# -*- mode: ruby -*-
# vi: set ft=ruby :
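Vagrant.configure("2") do |config|
  # Test/benchmark VM for bypass4netns. The provisioner below builds and installs the
  # checkout mounted at /vagrant, installs nerdctl-full plus a bypass4netns-patched nerdctl
  # fork, and then runs the --ignore test, the connect(2)/sendto(2) test, the bypass4netnsd
  # test and four iperf3 benchmarks (with and without bypass4netns, in both directions).
  #
  # NOTE(review): ubuntu/impish64 is Ubuntu 21.10, an interim (non-LTS) release; confirm the
  # box still receives security updates before relying on it, or move to an LTS box.
  config.vm.box = "ubuntu/impish64"
  memory = 4096
  cpus = 2

  config.vm.provider :virtualbox do |v|
    v.memory = memory
    v.cpus = cpus
    # Avoid 10.0.0.0/8 and 172.0.0.0/8: https://github.com/rootless-containers/bypass4netns/pull/5#issuecomment-1026602768
    # The --ignore lists handed to bypass4netns in the tests below assume this NAT range.
    v.customize ["modifyvm", :id, "--natnet1", "192.168.6.0/24"]
  end

  config.vm.provider :libvirt do |v|
    v.memory = memory
    v.cpus = cpus
  end

  # privileged: false -- the script runs as the vagrant user so rootless containerd/buildkit
  # are set up for that user; sudo is used only for apt and for writing under /usr/local.
  config.vm.provision "shell", privileged: false, inline: <<~SHELL
    #!/bin/bash
    set -eu -o pipefail
    NERDCTL_VERSION="0.16.1"
    # sha256 of nerdctl-full-<version>-linux-amd64.tar.gz as published with the release.
    # When set, the download is verified before it is unpacked as root; when left empty,
    # the install proceeds unverified and a warning is printed to stderr.
    NERDCTL_SHA256=""
    # Full commit hash of the bypass4netns-patched nerdctl fork. Pinning by hash means the
    # build cannot silently follow the fork's branch tip.
    NERDCTL_GIT_HASH="3e0e5d1bd1a6312f48473e6a1c5dcf9dbe723b0c"
    ALPINE_IMAGE="public.ecr.aws/docker/library/alpine:3.15"
    echo "===== Prepare ====="
    (
      set -x
      sudo apt-get update
      sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y build-essential curl dbus-user-session iperf3 libseccomp-dev uidmap golang python3
      systemctl --user start dbus
      cd /vagrant
      make
      sudo make install
      # Download to a file first so the archive can be checked before anything is extracted
      # as root (a curl | sudo tar pipeline would unpack unverified bytes directly).
      nerdctl_tgz="$(mktemp)"
      curl -fsSL -o "${nerdctl_tgz}" "https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/nerdctl-full-${NERDCTL_VERSION}-linux-amd64.tar.gz"
      if [ -n "${NERDCTL_SHA256}" ]; then
        echo "${NERDCTL_SHA256}  ${nerdctl_tgz}" | sha256sum -c -
      else
        echo "WARNING: NERDCTL_SHA256 is empty, installing nerdctl-full ${NERDCTL_VERSION} without checksum verification" >&2
      fi
      sudo tar -C /usr/local -xzvf "${nerdctl_tgz}"
      rm -f "${nerdctl_tgz}"
      containerd-rootless-setuptool.sh install
      containerd-rootless-setuptool.sh install-buildkit
      # Replace nerdctl with the bypass4netns-patched fork, built against the /vagrant checkout.
      # A fresh mktemp directory (instead of a fixed /tmp/nerdctl) lets `vagrant provision`
      # be re-run without git clone failing on an already existing directory.
      nerdctl_src="$(mktemp -d)"
      git clone https://github.com/naoki9911/nerdctl "${nerdctl_src}"
      cd "${nerdctl_src}"
      git checkout "${NERDCTL_GIT_HASH}"
      echo "replace github.com/rootless-containers/bypass4netns => /vagrant" >> go.mod
      make
      sudo cp _output/nerdctl /usr/local/bin/.
      nerdctl info
      nerdctl pull --quiet "${ALPINE_IMAGE}"
      # Host address and seccomp profile shared with the test steps below.
      hostname -I | awk '{print $1}' | tee /tmp/host_ip
      /vagrant/test/seccomp.json.sh | tee /tmp/seccomp.json
      # iperf3 server on the host side, used by the netns -> host tests and benchmarks.
      systemd-run --user --unit run-iperf3 iperf3 -s
    )
    # Single quotes: inside double quotes the backticks were a command substitution that
    # tried to run `--ignore` and dropped the option name from the banner.
    echo '===== `--ignore` option test ====='
    (
      set -x
      systemd-run --user --unit run-bypass4netns bypass4netns --ignore "127.0.0.0/8,10.0.0.0/8,192.168.6.0/24" --debug
      nerdctl run --security-opt seccomp=/tmp/seccomp.json -d --name test "${ALPINE_IMAGE}" sleep infinity
      nerdctl exec test apk add --no-cache iperf3
      nerdctl exec test iperf3 -c "$(cat /tmp/host_ip)"
      # TODO: this check is dirty. we want better method to check the connect(2) is ignored.
      # pipefail makes a missing log line fail this step.
      journalctl --user -u run-bypass4netns.service | grep "is ignored, skipping."
      nerdctl rm -f test
      systemctl --user stop run-bypass4netns.service
    )
    echo "===== connect(2),sendto(2) test ====="
    (
      set -x
      systemd-run --user --unit run-bypass4netns bypass4netns --ignore "127.0.0.0/8,10.0.0.0/8" -p 8080:5201
      cd /vagrant/test
      /bin/bash test.sh /tmp/seccomp.json "$(cat /tmp/host_ip)"
      systemctl --user stop run-bypass4netns.service
    )
    echo "===== Test bypass4netnsd ====="
    (
      set -x
      /vagrant/test/test_b4nnd.sh
    )
    echo "===== Benchmark: netns -> host With bypass4netns ====="
    (
      set -x
      # start bypass4netnsd for nerdctl integration; it stays up for the later benchmarks
      systemd-run --user --unit run-bypass4netnsd bypass4netnsd
      sleep 1 # fixed wait for the daemon to come up; there is no readiness probe here
      nerdctl run --label nerdctl/bypass4netns=true -d --name test "${ALPINE_IMAGE}" sleep infinity
      nerdctl exec test apk add --no-cache iperf3
      nerdctl exec test iperf3 -c "$(cat /tmp/host_ip)"
      nerdctl rm -f test
    )
    echo "===== Benchmark: netns -> host Without bypass4netns (for comparison) ====="
    (
      set -x
      nerdctl run -d --name test "${ALPINE_IMAGE}" sleep infinity
      nerdctl exec test apk add --no-cache iperf3
      nerdctl exec test iperf3 -c "$(cat /tmp/host_ip)"
      nerdctl rm -f test
    )
    echo "===== Benchmark: host -> netns With bypass4netns ====="
    (
      set -x
      nerdctl run --label nerdctl/bypass4netns=true -d --name test -p 8080:5201 "${ALPINE_IMAGE}" sleep infinity
      nerdctl exec test apk add --no-cache iperf3
      systemd-run --user --unit run-iperf3-netns nerdctl exec test iperf3 -s -4
      sleep 1 # waiting `iperf3 -s -4` becomes ready
      iperf3 -c "$(cat /tmp/host_ip)" -p 8080
      nerdctl rm -f test
    )
    echo "===== Benchmark: host -> netns Without bypass4netns (for comparison) ====="
    (
      set -x
      nerdctl run -d --name test -p 8080:5201 "${ALPINE_IMAGE}" sleep infinity
      nerdctl exec test apk add --no-cache iperf3
      systemd-run --user --unit run-iperf3-netns2 nerdctl exec test iperf3 -s -4
      sleep 1 # waiting `iperf3 -s -4` becomes ready
      iperf3 -c "$(cat /tmp/host_ip)" -p 8080
      nerdctl rm -f test
    )
  SHELL
end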