Browse code
Fixed the SYN eater tests so they have enough privilege
These changes make the DROP_SYN_DURING_RESTART tests better match the
documented procedure. I noticed we were getting errors in the docker
logs because the router was not set up to use root, so iptables was
failing. This corrects that.
Benjamin Bennett authored on 2016/11/04 23:32:58Showing 3 changed files
| ... | ... |
@@ -634,6 +634,7 @@ function os::start::router() {
|
| 634 | 634 |
if [[ -n "${DROP_SYN_DURING_RESTART:-}" ]]; then
|
| 635 | 635 |
# Rewrite the DC for the router to add the environment variable into the pod definition |
| 636 | 636 |
os::log::info "Changing the router DC to drop SYN packets during a reload" |
| 637 |
+ oc patch dc router -p '{"spec":{"template":{"spec":{"containers":[{"name":"router","securityContext":{"privileged":true}}],"securityContext":{"runAsUser": 0}}}}}'
|
|
| 637 | 638 |
oc set env dc/router -c router DROP_SYN_DURING_RESTART=true |
| 638 | 639 |
fi |
| 639 | 640 |
} |
| ... | ... |
@@ -657,4 +658,4 @@ function os::start::registry() {
|
| 657 | 657 |
oc env -f - --output json "REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PROJECTCACHETTL=0" | \ |
| 658 | 658 |
oc create -f - |
| 659 | 659 |
} |
| 660 |
-readonly -f os::start::registry |
|
| 661 | 660 |
\ No newline at end of file |
| 661 |
+readonly -f os::start::registry |
| ... | ... |
@@ -122,7 +122,7 @@ function os::test::extended::setup () {
|
| 122 | 122 |
if [[ -z "${SKIP_NODE:-}" ]]; then
|
| 123 | 123 |
oc rollout status dc/docker-registry |
| 124 | 124 |
fi |
| 125 |
- DROP_SYN_DURING_RESTART=1 CREATE_ROUTER_CERT=1 os::start::router |
|
| 125 |
+ DROP_SYN_DURING_RESTART=true CREATE_ROUTER_CERT=true os::start::router |
|
| 126 | 126 |
|
| 127 | 127 |
os::log::info "Creating image streams" |
| 128 | 128 |
oc create -n openshift -f "${OS_ROOT}/examples/image-streams/image-streams-centos7.json" --config="${ADMIN_KUBECONFIG}"
|