Merge pull request #615 from kylemanna/dev

Cleanup some tests and documentation

Author: kylemanna

README.md

@@ -69,7 +69,7 @@ If you prefer to use `docker-compose` please refer to the [documentation](docs/d
 
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
 
-        docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
+        docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN -e DEBUG=1 kylemanna/openvpn
 
 * Test using a client that has openvpn installed correctly
 

bin/ovpn_run

@@ -39,11 +39,11 @@ function addArg {
 # this allows rules/routing to be altered by supplying this function
 # in an included file, such as ovpn_env.sh
 function setupIptablesAndRouting {
-    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || {
+    iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || {
       iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE
     }
     for i in "${OVPN_ROUTES[@]}"; do
-        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || {
+        iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || {
           iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE
         }
     done
@@ -87,13 +87,18 @@ fi
 
 ip -6 route show default 2>/dev/null
 if [ $? = 0 ]; then
-    echo "Enabling IPv6 Forwarding"
-    # If this fails, ensure the docker container is run with --privileged
-    # Could be side stepped with `ip netns` madness to drop privileged flag
+    echo "Checking IPv6 Forwarding"
+    if [ "$(</proc/sys/net/ipv6/conf/all/disable_ipv6)" != "0" ]; then
+        echo "Sysctl error for disable_ipv6, please run docker with '--sysctl net.ipv6.conf.all.disable_ipv6=0'"
+    fi
+
+    if [ "$(</proc/sys/net/ipv6/conf/default/forwarding)" != "1" ]; then
+        echo "Sysctl error for default forwarding, please run docker with '--sysctl net.ipv6.conf.default.forwarding=1'"
+    fi
 
-    sysctl -w net.ipv6.conf.all.disable_ipv6=0 || echo "Failed to enable IPv6 support"
-    sysctl -w net.ipv6.conf.default.forwarding=1 || echo "Failed to enable IPv6 Forwarding default"
-    sysctl -w net.ipv6.conf.all.forwarding=1 || echo "Failed to enable IPv6 Forwarding"
+    if [ "$(</proc/sys/net/ipv6/conf/all/forwarding)" != "1" ]; then
+        echo "Sysctl error for all forwarding, please run docker with '--sysctl net.ipv6.conf.all.forwarding=1'"
+    fi
 fi
 
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"

docs/advanced.md

@@ -17,4 +17,4 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config
 
 * Start the server with:
 
-        docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn
+        docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

docs/tcp.md

@@ -21,7 +21,7 @@ specified protocol, adjust the mapping appropriately:
 ## Running a Second Fallback TCP Container
 Instead of choosing between UDP and TCP, you can use both. A single instance of OpenVPN can only listen for a single protocol on a single port, but this image makes it easy to run two instances simultaneously. After building, configuring, and starting a standard container listening for UDP traffic on 1194, you can start a second container listening for tcp traffic on port 443:
 
-    docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged kylemanna/openvpn ovpn_run --proto tcp
+    docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn ovpn_run --proto tcp
 
 `ovpn_run` will load all the values from the default config file, and `--proto tcp` will override the protocol setting.
 

test/client/wait-for-connect.sh

@@ -5,34 +5,46 @@ set -e
 
 OPENVPN_CONFIG=${1:-/client/config.ovpn}
 
-# Run in background, rely on bash for job management
+# For some reason privileged mode creates the char device and cap-add=NET_ADMIN doesn't
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+    mknod /dev/net/tun c 10 200
+fi
+
+# Run in background using bash job management, setup trap to clean-up
+trap "{ jobs -p | xargs -r kill; wait; }" EXIT
 openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 &
 
 # Spin waiting for interface to exist signifying connection
 timeout=10
 for i in $(seq $timeout); do
+    # Allow to start-up
+    sleep 0.5
+
+    # Use bash magic to open tcp socket on fd 3 and break when successful
+    exec 3<>/dev/tcp/127.0.0.1/9999 && break
+done
 
-    # Break when connected
-    #echo state | busybox nc 127.0.0.1 9999 | grep -q "CONNECTED,SUCCESS" && break;
+if [ $i -ge $timeout ]; then
+    echo "Error connecting to OpenVPN mgmt interface, i=$i, exiting."
+    exit 2
+fi
 
-    # Bash magic for tcp sockets
-    if exec 3<>/dev/tcp/127.0.0.1/9999; then
-        # Consume all header input
-        while read -t 0.1 <&3; do true; done
-        echo "state" >&3
-        read -t 1 <&3
-        echo -n $REPLY | grep -q "CONNECTED,SUCCESS" && break || true
-        exec 3>&-
-    fi
+# Consume all header input and echo, look for errors here
+while read -t 0.1 <&3; do echo $REPLY; done
 
-    # Else sleep
+# Request state over mgmt interface
+timeout=10
+for i in $(seq $timeout); do
+    echo "state" >&3
+    state=$(head -n1 <&3)
+    echo -n "$state" | grep -q 'CONNECTED,SUCCESS' && break
     sleep 1
 done
 
 if [ $i -ge $timeout ]; then
-    echo "Error starting OpenVPN, i=$i, exiting."
-    exit 2;
+    echo "Error connecting to OpenVPN, i=$i, exiting."
+    exit 3
 fi
 
