Run acl test twice - with and without flow logging

Soon EVE will allow to disable flow logging, which reduces the amount of
data published to the controller and simplifies iptables rules installed
by EVE.
See: lf-edge/eve-api#62

However, the ACL implementation is quite different between enabled and
disabled flow logging. Therefore, it makes sense to run the ACL test
twice to test both cases.

Signed-off-by: Milan Lenco <milan@zededa.com>

cmd/edenNetwork.go

@@ -93,6 +93,7 @@ func newNetworkNetstatCmd() *cobra.Command {
 func newNetworkCreateCmd() *cobra.Command {
 	var networkType, networkName, uplinkAdapter string
 	var staticDNSEntries []string
+	var enableFlowlog bool
 
 	//networkCreateCmd is command for create network instance in EVE
 	var networkCreateCmd = &cobra.Command{
@@ -104,7 +105,8 @@ func newNetworkCreateCmd() *cobra.Command {
 			if len(args) == 1 {
 				subnet = args[0]
 			}
-			if err := openEVEC.NetworkCreate(subnet, networkType, networkName, uplinkAdapter, staticDNSEntries); err != nil {
+			if err := openEVEC.NetworkCreate(subnet, networkType, networkName, uplinkAdapter,
+				staticDNSEntries, enableFlowlog); err != nil {
 				log.Fatal(err)
 			}
 		},
@@ -114,6 +116,7 @@ func newNetworkCreateCmd() *cobra.Command {
 	networkCreateCmd.Flags().StringVarP(&networkName, "name", "n", "", "Name of network (empty for auto generation)")
 	networkCreateCmd.Flags().StringVarP(&uplinkAdapter, "uplink", "u", "eth0", "Name of uplink adapter, set to 'none' to not use uplink")
 	networkCreateCmd.Flags().StringArrayVarP(&staticDNSEntries, "static-dns-entries", "s", []string{}, "List of static DNS entries in format HOSTNAME:IP_ADDR,IP_ADDR,...")
+	networkCreateCmd.Flags().BoolVar(&enableFlowlog, "enable-flowlog", false, "enable flow logging (EVE collecting and publishing records of application network flows)")
 
 	return networkCreateCmd
 }

pkg/expect/networkInstance.go

@@ -25,6 +25,7 @@ type NetInstanceExpectation struct {
 	netInstType      string
 	uplinkAdapter    string
 	staticDNSEntries map[string][]string
+	enableFlowlog    bool
 }
 
 // checkNetworkInstance checks if provided netInst match expectation
@@ -60,12 +61,13 @@ func (exp *AppExpectation) createNetworkInstance(instanceExpect *NetInstanceExpe
 			Uuid:    id.String(),
 			Version: "1",
 		},
-		InstType: config.ZNetworkInstType_ZnetInstLocal, //we use local networks for now
-		Activate: true,
-		Port:     adapter,
-		Cfg:      &config.NetworkInstanceOpaqueConfig{},
-		IpType:   config.AddressType_IPV4,
-		Ip:       &config.Ipspec{},
+		InstType:       config.ZNetworkInstType_ZnetInstLocal, //we use local networks for now
+		Activate:       true,
+		Port:           adapter,
+		Cfg:            &config.NetworkInstanceOpaqueConfig{},
+		IpType:         config.AddressType_IPV4,
+		Ip:             &config.Ipspec{},
+		DisableFlowlog: !instanceExpect.enableFlowlog,
 	}
 	if instanceExpect.netInstType == "switch" {
 		netInst.InstType = config.ZNetworkInstType_ZnetInstSwitch

pkg/expect/options.go

@@ -163,6 +163,18 @@ func WithStaticDNSEntries(networkName string, dnsEntries []string) ExpectationOp
 	}
 }
 
+// WithFlowlog enables flow logging for the given network instance.
+func WithFlowlog(networkName string) ExpectationOption {
+	return func(expectation *AppExpectation) {
+		for _, netInstance := range expectation.netInstances {
+			if netInstance.name != networkName {
+				continue
+			}
+			netInstance.enableFlowlog = true
+		}
+	}
+}
+
 // WithDiskSize set disk size for created app (equals with image size if not defined)
 func WithDiskSize(diskSizeBytes int64) ExpectationOption {
 	return func(expectation *AppExpectation) {

pkg/openevec/edenNetwork.go

@@ -93,7 +93,8 @@ func (openEVEC *OpenEVEC) NetworkNetstat(niName string, outputFormat types.Outpu
 	return nil
 }
 
