                ]
            },
            "Containers": {
                "861e47a78b4ea353183fe6cb00d15faa0dbcccd738902f317389b41b65622cc8": {
                    "Name": "dhcp_server",
                    "EndpointID": "5af373a47157dde86a2493e8c9ab5db52cb4cec081dac3ca265c07ba70400cec",
                    "MacAddress": "02:42:f0:7f:01:02",
                    "IPv4Address": "240.127.1.2/24",
                    "IPv6Address": "fd00::242:f07f:102/80"
                }
            },
        }
    ]

https://github.com/sonic-net/sonic-mgmt/blob/master/tests/cacl/test_cacl_application.py#L395

    if asic_index is None:
        # Allow Communication among docker containers
        for k, v in list(docker_network['container'].items()):
            iptables_rules.append("-A INPUT -s {}/32 -d {}/32 -j ACCEPT"
                                  .format(docker_network['bridge']['IPv4Address'],
                                          docker_network['bridge']['IPv4Address']))
            iptables_rules.append("-A INPUT -s {}/32 -d {}/32 -j ACCEPT"
                                  .format(v['IPv4Address'],
                                          docker_network['bridge']['IPv4Address']))
            ip6tables_rules.append("-A INPUT -s {}/128 -d {}/128 -j ACCEPT"
                                   .format(docker_network['bridge']['IPv6Address'],
                                           docker_network['bridge']['IPv6Address']))
            ip6tables_rules.append("-A INPUT -s {}/128 -d {}/128 -j ACCEPT"
                                   .format(v['IPv6Address'],
                                           docker_network['bridge']['IPv6Address']))

Not sure if this is a test issue or something caclmgrd should install into SONiC

Steps to reproduce the issue:

  1. Enable dhcp_server
  2. Run test test_cacl_application_nondualtor

Describe the results you received:

Failed: Missing expected iptables rules: 
{'-A INPUT -s 240.127.1.1/32 -d 240.127.1.1/32 -j ACCEPT', '-A INPUT -s 240.127.1.2/32 -d 240.127.1.1/32 -j ACCEPT'}

Describe the results you expected:

No failure

Output of show version:

Seen on latest master
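
The comparison described in the report above, as an added example (not code from sonic-mgmt or caclmgrd): it derives the bridge ACCEPT rules from `docker inspect bridge` JSON and diffs them against an `iptables -S INPUT` dump. The function names are hypothetical, and it assumes the bridge address the test uses is the IPAM gateway, which matches the addresses in the failure message.

```python
import ipaddress
import json

# Constructed sample: trimmed `docker inspect bridge` output with the issue's addresses.
SAMPLE_INSPECT = json.dumps([{
    "IPAM": {"Config": [
        {"Subnet": "240.127.1.0/24", "Gateway": "240.127.1.1"},
        {"Subnet": "fd00::/80", "Gateway": "fd00::1"},
    ]},
    "Containers": {"constructed-container-id": {
        "Name": "dhcp_server",
        "IPv4Address": "240.127.1.2/24",
        "IPv6Address": "fd00::242:f07f:102/80",
    }},
}])

# Constructed sample: an INPUT chain without the bridge rules, as in the reported failure.
SAMPLE_INPUT_CHAIN = """\
-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
"""

def expected_bridge_rules(inspect_json):
    """Return (ipv4_rules, ipv6_rules) expected for containers on the default bridge."""
    net = json.loads(inspect_json)[0]
    # Assumption: the bridge's own address is the gateway listed under IPAM.
    gateways = {}
    for cfg in net["IPAM"]["Config"]:
        gw = ipaddress.ip_address(cfg["Gateway"])
        gateways[gw.version] = gw
    rules = {4: set(), 6: set()}
    # Rules are only expected per attached container, so an empty bridge yields none.
    for container in (net.get("Containers") or {}).values():
        for key in ("IPv4Address", "IPv6Address"):
            if not container.get(key):
                continue  # container has no address in this family
            addr = ipaddress.ip_interface(container[key]).ip  # drop the /24 or /80
            gw = gateways.get(addr.version)
            if gw is None:
                continue
            plen = addr.max_prefixlen  # host rule: /32 or /128
            for src in (gw, addr):
                rules[addr.version].add(f"-A INPUT -s {src}/{plen} -d {gw}/{plen} -j ACCEPT")
    return rules[4], rules[6]

def missing_rules(expected, chain_dump):
    """Return expected rules that do not appear in `iptables -S INPUT` style output."""
    installed = {line.strip() for line in chain_dump.splitlines()}
    return expected - installed
```

With no container attached to the bridge the expected set is empty, which is consistent with the failure appearing only once dhcp_server is running.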

vivekrnv commented 6 months ago

@yaqiangz @Blueve PFA

Blueve commented 4 months ago

Update ETA: 31 July

yaqiangz commented 2 months ago

Fixed https://github.com/sonic-net/sonic-mgmt/pull/13748#issuecomment-2249228751