/spec/classes/rules/docker_ce_spec.rb - Annoter - puppet nftables - Koumbit's Redmine

Télécharger au format

root / spec / classes / rules / docker_ce_spec.rb @ 51850192

Historique | Voir | Annoter | Télécharger (6,97 ko)

1	c82b960a	Steve Traylen	# frozen_string_literal: true
2
3	6be2adf7	Luis Fernández Álvarez	require 'spec_helper'
4
5			describe 'nftables::rules::docker_ce' do
6			let(:pre_condition) { 'include nftables' }
7
8			on_supported_os.each do \|os, os_facts\|
9			context "on #{os}" do
10			let(:facts) { os_facts }
11	fcb79d73	Ben Morrice	let(:pre_condition) { 'include nftables' }
12	6be2adf7	Luis Fernández Álvarez
13			context 'default options' do
14			it { is_expected.to compile }
15			it { is_expected.to contain_nftables__chain('DOCKER') }
16			it { is_expected.to contain_nftables__chain('DOCKER_ISOLATION_STAGE_1') }
17			it { is_expected.to contain_nftables__chain('DOCKER_ISOLATION_STAGE_2') }
18			it { is_expected.to contain_nftables__chain('DOCKER_USER') }
19	c82b960a	Steve Traylen
20	6be2adf7	Luis Fernández Álvarez	it {
21	c82b960a	Steve Traylen	expect(subject).to contain_nftables__chain('DOCKER-nat').with(
22	6be2adf7	Luis Fernández Álvarez	chain: 'DOCKER',
23	fa92e118	Romain Tartière	table: 'ip-nat'
24	6be2adf7	Luis Fernández Álvarez	)
25			}
26	c82b960a	Steve Traylen
27	6be2adf7	Luis Fernández Álvarez	it {
28	c82b960a	Steve Traylen	expect(subject).to contain_nftables__chain('OUTPUT-nat').with(
29	6be2adf7	Luis Fernández Álvarez	chain: 'OUTPUT',
30	fa92e118	Romain Tartière	table: 'ip-nat'
31	6be2adf7	Luis Fernández Álvarez	)
32			}
33	c82b960a	Steve Traylen
34	6be2adf7	Luis Fernández Álvarez	it {
35	c82b960a	Steve Traylen	expect(subject).to contain_nftables__chain('INPUT-nat').with(
36	6be2adf7	Luis Fernández Álvarez	chain: 'INPUT',
37	fa92e118	Romain Tartière	table: 'ip-nat'
38	6be2adf7	Luis Fernández Álvarez	)
39			}
40	c82b960a	Steve Traylen
41	c3515492	Luis Fernández Álvarez	it { is_expected.to contain_nftables__rule('DOCKER_ISOLATION_STAGE_1-iifname').with_content('iifname "docker0" oifname != "docker0" counter jump DOCKER_ISOLATION_STAGE_2') }
42			it { is_expected.to contain_nftables__rule('DOCKER_ISOLATION_STAGE_1-counter').with_content('counter return') }
43	6be2adf7	Luis Fernández Álvarez	it { is_expected.to contain_nftables__rule('DOCKER_ISOLATION_STAGE_2-drop').with_content('oifname "docker0" counter drop') }
44	c3515492	Luis Fernández Álvarez	it { is_expected.to contain_nftables__rule('DOCKER_ISOLATION_STAGE_2-counter').with_content('counter return') }
45			it { is_expected.to contain_nftables__rule('DOCKER_USER-counter').with_content('counter return') }
46			it { is_expected.to contain_nftables__rule('default_fwd-jump_docker_user').with_content('counter jump DOCKER_USER') }
47			it { is_expected.to contain_nftables__rule('default_fwd-jump_docker_isolation_stage_1').with_content('counter jump DOCKER_ISOLATION_STAGE_1') }
48			it { is_expected.to contain_nftables__rule('default_fwd-out_docker_accept').with_content('oifname "docker0" ct state established,related counter accept') }
49			it { is_expected.to contain_nftables__rule('default_fwd-jump_docker').with_content('oifname "docker0" counter jump DOCKER') }
50			it { is_expected.to contain_nftables__rule('default_fwd-idocker_onot_accept').with_content('iifname "docker0" oifname != "docker0" counter accept') }
51			it { is_expected.to contain_nftables__rule('default_fwd-idocker_odocker_accept').with_content('iifname "docker0" oifname "docker0" counter accept') }
52
53	6be2adf7	Luis Fernández Álvarez	it {
54	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('POSTROUTING-docker').with(
55	6be2adf7	Luis Fernández Álvarez	content: 'oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade',
56	fa92e118	Romain Tartière	table: 'ip-nat'
57	6be2adf7	Luis Fernández Álvarez	)
58			}
59	c82b960a	Steve Traylen
60	c3515492	Luis Fernández Álvarez	it {
61	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('PREROUTING-docker').with(
62	c3515492	Luis Fernández Álvarez	content: 'fib daddr type local counter jump DOCKER',
63	fa92e118	Romain Tartière	table: 'ip-nat'
64	c3515492	Luis Fernández Álvarez	)
65			}
66	c82b960a	Steve Traylen
67	c3515492	Luis Fernández Álvarez	it {
68	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('OUTPUT-jump_docker@ip-nat').with(
69	b61ccb4a	Luis Fernández Álvarez	rulename: 'OUTPUT-jump_docker',
70	c3515492	Luis Fernández Álvarez	content: 'ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER',
71	fa92e118	Romain Tartière	table: 'ip-nat'
72	c3515492	Luis Fernández Álvarez	)
73			}
74	c82b960a	Steve Traylen
