Selftest namespaces

Overview

Added in Samba version: v4.11

The use of namespaces in the selftest system is only really of interest to Samba developers, or users who want to utilize the customdc selftest environment.

Currently the Samba selftest framework uses cwrap socket-wrapper to 'fake' network connections between the Samba testenv DCs. Each DC has a 127.0.0.<id> IP address and socket wrapper uses the '<id>' to work out which DC to pass the packets to.

As an alternative to using cwrap, there is experimental selftest support to use the kernel Namespaces to isolate the testenvs. This uses a mix of network namespaces in the kernel, for isolation, and veth tunnel interfaces, to connect together the separate testenv namespaces. The Samba testenv DC becomes more like a containerized system.

For more details on what namespaces are and how selftest uses them, see selftest/ns/README.

How to configure it

To use namespaces instead of socket-wrapper, just add 'USE_NAMESPACES=1' to the make command, e.g.

  • To run the 'quick' test cases using namespaces:
      USE_NAMESPACES=1 make test TESTS=quick
  • To set up an ad_dc testenv using namespaces:
      USE_NAMESPACES=1 SELFTEST_TESTENV=ad_dc make testenv

You can then connect secondary shells to the namespace your testenv is running in. The command to do this is a little complicated, so a helper 'nsenter.sh' script gets autogenerated when the testenv is created. E.g. to connect to the testenv that the ad_dc is running in, use:

      ./st/ad_dc/nsenter.sh

Known issues and limitations

Refer to selftest/ns/README.

Troubleshooting

You can use standard packet capture tools, such as wireshark and tcpdump, to debug the Samba traffic. However, you would have to attach to the testenv namespace first, i.e. run ./st/ad_dc/nsenter.sh.

For Developers

Where the code is located

The scripts to set up namespaces are in selftest/ns/. You can find the places that namespaces hook into the selftest framework by using:

git grep "USE_NAMESPACES\|selftest/ns"

TODO

  • Add a helper script to connect the default namespace to the selftest namespace. (Also generating an nsenter.sh helper script for the main selftest namespace is probably useful).
  • Perform a full run of the autobuild jobs and work out what tests fail. A lot of failures will be due to the tests running as root, so it might be worth checking if the tests also fail under 'sudo make test'.
  • Update gitlab so we run jobs with USE_NAMESPACES enabled (currently the CI docker container's seccomp profile disables the 'unshare' system call).
  • Where possible, try to rework tests that explicitly rely on socket-wrapper, e.g. samba.tests.auth_log.
  • Use the --mount option to create a real (and unique) /etc/resolv.conf file for each testenv, and avoid using resolve-wrapper with USE_NAMESPACES.
  • Try to get Bind9 running in a testenv with USE_NAMESPACES.
  • Investigate adding a dedicated 'selftest' user (USE_NAMESPACES already creates its own separate user namespace). This may allow us to run some tests as root, and others as a regular user - this should get around the tests that currently fail when run as root. Alternatively (if this approach doesn't work), we could rework the autobuild jobs so the tests that fail as 'root' are all under a single autobuild job.
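
The CI item above notes that a container seccomp profile can block the 'unshare' system call. The following preflight check is an added example, not part of Samba's selftest scripts: it reports the seccomp mode and the user-namespace sysctls, then tries to create a user and network namespace. It assumes that this pair of namespaces is what USE_NAMESPACES=1 needs, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Samba code): preflight check before USE_NAMESPACES=1.
# Assumption: selftest needs to create a new user + network namespace.

# Print the seccomp mode recorded in a /proc/<pid>/status style file.
seccomp_mode() {
    mode=$(awk '/^Seccomp:/ { print $2 }' "${1:-/proc/self/status}" 2>/dev/null) || mode=""
    case "$mode" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Print a sysctl file's value, or "absent" when the kernel does not expose it.
sysctl_value() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Return 0 if a user + network namespace can be created, 1 otherwise.
ns_preflight() {
    echo "seccomp mode: $(seccomp_mode)"
    echo "user.max_user_namespaces: $(sysctl_value /proc/sys/user/max_user_namespaces)"
    # Debian/Ubuntu-specific knob; absent on most other kernels.
    echo "kernel.unprivileged_userns_clone: $(sysctl_value /proc/sys/kernel/unprivileged_userns_clone)"
    if ! command -v unshare >/dev/null 2>&1; then
        echo "FAIL: unshare(1) from util-linux not found"
        return 1
    fi
    if unshare --user --map-root-user --net true 2>/dev/null; then
        echo "OK: user + network namespaces can be created"
        return 0
    fi
    echo "FAIL: unshare was refused (possible causes: seccomp filter, sysctl, LSM policy)"
    return 1
}

# Run the check only when invoked with "check" as the first argument.
if [ "${1:-}" = "check" ]; then ns_preflight; fi
```

Save it under any name and run it with the argument 'check' inside the environment where the tests will run (for example the CI container). A "filter" seccomp mode together with a FAIL result points at the container profile rather than at the Samba tree.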