stackrox · Stringy · May 27, 2025 · May 28, 2025 · May 28, 2025 · May 28, 2025
@@ -1 +1 @@
-2.0.2
+2.0.3
@@ -1,6 +1,9 @@
-FROM  quay.io/rhacs-eng/qa:berserker-1.0-59-g87ad0d870e
+FROM  quay.io/rhacs-eng/qa:berserker-1.0-79-g617ec32386
+
+RUN dnf install -y which netcat iproute bpftool procps iptables
 
 COPY workloads/ /etc/berserker/
+COPY prepare-tap.sh /scripts/
 
 ENV PATH="${PATH}:/usr/local/bin"
 

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+# This script helps to prepare an environment for developing berserker network
+# workload. It has the following preparatory steps:
+#   * Create and start up a new tun device for berserker to use
+#   * Optionally prepare iptables for the device to be visible
+#
+# The last step is optional, because iptables configuration could be different
+# between development environments. Meaning it's not guaranteed that this part of
+# the script is suitable for every case.
+
+stop() {
+         echo "$*" 1>&2
+                          exit 1
+}
+
+which ip &> /dev/null || stop "Don't have the ip tool"
+which whoami &> /dev/null || stop "Don't have the whoami tool"
+which sysctl &> /dev/null || stop "Don't have the sysctl tool"
+
+ADDRESS="10.0.0.1/16"
+NAME="berserker0"
+USER="$(whoami)"
+CONFIGURE_IPTABLE="false"
+CONFIGURE_FIREWALLD="false"
+CONFIGURE_TUNTAP_IF_EXISTS="false"
+
+while getopts ":a:t:u:i:fo" opt; do
+    case $opt in
+        a)
+            ADDRESS="${OPTARG}"
+            ;;
+        t)
+            NAME="${OPTARG}"
+            ;;
+        u)
+            USER="${OPTARG}"
+            ;;
+        i)
+            CONFIGURE_IPTABLE="true"
+            ;;
+        f)
+            CONFIGURE_FIREWALLD="true"
+            ;;
+        o)
+            CONFIGURE_TUNTAP_IF_EXISTS="true"
+            ;;
+        \?)
+            echo "Invalid option -$OPTARG" >&2
+            exit 1
+            ;;
+    esac
+done
+
+echo "Verifying if device ${NAME} is already created..."
+if ip tuntap | grep "${NAME}" &> /dev/null; then
+    echo "The devince ${NAME} already exists!"
+    if [[ "${CONFIGURE_TUNTAP_IF_EXISTS}" != "true" ]]; then
+        exit 1
+    fi
+
+    ip link delete "${NAME}"
+fi
+
+echo "Creating tun device ${NAME} for user ${USER}..."
+ip tuntap add name "${NAME}" mode tun user "${USER}"
+ip link set "${NAME}" up
+
+echo "Assigning address ${ADDRESS} to device ${NAME}..."
+ip addr add "${ADDRESS}" dev "${NAME}"
+
+if [[ "${CONFIGURE_FIREWALLD}" == "true" ]]; then
+    which firewall-cmd &> /dev/null || stop "Don't have the firewal-cmd tool"
+
+    echo "Adding to the trusted zone..."
+    firewall-cmd --zone=trusted --add-interface="${NAME}"
+fi
+
+if [[ "${CONFIGURE_IPTABLE}" == "true" ]]; then
+    which iptables &> /dev/null || stop "Don't have the iptables tool"
+
+    echo "Enabling ip forward..."
+    sysctl net.ipv4.ip_forward=1
+
+    echo "Preparing iptable..."
+    iptables -t nat -A POSTROUTING -s "${ADDRESS}" -j MASQUERADE
+    iptables -A FORWARD -i "${NAME}" -s "${ADDRESS}" -j ACCEPT
+    iptables -A FORWARD -o "${NAME}" -d "${ADDRESS}" -j ACCEPT
+
+    RULE_NR=$(iptables -t filter -L INPUT --line-numbers \
+                                                         | grep "REJECT     all" \
+                                      | awk '{print $1}')
+
+    # Excempt tun device from potentiall reject all rule
+    if [[ $RULE_NR == "" ]]; then
+        iptables -I INPUT -i "${NAME}" -s "${ADDRESS}" -j ACCEPT
+    else
+        iptables -I INPUT $((RULE_NR - 1)) -i "${NAME}" -s "${ADDRESS}" -j ACCEPT
+    fi
+fi
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/davecgh/go-spew/spew"
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/stackrox/collector/integration-tests/pkg/collector"
@@ -17,25 +18,35 @@ import (
 
 var (
 	runtimeConfigErrorMsg = "Runtime configuration was not updated"
+
+	tickTime = 1 * time.Second
+	timeout  = 3 * time.Minute
 )
 