-func (openEVEC *OpenEVEC) NetworkCreate(subnet, networkType, networkName, uplinkAdapter string, staticDNSEntries []string) error {
+func (openEVEC *OpenEVEC) NetworkCreate(subnet, networkType, networkName, uplinkAdapter string,
+	staticDNSEntries []string, enableFlowlog bool) error {
 	if networkType != "local" && networkType != "switch" {
 		return fmt.Errorf("network type %s not supported now", networkType)
 	}
@@ -108,6 +109,9 @@ func (openEVEC *OpenEVEC) NetworkCreate(subnet, networkType, networkName, uplink
 	var opts []expect.ExpectationOption
 	opts = append(opts, expect.AddNetInstanceAndPortPublish(subnet, networkType, networkName, nil, uplinkAdapter))
 	opts = append(opts, expect.WithStaticDNSEntries(networkName, staticDNSEntries))
+	if enableFlowlog {
+		opts = append(opts, expect.WithFlowlog(networkName))
+	}
 	expectation := expect.AppExpectationFromURL(ctrl, dev, defaults.DefaultDummyExpect, "", opts...)
 	netInstancesConfigs := expectation.NetworkInstances()
 mainloop:

pkg/utils/templates.go

@@ -34,6 +34,10 @@ var funcs = template.FuncMap{
 		res := os.Getenv(key)
 		return res
 	},
+	// Sets the environment variable.
+	"EdenSetEnv": func(variable, value string) {
+		os.Setenv(variable, value)
+	},
 	// Get the runtime Operating system name
 	"EdenOSRuntime": func() string {
 		return runtime.GOOS

tests/eclient/testdata/acl.txt

@@ -12,6 +12,12 @@
 
 {{define "eclient_image"}}docker://{{EdenConfig "eden.eclient.image"}}:{{EdenConfig "eden.eclient.tag"}}{{end}}
 
+{{$flowlog := EdenGetEnv "EDEN_FLOWLOG"}}
+{{$flowlog_opt := ""}}
+{{if (eq $flowlog "y")}}
+{{$flowlog_opt := "--enable-flowlog"}}
+{{end}}
+
 [!exec:bash] stop
 [!exec:sleep] stop
 [!exec:ssh] stop
@@ -32,7 +38,7 @@ exec -t 10m bash dns_lookup.sh zededa.com
 source .env
 
 # Create network for which ACLs will be defined.
-eden network create 10.11.12.0/24 -n {{$network_name}} -s {{$fake_domain}}:$host_ip
+eden network create 10.11.12.0/24 -n {{$network_name}} {{$flowlog_opt}} -s {{$fake_domain}}:$host_ip
 test eden.network.test -test.v -timewait 10m ACTIVATED {{$network_name}}
 
 # First app is only allowed to access github.com and $long_domain.
@@ -75,6 +81,7 @@ stderr 'Connected to {{$long_domain}}'
 ! exec -t 1m bash curl.sh 2224 google.com
 ! stderr 'Connected'
 
+{{if (eq $flowlog "y")}}
 # Wait for network packets information
 exec -t 10m bash wait_netstat.sh curl-acl1 google.com github.com {{$long_domain}} {{$fake_domain}}
 stdout 'google.com'
@@ -88,6 +95,7 @@ stdout 'github.com'
 stdout '{{$long_domain}}'
 ! stdout '{{$fake_domain}}'
 stdout 'ieee.org'
+{{end}}
 
 # Cleanup - undeploy applications
 eden pod delete curl-acl1

tests/workflow/networking.tests.txt

@@ -35,22 +35,26 @@ eden.escript.test -test.run TestEdenScripts/template_check
 /bin/echo Eden basic network test (5/{{$tests}})
 eden.escript.test -testdata ../network/testdata/ -test.run TestEdenScripts/network_test
 
-/bin/echo Eden ACL to particular host (6/{{$tests}})
+/bin/echo Eden ACLs without flow logging (6/{{$tests}})
+{{EdenSetEnv "EDEN_FLOWLOG" "n"}}
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/acl
-/bin/echo Eden Network light (7/{{$tests}})
+/bin/echo Eden ACLs with flow logging (7/{{$tests}})
+{{EdenSetEnv "EDEN_FLOWLOG" "y"}}
+eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/acl
+/bin/echo Eden Network light (8/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/networking_light
 
-/bin/echo Eden Networks switch (8/{{$tests}})
+/bin/echo Eden Networks switch (9/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/nw_switch
-/bin/echo Eden Network Ports switch (9/{{$tests}})
+/bin/echo Eden Network Ports switch (10/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/port_switch
-/bin/echo Eden Network portmap test (10/{{$tests}})
+/bin/echo Eden Network portmap test (11/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/port_forward
-/bin/echo Eden Test DNS service provided to applications (11/{{$tests}})
+/bin/echo Eden Test DNS service provided to applications (12/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/app_dns
 
-/bin/echo Eden Nginx (12/{{$tests}})
+/bin/echo Eden Nginx (13/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/nginx
 
-/bin/echo Testing quick replace of network instances (13/{{$tests}})
+/bin/echo Testing quick replace of network instances (14/{{$tests}})
 eden.escript.test -testdata ../network/testdata/ -test.run TestEdenScripts/network_replace_test