ci: detect outbound internet traffic generated while running tests
Resolves bitcoin#31339
vasild committed Dec 3, 2024
1 parent a824236 commit c88464d
Showing 4 changed files with 59 additions and 3 deletions.
2 changes: 1 addition & 1 deletion ci/test/00_setup_env.sh
@@ -64,7 +64,7 @@ export BASE_OUTDIR=${BASE_OUTDIR:-$BASE_SCRATCH_DIR/out}
# The folder for previous release binaries.
# This folder exists only on the ci guest, and on the ci host as a volume.
export PREVIOUS_RELEASES_DIR=${PREVIOUS_RELEASES_DIR:-$BASE_ROOT_DIR/prev_releases}
export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkg-config curl ca-certificates ccache python3 rsync git procps bison e2fsprogs cmake}
export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkg-config curl ca-certificates ccache python3 rsync git procps bison e2fsprogs cmake net-tools tcpdump}
export GOAL=${GOAL:-install}
export DIR_QA_ASSETS=${DIR_QA_ASSETS:-${BASE_SCRATCH_DIR}/qa-assets}
export CI_RETRY_EXE=${CI_RETRY_EXE:-"retry --"}
2 changes: 1 addition & 1 deletion ci/test/00_setup_env_i686_centos.sh
@@ -9,7 +9,7 @@ export LC_ALL=C.UTF-8
export HOST=i686-pc-linux-gnu
export CONTAINER_NAME=ci_i686_centos
export CI_IMAGE_NAME_TAG="quay.io/centos/amd64:stream9"
export CI_BASE_PACKAGES="gcc-c++ glibc-devel.x86_64 libstdc++-devel.x86_64 glibc-devel.i686 libstdc++-devel.i686 ccache make git python3 python3-pip which patch lbzip2 xz procps-ng dash rsync coreutils bison e2fsprogs cmake"
export CI_BASE_PACKAGES="gcc-c++ glibc-devel.x86_64 libstdc++-devel.x86_64 glibc-devel.i686 libstdc++-devel.i686 ccache make git python3 python3-pip which patch lbzip2 xz procps-ng dash rsync coreutils bison e2fsprogs cmake net-tools tcpdump"
export PIP_PACKAGES="pyzmq"
export GOAL="install"
export NO_WERROR=1 # Suppress error: #warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform [-Werror=cpp]
2 changes: 1 addition & 1 deletion ci/test/02_run_container.sh
@@ -91,7 +91,7 @@ if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
# Append $USER to /tmp/env to support multi-user systems and $CONTAINER_NAME
# to allow support starting multiple runs simultaneously by the same user.
# shellcheck disable=SC2086
CI_CONTAINER_ID=$(docker run --cap-add LINUX_IMMUTABLE $CI_CONTAINER_CAP --rm --interactive --detach --tty \
CI_CONTAINER_ID=$(docker run --cap-add LINUX_IMMUTABLE --cap-add NET_RAW $CI_CONTAINER_CAP --rm --interactive --detach --tty \
--mount "type=bind,src=$BASE_READ_ONLY_DIR,dst=$BASE_READ_ONLY_DIR,readonly" \
--mount "${CI_CCACHE_MOUNT}" \
--mount "${CI_DEPENDS_MOUNT}" \
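Review bot: The added `--cap-add NET_RAW` on the `docker run` line has no comment saying why the container needs it, and the existing comment above the command only covers `/tmp/env`. The capability is presumably there so tcpdump can open capture sockets for the traffic monitor in `03_test_script.sh`, but it is granted to every CI job for the container's whole lifetime. It deserves a line next to the `shellcheck` directive such as `# NET_RAW lets tcpdump capture on the container's interfaces (traffic monitor in 03_test_script.sh).` The `docker run` command continues past the end of this hunk.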
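--- a/ci/test/03_test_script.sh
+++ b/ci/test/03_test_script.sh
@@ -144,21 +144,74 @@ if [ "$RUN_CHECK_DEPS" = "true" ]; then
 "${BASE_ROOT_DIR}/contrib/devtools/check-deps.sh" .
 fi
 
+function get_interfaces()
+{
+ifconfig | awk -F ':| ' '/^[^[:space:]]/ { if (!match($1, /^lo/)) { print $1 } }'
+}
+
+function tcpdump_file_for_interface()
+{
+echo "/tmp/tcpdump_$1"
+}
+
+function traffic_monitor_begin()
+{
+for ifname in $(get_interfaces) ; do
+tcpdump -n -i "$ifname" -w "$(tcpdump_file_for_interface "$ifname")" &
+done
+}
+
+function traffic_monitor_end()
+{
+# Stop all tcpdump instances (we want the word splitting if "jobs -p" returns more than one PID).
+# shellcheck disable=SC2046
+while kill -SIGTERM $(jobs -p) ; do
+sleep 1
+done
+
+for ifname in $(get_interfaces) ; do
+f=$(tcpdump_file_for_interface "$ifname")
+if [ ! -e "$f" ] && [ "$FILE_ENV" != "./ci/test/00_setup_env_native_asan.sh" ] ; then
+# In some CI environments this script is not running as root and so the
+# tcpdump errors and does not create $f. Skip silently those, but we
+# need at least one where tcpdump can run and this is the ASAN one. So
+# treat the absence of $f as an error only on the ASAN task.
+continue
+fi
+# We are running as root and those files are created with owner:group =
+# tcpdump:tcpdump and then `tcpdump -r` refuses to read them with an error
+# "permission denied" if they are not owned by root:root.
+chown root:root "$f"
+if [ -n "$(tcpdump -n -r "$f" --direction=out tcp or udp)" ] ; then
+echo "Error: outbound TCP or UDP packets on the non loopback interface generated during tests:" >&2
+tcpdump -n -r "$f" tcp or udp
+exit 1
+fi
+done
+}
+
 if [ "$RUN_UNIT_TESTS" = "true" ]; then
+traffic_monitor_begin
 DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" CTEST_OUTPUT_ON_FAILURE=ON ctest --stop-on-failure "${MAKEJOBS}" --timeout $(( TEST_RUNNER_TIMEOUT_FACTOR * 60 ))
+traffic_monitor_end
 fi
 
 if [ "$RUN_UNIT_TESTS_SEQUENTIAL" = "true" ]; then
+traffic_monitor_begin
 DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" "${BASE_OUTDIR}"/bin/test_bitcoin --catch_system_errors=no -l test_suite
+traffic_monitor_end
 fi
 
 if [ "$RUN_FUNCTIONAL_TESTS" = "true" ]; then
+traffic_monitor_begin
 # parses TEST_RUNNER_EXTRA as an array which allows for multiple arguments such as TEST_RUNNER_EXTRA='--exclude "rpc_bind.py --ipv6"'
 eval "TEST_RUNNER_EXTRA=($TEST_RUNNER_EXTRA)"
 LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" test/functional/test_runner.py --ci "${MAKEJOBS}" --tmpdirprefix "${BASE_SCRATCH_DIR}"/test_runner/ --ansi --combinedlogslen=99999999 --timeout-factor="${TEST_RUNNER_TIMEOUT_FACTOR}" "${TEST_RUNNER_EXTRA[@]}" --quiet --failfast
+traffic_monitor_end
 fi
 
 if [ "${RUN_TIDY}" = "true" ]; then
+traffic_monitor_begin
 cmake -B /tidy-build -DLLVM_DIR=/usr/lib/llvm-"${TIDY_LLVM_V}"/cmake -DCMAKE_BUILD_TYPE=Release -S "${BASE_ROOT_DIR}"/contrib/devtools/bitcoin-tidy
 cmake --build /tidy-build "$MAKEJOBS"
 cmake --build /tidy-build --target bitcoin-tidy-tests "$MAKEJOBS"
@@ -183,9 +236,12 @@ if [ "${RUN_TIDY}" = "true" ]; then
 cd "${BASE_ROOT_DIR}/src"
 python3 "/include-what-you-use/fix_includes.py" --nosafe_headers < /tmp/iwyu_ci.out
 git --no-pager diff
+traffic_monitor_end
 fi
 
 if [ "$RUN_FUZZ_TESTS" = "true" ]; then
+traffic_monitor_begin
 # shellcheck disable=SC2086
 LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" test/fuzz/test_runner.py ${FUZZ_TESTS_CONFIG} "${MAKEJOBS}" -l DEBUG "${DIR_FUZZ_IN}" --empty_min_time=60
+traffic_monitor_end
 fi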
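Review bot: In `traffic_monitor_end`, the check `[ -n "$(tcpdump -n -r "$f" --direction=out tcp or udp)" ]` treats a failed read the same as a clean capture. If `tcpdump -r` exits with an error (the comment above the `chown` names one such case, "permission denied"), its stdout is empty and the loop moves on without failing the job. Capturing the output and checking the status separately would make the detector fail closed, e.g. `out=$(tcpdump -n -r "$f" --direction=out tcp or udp) || exit 1` followed by `if [ -n "$out" ] ; then`. Separately, `traffic_monitor_begin` backgrounds tcpdump with `&` and returns at once, so packets sent before capture is running may be missed; that is inferred from the code, not observed.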