-func AssertExternalIps(t *testing.T, enabled string, collectorIP string) {
-	tickTime := 1 * time.Second
-	timeout := 3 * time.Minute
+func getCollectorRuntimeConfig(t *testing.T, collectorIP string) types.RuntimeConfig {
+	body, err := collector.IntrospectionQuery(collectorIP, "/state/runtime-config")
+	assert.NoError(t, err)
+	var response types.RuntimeConfig
+	err = json.Unmarshal(body, &response)
+	assert.NoError(t, err)
+	return response
+}
+
+func AssertRuntimeConfig(t *testing.T, collectorIP string, config types.RuntimeConfig) {
 	AssertRepeated(t, tickTime, timeout, runtimeConfigErrorMsg, func() bool {
-		body, err := collector.IntrospectionQuery(collectorIP, "/state/runtime-config")
-		assert.NoError(t, err)
-		var response types.RuntimeConfig
-		err = json.Unmarshal(body, &response)
-		assert.NoError(t, err)
+		collectorConfig := getCollectorRuntimeConfig(t, collectorIP)
+		return cmp.Equal(config, collectorConfig)
+	})
+}
 
-		return response.Networking.ExternalIps.Enabled == enabled
+func AssertExternalIps(t *testing.T, enabled string, collectorIP string) {
+	AssertRepeated(t, tickTime, timeout, runtimeConfigErrorMsg, func() bool {
+		collectorConfig := getCollectorRuntimeConfig(t, collectorIP)
+		return collectorConfig.Networking.ExternalIps.Enabled == enabled
 	})
 }
 
 func AssertNoRuntimeConfig(t *testing.T, collectorIP string) {
-	tickTime := 1 * time.Second
-	timeout := 3 * time.Minute
 	AssertRepeated(t, tickTime, timeout, runtimeConfigErrorMsg, func() bool {
 		body, err := collector.IntrospectionQuery(collectorIP, "/state/runtime-config")
 		assert.NoError(t, err)

@@ -10,6 +10,12 @@ import (
 
 const (
 	NilTimestamp = "<nil>"
+
+	// This sentinel value can be used for expected network infos
+	// where the timestamp is not known ahead of time, but is expected
+	// to be non-nil for the purposes of assertions (e.g. compared to
+	// NilTimestamp as seen in IsActive() below)
+	NotNilTimestamp = "Not Nil"
 )
 
 type NetworkInfo struct {

@@ -5,7 +5,8 @@ import (
 )
 
 type ExternalIpsConfig struct {
-	Enabled string `yaml:"enabled"`
+	Enabled   string `yaml:"enabled"`
+	Direction string `yaml:"direction,omitempty"`
 }
 
 type NetworkConfig struct {
@@ -29,12 +30,12 @@ func (n *RuntimeConfig) Equal(other RuntimeConfig) bool {
 	return n.Networking.ExternalIps.Enabled == other.Networking.ExternalIps.Enabled
 }
 
-func (n *RuntimeConfig) GetRuntimeConfigStr() (string, error) {
+func (n *RuntimeConfig) String() string {
 	yamlBytes, err := yaml.Marshal(n)
 
 	if err != nil {
-		return "", err
+		panic(err)
 	}
 
-	return string(yamlBytes), err
+	return string(yamlBytes)
 }
@@ -18,20 +18,13 @@ var (
 )
 
 func init() {
-	var err error
 	var runtimeConfig types.RuntimeConfig
 	runtimeConfig.Networking.ExternalIps.Enabled = "ENABLED"
 
-	EXT_IP_ENABLE, err = runtimeConfig.GetRuntimeConfigStr()
-	if err != nil {
-		panic(err)
-	}
-
+	EXT_IP_ENABLE = runtimeConfig.String()
 	runtimeConfig.Networking.ExternalIps.Enabled = "DISABLED"
-	EXT_IP_DISABLE, err = runtimeConfig.GetRuntimeConfigStr()
-	if err != nil {
-		panic(err)
-	}
+
+	EXT_IP_DISABLE = runtimeConfig.String()
 }
 
 type K8sConfigReloadTestSuite struct {