[libvirt] [tck PATCH 0/9] Fix libvirt-tck nwfilter tests

libvirt-tck happens to have the most thorough set of nwfilter tests around. Unfortunately they haven't been run in quite a while, and have suffered from some bit rot.

This patch series (along with Dan's patch to force virt-builder to redo selinux labels after installing extra packages) gets the nwfilter tests all completing successfully again *on a Fedora 26 host* with libvirt 3.2.1 and libvirt 4.0.0+. The concurrency tests (at least) still fail on an F27 host - in that case they are actually revealing a bug due to something in libvirt, libpcap, or maybe the kernel (and since the kernels in F26 and F27 are nearly the same, and I tried both of the above libvirt versions on F27 with the same failure (two threads hung in a polling loop in libpcap)

Once I got this all running, I noticed that there are several domain and network tests that are failing, and at least the ones I looked into were due to bugs in the tests (e.g. the netdev hotplug test uses multicast MAC addresses, and assumes that device detaches are synchronous), so there's more work to do, but the nwfilter tests are what's most important right now.
Laine Stump (9):
  create vms that use virt-builder images with no graphics and virtio-net
  Use $net->get_dhcp_leases() when available
  Use Net::OpenSSH instead of Net::SSH::Perl
  Fix no-ip-spoofing test script generation
  Fix no-arp-spoof test script generation
  parameterize filterref in generic_domain
  Fix ebtables check in no-mac-broadcast test
  filter for proper IP address in tcpdump looking for broadcast packet
  Eliminate unnecessary path specifications in binary names

 lib/Sys/Virt/TCK.pm                       | 22 +++++-------
 lib/Sys/Virt/TCK/NetworkHelpers.pm        |  9 +++++
 perl-Sys-Virt-TCK.spec.PL                 |  3 +-
 scripts/nwfilter/100-ping-still-working.t |  6 ++--
 scripts/nwfilter/210-no-mac-spoofing.t    | 52 ++++++++++++++-------------
 scripts/nwfilter/220-no-ip-spoofing.t     | 59 ++++++++++++++++---------------
 scripts/nwfilter/230-no-mac-broadcast.t   | 39 ++++++++++----------
 scripts/nwfilter/240-no-arp-spoofing.t    | 36 ++++++++++---------
 scripts/nwfilter/300-vsitype.t            |  1 -
 scripts/nwfilter/nwfilter_concurrent.sh   |  4 +--
 10 files changed, 121 insertions(+), 110 deletions(-)

-- 
2.13.6

This is consistent with what is used to create the disk image supplied by virt-builder. It doesn't currently affect the outcome of the test, but it's possible that in the future it could.

In particular, the network device name changes depending on whether or not there is a graphics device (due to change in PCI address). The virt-builder image is created by installing Fedora on a guest that has no graphics card, so it sees the network device as "ens2" and creates an appropriate ifcfg-ens2, but if you boot the image with a graphics card, then the network device will be named "ens3". It turns out that NetworkManager is enabled by default on the virt-builder images, and NetworkManager will listen for dhcp on *all* interfaces (not just those with a configuration file), so networking still functions on the guest, but if a test script were to try to use "ifdown ens3" (for example) that wouldn't work.

The best solution may be to have the image set "biosdevnames=0 net.ifnames=0" on the kernel commandline (so that the netdev is always called "eth0" regardless of its PCI address), but that would also need to be done in the kickstart file used to create the image, which is done offline by libguestfs people, so it's not something we have control over here.

--- lib/Sys/Virt/TCK.pm | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index b39f578..ce8e81b 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -781,11 +781,6 @@ sub generic_machine_domain { $b->boot_disk(); - $b->graphics(type => "vnc", - port => "-1", - autoport => "yes", - listen => "127.0.0.1"); - $b->disk(src => $config{root}, dst => $config{dev}, type => "file"); @@ -795,6 +790,7 @@ sub generic_machine_domain { $b->interface(type => "network", source => "default", + model => "virtio", mac => "52:54:00:11:11:11", filterref => "clean-traffic"); my $xml = $b->as_xml(); 
@@ -840,11 +836,6 @@ sub generic_machine_domain { # XXX boot CDROM or vroot for other HVs $b->boot_kernel($config{kernel}, $config{initrd}); - $b->graphics(type => "vnc", - port => "-1", - autoport => "yes", - listen => "127.0.0.1"); - $b->disk(src => $config{root}, dst => $config{dev}, type => "file"); @@ -930,6 +921,7 @@ sub generic_domain { if ($netmode eq "vepa") { $b->interface(type => "direct", source => "default", + model => "virtio", mac => "52:54:00:11:11:11", dev => $self->get_host_network_device(), mode => "vepa", @@ -937,6 +929,7 @@ sub generic_domain { } else { $b->interface(type => "network", source => "default", + model => "virtio", mac => "52:54:00:11:11:11", filterref => "clean-traffic"); } -- 2.13.6
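Review bot: In the `@@ -781` hunk of generic_machine_domain the reason for dropping `$b->graphics(...)` is recorded only in the commit message. A short comment at the removal site (the virt-builder image was installed without a graphics card, and adding one moves the NIC's PCI address so ens2 becomes ens3) would keep someone from re-adding VNC later and silently changing the guest's interface name.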
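Review bot: The `@@ -840` hunk (the boot_kernel branch of generic_machine_domain) only removes `$b->graphics(...)`; none of the three `model => "virtio"` additions in this patch lands in that branch. If that branch also builds an interface further down, it should get `model => "virtio"` as well so both boot paths present the same NIC to the guest; if it has no interface, a line in the commit message saying so would help.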

On Wed, Feb 07, 2018 at 09:04:51PM -0500, Laine Stump wrote:
This is consistent with what is used to create the disk image supplied by virt-builder. It doesn't currently affect the outcome of the test, but it's possible that in the future it could.
In particular, the network device name changes depending on whether or not there is a graphics device (due to change in PCI address). The virt-builder image is created by installing Fedora on a guest that has no graphics card, so it sees the network device as "ens2" and creates an appropriate ifcfg-ens2, but if you boot the image with a graphics card, then the network device will be named "ens3". It turns out that NetworkManager is enabled by default on the virt-builder images, and NetworkManager will listen for dhcp on *all* interfaces (not just those with a configuration file), so networking still functions on the guest, but if a test script were to try to use "ifdown ens3" (for example) that wouldn't work.
The best solution may be to have the image set "biosdevnames=0 net.ifnames=0" on the kernel commandline (so that the netdev is always called "eth0" regardless of its PCI address), but that would also need to be done in the kickstart file used to create the image, which is done offline by libguestfs people, so it's not something we have control over here. --- lib/Sys/Virt/TCK.pm | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index b39f578..ce8e81b 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -781,11 +781,6 @@ sub generic_machine_domain {
$b->boot_disk();
- $b->graphics(type => "vnc", - port => "-1", - autoport => "yes", - listen => "127.0.0.1"); - $b->disk(src => $config{root}, dst => $config{dev}, type => "file"); @@ -795,6 +790,7 @@ sub generic_machine_domain {
$b->interface(type => "network", source => "default", + model => "virtio", mac => "52:54:00:11:11:11", filterref => "clean-traffic"); my $xml = $b->as_xml(); @@ -840,11 +836,6 @@ sub generic_machine_domain { # XXX boot CDROM or vroot for other HVs $b->boot_kernel($config{kernel}, $config{initrd});
- $b->graphics(type => "vnc", - port => "-1", - autoport => "yes", - listen => "127.0.0.1"); - $b->disk(src => $config{root}, dst => $config{dev}, type => "file"); @@ -930,6 +921,7 @@ sub generic_domain { if ($netmode eq "vepa") { $b->interface(type => "direct", source => "default", + model => "virtio", mac => "52:54:00:11:11:11", dev => $self->get_host_network_device(), mode => "vepa", @@ -937,6 +929,7 @@ sub generic_domain { } else { $b->interface(type => "network", source => "default", + model => "virtio", mac => "52:54:00:11:11:11", filterref => "clean-traffic"); }
Yuk this file has a mix of tabs and spaces in it currently :-( We should clean that up by de-tabifying it, but I guess it is better to apply your patches first otherwise it'll be conflict hell for you.

So

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 02/08/2018 04:13 AM, Daniel P. Berrangé wrote:
Yuk this file has a mix of tabs and spaces in it currently :-( We should clean that up by de-tabifying it,
Yeah, I noticed that in a couple other files too (only because things looked misaligned when I ran git diff). I'll try to remember to do something about that after I get these pushed.

Newer versions of libvirt no longer let dnsmasq create a leases file, they keep track of it themselves and provide an API to retrieve the current list of leases. Use that to get the guest's IP address when it's available. --- I later realized that it might be more appropriate to use $dom->get_interface_addresses(), but I'd already rewritten the existing function this way and it works, so I left it. lib/Sys/Virt/TCK/NetworkHelpers.pm | 9 +++++++++ scripts/nwfilter/100-ping-still-working.t | 2 +- scripts/nwfilter/210-no-mac-spoofing.t | 2 +- scripts/nwfilter/220-no-ip-spoofing.t | 2 +- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 2 +- scripts/nwfilter/nwfilter_concurrent.sh | 4 ++-- 7 files changed, 16 insertions(+), 7 deletions(-) diff --git a/lib/Sys/Virt/TCK/NetworkHelpers.pm b/lib/Sys/Virt/TCK/NetworkHelpers.pm index 133064b..f6bf8f9 100644 --- a/lib/Sys/Virt/TCK/NetworkHelpers.pm +++ b/lib/Sys/Virt/TCK/NetworkHelpers.pm @@ -10,7 +10,16 @@ sub get_first_macaddress { } sub get_ip_from_leases{ + my $conn = shift; + my $netname = shift; my $mac = shift; + + my $net = $conn->get_network_by_name($netname); + if ($net->can('get_dhcp_leases')) { + my @leases = $net->get_dhcp_leases($mac); + return @leases ? @leases[0]->{'ipaddr'} : undef; + } + my $tmp = `grep $mac /var/lib/libvirt/dnsmasq/default.leases`; my @fields = split(/ /, $tmp); my $ip = $fields[2]; diff --git a/scripts/nwfilter/100-ping-still-working.t b/scripts/nwfilter/100-ping-still-working.t index a20b95d..dc1efd2 100644 --- a/scripts/nwfilter/100-ping-still-working.t +++ b/scripts/nwfilter/100-ping-still-working.t @@ -69,7 +69,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac"; -my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip"; # check ebtables entry diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index b81fc4a..03001a8 100644 
--- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -69,7 +69,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac"; -my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip"; # check ebtables entry diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 3a0213d..d447a19 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -60,7 +60,7 @@ sleep(30); my $mac = get_first_macaddress($dom); diag "mac is $mac"; -my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip"; # check ebtables entry diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 16ce60d..9d00dc4 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -68,7 +68,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac"; -my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip"; # check ebtables entry diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 284033d..f1e6870 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -70,7 +70,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac"; -my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip"; # check ebtables entry diff --git a/scripts/nwfilter/nwfilter_concurrent.sh b/scripts/nwfilter/nwfilter_concurrent.sh index 4c9b878..359e2ab 100644 --- a/scripts/nwfilter/nwfilter_concurrent.sh +++ b/scripts/nwfilter/nwfilter_concurrent.sh 
@@ -242,9 +242,9 @@ runTest() [ $? -ne 0 ] && rm -rf "${tmpdir}" && return 1; - # Test runs for a maximum of 5 minutes + # Test runs for a maximum of 10 minutes now=`date +%s` - test_end=$(($now + 5 * 60)) + test_end=$(($now + 10 * 60)) while :; do -- 2.13.6
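Review bot: In the get_ip_from_leases hunk, `@leases[0]->{'ipaddr'}` is a one-element array slice; write `$leases[0]->{'ipaddr'}`, which is what is meant and avoids Perl's "Scalar value @leases[0] better written as $leases[0]" warning. The new `$netname` argument is also honoured only on the get_dhcp_leases path: the fallback below still greps `/var/lib/libvirt/dnsmasq/default.leases` and interpolates `$mac` into a backtick shell command. Build the leases path from `$netname` and read the file with open() rather than shelling out to grep.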
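Review bot: The 5-to-10-minute change to `test_end` in the runTest() hunk of nwfilter_concurrent.sh is unrelated to the DHCP-lease lookup this commit describes and is not mentioned in its message. Drop it from this patch, or move it to its own commit with a stated reason for the longer limit.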

On Wed, Feb 07, 2018 at 09:04:52PM -0500, Laine Stump wrote:
Newer versions of libvirt no longer let dnsmasq create a leases file, they keep track of it themselves and provide an API to retrieve the current list of leases. Use that to get the guest's IP address when it's available. ---
I later realized that it might be more appropriate to use $dom->get_interface_addresses(), but I'd already rewritten the existing function this way and it works, so I left it.
lib/Sys/Virt/TCK/NetworkHelpers.pm | 9 +++++++++ scripts/nwfilter/100-ping-still-working.t | 2 +- scripts/nwfilter/210-no-mac-spoofing.t | 2 +- scripts/nwfilter/220-no-ip-spoofing.t | 2 +- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 2 +- scripts/nwfilter/nwfilter_concurrent.sh | 4 ++-- 7 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/lib/Sys/Virt/TCK/NetworkHelpers.pm b/lib/Sys/Virt/TCK/NetworkHelpers.pm index 133064b..f6bf8f9 100644 --- a/lib/Sys/Virt/TCK/NetworkHelpers.pm +++ b/lib/Sys/Virt/TCK/NetworkHelpers.pm @@ -10,7 +10,16 @@ sub get_first_macaddress { }
sub get_ip_from_leases{ + my $conn = shift; + my $netname = shift; my $mac = shift; + + my $net = $conn->get_network_by_name($netname); + if ($net->can('get_dhcp_leases')) { + my @leases = $net->get_dhcp_leases($mac); + return @leases ? @leases[0]->{'ipaddr'} : undef; + } + my $tmp = `grep $mac /var/lib/libvirt/dnsmasq/default.leases`; my @fields = split(/ /, $tmp); my $ip = $fields[2]; diff --git a/scripts/nwfilter/100-ping-still-working.t b/scripts/nwfilter/100-ping-still-working.t index a20b95d..dc1efd2 100644 --- a/scripts/nwfilter/100-ping-still-working.t +++ b/scripts/nwfilter/100-ping-still-working.t @@ -69,7 +69,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac";
-my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip";
# check ebtables entry diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index b81fc4a..03001a8 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -69,7 +69,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac";
-my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip";
# check ebtables entry diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 3a0213d..d447a19 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -60,7 +60,7 @@ sleep(30); my $mac = get_first_macaddress($dom); diag "mac is $mac";
-my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip";
# check ebtables entry diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 16ce60d..9d00dc4 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -68,7 +68,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac";
-my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip";
# check ebtables entry diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 284033d..f1e6870 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -70,7 +70,7 @@ sleep(10); my $mac = get_first_macaddress($dom); diag "mac is $mac";
-my $guestip = get_ip_from_leases($mac); +my $guestip = get_ip_from_leases($conn, "default", $mac); diag "ip is $guestip";
# check ebtables entry
Up to this point Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
diff --git a/scripts/nwfilter/nwfilter_concurrent.sh b/scripts/nwfilter/nwfilter_concurrent.sh index 4c9b878..359e2ab 100644 --- a/scripts/nwfilter/nwfilter_concurrent.sh +++ b/scripts/nwfilter/nwfilter_concurrent.sh @@ -242,9 +242,9 @@ runTest()
[ $? -ne 0 ] && rm -rf "${tmpdir}" && return 1;
- # Test runs for a maximum of 5 minutes + # Test runs for a maximum of 10 minutes now=`date +%s` - test_end=$(($now + 5 * 60)) + test_end=$(($now + 10 * 60))
while :; do
Just split that into a second patch if still needed

Regards,
Daniel

On 02/08/2018 04:15 AM, Daniel P. Berrangé wrote:
diff --git a/scripts/nwfilter/nwfilter_concurrent.sh b/scripts/nwfilter/nwfilter_concurrent.sh index 4c9b878..359e2ab 100644 --- a/scripts/nwfilter/nwfilter_concurrent.sh +++ b/scripts/nwfilter/nwfilter_concurrent.sh @@ -242,9 +242,9 @@ runTest()
[ $? -ne 0 ] && rm -rf "${tmpdir}" && return 1;
- # Test runs for a maximum of 5 minutes + # Test runs for a maximum of 10 minutes now=`date +%s` - test_end=$(($now + 5 * 60)) + test_end=$(($now + 10 * 60))
while :; do
Just split that into a second patch if still needed
Oops. I had that in for debugging and forgot to remove it.

Net::SSH::Perl is out of date in the Fedora git repos. The version currently supported in Fedora fails to connect to most modern sshd's, and updating to the new version would require adding several new perl packages to Fedora. Instead, this patch switches to using Net::OpenSSH, whose current version in Fedora works properly *EXCEPT* that it is missing the line "Requires: perl(IO:TTy)" in its specfiles (I filed https://bugzilla.redhat.com/1542666 requesting that fix to be applied to Fedora git repos. For now, just run "dnf install perl-IO-Tty" separately) NB: prior to this patch, Net::SSH::Perl was required, but had no Required: line in the specfile, so you would have to install it by hand. If you had done that, you can probably now dnf erase it. --- perl-Sys-Virt-TCK.spec.PL | 3 ++- scripts/nwfilter/100-ping-still-working.t | 1 - scripts/nwfilter/210-no-mac-spoofing.t | 27 ++++++++++++++------------- scripts/nwfilter/220-no-ip-spoofing.t | 23 ++++++++++++----------- scripts/nwfilter/230-no-mac-broadcast.t | 23 ++++++++++++----------- scripts/nwfilter/240-no-arp-spoofing.t | 23 ++++++++++++----------- scripts/nwfilter/300-vsitype.t | 1 - 7 files changed, 52 insertions(+), 49 deletions(-) diff --git a/perl-Sys-Virt-TCK.spec.PL b/perl-Sys-Virt-TCK.spec.PL index 9a10880..4172499 100644 --- a/perl-Sys-Virt-TCK.spec.PL +++ b/perl-Sys-Virt-TCK.spec.PL @@ -37,7 +37,7 @@ __DATA__ Summary: Sys::Virt::TCK - libvirt Technology Compatibility Kit Name: perl-%{appname} Version: @VERSION@ -Release: 1%{_extra_release} +Release: 99%{_extra_release} License: GPLv2 Group: Development/Tools Source: http://libvirt.org/sources/tck/%{appname}-v%{version}.tar.gz @@ -73,6 +73,7 @@ Requires: perl(Test::Exception) Requires: perl(TAP::Formatter::HTML) Requires: perl(TAP::Formatter::JUnit) Requires: perl(TAP::Harness::Archive) +Requires: perl(Net::OpenSSH) Requires: /usr/bin/mkisofs BuildArchitectures: noarch 
diff --git a/scripts/nwfilter/100-ping-still-working.t b/scripts/nwfilter/100-ping-still-working.t index dc1efd2..5afc6a6 100644 --- a/scripts/nwfilter/100-ping-still-working.t +++ b/scripts/nwfilter/100-ping-still-working.t @@ -32,7 +32,6 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; use File::Spec::Functions qw(catfile catdir rootdir); diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index 03001a8..eb01d13 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -31,7 +31,7 @@ use Test::More tests => 5; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH; use File::Spec::Functions qw(catfile catdir rootdir); @@ -88,9 +88,10 @@ diag $ping; ok($ping =~ "10 received", "ping $guestip test"); # log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password()); # now bring eth0 down, change MAC and bring it up again diag "fiddling with mac"; 
@@ -108,26 +109,26 @@ echo "DEV=`ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://'` /sbin/ip addr show dev \\\$DEV" > /test.sh EOF diag $cmdfile; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("/test.sh > /test.log"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.log"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; ok($stdout =~ /100% packet loss|Network is unreachable/, "packet loss expected"); shutdown_vm_gracefully($dom); diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index d447a19..872dcc3 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -31,7 +31,7 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH; use File::Spec::Functions qw(catfile catdir rootdir); @@ -71,9 +71,10 @@ diag $ebtable; ok($ebtable =~ "$guestip", "check ebtables entry"); # log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password()); # now bring eth0 down, change IP and bring it up again diag "preparing ip spoof"; 
@@ -95,23 +96,23 @@ MASK=`ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\ /sbin/ip addr show \\\$DEV" > /test.sh EOF diag $cmdfile; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.sh"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; diag "running ip spoof"; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh"); +($stdout, $stderr) = $ssh->capture2("/test.sh"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; diag "checking result"; ok($stdout =~ "100% packet loss", "packet loss expected"); diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 9d00dc4..70c1ab4 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -31,7 +31,7 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH; use File::Spec::Functions qw(catfile catdir rootdir); my $tck = Sys::Virt::TCK->new(); @@ -85,9 +85,10 @@ diag "prepare tcpdump"; system("/usr/sbin/tcpdump -v -i virbr0 -n host 255.255.255.255 2> /tmp/tcpdump.log &"); # log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password()); # now generate a mac broadcast paket diag "generate mac broadcast"; 
@@ -95,22 +96,22 @@ my $cmdfile = <<EOF; echo '/bin/ping -c 1 192.168.122.255 -b' > /test.sh EOF diag $cmdfile; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("/test.sh > /test.log"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.log"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; # now stop tcpdump and verify result diag "stopping tcpdump"; diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index f1e6870..141fb92 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -31,7 +31,7 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH; use File::Spec::Functions qw(catfile catdir rootdir); my $spoofid = "192.168.122.183"; @@ -85,9 +85,10 @@ diag "prepare tcpdump"; system("/usr/sbin/tcpdump -v -i virbr0 not ip > /tmp/tcpdump.log &"); # log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password()); # now generate a arp spoofing packets diag "generate arpspoof"; 
@@ -100,23 +101,23 @@ EOF diag "content of cmdfile:"; diag $cmdfile; diag "creating cmdfile"; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; diag "excuting cmdfile"; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +($stdout, $stderr) = $ssh->capture2("/test.sh > /test.log"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("echo test.log\ncat /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("echo test.log\ncat /test.log"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; # now stop tcpdump and verify result diag "stopping tcpdump"; diff --git a/scripts/nwfilter/300-vsitype.t b/scripts/nwfilter/300-vsitype.t index 430618f..d169339 100644 --- a/scripts/nwfilter/300-vsitype.t +++ b/scripts/nwfilter/300-vsitype.t @@ -31,7 +31,6 @@ use Test::More; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; use File::Spec::Functions qw(catfile catdir rootdir); my $tck = Sys::Virt::TCK->new(); -- 2.13.6
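Review bot: `Release: 99%{_extra_release}` in the first perl-Sys-Virt-TCK.spec.PL hunk is unrelated to the SSH module switch and should be dropped from this patch. In the second spec hunk, since the commit message says the Fedora Net::OpenSSH package is missing its IO::Tty dependency, consider adding `Requires: perl(IO::Tty)` next to `Requires: perl(Net::OpenSSH)` until that bug is fixed, so the tests run on a fresh install without the manual dnf step.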
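Review bot: In the `@@ -88,9 +88,10` hunk of 210-no-mac-spoofing.t (and the matching login hunks in 220, 230 and 240) the result of `Net::OpenSSH->new(...)` is used without checking `$ssh->error`. The constructor returns an object even when the connection or login fails, so a failure would surface only later as empty capture2 output and a misleading test result. Add a check right after the constructor, for example `BAIL_OUT("ssh to $guestip failed: " . $ssh->error) if $ssh->error;`.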
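Review bot: `diag "Exit Code: $?"` in the `@@ -108,26 +109,26` hunk of 210-no-mac-spoofing.t (same pattern in the capture2 hunks of 220, 230 and 240) prints the raw wait status, so a remote exit code of 1 is reported as 256. Print `$? >> 8` instead, and for the setup steps (writing /test.sh, `chmod +x /test.sh`) consider failing the test on a non-zero status rather than only logging it, since a guest where the script was never created makes the later spoofing result meaningless.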

On Wed, Feb 07, 2018 at 09:04:53PM -0500, Laine Stump wrote:
Net::SSH::Perl is out of date in the Fedora git repos. The version currently supported in Fedora fails to connect to most modern sshd's, and updating to the new version would require adding several new perl packages to Fedora. Instead, this patch switches to using Net::OpenSSH, whose current version in Fedora works properly *EXCEPT* that it is missing the line "Requires: perl(IO:TTy)" in its specfiles (I filed https://bugzilla.redhat.com/1542666 requesting that fix to be applied to Fedora git repos. For now, just run "dnf install perl-IO-Tty" separately)
NB: prior to this patch, Net::SSH::Perl was required, but had no Required: line in the specfile, so you would have to install it by hand. If you had done that, you can probably now dnf erase it.
Fedora RPM has magic dependency generators - it should have added a Requires: perl(Net::SSH::Perl) line automatically at build time
diff --git a/perl-Sys-Virt-TCK.spec.PL b/perl-Sys-Virt-TCK.spec.PL index 9a10880..4172499 100644 --- a/perl-Sys-Virt-TCK.spec.PL +++ b/perl-Sys-Virt-TCK.spec.PL @@ -37,7 +37,7 @@ __DATA__ Summary: Sys::Virt::TCK - libvirt Technology Compatibility Kit Name: perl-%{appname} Version: @VERSION@ -Release: 1%{_extra_release} +Release: 99%{_extra_release}
Oops can revert that bit :-)
License: GPLv2 Group: Development/Tools Source: http://libvirt.org/sources/tck/%{appname}-v%{version}.tar.gz @@ -73,6 +73,7 @@ Requires: perl(Test::Exception) Requires: perl(TAP::Formatter::HTML) Requires: perl(TAP::Formatter::JUnit) Requires: perl(TAP::Harness::Archive) +Requires: perl(Net::OpenSSH) Requires: /usr/bin/mkisofs BuildArchitectures: noarch
diff --git a/scripts/nwfilter/100-ping-still-working.t b/scripts/nwfilter/100-ping-still-working.t index dc1efd2..5afc6a6 100644 --- a/scripts/nwfilter/100-ping-still-working.t +++ b/scripts/nwfilter/100-ping-still-working.t @@ -32,7 +32,6 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl;
use File::Spec::Functions qw(catfile catdir rootdir);
diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index 03001a8..eb01d13 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -31,7 +31,7 @@ use Test::More tests => 5; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH;
use File::Spec::Functions qw(catfile catdir rootdir);
@@ -88,9 +88,10 @@ diag $ping; ok($ping =~ "10 received", "ping $guestip test");
# log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password());
# now bring eth0 down, change MAC and bring it up again diag "fiddling with mac"; @@ -108,26 +109,26 @@ echo "DEV=`ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://'` /sbin/ip addr show dev \\\$DEV" > /test.sh EOF diag $cmdfile; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("/test.sh > /test.log"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.log"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; ok($stdout =~ /100% packet loss|Network is unreachable/, "packet loss expected");
shutdown_vm_gracefully($dom); diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index d447a19..872dcc3 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -31,7 +31,7 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH;
use File::Spec::Functions qw(catfile catdir rootdir);
@@ -71,9 +71,10 @@ diag $ebtable; ok($ebtable =~ "$guestip", "check ebtables entry");
# log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password());
# now bring eth0 down, change IP and bring it up again diag "preparing ip spoof"; @@ -95,23 +96,23 @@ MASK=`ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\ /sbin/ip addr show \\\$DEV" > /test.sh EOF diag $cmdfile; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.sh"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; diag "running ip spoof"; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh"); +($stdout, $stderr) = $ssh->capture2("/test.sh"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; diag "checking result"; ok($stdout =~ "100% packet loss", "packet loss expected");
diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 9d00dc4..70c1ab4 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -31,7 +31,7 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH; use File::Spec::Functions qw(catfile catdir rootdir);
my $tck = Sys::Virt::TCK->new(); @@ -85,9 +85,10 @@ diag "prepare tcpdump"; system("/usr/sbin/tcpdump -v -i virbr0 -n host 255.255.255.255 2> /tmp/tcpdump.log &");
# log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password());
# now generate a mac broadcast paket diag "generate mac broadcast"; @@ -95,22 +96,22 @@ my $cmdfile = <<EOF; echo '/bin/ping -c 1 192.168.122.255 -b' > /test.sh EOF diag $cmdfile; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("/test.sh > /test.log"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("cat /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("cat /test.log"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?";
# now stop tcpdump and verify result diag "stopping tcpdump"; diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index f1e6870..141fb92 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -31,7 +31,7 @@ use Test::More tests => 4; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; +use Net::OpenSSH; use File::Spec::Functions qw(catfile catdir rootdir);
my $spoofid = "192.168.122.183"; @@ -85,9 +85,10 @@ diag "prepare tcpdump"; system("/usr/sbin/tcpdump -v -i virbr0 not ip > /tmp/tcpdump.log &");
# log into guest -my $ssh = Net::SSH::Perl->new($guestip); diag "ssh'ing into $guestip"; -$ssh->login("root", $tck->root_password()); +my $ssh = Net::OpenSSH->new($guestip, + user => "root", + password => $tck->root_password());
# now generate a arp spoofing packets diag "generate arpspoof"; @@ -100,23 +101,23 @@ EOF diag "content of cmdfile:"; diag $cmdfile; diag "creating cmdfile"; -my ($stdout, $stderr, $exit) = $ssh->cmd($cmdfile); +my ($stdout, $stderr) = $ssh->capture2($cmdfile); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("chmod +x /test.sh"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("chmod +x /test.sh"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?"; diag "excuting cmdfile"; -($stdout, $stderr, $exit) = $ssh->cmd("/test.sh > /test.log"); +($stdout, $stderr) = $ssh->capture2("/test.sh > /test.log"); diag $stdout; diag $stderr; -diag $exit; -($stdout, $stderr, $exit) = $ssh->cmd("echo test.log\ncat /test.log"); +diag "Exit Code: $?"; +($stdout, $stderr) = $ssh->capture2("echo test.log\ncat /test.log"); diag $stdout; diag $stderr; -diag $exit; +diag "Exit Code: $?";
# now stop tcpdump and verify result diag "stopping tcpdump"; diff --git a/scripts/nwfilter/300-vsitype.t b/scripts/nwfilter/300-vsitype.t index 430618f..d169339 100644 --- a/scripts/nwfilter/300-vsitype.t +++ b/scripts/nwfilter/300-vsitype.t @@ -31,7 +31,6 @@ use Test::More; use Sys::Virt::TCK; use Sys::Virt::TCK::NetworkHelpers; use Test::Exception; -use Net::SSH::Perl; use File::Spec::Functions qw(catfile catdir rootdir);
my $tck = Sys::Virt::TCK->new(); --
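Review bot: Net::OpenSSH->new() in each of the four converted scripts is never followed by a check of $ssh->error. The constructor returns an object even when the connection or password authentication fails, so a failed login only surfaces later as empty $stdout and a misleading "packet loss expected" result. Suggest adding, right after the constructor, something like: $ssh->error and die "ssh to $guestip failed: " . $ssh->error; Also, diag "Exit Code: $?" prints the raw wait status that capture2 leaves in $?, so a remote exit code of 1 is shown as 256; print $? >> 8 instead, and consider failing the test when it is non-zero for the setup commands that create and chmod /test.sh.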
Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

The setting of the environment variable MASK was for some reason producing "8" instead of "24". Changing from using back-ticks "`" that resolved at the time the script was created, to using $(blah) resolved when the script is *run* magically fixed the problem. Note that this doesn't change the outcome of the test at all, since the guest never needs to connect outside the local subnet, and is immediately halted after setting the IP using $MASK. It just bothered me that the value was incorrect (and that backticks were being used, when $() is more portable - again it is duly noted that portability doesn't matter in this case, since we know that the script will always be executed on Fedora with bash). --- scripts/nwfilter/220-no-ip-spoofing.t | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 872dcc3..5903961 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -79,9 +79,10 @@ my $ssh = Net::OpenSSH->new($guestip, # now bring eth0 down, change IP and bring it up again diag "preparing ip spoof"; my $cmdfile = <<EOF; -echo "DEV=`ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://'` -MASK=`ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q'` +echo "DEV=\\\$(ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://') +MASK=\\\$(ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q') /sbin/ip addr show \\\$DEV +kill \\\$(pidof dhclient) /sbin/ip link set \\\$DEV down /sbin/ip addr flush dev \\\$DEV /sbin/ip addr add 192.168.122.183/\\\$MASK dev \\\$DEV -- 2.13.6
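Review bot: The added line kill \\\$(pidof dhclient) is not covered by the commit message, which only talks about MASK. Say why dhclient has to be stopped before the address is flushed (presumably so it does not re-add the leased address), and note that when no dhclient is running, kill is invoked with no argument and prints a usage error into the test output. For the "for some reason" part, the message could state the cause: with backticks inside the double-quoted echo, the substitution runs while /test.sh is being written, at which point DEV exists only as text in the string, so ip addr show \$DEV lists every interface and sed's q keeps the first inet line, the loopback /8.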

On Wed, Feb 07, 2018 at 09:04:54PM -0500, Laine Stump wrote:
The setting of the environment variable MASK was for some reason producing "8" instead of "24". Changing from using back-ticks "`" that resolved at the time the script was created, to using $(blah) resolved when the script is *run* magically fixed the problem.
Oh, I bet the `` were being evaluated on the *host* when perl initializes the $cmdfile variable. Your change to $() means it is now correctly evaluated on the *guest* inside the SSH session. Fun !
Note that this doesn't change the outcome of the test at all, since the guest never needs to connect outside the local subnet, and is immediately halted after setting the IP using $MASK. It just bothered me that the value was incorrect (and that backticks were being used, when $() is more portable - again it is duly noted that portability doesn't matter in this case, since we know that the script will always be executed on Fedora with bash).
--- scripts/nwfilter/220-no-ip-spoofing.t | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 872dcc3..5903961 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -79,9 +79,10 @@ my $ssh = Net::OpenSSH->new($guestip, # now bring eth0 down, change IP and bring it up again diag "preparing ip spoof"; my $cmdfile = <<EOF; -echo "DEV=`ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://'` -MASK=`ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q'` +echo "DEV=\\\$(ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://') +MASK=\\\$(ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q') /sbin/ip addr show \\\$DEV +kill \\\$(pidof dhclient) /sbin/ip link set \\\$DEV down /sbin/ip addr flush dev \\\$DEV /sbin/ip addr add 192.168.122.183/\\\$MASK dev \\\$DEV -- 2.13.6
Regards, Daniel

On Wed, Feb 07, 2018 at 09:04:54PM -0500, Laine Stump wrote:
The setting of the environment variable MASK was for some reason producing "8" instead of "24". Changing from using back-ticks "`" that resolved at the time the script was created, to using $(blah) resolved when the script is *run* magically fixed the problem.
Note that this doesn't change the outcome of the test at all, since the guest never needs to connect outside the local subnet, and is immediately halted after setting the IP using $MASK. It just bothered me that the value was incorrect (and that backticks were being used, when $() is more portable - again it is duly noted that portability doesn't matter in this case, since we know that the script will always be executed on Fedora with bash).
--- scripts/nwfilter/220-no-ip-spoofing.t | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 872dcc3..5903961 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -79,9 +79,10 @@ my $ssh = Net::OpenSSH->new($guestip, # now bring eth0 down, change IP and bring it up again diag "preparing ip spoof"; my $cmdfile = <<EOF; -echo "DEV=`ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://'` -MASK=`ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q'` +echo "DEV=\\\$(ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://') +MASK=\\\$(ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q') /sbin/ip addr show \\\$DEV +kill \\\$(pidof dhclient) /sbin/ip link set \\\$DEV down /sbin/ip addr flush dev \\\$DEV /sbin/ip addr add 192.168.122.183/\\\$MASK dev \\\$DEV
Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel
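The write-time versus run-time expansion that this patch's commit message describes, reproduced offline as an added example (not code from the libvirt-tck tree). `fake_ip_addr` is a constructed stand-in for `ip addr show`, and `DEV=eth0` is hardcoded as an assumption so nothing touches real interfaces.

```shell
#!/bin/sh
# Added example (not from libvirt-tck). fake_ip_addr is a constructed stand-in
# for `ip addr show [DEV]`; DEV=eth0 is hardcoded as an assumption.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample output: with no argument every interface is listed
# (loopback first); with an interface name only that interface is listed.
cat > "$workdir/fake_ip_addr" <<'EOF'
#!/bin/sh
case "$1" in
  "")   echo "inet 127.0.0.1/8 scope host lo"
        echo "inet 192.168.122.50/24 scope global eth0" ;;
  eth0) echo "inet 192.168.122.50/24 scope global eth0" ;;
esac
EOF
chmod +x "$workdir/fake_ip_addr"
PATH="$workdir:$PATH"; export PATH

# Old form: backticks inside the double-quoted echo are expanded by the shell
# that runs echo, while the script file is being written. DEV is only text in
# the string at that point, so the stand-in is called with no argument and
# sed's q keeps the first inet line (loopback).
gen_early() {
    echo "DEV=eth0
MASK=`fake_ip_addr \$DEV | grep 'inet ' | awk '{print \$2}' | sed -e 's/.*\///;q'`
echo \$MASK" > "$1"
}

# New form: \$( ... ) is written into the file literally and is expanded only
# when the generated script runs, after DEV=eth0 has been assigned.
gen_late() {
    echo "DEV=eth0
MASK=\$(fake_ip_addr \$DEV | grep 'inet ' | awk '{print \$2}' | sed -e 's/.*\///;q')
echo \$MASK" > "$1"
}

# Generate each script, run it, and return the MASK value it prints.
early_mask() { gen_early "$workdir/early.sh" && sh "$workdir/early.sh"; }
late_mask()  { gen_late  "$workdir/late.sh"  && sh "$workdir/late.sh"; }

echo "expanded while writing the script: MASK=$(early_mask)"
echo "expanded while running the script: MASK=$(late_mask)"
echo "--- early.sh as written ---"; cat "$workdir/early.sh"
echo "--- late.sh as written ---";  cat "$workdir/late.sh"
```

Comparing the two generated files shows the difference directly: early.sh already contains a fixed number on its MASK line, while late.sh still contains the command substitution.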

I'm not sure if or how this ever worked before - what is supposed to happen is that the shell script in $cmdfile is put into the file /test.sh on the guest, then /test.sh is executed. But the code was instead trying to directly execute the text of the entire script as a single command and write the generated output to /test.sh, then execute that. putting echo " ..... " around the whole thing fixed it. --- scripts/nwfilter/240-no-arp-spoofing.t | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 141fb92..45f790a 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -91,11 +91,11 @@ my $ssh = Net::OpenSSH->new($guestip, password => $tck->root_password()); # now generate a arp spoofing packets -diag "generate arpspoof"; +diag "generate arpspoof script"; my $cmdfile = <<EOF; -/usr/sbin/arpspoof ${spoofid} & +echo "/usr/sbin/arpspoof ${spoofid} & /bin/sleep 10 -kill -15 `/sbin/pidof arpspoof`' > /test.sh +kill -15 `/sbin/pidof arpspoof`" > /test.sh EOF diag "content of cmdfile:"; -- 2.13.6
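Review bot: In the new kill line, the backticks around /sbin/pidof arpspoof now sit inside the double-quoted echo, so they are expanded when /test.sh is written, before arpspoof has been started, and the script ends up with a bare kill -15 and no pid. Escape the substitution so it is stored literally and runs inside /test.sh, the same way the 220-no-ip-spoofing.t patch does for MASK, e.g. kill -15 \\\$(/sbin/pidof arpspoof). ${spoofid} is fine as is, since that one is meant to be interpolated by Perl when the heredoc is built.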

On Wed, Feb 07, 2018 at 09:04:55PM -0500, Laine Stump wrote:
I'm not sure if or how this ever worked before - what is supposed to happen is that the shell script in $cmdfile is put into the file /test.sh on the guest, then /test.sh is executed. But the code was instead trying to directly execute the text of the entire script as a single command and write the generated output to /test.sh, then execute that.
Err, wow.
putting echo " ..... " around the whole thing fixed it. --- scripts/nwfilter/240-no-arp-spoofing.t | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 141fb92..45f790a 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -91,11 +91,11 @@ my $ssh = Net::OpenSSH->new($guestip, password => $tck->root_password());
# now generate a arp spoofing packets -diag "generate arpspoof"; +diag "generate arpspoof script"; my $cmdfile = <<EOF; -/usr/sbin/arpspoof ${spoofid} & +echo "/usr/sbin/arpspoof ${spoofid} & /bin/sleep 10 -kill -15 `/sbin/pidof arpspoof`' > /test.sh +kill -15 `/sbin/pidof arpspoof`" > /test.sh EOF
diag "content of cmdfile:";
Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel

...and set it properly in all the nwfilter tests (it's irrelevant for the others). This corrects a problem with the no-mac-broadcast test, which was checking to see that packets with a destination MAC address of ff:ff:ff:ff:ff:ff weren't allowed, but was neglecting to add the "no-mac-broadcast" nwfilter to the domain (the test was erroneously succeeding because it was checking for a different type of packet than it was generating, which is fixed in a separate patch). --- lib/Sys/Virt/TCK.pm | 9 ++++++--- scripts/nwfilter/100-ping-still-working.t | 3 ++- scripts/nwfilter/210-no-mac-spoofing.t | 3 ++- scripts/nwfilter/220-no-ip-spoofing.t | 3 ++- scripts/nwfilter/230-no-mac-broadcast.t | 3 ++- scripts/nwfilter/240-no-arp-spoofing.t | 3 ++- 6 files changed, 16 insertions(+), 8 deletions(-) diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index ce8e81b..2259042 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -766,6 +766,7 @@ sub generic_machine_domain { my $caps = exists $params{caps} ? $params{caps} : die "caps parameter is required"; my $ostype = exists $params{ostype} ? $params{ostype} : "hvm"; my $fullos = exists $params{fullos} ? $params{fullos} : 0; + my $filterref = exists $params{filterref} ? $params{filterref} : undef; if ($fullos) { my %config = $self->get_image($caps, $ostype); @@ -792,7 +793,7 @@ sub generic_machine_domain { source => "default", model => "virtio", mac => "52:54:00:11:11:11", - filterref => "clean-traffic"); + filterref => $filterref); my $xml = $b->as_xml(); # Cleanup the temporary interface $b->rminterface(); @@ -896,6 +897,7 @@ sub generic_domain { my $ostype = exists $params{ostype} ? $params{ostype} : "hvm"; my $fullos = exists $params{fullos} ? $params{fullos} : 0; my $netmode = exists $params{netmode} ? $params{netmode} : undef; + my $filterref = exists $params{filterref} ? $params{filterref} : undef; my $caps = Sys::Virt::TCK::Capabilities->new(xml => $self->conn->get_capabilities); 
@@ -915,7 +917,8 @@ sub generic_domain { $b = $self->generic_machine_domain(name => $name, caps => $caps, ostype => $ostype, - fullos => $fullos); + fullos => $fullos, + filterref => $filterref); } if ($netmode) { if ($netmode eq "vepa") { @@ -931,7 +934,7 @@ sub generic_domain { source => "default", model => "virtio", mac => "52:54:00:11:11:11", - filterref => "clean-traffic"); + filterref => $filterref); } } return $b; diff --git a/scripts/nwfilter/100-ping-still-working.t b/scripts/nwfilter/100-ping-still-working.t index 5afc6a6..1bbd7c5 100644 --- a/scripts/nwfilter/100-ping-still-working.t +++ b/scripts/nwfilter/100-ping-still-working.t @@ -44,7 +44,8 @@ END { # create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml(); my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index eb01d13..b4a4990 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -44,7 +44,8 @@ END { # create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml(); my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 5903961..f3e4a38 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t 
@@ -44,7 +44,8 @@ END { # create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml(); my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 70c1ab4..292c056 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -43,7 +43,8 @@ END { # create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "no-mac-broadcast")->as_xml(); my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 45f790a..33febe9 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -45,7 +45,8 @@ END { # create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml(); my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); -- 2.13.6
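Review bot: With the default for filterref set to undef in generic_machine_domain and generic_domain, every caller that does not pass filterref now reaches $b->interface(..., filterref => $filterref) with an undefined value where it used to get "clean-traffic". The hunks do not show how interface() treats an undefined filterref, so please confirm it omits the <filterref> element rather than emitting an empty one, and say in the commit message that the non-nwfilter tests now run without a filter. The exists ... ? ... : undef form is also redundant here, since $params{filterref} already yields undef when the key is absent.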

On Wed, Feb 07, 2018 at 09:04:56PM -0500, Laine Stump wrote:
...and set it properly in all the nwfilter tests (it's irrelevant for the others).
This corrects a problem with the no-mac-broadcast test, which was checking to see that packets with a destination MAC address of ff:ff:ff:ff:ff:ff weren't allowed, but was neglecting to add the "no-mac-broadcast" nwfilter to the domain (the test was erroneously succeeding because it was checking for a different type of packet than it was generating, which is fixed in a separate patch). --- lib/Sys/Virt/TCK.pm | 9 ++++++--- scripts/nwfilter/100-ping-still-working.t | 3 ++- scripts/nwfilter/210-no-mac-spoofing.t | 3 ++- scripts/nwfilter/220-no-ip-spoofing.t | 3 ++- scripts/nwfilter/230-no-mac-broadcast.t | 3 ++- scripts/nwfilter/240-no-arp-spoofing.t | 3 ++- 6 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm index ce8e81b..2259042 100644 --- a/lib/Sys/Virt/TCK.pm +++ b/lib/Sys/Virt/TCK.pm @@ -766,6 +766,7 @@ sub generic_machine_domain { my $caps = exists $params{caps} ? $params{caps} : die "caps parameter is required"; my $ostype = exists $params{ostype} ? $params{ostype} : "hvm"; my $fullos = exists $params{fullos} ? $params{fullos} : 0; + my $filterref = exists $params{filterref} ? $params{filterref} : undef;
You could put "clean-traffic" here instead of the 'undef' which....
diff --git a/scripts/nwfilter/100-ping-still-working.t b/scripts/nwfilter/100-ping-still-working.t index 5afc6a6..1bbd7c5 100644 --- a/scripts/nwfilter/100-ping-still-working.t +++ b/scripts/nwfilter/100-ping-still-working.t @@ -44,7 +44,8 @@ END {
# create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml();
my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index eb01d13..b4a4990 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -44,7 +44,8 @@ END {
# create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml();
my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object"); diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index 5903961..f3e4a38 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -44,7 +44,8 @@ END {
# create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml();
my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object");
....avoids need for any of these changes.
diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 70c1ab4..292c056 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -43,7 +43,8 @@ END {
# create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "no-mac-broadcast")->as_xml();
my $dom;
This one is needed to override the default
diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 45f790a..33febe9 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t @@ -45,7 +45,8 @@ END {
# create first domain and start it my $xml = $tck->generic_domain(name => "tck", fullos => 1, - netmode => "network")->as_xml(); + netmode => "network", + filterref => "clean-traffic")->as_xml();
my $dom; ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object");
This one can be dropped Regards, Daniel

Once the correct filter is enabled for the no-mac-broadcast test, the original test to validate ebtables rules is no longer correct - it was checking for the presence of the test guest's MAC address in the ebtables output on the host, but the no-mac-broadcast filter doesn't have the guest's MAC address anywhere. This patch changes the code to look for "-d Broadcast -j DROP", which actually is added to ebtables for no-mac-broadcast. --- scripts/nwfilter/230-no-mac-broadcast.t | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 292c056..8895a53 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -74,12 +74,9 @@ diag "ip is $guestip"; # check ebtables entry my $ebtables = (-e '/sbin/ebtables') ? '/sbin/ebtables' : '/usr/sbin/ebtables'; -my $ebtable = `$ebtables -L;$ebtables -t nat -L`; +my $ebtable = `$ebtables -t nat -L`; diag $ebtable; -# ebtables shortens :00: to :0: so we need to do that too -$_ = $mac; -s/00/0/g; -ok($ebtable =~ $_, "check ebtables entry"); +ok($ebtable =~ "-d Broadcast -j DROP", "check ebtables entry for \"-d Broadcast -j DROP\""); # prepare tcpdump diag "prepare tcpdump"; -- 2.13.6
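Review bot: The new ok($ebtable =~ "-d Broadcast -j DROP", ...) check matches that text anywhere in the nat table dump, so a rule left behind by another domain or filter on the host would satisfy it; consider restricting the match to the chain for this guest's interface. The right-hand side is also a plain string used as a pattern, which works for this text but reads more clearly as a regex literal, /-d Broadcast -j DROP/. If $mac has no other user in this script once the s/00/0/g block is gone, drop its lookup as well.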

On Wed, Feb 07, 2018 at 09:04:57PM -0500, Laine Stump wrote:
Once the correct filter is enabled for the no-mac-broadcast test, the original test to validate ebtables rules is no longer correct - it was checking for the presence of the test guest's MAC address in the ebtables output on the host, but the no-mac-broadcast filter doesn't have the guest's MAC address anywhere. This patch changes the code to look for "-d Broadcast -j DROP", which actually is added to ebtables for no-mac-broadcast. --- scripts/nwfilter/230-no-mac-broadcast.t | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 292c056..8895a53 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -74,12 +74,9 @@ diag "ip is $guestip";
# check ebtables entry my $ebtables = (-e '/sbin/ebtables') ? '/sbin/ebtables' : '/usr/sbin/ebtables'; -my $ebtable = `$ebtables -L;$ebtables -t nat -L`; +my $ebtable = `$ebtables -t nat -L`; diag $ebtable; -# ebtables shortens :00: to :0: so we need to do that too -$_ = $mac; -s/00/0/g; -ok($ebtable =~ $_, "check ebtables entry"); +ok($ebtable =~ "-d Broadcast -j DROP", "check ebtables entry for \"-d Broadcast -j DROP\"");
# prepare tcpdump diag "prepare tcpdump";
Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel

In the no-mac-broadcast test, a ping is sent to 192.168.122.255, but tcpdump is set to look for packets with a destination IP of 255.255.255.255. Change it to check for the correct IP address and also for mac broadcast (which is what the no-mac-broadcast filter actually looks at). This should eliminate the "false success" that was happening because tcpdump wasn't actually seeing the broadcast packet the guest was sending, as well as catching the "false failure" caused by tcpdump seeing other traffic from the guest unrelated to the test (which happened to be broadcasts sent to 255.255.255.255). --- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index 8895a53..f05a9c2 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -80,7 +80,7 @@ ok($ebtable =~ "-d Broadcast -j DROP", "check ebtables entry for \"-d Broadcast # prepare tcpdump diag "prepare tcpdump"; -system("/usr/sbin/tcpdump -v -i virbr0 -n host 255.255.255.255 2> /tmp/tcpdump.log &"); +system("/usr/sbin/tcpdump -v -i virbr0 -n host 192.168.122.255 and ether host ff:ff:ff:ff:ff:ff 2> /tmp/tcpdump.log &"); # log into guest diag "ssh'ing into $guestip"; -- 2.13.6
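Review bot: In the new tcpdump expression, host 192.168.122.255 and ether host ff:ff:ff:ff:ff:ff match the address as either source or destination, while the commit message is about the destination; dst host 192.168.122.255 and ether dst ff:ff:ff:ff:ff:ff states that directly. The hardcoded 192.168.122.255 also has to stay in step with the ping target written into /test.sh in this script, so a shared variable for the broadcast address would keep the two from drifting apart the way 255.255.255.255 and 192.168.122.255 did.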

The root account in the Fedora image used for the tests has a properly specified path, so the extra verbiage just clutters up the screen. --- scripts/nwfilter/210-no-mac-spoofing.t | 20 ++++++++++---------- scripts/nwfilter/220-no-ip-spoofing.t | 26 +++++++++++++------------- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 6 +++--- 4 files changed, 27 insertions(+), 27 deletions(-) diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t index b4a4990..3438f4a 100644 --- a/scripts/nwfilter/210-no-mac-spoofing.t +++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -98,16 +98,16 @@ my $ssh = Net::OpenSSH->new($guestip, diag "fiddling with mac"; my $cmdfile = <<EOF; echo "DEV=`ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://'` -/sbin/ip addr show dev \\\$DEV -/sbin/ip link set \\\$DEV down -/sbin/ip link set \\\$DEV address ${macfalse} -/sbin/ip link set \\\$DEV up -/sbin/ip addr show dev \\\$DEV -/bin/ping -c 10 ${gateway} 2>&1 -/sbin/ip link set \\\$DEV down -/sbin/ip link set \\\$DEV address ${mac} -/sbin/ip link set \\\$DEV up -/sbin/ip addr show dev \\\$DEV" > /test.sh +ip addr show dev \\\$DEV +ip link set \\\$DEV down +ip link set \\\$DEV address ${macfalse} +ip link set \\\$DEV up +ip addr show dev \\\$DEV +ping -c 10 ${gateway} 2>&1 +ip link set \\\$DEV down +ip link set \\\$DEV address ${mac} +ip link set \\\$DEV up +ip addr show dev \\\$DEV" > /test.sh EOF diag $cmdfile; my ($stdout, $stderr) = $ssh->capture2($cmdfile); diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-no-ip-spoofing.t index f3e4a38..9e1bb70 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t 
@@ -82,20 +82,20 @@ diag "preparing ip spoof"; my $cmdfile = <<EOF; echo "DEV=\\\$(ip link | head -3 | tail -1 | awk '{print \\\$2}' | sed -e 's/://') MASK=\\\$(ip addr show \\\$DEV | grep 'inet ' | awk '{print \\\$2}' | sed -e 's/.*\\///;q') -/sbin/ip addr show \\\$DEV +ip addr show \\\$DEV kill \\\$(pidof dhclient) -/sbin/ip link set \\\$DEV down -/sbin/ip addr flush dev \\\$DEV -/sbin/ip addr add 192.168.122.183/\\\$MASK dev \\\$DEV -/sbin/ip link set \\\$DEV up -/sbin/ip addr show \\\$DEV -/bin/sleep 1 -/bin/ping -c 1 192.168.122.1 -/sbin/ip link set \\\$DEV down -/sbin/ip addr flush dev \\\$DEV -/sbin/ip addr add ${guestip}/\\\$MASK dev \\\$DEV -/sbin/ip link set \\\$DEV up -/sbin/ip addr show \\\$DEV" > /test.sh +ip link set \\\$DEV down +ip addr flush dev \\\$DEV +ip addr add 192.168.122.183/\\\$MASK dev \\\$DEV +ip link set \\\$DEV up +ip addr show \\\$DEV +sleep 1 +ping -c 1 192.168.122.1 +ip link set \\\$DEV down +ip addr flush dev \\\$DEV +ip addr add ${guestip}/\\\$MASK dev \\\$DEV +ip link set \\\$DEV up +ip addr show \\\$DEV" > /test.sh EOF diag $cmdfile; my ($stdout, $stderr) = $ssh->capture2($cmdfile); diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230-no-mac-broadcast.t index f05a9c2..758005c 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -91,7 +91,7 @@ my $ssh = Net::OpenSSH->new($guestip, # now generate a mac broadcast paket diag "generate mac broadcast"; my $cmdfile = <<EOF; -echo '/bin/ping -c 1 192.168.122.255 -b' > /test.sh +echo 'ping -c 1 192.168.122.255 -b' > /test.sh EOF diag $cmdfile; my ($stdout, $stderr) = $ssh->capture2($cmdfile); diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-no-arp-spoofing.t index 33febe9..dfc8e08 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t 
@@ -94,9 +94,9 @@ my $ssh = Net::OpenSSH->new($guestip, # now generate a arp spoofing packets diag "generate arpspoof script"; my $cmdfile = <<EOF; -echo "/usr/sbin/arpspoof ${spoofid} & -/bin/sleep 10 -kill -15 `/sbin/pidof arpspoof`" > /test.sh +echo "arpspoof ${spoofid} & +sleep 10 +kill -15 \\\$(pidof arpspoof)" > /test.sh EOF diag "content of cmdfile:"; -- 2.13.6
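Review bot: The 240-no-arp-spoofing.t hunk does more than drop path prefixes: it replaces the backticked /sbin/pidof arpspoof with \\\$(pidof arpspoof), which moves the substitution from the moment /test.sh is written to the moment it runs. That is a behaviour fix and belongs in the commit message or in the earlier arp-spoof patch. The context line in 210-no-mac-spoofing.t still builds DEV with backticks inside the echo; that one happens to give the same answer at write time, but converting it to \\\$(...) would keep the four scripts consistent.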

On Wed, Feb 07, 2018 at 09:04:59PM -0500, Laine Stump wrote:
The root account in the Fedora image used for the tests has a properly specified path, so the extra verbiage just clutters up the screen. --- scripts/nwfilter/210-no-mac-spoofing.t | 20 ++++++++++---------- scripts/nwfilter/220-no-ip-spoofing.t | 26 +++++++++++++------------- scripts/nwfilter/230-no-mac-broadcast.t | 2 +- scripts/nwfilter/240-no-arp-spoofing.t | 6 +++--- 4 files changed, 27 insertions(+), 27 deletions(-)
Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Regards, Daniel
participants (2): Daniel P. Berrangé, Laine Stump