centra/lightscale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
lightscale/lab/test-firewall.nix

166 lines
6.7 KiB
Nix
Raw Permalink Blame History

{ pkgs, serverPkg, clientPkg }:
{
name = "lightscale-lab-firewall";
nodes = {
node1 = { ... }: {
networking.hostName = "node1";
networking.usePredictableInterfaceNames = false;
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.useDHCP = false;
networking.interfaces.eth1.ipv4.addresses = [
{ address = "10.0.0.1"; prefixLength = 24; }
];
networking.firewall.enable = false;
boot.kernelModules = [ "wireguard" ];
environment.systemPackages = [
serverPkg
clientPkg
pkgs.wireguard-tools
pkgs.iproute2
pkgs.iputils
pkgs.netcat-openbsd
pkgs.curl
pkgs.iptables
];
};
node2 = { ... }: {
networking.hostName = "node2";
networking.usePredictableInterfaceNames = false;
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.useDHCP = false;
networking.interfaces.eth1.ipv4.addresses = [
{ address = "10.0.0.2"; prefixLength = 24; }
];
networking.firewall.enable = false;
boot.kernelModules = [ "wireguard" ];
environment.systemPackages = [
clientPkg
pkgs.wireguard-tools
pkgs.iproute2
pkgs.iputils
pkgs.curl
pkgs.iptables
];
};
};
testScript = ''
start_all()
node1.wait_for_unit("multi-user.target")
node2.wait_for_unit("multi-user.target")
node1.wait_until_succeeds("ip -4 addr show dev eth1 | grep -q '10.0.0.1/24'")
node2.wait_until_succeeds("ip -4 addr show dev eth1 | grep -q '10.0.0.2/24'")
node1.succeed("touch /tmp/lightscale-server.log")
node1.execute("sh -c 'tail -n +1 -f /tmp/lightscale-server.log >/dev/console 2>&1 &'")
node1.succeed(
"systemd-run --no-block --unit=lightscale-server --service-type=simple "
"--property=Restart=on-failure --property=RestartSec=1 "
"--property=TimeoutStartSec=30 "
"--property=StandardOutput=append:/tmp/lightscale-server.log "
"--property=StandardError=append:/tmp/lightscale-server.log "
"--setenv=RUST_LOG=info -- "
"lightscale-server --listen 10.0.0.1:8080 --state /tmp/lightscale-state.json "
"--stream-relay 10.0.0.1:8443 --stream-relay-listen 10.0.0.1:8443"
)
node1.wait_for_unit("lightscale-server.service")
node1.wait_for_open_port(8080, addr="10.0.0.1", timeout=120)
node1.wait_for_open_port(8443, addr="10.0.0.1", timeout=120)
node1.succeed("tail -n 50 /tmp/lightscale-server.log || true")
import json
net = json.loads(node1.succeed(
"curl -sSf -X POST http://10.0.0.1:8080/v1/networks "
"-H 'content-type: application/json' "
"-d '{\"name\":\"lab\",\"bootstrap_token_ttl_seconds\":600," \
"\"bootstrap_token_uses\":10,\"bootstrap_token_tags\":[\"lab\"]}'"
))
token = net["bootstrap_token"]["token"]
def enroll(node, name, ip):
node.succeed(
"lightscale-client --profile test --config /tmp/ls-config.json "
"init http://10.0.0.1:8080"
)
node.succeed(
f"lightscale-client --profile test --config /tmp/ls-config.json "
f"--state-dir /tmp/ls-state register --node-name {name} -- {token}"
)
node.succeed(
f"lightscale-client --profile test --config /tmp/ls-config.json "
f"--state-dir /tmp/ls-state heartbeat --endpoint {ip}:51820"
)
enroll(node1, "node1", "10.0.0.1")
enroll(node2, "node2", "10.0.0.2")
def block_udp(node, peer_ip):
node.succeed(f"iptables -I OUTPUT -p udp --dport 51820 -d {peer_ip} -j DROP")
node.succeed(f"iptables -I INPUT -p udp --sport 51820 -s {peer_ip} -j DROP")
block_udp(node1, "10.0.0.2")
block_udp(node2, "10.0.0.1")
def start_agent(node, endpoints):
node.succeed("touch /tmp/lightscale-agent.log")
node.execute("sh -c 'tail -n +1 -f /tmp/lightscale-agent.log >/dev/console 2>&1 &'")
cmd = (
"lightscale-client --profile test --config /tmp/ls-config.json "
"--state-dir /tmp/ls-state agent --listen-port 51820 "
"--heartbeat-interval 5 --longpoll-timeout 5 "
"--endpoint-stale-after 5 --endpoint-max-rotations 1 "
"--stream-relay --backend boringtun"
)
for endpoint in endpoints:
cmd += f" --endpoint {endpoint}"
node.succeed(
"systemd-run --no-block --unit=lightscale-agent --service-type=simple "
"--property=Restart=on-failure --property=RestartSec=1 "
"--property=TimeoutStartSec=30 "
"--property=StandardOutput=append:/tmp/lightscale-agent.log "
"--property=StandardError=append:/tmp/lightscale-agent.log -- "
+ cmd
)
node.wait_for_unit("lightscale-agent.service")
node.wait_until_succeeds("ip link show ls-test", timeout=60)
start_agent(node1, ["10.0.0.1:51820"])
start_agent(node2, ["10.0.0.2:51820"])
node1.succeed("sleep 10")
node2.succeed("sleep 10")
print(node1.succeed("lightscale-client --profile test --state-dir /tmp/ls-state status --wg --interface ls-test || true"))
print(node2.succeed("lightscale-client --profile test --state-dir /tmp/ls-state status --wg --interface ls-test || true"))
data1 = json.loads(node1.succeed("cat /tmp/ls-state/state.json"))
data2 = json.loads(node2.succeed("cat /tmp/ls-state/state.json"))
nodes = [node1, node2]
ips = [data1["ipv4"], data2["ipv4"]]
node1.execute(f"ping -c 1 {ips[1]} || true")
node2.execute(f"ping -c 1 {ips[0]} || true")
node1.succeed("sleep 2")
print(node1.succeed("ip link show ls-test || true"))
print(node2.succeed("ip link show ls-test || true"))
print(node1.succeed("timeout 5 wg show ls-test || true"))
print(node2.succeed("timeout 5 wg show ls-test || true"))
print(node1.succeed("sysctl net.ipv4.conf.all.route_localnet net.ipv4.conf.lo.route_localnet || true"))
print(node2.succeed("sysctl net.ipv4.conf.all.route_localnet net.ipv4.conf.lo.route_localnet || true"))
print(node1.succeed("ss -u -lpn | grep lightscale-clie || true"))
print(node2.succeed("ss -u -lpn | grep lightscale-clie || true"))
print(node1.succeed(f"ip -4 route get {ips[1]} || true"))
print(node2.succeed(f"ip -4 route get {ips[0]} || true"))
print(node1.succeed("tail -n 200 /tmp/lightscale-agent.log || true"))
print(node2.succeed("tail -n 200 /tmp/lightscale-agent.log || true"))
def full_mesh_ping(nodes, ips):
for i, src in enumerate(nodes):
for j, dst in enumerate(nodes):
if i == j:
continue
src.wait_until_succeeds(f"ping -c 3 {ips[j]}", timeout=180)
full_mesh_ping(nodes, ips)
'';
}
Reference in a new issue View git blame Copy permalink