Skip to content

TestConntrackFlowsLeak: use busybox "nc" #43031

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 1 commit into from
Nov 19, 2021
Merged

TestConntrackFlowsLeak: use busybox "nc" #43031

thaJeztah merged 1 commit into from
Nov 19, 2021

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Nov 18, 2021
edited
Loading

extracted from #42300
this is another attempt at #34832
replaces / closes #34832

to address:

The appropriate/nc image was last built over 6 years ago, and uses the deprecated v2 schema 1 format; https://github.com/appropriate/docker-nc/tree/master/latest

The image is just a plain "apk install" of netbsd-netcat, but was added in 1c4286b (#32505), because at the time the busybox nc had some bugs.

These appear to be resolved, so we can use the busybox nc, from the frozen images.

@thaJeztah thaJeztah added status/2-code-review area/networking Networking area/testing kind/refactor PR's that refactor, or clean-up code labels Nov 18, 2021
@thaJeztah thaJeztah added this to the 21.xx milestone Nov 18, 2021
@thaJeztah
Copy link
Member Author

thaJeztah commented Nov 18, 2021 

docker pull appropriate/nc
Using default tag: latest
latest: Pulling from appropriate/nc
Image docker.io/appropriate/nc:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
12b41071e6ce: Pull complete
d41ebf7a19c0: Pull complete
0b849cb5c85c: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:ff0f2b54fb1e1bfe277047fd660415310232d301e27bec9423aa741de961e6d4
Status: Downloaded newer image for appropriate/nc:latest
docker.io/appropriate/nc:latest

cpuguy83
cpuguy83 approved these changes Nov 18, 2021
View reviewed changes
Copy link
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely better than the previous image, however I'd be happier if we had a cached image for this.

@fredericdalleau
Copy link
Contributor

fredericdalleau commented Nov 18, 2021

alpine3.14 already contains, busybox's nc, wouldn't it do the trick?

@thaJeztah
Copy link
Member Author

thaJeztah commented Nov 18, 2021

however I'd be happier if we had a cached image for this.

You mean, as a "frozen image", or pushing it somewhere to docker hub?
tbh, I was playing with the thought at some point to replace busybox with alpine in our frozen images (as it's a more flexible image), but then again, it's loaded in many tests, so even though it's "small", it's still a lot larger than the busybox image, so perhaps would make tests slower.

Installing the package is also very fast;

time apk add --no-cache -qq netcat-openbsd
real	0m 0.36s
user	0m 0.27s
sys	0m 0.05s

That said, we could run into outages of the alpine package repo (happens occasionally)

alpine3.14 already contains, busybox's nc, wouldn't it do the trick?

According to the PR that added it (discussion on that), that didn't work; #32505 (comment)

The nc version in alpine does not support for example the option -q. There is a bug in nc that let the command never return also when specify the -w option.
Feel free to try to change it to the alpine removing the -q option to let the command work, but most likely the test will fail timing out because the nc command will hang forever.

tianon
tianon reviewed Nov 18, 2021
View reviewed changes
integration-cli/docker_cli_network_unix_test.go Outdated
}).Assert(c, icmd.Success)

// Launch the server, this will remain listening on an exposed port and reply to any request in a ping/pong fashion
cmd := "while true; do echo hello | nc -w 1 -lu 8080; done"
Copy link
Member

@tianon tianon Nov 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we switch to the (already in our "frozen images") busybox image, I've had success with the following returning data correctly:

Suggested change
cmd := "while true; do echo hello | nc -w 1 -lu 8080; done"
cmd := "while true; do echo hello | nc -w 1 -l -u -p 8080; done"

integration-cli/docker_cli_network_unix_test.go Outdated
cli.DockerCmd(c, "run", "-d", "--name", "server", "--net", "testbind", "-p", "8080:8080/udp", imgName, "sh", "-c", cmd)

// Launch a container client, here the objective is to create a flow that is natted in order to expose the bug
cmd = "echo world | nc -q 1 -u 192.168.10.1 8080"
Copy link
Member

