Fix unit tests for an nftables host #49248
Merged
thaJeztah merged 1 commit into moby:master from Jan 10, 2025
On a freshly rebooted Linux host that's configured to use nftables with the iptables front-end, "make test-unit" fails "TestUserChains" on the first run - it's ok in subsequent runs.

The unit tests run in moby's dev container.

The first test in TestUserChain runs with ip6tables disabled, so the bridge driver doesn't try to load the ip6_tables module. Then, because the module isn't loaded (it wasn't needed by the daemon running on the nftables host when it started), the test fails because it can't check what's in the ip6tables filter chain.

The next test in TestUserChain does the same thing, but with ip6tables enabled. So the module gets loaded by the bridge driver, and everything works normally after that.

The dev container used to try to load the module on startup, but that was removed in commit 2af19b6 ("Don't try to modprobe ip6_tables in the moby dev container"), as part of a change to give the daemon a way to load modules itself.

Rather than put back the dev container's code to load ip6_tables on startup (which would mean the daemon's module-loading code not getting to run on nftables/firewalld hosts) ...

Run the tests in TestUserChains in a different order, with iptables enabled in the first test will make it happen to work. At least for now.

It's not ideal, but we'll be switching to nftables soon, so the issue will go away.

Signed-off-by: Rob Murray <[email protected]>
- What I did
On a freshly rebooted Linux host that's configured to use nftables with the iptables front-end, make test-unit fails "TestUserChains" on the first run - it's ok in subsequent runs.
The unit tests run in moby's dev container.
The first test in TestUserChain runs with ip6tables disabled, so the bridge driver doesn't try to load the ip6_tables module. Then, because the module isn't loaded (it wasn't needed by the daemon running on the nftables host when it started), the test fails because it can't check what's in the ip6tables filter chain.
The next test in TestUserChain does the same thing, but with ip6tables enabled. So the module gets loaded by the bridge driver, and everything works normally after that.
The dev container used to try to load the module on startup, but that was removed in commit 2af19b6 ("Don't try to modprobe ip6_tables in the moby dev container"), as part of a change to give the daemon a way to load modules itself.
- How I did it
Rather than put back the dev container's code to load ip6_tables on startup (which would mean the daemon's module-loading code not getting to run on nftables/firewalld hosts) ...
Run the tests in TestUserChains in a different order, with iptables enabled in the first test will make it happen to work. At least for now.
It's not ideal, but we'll be switching to nftables soon, so the issue will go away.
- How to verify it
make test-unit works on a freshly rebooted nftables-based host (tested on an Ubuntu 24.04 VM).
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)