75	c3515492	Luis Fernández Álvarez	it {
76	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('DOCKER-counter').with(
77	c3515492	Luis Fernández Álvarez	content: 'iifname "docker0" counter return',
78	fa92e118	Romain Tartière	table: 'ip-nat'
79	c3515492	Luis Fernández Álvarez	)
80			}
81	c82b960a	Steve Traylen
82	c3515492	Luis Fernández Álvarez	it {
83	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('INPUT-type@ip-nat').with(
84	283e1c3c	Luis Fernández Álvarez	rulename: 'INPUT-type',
85	c3515492	Luis Fernández Álvarez	content: 'type nat hook input priority 100',
86	fa92e118	Romain Tartière	table: 'ip-nat'
87	c3515492	Luis Fernández Álvarez	)
88			}
89	c82b960a	Steve Traylen
90	c3515492	Luis Fernández Álvarez	it {
91	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('INPUT-policy@ip-nat').with(
92	283e1c3c	Luis Fernández Álvarez	rulename: 'INPUT-policy',
93	c3515492	Luis Fernández Álvarez	content: 'policy accept',
94	fa92e118	Romain Tartière	table: 'ip-nat'
95	c3515492	Luis Fernández Álvarez	)
96			}
97	6be2adf7	Luis Fernández Álvarez	end
98
99	1bf717d9	Luis Fernández Álvarez	context 'with base chain management false' do
100			let(:params) do
101			{
102			manage_base_chains: false,
103			}
104			end
105
106			it { is_expected.to compile }
107
108			it { is_expected.to contain_nftables__chain('DOCKER') }
109			it { is_expected.to contain_nftables__chain('DOCKER_ISOLATION_STAGE_1') }
110			it { is_expected.to contain_nftables__chain('DOCKER_ISOLATION_STAGE_2') }
111			it { is_expected.to contain_nftables__chain('DOCKER_USER') }
112			it { is_expected.to contain_nftables__chain('DOCKER-nat') }
113
114			it { is_expected.not_to contain_nftables__chain('OUTPUT-nat') }
115			it { is_expected.not_to contain_nftables__chain('INPUT-nat') }
116			end
117
118			context 'with docker chain management false' do
119			let(:params) do
120			{
121			manage_docker_chains: false,
122			}
123			end
124
125			it { is_expected.to compile }
126
127			it { is_expected.not_to contain_nftables__chain('DOCKER') }
128			it { is_expected.not_to contain_nftables__chain('DOCKER_ISOLATION_STAGE_1') }
129			it { is_expected.not_to contain_nftables__chain('DOCKER_ISOLATION_STAGE_2') }
130			it { is_expected.not_to contain_nftables__chain('DOCKER_USER') }
131			it { is_expected.not_to contain_nftables__chain('DOCKER-nat') }
132
133			it { is_expected.to contain_nftables__chain('OUTPUT-nat') }
134			it { is_expected.to contain_nftables__chain('INPUT-nat') }
135			end
136
137	6be2adf7	Luis Fernández Álvarez	context 'with custom interface and subnet' do
138			let(:params) do
139			{
140			docker_interface: 'ifdo0',
141			docker_prefix: '192.168.4.0/24',
142			}
143			end
144
145			it { is_expected.to compile }
146	c3515492	Luis Fernández Álvarez	it { is_expected.to contain_nftables__rule('DOCKER_ISOLATION_STAGE_1-iifname').with_content('iifname "ifdo0" oifname != "ifdo0" counter jump DOCKER_ISOLATION_STAGE_2') }
147	6be2adf7	Luis Fernández Álvarez	it { is_expected.to contain_nftables__rule('DOCKER_ISOLATION_STAGE_2-drop').with_content('oifname "ifdo0" counter drop') }
148	c3515492	Luis Fernández Álvarez	it { is_expected.to contain_nftables__rule('default_fwd-out_docker_accept').with_content('oifname "ifdo0" ct state established,related counter accept') }
149			it { is_expected.to contain_nftables__rule('default_fwd-jump_docker').with_content('oifname "ifdo0" counter jump DOCKER') }
150			it { is_expected.to contain_nftables__rule('default_fwd-idocker_onot_accept').with_content('iifname "ifdo0" oifname != "ifdo0" counter accept') }
151			it { is_expected.to contain_nftables__rule('default_fwd-idocker_odocker_accept').with_content('iifname "ifdo0" oifname "ifdo0" counter accept') }
152
153	6be2adf7	Luis Fernández Álvarez	it {
154	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('POSTROUTING-docker').with(
155	6be2adf7	Luis Fernández Álvarez	content: 'oifname != "ifdo0" ip saddr 192.168.4.0/24 counter masquerade',
156	fa92e118	Romain Tartière	table: 'ip-nat'
157	6be2adf7	Luis Fernández Álvarez	)
158			}
159	c82b960a	Steve Traylen
160	c3515492	Luis Fernández Álvarez	it {
161	c82b960a	Steve Traylen	expect(subject).to contain_nftables__rule('DOCKER-counter').with(
162	c3515492	Luis Fernández Álvarez	content: 'iifname "ifdo0" counter return',
163	fa92e118	Romain Tartière	table: 'ip-nat'
164	c3515492	Luis Fernández Álvarez	)
165			}
166	6be2adf7	Luis Fernández Álvarez	end
167			end
168			end
169	c3515492	Luis Fernández Álvarez	end

Projet

Général

Profil

puppet nftables

root / spec / classes / rules / docker_ce_spec.rb @ 51850192