From bac385db3e70d1e06b71591fd6a9aa11c2586839 Mon Sep 17 00:00:00 2001 From: Jordan Potter Date: Wed, 4 Oct 2023 09:49:03 -0700 Subject: [PATCH] Test with Podman in CI (#34) * Test with Podman in CI * Correct logic to copy Docker image to Podman * Load necessary kernel modules in CI --------- Co-authored-by: Jordan Potter --- .github/workflows/ci.yml | 75 ++++++++++++++++++++++++---------------- 1 file changed, 46 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7cf533b..51c8390 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,16 +22,13 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Get date - id: date - uses: josStorer/get-current-time@v2 - with: - format: YYYY-MM-DD + - name: Load necessary kernel modules + run: sudo modprobe ip6_tables - - name: Install wireguard + - name: Install WireGuard run: sudo apt-get install wireguard - - name: Download WireGuard config + - name: Create WireGuard config run: echo '${{ secrets.WIREGUARD_CONF }}' > wireguard.conf - name: Set up QEMU 
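Review bot: The new `Load necessary kernel modules` step carries no explanation of why `ip6_tables` must be present on the host before the tests run, so a later reader has only the commit title (#34) to go on and could drop or reorder the step without noticing what it supports. The dependency is presumably the firewall rules applied inside the container for the Podman runs, but the workflow does not say so. A short comment above the step would keep it visible, e.g. `# ip6_tables must be loaded on the host before the tunnel tests (added in #34) -- TODO confirm which runtime/test depends on it`.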
@@ -40,45 +37,59 @@ jobs: - name: Set up Buildx uses: docker/setup-buildx-action@v3 - - name: Build local image for testing + - name: Build local Docker image for testing uses: docker/build-push-action@v5 with: pull: true load: true tags: wireguard + - name: Copy Docker image to Podman + run: | + sudo podman pull docker-daemon:docker.io/library/wireguard:latest + sudo podman save -o ${{ runner.temp }}/wireguard.tar docker.io/library/wireguard:latest + podman load -i ${{ runner.temp }}/wireguard.tar + - name: Test tunnel run: | - docker run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard - normal_ip=$(docker run --rm curlimages/curl --retry 3 --retry-delay 5 ifconfig.io) - wireguard_ip=$(docker run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io) - if [ "$normal_ip" = "$wireguard_ip" ]; then echo "normal ip and wireguard ip are the same" && exit 1; fi - docker stop wireguard + for cmd in "docker" "podman" "sudo podman"; do + $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard + normal_ip=$($cmd run --rm curlimages/curl --retry 3 --retry-delay 5 ifconfig.io) + wireguard_ip=$($cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io) + if [ "$normal_ip" = "$wireguard_ip" ]; then echo "normal ip and wireguard ip are the same" && exit 1; fi + $cmd stop wireguard + done - name: Test kill switch run: | - docker run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard - docker run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io - docker exec 
wireguard wg-quick down wg0 - ! docker run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io - docker stop wireguard + for cmd in "docker" "podman" "sudo podman"; do + $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf wireguard + $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io + $cmd exec wireguard wg-quick down wg0 + ! $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io + $cmd stop wireguard + done - name: Test local subnets run: | - ip_address=$(ip route get 1.2.3.4 | awk '{print $7}') - docker run --rm -d --name nginx -p 8080:80 nginx - docker run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -e LOCAL_SUBNETS=$ip_address/32 wireguard - sleep 3 - docker run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 $ip_address:8080 - docker stop wireguard nginx + for cmd in "docker" "podman" "sudo podman"; do + ip_address=$(ip route get 1.2.3.4 | awk '{print $7}') + $cmd run --rm -d --name nginx -p 8080:80 nginx + $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -e LOCAL_SUBNETS=$ip_address/32 wireguard + sleep 3 + $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 $ip_address:8080 + $cmd stop wireguard nginx + done - name: Test exposed ports run: | - docker run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -p 8080:80 wireguard - docker run 
--rm -d --name nginx --net=container:wireguard nginx - sleep 3 - curl --retry 3 --retry-delay 5 localhost:8080 - docker stop wireguard nginx + for cmd in "docker" "podman" "sudo podman"; do + $cmd run --rm -d --name wireguard --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v ${{ github.workspace }}/wireguard.conf:/etc/wireguard/wg0.conf -p 8080:80 wireguard + $cmd run --rm -d --name nginx --net=container:wireguard nginx + sleep 3 + curl --retry 3 --retry-delay 5 localhost:8080 + $cmd stop wireguard nginx + done - name: Log into Docker Hub uses: docker/login-action@v3 @@ -93,6 +104,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Get date + id: date + uses: josStorer/get-current-time@v2 + with: + format: YYYY-MM-DD + - name: Get metadata for image id: metadata uses: docker/metadata-action@v5
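Review bot: In `Test kill switch`, the line `! $cmd run --rm --net=container:wireguard curlimages/curl ... ifconfig.io` cannot fail the step: GitHub runs `run:` scripts with bash `-e` unless a different shell is configured, and errexit explicitly ignores a command whose status is inverted with `!`, so when traffic still leaves the container after `wg-quick down` the loop just moves on to `$cmd stop wireguard` and the job stays green. The kill-switch check is therefore decorative for all three runtimes in the loop. Replace the negated line with an explicit test, e.g. `if $cmd run --rm --net=container:wireguard curlimages/curl --retry 3 --retry-delay 5 ifconfig.io; then echo "traffic still leaves the container after wg-quick down"; exit 1; fi`, mirroring the `if ... exit 1` pattern already used in `Test tunnel`.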