smoketest: T7023: add tac_plus container to live validate login (#4285)
* smoketest: T7023: unify container image loading

* smoketest: T7023: add tac_plus container to live validate login

TACACS is pretty sensitive to its configuration. Instead of manual testing,
extend the smoketest platform to ship a tac_plus container and perform logins
against a locally running tac_plus server in a container.

The login username/password and TACACS shared secret are generated randomly on
the fly for every testcase.
c-po authored Jan 7, 2025
1 parent 8b517e2 commit fb651c0
Showing 3 changed files with 178 additions and 34 deletions.
15 changes: 10 additions & 5 deletions debian/vyos-1x-smoketest.postinst
@@ -1,10 +1,15 @@
#!/bin/sh -e

BUSYBOX_TAG="docker.io/library/busybox:stable"
OUTPUT_PATH="/usr/share/vyos/busybox-stable.tar"

if [[ -f $OUTPUT_PATH ]]; then
rm -f $OUTPUT_PATH
BUSYBOX_PATH="/usr/share/vyos/busybox-stable.tar"
if [[ -f $BUSYBOX_PATH ]]; then
rm -f $BUSYBOX_PATH
fi
skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "docker-archive:/$BUSYBOX_PATH"

skopeo copy --additional-tag "$BUSYBOX_TAG" "docker://$BUSYBOX_TAG" "docker-archive:/$OUTPUT_PATH"
TACPLUS_TAG="docker.io/lfkeitel/tacacs_plus:alpine"
TACPLUS_PATH="/usr/share/vyos/tacplus-alpine.tar"
if [[ -f $TACPLUS_PATH ]]; then
rm -f $TACPLUS_PATH
fi
skopeo copy --additional-tag "$TACPLUS_TAG" "docker://$TACPLUS_TAG" "docker-archive:/$TACPLUS_PATH"
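Review bot: The added `TACPLUS_TAG` block fetches a third-party Docker Hub image by the mutable tag `alpine` at package install time, so the content archived to `/usr/share/vyos/tacplus-alpine.tar` and later loaded by the smoketest can change without any change in this repository. Pinning the source reference by digest, `"docker://docker.io/lfkeitel/tacacs_plus@sha256:<digest>"` (placeholder, to be taken from a reviewed pull), while keeping the name:tag only for `--additional-tag`, or mirroring the image into a project-controlled registry, would make the input reproducible and auditable. Separately, `if [[ -f $TACPLUS_PATH ]]` repeats a bash-only test under `#!/bin/sh -e`; where `/bin/sh` is dash the test itself fails, the `rm -f` is skipped, and the following copy may then refuse to write over an existing archive. An unconditional `rm -f "$TACPLUS_PATH"` is portable and also quotes the variable.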
37 changes: 18 additions & 19 deletions smoketest/scripts/cli/test_container.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
# Copyright (C) 2021-2025 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
Expand All @@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

import os
import unittest
import glob
import json
Expand All @@ -26,10 +27,10 @@
from vyos.utils.process import process_named_running

base_path = ['container']
cont_image = 'busybox:stable' # busybox is included in vyos-build
PROCESS_NAME = 'conmon'
PROCESS_PIDFILE = '/run/vyos-container-{0}.service.pid'

busybox_image = 'busybox:stable'
busybox_image_path = '/usr/share/vyos/busybox-stable.tar'

def cmd_to_json(command):
Expand All @@ -42,11 +43,10 @@ class TestContainer(VyOSUnitTestSHIM.TestCase):
def setUpClass(cls):
super(TestContainer, cls).setUpClass()

# Load image for smoketest provided in vyos-build
try:
cmd(f'cat {busybox_image_path} | sudo podman load')
except:
cls.skipTest(cls, reason='busybox image not available')
# Load image for smoketest provided in vyos-1x-smoketest
if not os.path.exists(busybox_image_path):
cls.fail(cls, f'{busybox_image} image not available')
cmd(f'sudo podman load -i {busybox_image_path}')

# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
Expand All @@ -55,9 +55,8 @@ def setUpClass(cls):
@classmethod
def tearDownClass(cls):
super(TestContainer, cls).tearDownClass()

# Cleanup podman image
cmd(f'sudo podman image rm -f {cont_image}')
cmd(f'sudo podman image rm -f {busybox_image}')

def tearDown(self):
self.cli_delete(base_path)
Expand All @@ -78,7 +77,7 @@ def test_basic(self):
self.cli_set(['system', 'name-server', '1.1.1.1'])
self.cli_set(['system', 'name-server', '8.8.8.8'])

self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'image', busybox_image])
self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
self.cli_set(base_path + ['name', cont_name, 'sysctl', 'parameter', 'kernel.msgmax', 'value', '4096'])

Expand All @@ -104,7 +103,7 @@ def test_name_server(self):

self.cli_set(base_path + ['network', net_name, 'prefix', prefix])

self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'image', busybox_image])
self.cli_set(base_path + ['name', cont_name, 'name-server', name_server])
self.cli_set(base_path + ['name', cont_name, 'network', net_name, 'address', str(ip_interface(prefix).ip + 2)])

Expand All @@ -125,7 +124,7 @@ def test_cpu_limit(self):
cont_name = 'c2'

self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'image', busybox_image])
self.cli_set(base_path + ['name', cont_name, 'cpu-quota', '1.25'])

self.cli_commit()
Expand All @@ -146,7 +145,7 @@ def test_ipv4_network(self):

for ii in range(1, 6):
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'image', busybox_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + ii)])

# verify() - first IP address of a prefix can not be used by a container
Expand Down Expand Up @@ -176,7 +175,7 @@ def test_ipv6_network(self):

for ii in range(1, 6):
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'image', busybox_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + ii)])

# verify() - first IP address of a prefix can not be used by a container
Expand Down Expand Up @@ -208,7 +207,7 @@ def test_dual_stack_network(self):

for ii in range(1, 6):
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'image', busybox_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix4).ip + ii)])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix6).ip + ii)])

Expand Down Expand Up @@ -242,7 +241,7 @@ def test_no_name_server(self):
self.cli_set(base_path + ['network', net_name, 'no-name-server'])

name = f'{base_name}-2'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'image', busybox_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + 2)])
self.cli_commit()

Expand All @@ -258,7 +257,7 @@ def test_network_mtu(self):
self.cli_set(base_path + ['network', net_name, 'mtu', '1280'])

name = f'{base_name}-2'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'image', busybox_image])
self.cli_set(base_path + ['name', name, 'network', net_name, 'address', str(ip_interface(prefix).ip + 2)])
self.cli_commit()

Expand All @@ -271,7 +270,7 @@ def test_uid_gid(self):
uid = '1001'

self.cli_set(base_path + ['name', cont_name, 'allow-host-networks'])
self.cli_set(base_path + ['name', cont_name, 'image', cont_image])
self.cli_set(base_path + ['name', cont_name, 'image', busybox_image])
self.cli_set(base_path + ['name', cont_name, 'gid', gid])

# verify() - GID can only be set if UID is set
Expand All @@ -293,7 +292,7 @@ def test_api_socket(self):

for ii in container_list:
name = f'{base_name}-{ii}'
self.cli_set(base_path + ['name', name, 'image', cont_image])
self.cli_set(base_path + ['name', name, 'image', busybox_image])
self.cli_set(base_path + ['name', name, 'allow-host-networks'])

self.cli_commit()
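Review bot: In the `setUpClass` hunk, `cls.fail(cls, f'{busybox_image} image not available')` calls an instance method with the class standing in for `self`; it raises only because `failureException` is a class attribute, and it reads as if a test instance existed. `raise cls.failureException(f'{busybox_image} image not available')` states the intent directly. Since unittest does not run `tearDownClass` when `setUpClass` raises, doing the existence check before `super(TestContainer, cls).setUpClass()` would also avoid leaving behind whatever the shim sets up, which is not visible in this hunk. The body of `setUpClass` continues outside the hunk.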