-# The show is over.
-kill %1
+exec 3>&-

test/tests/basic/run.sh

@@ -22,27 +22,22 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | tee $CL
 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT
 
 #
-# Fire up the server
+# Fire up the server and setup a trap to always clean it up
 #
-docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
+trap "{ jobs -p | xargs -r kill; wait; }" EXIT
+docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -e DEBUG --cap-add=NET_ADMIN $IMG &
 
-#for i in $(seq 10); do
-#    SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
-#    test -n "$SERV_IP" && break
-#done
-#sed -ie s:SERV_IP:$SERV_IP:g config.ovpn
+for i in $(seq 10); do
+    SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)
+    test -n "$SERV_IP_INTERNAL" && break
+    sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g ${CLIENT_DIR}/config.ovpn
 
 #
-# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
+# Fire up a client in a container since openvpn is disallowed by Travis-CI
 #
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-
-#
-# Client either connected or timed out, kill server
-#
-kill %1
+docker run --rm --cap-add=NET_ADMIN -e DEBUG --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
 
 #
 # Celebrate

test/tests/dual-proto/run.sh

@@ -35,22 +35,31 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_
 # Fire up the server
 #
 
-# run in shell bg to get logs
-docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
-docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp &
+# Run in shell bg to get logs, setup trap to clean-up
+trap "{ jobs -p | xargs -r kill; wait; docker volume rm ${OVPN_DATA}; }" EXIT
+docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN -e DEBUG $IMG &
+docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN -e DEBUG $IMG ovpn_run --proto tcp --port 443 &
 
-#
-# Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
-#
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn"
+# Update configs
+for i in $(seq 10); do
+    SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test-udp" 2>/dev/null || true)
+    test -n "$SERV_IP_INTERNAL" && break
+    sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn
+
+for i in $(seq 10); do
+    SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test-tcp" 2>/dev/null || true)
+    test -n "$SERV_IP_INTERNAL" && break
+    sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config-tcp.ovpn
 
 #
-# Client either connected or timed out, kill server
+# Fire up a clients in a containers since openvpn is disallowed by Travis-CI
 #
-kill %1 %2
+docker run --rm --cap-add=NET_ADMIN -v $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh
+docker run --rm --cap-add=NET_ADMIN -v $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn"
 
 #
 # Celebrate

test/tests/otp/run.sh

@@ -49,25 +49,19 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c
 #
 # Fire up the server
 #
-docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
+trap "{ jobs -p | xargs -r kill; wait; }" EXIT
+docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN $IMG &
 
-#for i in $(seq 10); do
-#    SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
-#    test -n "$SERV_IP" && break
-#done
-#sed -ie s:SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn
+for i in $(seq 10); do
+    SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)
+    test -n "$SERV_IP_INTERNAL" && break
+    sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn
 
 #
-# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
-# the host as it confuses itself:
-# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
-#
-docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh
-
-#
-# Client either connected or timed out, kill server
-#
-kill %1
+# Fire up a client in a container since openvpn is disallowed by Travis-CI
+docker run --rm --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh
 
 #
 # Celebrate

test/tests/revocation/run.sh

@@ -23,11 +23,13 @@ function finish {
     # Stop the server and clean up
     docker rm -f $NAME
     docker volume rm $OVPN_DATA
+    jobs -p | xargs -r kill
+    wait
 }
 trap finish EXIT
 
 # Put the server in the background
-docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN -p 1194:1194/udp --name $NAME $IMG
+docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --name $NAME $IMG
 
 #
 # Test that easy_rsa generate CRLs with 'next publish' set to 3650 days.
@@ -49,10 +51,18 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass
 docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn
 docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1"
 
+# Determine IP address of container running daemon and update config
+for i in $(seq 10); do
+    SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$NAME" 2>/dev/null || true)
+    test -n "$SERV_IP_INTERNAL" && break
+    sleep 0.1
+done
+sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn
+
 #
 # Test that openvpn client can't connect using $CLIENT1 config.
 #
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then
     echo "Client was able to connect after revocation test #1." >&2
     exit 2
 fi
@@ -64,7 +74,14 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass
 docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn
 docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2"
 
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+# Determine IP address of container running daemon and update config
+for i in $(seq 10); do
+    SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$NAME" 2>/dev/null || true)
+    test -n "$SERV_IP_INTERNAL" && break
+    sleep 0.1
+done
+
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then
     echo "Client was able to connect after revocation test #2." >&2
     exit 2
 fi
@@ -77,7 +94,7 @@ docker stop $NAME && docker start $NAME
 #
 # Test for failed connection using $CLIENT2 config again.
 #
-if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then
+if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then
     echo "Client was able to connect after revocation test #3." >&2
     exit 2
 fi