@tianon tianon Nov 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
cmd = "echo world | nc -q 1 -u 192.168.10.1 8080"
cmd = "echo world | nc -w 1 -u 192.168.10.1 8080"

Copy link
Member

@tianon tianon Nov 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I ran these exact commands in two containers and both worked "correctly" although the server container having a constant repeated 1 second timeout is kind of cute)

Edit: I guess worst case we add timeout 2 in front of this nc too? (if we see issues with it and need it to be killed more actively)

integration-cli/docker_cli_network_unix_test.go Outdated
Comment on lines 1749 to 1754
// Replaces the image built from https://github.com/appropriate/docker-nc/tree/master/latest
imgName := "moby/nc"
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "build", "-t", imgName, "-"},
Stdin: strings.NewReader("FROM alpine:3.14\nRUN apk add --no-cache netcat-openbsd\n"),
}).Assert(c, icmd.Success)
Copy link
Member

@tianon tianon Nov 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Replaces the image built from https://github.com/appropriate/docker-nc/tree/master/latest
imgName := "moby/nc"
icmd.RunCmd(icmd.Cmd{
Command: []string{dockerBinary, "build", "-t", imgName, "-"},
Stdin: strings.NewReader("FROM alpine:3.14\nRUN apk add --no-cache netcat-openbsd\n"),
}).Assert(c, icmd.Success)
imgName := "busybox:latest"

@thaJeztah
TestConntrackFlowsLeak: use busybox "nc"
6d92d2c 
The appropriate/nc image was last built over 6 years ago, and uses the
deprecated v2 schema 1 format.
https://github.com/appropriate/docker-nc/tree/master/latest

The image is just a plain "apk install" of netbsd-netcat, but was added
in 1c4286b, because at the time the
busybox nc had some bugs.

These appear to be resolved, so we can use the busybox nc, from the
frozen images.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah force-pushed the fix_TestConntrackFlowsLeak_v1 branch from 6cb1cf0 to 6d92d2c Compare November 19, 2021 08:27
@thaJeztah thaJeztah changed the title TestConntrackFlowsLeak: build image instead of pulling TestConntrackFlowsLeak: use busybox "nc" Nov 19, 2021
@thaJeztah
Copy link
Member Author

thaJeztah commented Nov 19, 2021

Thanks @tianon ❤️. I applied your changes; let's see if it passes 🤞

@thaJeztah
Copy link
Member Author

thaJeztah commented Nov 19, 2021

TestWaitNodeAttachment failure on Windows 2022 / containerd looks unrelated (posting in case it becomes more flaky);

=== RUN   TestWaitNodeAttachment
    adapter_test.go:137: waitNodeAttachments did not exit yet, but should have
--- FAIL: TestWaitNodeAttachment (0.40s)

@thaJeztah
Copy link
Member Author

thaJeztah commented Nov 19, 2021

And.. another flaky (already tracked in #39352)

=== RUN   TestDockerSuite/TestRunInteractiveWithRestartPolicy
    docker_cli_run_test.go:1796: assertion failed: 
        Command:  d:\CI\PR-43031\3\binary\docker.exe run -i --name test-inter-restart --restart=always busybox sh
        ExitCode: 0
        Stdout:   
        Stderr:   
        
        Failures:
        ExitCode was 0 expected 11
    --- FAIL: TestDockerSuite/TestRunInteractiveWithRestartPolicy (7.32s)

@thaJeztah thaJeztah merged commit ea0f3dc into moby:master Nov 19, 2021
@thaJeztah thaJeztah deleted the fix_TestConntrackFlowsLeak_v1 branch November 19, 2021 12:39
@thaJeztah thaJeztah mentioned this pull request Nov 19, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tianon tianon tianon left review comments

@cpuguy83 cpuguy83 cpuguy83 approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

area/networking Networking area/testing kind/refactor PR's that refactor, or clean-up code status/2-code-review

Projects

None yet

Milestone

23.0.0

Development

Successfully merging this pull request may close these issues.

5 participants

@thaJeztah @fredericdalleau @tianon @cpuguy83 @AkihiroSuda