
     1  package lifecycle_test
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  	"time"
     7  
     8  	"github.com/cloudfoundry-incubator/garden"
     9  
    10  	. "github.com/onsi/ginkgo"
    11  	. "github.com/onsi/gomega"
    12  )
    13  
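// This suite checks that the network deny/allow configuration handed to a
// restarted Garden server is applied to containers created after the restart:
// a container is denied access to the IPs listed in -denyNetworks, except
// where -allowNetworks carves an IP back out, and container IPs survive the
// restart. All assertions are made from `sender`, which is created after the
// restart; the listeners themselves are created before it.
var _ = Describe("Denying access to network ranges", func() {
	var (
		blockedListener   garden.Container
		blockedListenerIP string

		unblockedListener   garden.Container
		unblockedListenerIP string

		allowedListener   garden.Container
		allowedListenerIP string

		sender garden.Container
	)

	BeforeEach(func() {
		client = startGarden()

		var err error

		// create a listener to which we deny network access
		blockedListener, err = client.Create(garden.ContainerSpec{})
		Expect(err).ToNot(HaveOccurred())
		blockedListenerIP = containerIP(blockedListener)

		// create a listener to which we do not deny access
		unblockedListener, err = client.Create(garden.ContainerSpec{})
		Expect(err).ToNot(HaveOccurred())
		unblockedListenerIP = containerIP(unblockedListener)

		// create a listener to which we explicitly allow access
		allowedListener, err = client.Create(garden.ContainerSpec{})
		Expect(err).ToNot(HaveOccurred())
		allowedListenerIP = containerIP(allowedListener)

		// The allowed listener is deliberately present in BOTH lists so that
		// the test exercises -allowNetworks overriding -denyNetworks for the
		// same /32, not merely the absence of a deny rule.
		restartGarden(
			"-denyNetworks", strings.Join([]string{
				blockedListenerIP + "/32",
				allowedListenerIP + "/32",
			}, ","),
			"-allowNetworks", allowedListenerIP+"/32",
		)

		// check that the IPs were preserved over restart; the deny/allow
		// rules are keyed on these IPs, so a changed IP would silently
		// invalidate the assertions below
		Expect(containerIP(blockedListener)).To(Equal(blockedListenerIP))
		Expect(containerIP(unblockedListener)).To(Equal(unblockedListenerIP))
		Expect(containerIP(allowedListener)).To(Equal(allowedListenerIP))

		// create a container with the new deny network configuration
		sender, err = client.Create(garden.ContainerSpec{})
		Expect(err).ToNot(HaveOccurred())
	})

	AfterEach(func() {
		// Destroy every container that was created, even if an earlier Destroy
		// fails. A failing Expect mid-way would abort the cleanup and leak the
		// remaining containers (and their network rules) into later tests, and
		// a nil container (BeforeEach failed before creating it) would panic
		// on Handle() instead of reporting the real failure.
		var failures []string
		for _, c := range []garden.Container{sender, blockedListener, unblockedListener, allowedListener} {
			if c == nil {
				continue
			}
			if err := client.Destroy(c.Handle()); err != nil {
				failures = append(failures, fmt.Sprintf("%s: %v", c.Handle(), err))
			}
		}
		Expect(failures).To(BeEmpty())
	})

	// runInContainer starts `script` under `sh -c` inside `container`, with
	// stdout/stderr streamed to the Ginkgo output, and returns the process
	// without waiting for it. Callers decide whether to Wait.
	runInContainer := func(container garden.Container, script string) garden.Process {
		process, err := container.Run(garden.ProcessSpec{
			Path: "sh",
			Args: []string{"-c", script},
		}, garden.ProcessIO{
			Stdout: GinkgoWriter,
			Stderr: GinkgoWriter,
		})
		Expect(err).ToNot(HaveOccurred())

		return process
	}

	It("makes that block of ip addresses inaccessible to the container", func() {
		runInContainer(blockedListener, "nc -l 0.0.0.0:12345")
		runInContainer(unblockedListener, "nc -l 0.0.0.0:12345")
		runInContainer(allowedListener, "nc -l 0.0.0.0:12345")

		// a bit of time for the listeners to start, since they block
		time.Sleep(time.Second)

		// NOTE(review): exit status 1 here is also what nc reports when the
		// listener is not yet up (connection refused), so the denied case
		// cannot by itself distinguish "blocked" from "not listening". The
		// two successful connects below show the sleep was long enough for
		// those listeners, which is the only evidence this test has that the
		// blocked listener was up too.
		process := runInContainer(
			sender,
			fmt.Sprintf("echo hello | nc -w 1 %s 12345", blockedListenerIP),
		)
		Expect(process.Wait()).To(Equal(1))

		process = runInContainer(
			sender,
			fmt.Sprintf("echo hello | nc -w 1 %s 12345", unblockedListenerIP),
		)
		Expect(process.Wait()).To(Equal(0))

		// allowed even though its /32 is also in -denyNetworks
		process = runInContainer(
			sender,
			fmt.Sprintf("echo hello | nc -w 1 %s 12345", allowedListenerIP),
		)
		Expect(process.Wait()).To(Equal(0))
	})
})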