From 815b2f0e7338af274ec72c3587f3df028a4bc7e5 Mon Sep 17 00:00:00 2001 From: Vasil Dimov Date: Thu, 21 Nov 2024 07:04:52 +0100 Subject: [PATCH] ci: detect outbound internet traffic generated while running tests Resolves https://github.com/bitcoin/bitcoin/issues/31339 --- ci/test/00_setup_env.sh | 2 +- ci/test/00_setup_env_i686_centos.sh | 2 +- ci/test/00_setup_env_mac_native.sh | 2 + ci/test/00_setup_env_mac_native_fuzz.sh | 2 + ci/test/02_run_container.sh | 2 +- ci/test/03_test_script.sh | 56 +++++++++++++++++++++++++ 6 files changed, 63 insertions(+), 3 deletions(-) diff --git a/ci/test/00_setup_env.sh b/ci/test/00_setup_env.sh index 021d5e15976244..94149106ee2089 100755 --- a/ci/test/00_setup_env.sh +++ b/ci/test/00_setup_env.sh @@ -64,7 +64,7 @@ export BASE_OUTDIR=${BASE_OUTDIR:-$BASE_SCRATCH_DIR/out} # The folder for previous release binaries. # This folder exists only on the ci guest, and on the ci host as a volume. export PREVIOUS_RELEASES_DIR=${PREVIOUS_RELEASES_DIR:-$BASE_ROOT_DIR/prev_releases} -export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkg-config curl ca-certificates ccache python3 rsync git procps bison e2fsprogs cmake} +export CI_BASE_PACKAGES=${CI_BASE_PACKAGES:-build-essential pkg-config curl ca-certificates ccache python3 rsync git procps bison e2fsprogs cmake net-tools tcpdump} export GOAL=${GOAL:-install} export DIR_QA_ASSETS=${DIR_QA_ASSETS:-${BASE_SCRATCH_DIR}/qa-assets} export CI_RETRY_EXE=${CI_RETRY_EXE:-"retry --"} diff --git a/ci/test/00_setup_env_i686_centos.sh b/ci/test/00_setup_env_i686_centos.sh index 22657742d7c0ed..d6bd93187041af 100755 --- a/ci/test/00_setup_env_i686_centos.sh +++ b/ci/test/00_setup_env_i686_centos.sh @@ -10,7 +10,7 @@ export HOST=i686-pc-linux-gnu export CONTAINER_NAME=ci_i686_centos export CI_IMAGE_NAME_TAG="quay.io/centos/amd64:stream9" export STREAM_GCC_V="12" -export CI_BASE_PACKAGES="gcc-toolset-${STREAM_GCC_V}-gcc-c++ glibc-devel.x86_64 gcc-toolset-${STREAM_GCC_V}-libstdc++-devel.x86_64 glibc-devel.i686 gcc-toolset-${STREAM_GCC_V}-libstdc++-devel.i686 ccache make git python3 python3-pip which patch lbzip2 xz procps-ng dash rsync coreutils bison e2fsprogs cmake" +export CI_BASE_PACKAGES="gcc-toolset-${STREAM_GCC_V}-gcc-c++ glibc-devel.x86_64 gcc-toolset-${STREAM_GCC_V}-libstdc++-devel.x86_64 glibc-devel.i686 gcc-toolset-${STREAM_GCC_V}-libstdc++-devel.i686 ccache make git python3 python3-pip which patch lbzip2 xz procps-ng dash rsync coreutils bison e2fsprogs cmake net-tools tcpdump" export PIP_PACKAGES="pyzmq" export GOAL="install" export BITCOIN_CONFIG="-DWITH_ZMQ=ON -DBUILD_GUI=ON -DREDUCE_EXPORTS=ON" diff --git a/ci/test/00_setup_env_mac_native.sh b/ci/test/00_setup_env_mac_native.sh index e01a56895bfb63..317694e6f47a2f 100755 --- a/ci/test/00_setup_env_mac_native.sh +++ b/ci/test/00_setup_env_mac_native.sh @@ -15,3 +15,5 @@ export BITCOIN_CONFIG="-DBUILD_GUI=ON -DWITH_ZMQ=ON -DREDUCE_EXPORTS=ON" export CI_OS_NAME="macos" export NO_DEPENDS=1 export OSX_SDK="" +# Can't run tcpdump: tcpdump: en0: You don't have permission to capture on that device +export CI_TCPDUMP_OK_TO_FAIL=1 diff --git a/ci/test/00_setup_env_mac_native_fuzz.sh b/ci/test/00_setup_env_mac_native_fuzz.sh index 1a453a4353f8cf..977358d9cf4d39 100755 --- a/ci/test/00_setup_env_mac_native_fuzz.sh +++ b/ci/test/00_setup_env_mac_native_fuzz.sh @@ -14,3 +14,5 @@ export OSX_SDK="" export RUN_UNIT_TESTS=false export RUN_FUNCTIONAL_TESTS=false export RUN_FUZZ_TESTS=true +# Can't run tcpdump: tcpdump: en0: You don't have permission to capture on that device +export CI_TCPDUMP_OK_TO_FAIL=1 diff --git a/ci/test/02_run_container.sh b/ci/test/02_run_container.sh index ce01db325cebed..e1539e8bef3a6f 100755 --- a/ci/test/02_run_container.sh +++ b/ci/test/02_run_container.sh @@ -91,7 +91,7 @@ if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then # Append $USER to /tmp/env to support multi-user systems and $CONTAINER_NAME # to allow support starting multiple runs simultaneously by the same user. # shellcheck disable=SC2086 - CI_CONTAINER_ID=$(docker run --cap-add LINUX_IMMUTABLE $CI_CONTAINER_CAP --rm --interactive --detach --tty \ + CI_CONTAINER_ID=$(docker run --cap-add LINUX_IMMUTABLE --cap-add NET_RAW $CI_CONTAINER_CAP --rm --interactive --detach --tty \ --mount "type=bind,src=$BASE_READ_ONLY_DIR,dst=$BASE_READ_ONLY_DIR,readonly" \ --mount "${CI_CCACHE_MOUNT}" \ --mount "${CI_DEPENDS_MOUNT}" \ diff --git a/ci/test/03_test_script.sh b/ci/test/03_test_script.sh index 6e77a8927c2220..7b10f3f27d5d5a 100755 --- a/ci/test/03_test_script.sh +++ b/ci/test/03_test_script.sh @@ -146,21 +146,74 @@ if [ "$RUN_CHECK_DEPS" = "true" ]; then "${BASE_ROOT_DIR}/contrib/devtools/check-deps.sh" . fi +function get_interfaces() +{ + set -o pipefail + ifconfig | awk -F ':| ' '/^[^[:space:]]/ { if (!match($1, /^lo/)) { print $1 } }' + set +o pipefail +} + +function tcpdump_file() +{ + echo "/tmp/tcpdump_$1_$2" +} + +function traffic_monitor_begin() +{ + test_name="$1" + for ifname in $(get_interfaces) ; do + tcpdump -nU -i "$ifname" -w "$(tcpdump_file "$test_name" "$ifname")" & + done +} + +function traffic_monitor_end() +{ + test_name="$1" + + for ifname in $(get_interfaces) ; do + f=$(tcpdump_file "$test_name" "$ifname") + if [ ! -e "$f" ] && [ "$CI_TCPDUMP_OK_TO_FAIL" = "1" ] ; then + # In some CI environments this script is not running as root and so the + # tcpdump errors and does not create $f. Skip silently those, but we + # need at least one where tcpdump can run and this is the ASAN one. So + # treat the absence of $f as an error only on the ASAN task. + continue + fi + # We are running as root and those files are created with owner:group = + # tcpdump:tcpdump and then `tcpdump -r` refuses to read them with an error + # "permission denied" if they are not owned by root:root. + chown root:root "$f" + out="$(tcpdump -n -r "$f" --direction=out tcp or udp)" + if [ -n "$out" ] ; then + echo "Error: outbound TCP or UDP packets on the non loopback interface generated during $test_name tests:" >&2 + tcpdump -n -r "$f" tcp or udp + exit 1 + fi + done +} + if [ "$RUN_UNIT_TESTS" = "true" ]; then + traffic_monitor_begin "unitparallel" DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" CTEST_OUTPUT_ON_FAILURE=ON ctest --stop-on-failure "${MAKEJOBS}" --timeout $(( TEST_RUNNER_TIMEOUT_FACTOR * 60 )) + traffic_monitor_end "unitparallel" fi if [ "$RUN_UNIT_TESTS_SEQUENTIAL" = "true" ]; then + traffic_monitor_begin "unitsequential" DIR_UNIT_TEST_DATA="${DIR_UNIT_TEST_DATA}" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" "${BASE_OUTDIR}"/bin/test_bitcoin --catch_system_errors=no -l test_suite + traffic_monitor_end "unitsequential" fi if [ "$RUN_FUNCTIONAL_TESTS" = "true" ]; then + traffic_monitor_begin "functional" # parses TEST_RUNNER_EXTRA as an array which allows for multiple arguments such as TEST_RUNNER_EXTRA='--exclude "rpc_bind.py --ipv6"' eval "TEST_RUNNER_EXTRA=($TEST_RUNNER_EXTRA)" LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" test/functional/test_runner.py --ci "${MAKEJOBS}" --tmpdirprefix "${BASE_SCRATCH_DIR}"/test_runner/ --ansi --combinedlogslen=99999999 --timeout-factor="${TEST_RUNNER_TIMEOUT_FACTOR}" "${TEST_RUNNER_EXTRA[@]}" --quiet --failfast + traffic_monitor_end "functional" fi if [ "${RUN_TIDY}" = "true" ]; then + traffic_monitor_begin "tidy" cmake -B /tidy-build -DLLVM_DIR=/usr/lib/llvm-"${TIDY_LLVM_V}"/cmake -DCMAKE_BUILD_TYPE=Release -S "${BASE_ROOT_DIR}"/contrib/devtools/bitcoin-tidy cmake --build /tidy-build "$MAKEJOBS" cmake --build /tidy-build --target bitcoin-tidy-tests "$MAKEJOBS" @@ -185,9 +238,12 @@ if [ "${RUN_TIDY}" = "true" ]; then cd "${BASE_ROOT_DIR}/src" python3 "/include-what-you-use/fix_includes.py" --nosafe_headers < /tmp/iwyu_ci.out git --no-pager diff + traffic_monitor_end "tidy" fi if [ "$RUN_FUZZ_TESTS" = "true" ]; then + traffic_monitor_begin "fuzz" # shellcheck disable=SC2086 LD_LIBRARY_PATH="${DEPENDS_DIR}/${HOST}/lib" test/fuzz/test_runner.py ${FUZZ_TESTS_CONFIG} "${MAKEJOBS}" -l DEBUG "${DIR_FUZZ_IN}" --empty_min_time=60 + traffic_monitor_end "fuzz" fi