diff options
author | Tamir Duberstein <tamird@google.com> | 2020-12-08 10:18:04 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-12-08 10:20:38 -0800 |
commit | cc522a9cfb0a2d5976a3a592cba8e9d23b06c6ce (patch) | |
tree | 80716e85c7df353664aa1caa17afd59fdb1d7d18 /test/packetimpact/runner | |
parent | 5ea6419478676560e617fe0c19c9e37bf88dd8bc (diff) |
Run tcpdump as root
Prior to this change tcpdump would fail to create its output file
because the destination directory was owned by root. This would later
cause killall to fail, as tcpdump was not running. Check exit code of
tcpdump/tshark to produce better error messages should this regress.
PiperOrigin-RevId: 346353911
Diffstat (limited to 'test/packetimpact/runner')
-rw-r--r-- | test/packetimpact/runner/dut.go | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/test/packetimpact/runner/dut.go b/test/packetimpact/runner/dut.go index b607c0b04..8be2c6526 100644 --- a/test/packetimpact/runner/dut.go +++ b/test/packetimpact/runner/dut.go @@ -272,6 +272,17 @@ func TestWithDUT(ctx context.Context, t *testing.T, mkDevice func(*dockerutil.Co "--packet-buffered", // Disable DNS resolution. "-n", + // run tcpdump as root since the output directory is owned by root. From + // `man tcpdump`: + // + // -Z user + // --relinquish-privileges=user + // If tcpdump is running as root, after opening the capture device + // or input savefile, change the user ID to user and the group ID to + // the primary group of user. + // This behavior is enabled by default (-Z tcpdump), and can be + // disabled by -Z root. + "-Z", "root", } if tshark { baseSnifferArgs = []string{ @@ -294,10 +305,17 @@ func TestWithDUT(ctx context.Context, t *testing.T, mkDevice func(*dockerutil.Co filepath.Join(testOutputDir, fmt.Sprintf("%s.pcap", n.LocalDevName)), ) } - _, err := testbenchContainer.ExecProcess(ctx, dockerutil.ExecOpts{}, snifferArgs...) + p, err := testbenchContainer.ExecProcess(ctx, dockerutil.ExecOpts{}, snifferArgs...) if err != nil { t.Fatalf("failed to start exec a sniffer on %s: %s", n.LocalDevName, err) } + t.Cleanup(func() { + if snifferOut, err := p.Logs(); err != nil { + t.Errorf("sniffer logs failed: %s\n%s", err, snifferOut) + } else { + t.Logf("sniffer logs:\n%s", snifferOut) + } + }) // When the Linux kernel receives a SYN-ACK for a SYN it didn't send, it // will respond with an RST. In most packetimpact tests, the SYN is sent // by the raw socket, the kernel knows nothing about the connection, this |