From a3ab3ad5d1154cad69e2c6a6473d6f3c1690a53e Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 11:59:14 -0800
Subject: [PATCH 1/8] docker egress and tests
---
 internal/validation/suite.go | 10 ++++
 v1/networking_validation.go | 96 ++++++++++++++++++++++++++++++
 v1/providers/nebius/instance.go | 4 ++
 v1/providers/shadeform/firewall.go | 27 +++++++-
 4 files changed, 133 insertions(+), 4 deletions(-)
diff --git a/internal/validation/suite.go b/internal/validation/suite.go
index 880ca7b..f2b558f 100644
--- a/internal/validation/suite.go
+++ b/internal/validation/suite.go
@@ -322,6 +322,16 @@ func RunFirewallValidation(t *testing.T, config ProviderConfig, opts FirewallVal
 require.NoError(t, err, "ValidateDockerFirewallBlocksPort should pass - docker port should be blocked")
 })
 
+ t.Run("ValidateDockerFirewallAllowsEgress", func(t *testing.T) {
+ err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, ssh.GetTestPrivateKey(), testPort)
+ require.NoError(t, err, "ValidateDockerFirewallAllowsEgress should pass - egress should be allowed")
+ })
+
+ t.Run("ValidateDockerFirewallAllowsContainerToContainerCommunication", func(t *testing.T) {
+ err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, ssh.GetTestPrivateKey(), testPort)
+ require.NoError(t, err, "ValidateDockerFirewallAllowsContainerToContainerCommunication should pass - container to container communication should be allowed")
+ })
+
 // Test that SSH port is accessible (sanity check)
 t.Run("ValidateSSHPortAccessible", func(t *testing.T) {
 err := v1.ValidateFirewallAllowsPort(ctx, client, instance, ssh.GetTestPrivateKey(), instance.SSHPort)
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
index 7cef7da..fba2ca5 100644
--- a/v1/networking_validation.go
+++ b/v1/networking_validation.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "net"
 "net/http"
+ "strings"
 "time"
 
 "github.com/brevdev/cloud/internal/ssh"
@@ -141,6 +142,101 @@ func ValidateDockerFirewallBlocksPort(ctx context.Context, client CloudInstanceR
 return nil
 }
 
+func ValidateDockerFirewallAllowsEgress(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string, port int) error {
+ var err error
+ instance, err = WaitForInstanceLifecycleStatus(ctx, client, instance, LifecycleStatusRunning, PendingToRunningTimeout)
+ if err != nil {
+ return fmt.Errorf("failed to wait for instance running: %w", err)
+ }
+
+ publicIP := instance.PublicIP
+ if publicIP == "" {
+ return fmt.Errorf("public IP is not available for instance %s", instance.CloudID)
+ }
+
+ sshClient, err := ssh.ConnectToHost(ctx, ssh.ConnectionConfig{
+ User: instance.SSHUser,
+ HostPort: fmt.Sprintf("%s:%d", publicIP, instance.SSHPort),
+ PrivKey: privateKey,
+ })
+ if err != nil {
+ return fmt.Errorf("failed to SSH into instance: %w", err)
+ }
+ defer func() { _ = sshClient.Close() }()
+
+ dockerCmd, err := setupDockerCommand(ctx, sshClient, instance.CloudID)
+ if err != nil {
+ return err
+ }
+ // Start a Docker container to ping Google's DNS server
+ startDockerCmd := fmt.Sprintf(
+ "%s run --rm alpine ping -c 3 8.8.8.8",
+ dockerCmd,
+ )
+ stdout, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
+ if err != nil {
+ return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
+ }
+ if !strings.Contains(stdout, "3 packets transmitted, 3 packets received") {
+ return fmt.Errorf("expected successful ping, got: %s", stdout)
+ }
+
+ return nil
+}
+
+func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string, port int) error {
+ var err error
+ instance, err = WaitForInstanceLifecycleStatus(ctx, client, instance, LifecycleStatusRunning, PendingToRunningTimeout)
+ if err != nil {
+ return fmt.Errorf("failed to wait for instance running: %w", err)
+ }
+
+ publicIP := instance.PublicIP
+ if publicIP == "" {
+ return fmt.Errorf("public IP is not available for instance %s", instance.CloudID)
+ }
+
+ sshClient, err := ssh.ConnectToHost(ctx, ssh.ConnectionConfig{
+ User: instance.SSHUser,
+ HostPort: fmt.Sprintf("%s:%d", publicIP, instance.SSHPort),
+ PrivKey: privateKey,
+ })
+ if err != nil {
+ return fmt.Errorf("failed to SSH into instance: %w", err)
+ }
+ defer func() { _ = sshClient.Close() }()
+
+ dockerCmd, err := setupDockerCommand(ctx, sshClient, instance.CloudID)
+ if err != nil {
+ return err
+ }
+ // Start a Docker container in the background
+ containerName := fmt.Sprintf("firewall-test-container-to-container")
+ startDockerCmd := fmt.Sprintf(
+ "%s run -d --name %s nginx:alpine",
+ dockerCmd, containerName,
+ )
+ _, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
+ if err != nil {
+ return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
+ }
+
+ // Start a second Docker container to connect to the first container
+ startDockerCmd = fmt.Sprintf(
+ "%s run --rm alpine wget -q -O- http://%s",
+ dockerCmd, containerName,
+ )
+ stdout, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
+ if err != nil {
+ return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
+ }
+
+ if !strings.Contains(stdout, "Welcome to nginx") {
+ return fmt.Errorf("expected successful wget, got: %s", stdout)
+ }
+ return nil
+}
+
 // setupDockerCommand ensures Docker is available and returns the command to use (always with sudo)
 func setupDockerCommand(ctx context.Context, sshClient *ssh.Client, instanceID CloudProviderInstanceID) (string, error) {
 // Check if Docker is available
diff --git a/v1/providers/nebius/instance.go b/v1/providers/nebius/instance.go
index 89bccae..6f43534 100644
--- a/v1/providers/nebius/instance.go
+++ b/v1/providers/nebius/instance.go
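Review bot: The nginx container started with `run -d --name firewall-test-container-to-container` in ValidateDockerFirewallAllowsContainerToContainerCommunication is never removed, so it keeps listening on the instance after validation and a second run on the same instance fails at `docker run` with a name conflict rather than with a firewall finding. Add a deferred cleanup as soon as the start succeeds, e.g. `defer func() { _, _, _ = sshClient.RunCommand(ctx, fmt.Sprintf("%s rm -f %s", dockerCmd, containerName)) }()`; the `firewall-test-network` created in the later "use network" hunk has the same gap and needs a matching `network rm`. Both exported functions also lack the doc comment Go expects and that `setupDockerCommand` below already has; a one-liner such as `// ValidateDockerFirewallAllowsEgress checks that a container on the instance can reach an external host through the DOCKER-USER chain.` would do.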
@@ -1810,6 +1810,10 @@ func generateIPTablesCommands() []string {
 commands := []string{
 "iptables -F DOCKER-USER",
 "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
+ "iptables -A DOCKER-USER -i docker0 ! -o docker0 -j ACCEPT",
+ "iptables -A DOCKER-USER -i br+ ! -o br+ -j ACCEPT",
+ "iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT",
+ "iptables -A DOCKER-USER -i br+ -o br+ -j ACCEPT",
 "iptables -A DOCKER-USER -i lo -j ACCEPT",
 "iptables -A DOCKER-USER -j DROP",
 "iptables -A DOCKER-USER -j RETURN", // Expected by Docker
diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
index 693a18c..13a0013 100644
--- a/v1/providers/shadeform/firewall.go
+++ b/v1/providers/shadeform/firewall.go
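Review bot: The two `br+` rules match any interface whose name starts with `br`, not only Docker's user-defined bridges, which are named `br-<id>`; a host bridge such as `br0` set up for another purpose would have all of its forwarded traffic accepted by DOCKER-USER ahead of the DROP. Narrowing the wildcard to `br-+` (`"iptables -A DOCKER-USER -i br-+ ! -o br-+ -j ACCEPT"` and `"iptables -A DOCKER-USER -i br-+ -o br-+ -j ACCEPT"`) keeps the intent without that side effect. The same four rules are duplicated as named constants in the shadeform hunk of this patch, so whichever spelling is chosen should be applied there too, and a short comment here stating that these rules deliberately let containers initiate traffic to any destination would help the next reader of the policy. generateIPTablesCommands continues outside the hunk.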
@@ -15,11 +15,26 @@ const (
 ufwDefaultAllowPort2222 = "ufw allow 2222/tcp"
 ufwForceEnable = "ufw --force enable"
 
- ipTablesResetDockerUserChain = "iptables -F DOCKER-USER"
- ipTablesAllowDockerUserOutbound = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+ // Clear DOCKER-USER policy.
+ ipTablesResetDockerUserChain = "iptables -F DOCKER-USER"
+
+ // Allow return traffic.
+ ipTablesAllowDockerUserOutbound = "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+
+ // Allow containers to initiate outbound traffic (default bridge + user-defined bridges).
+ ipTablesAllowDockerUserOutboundInit0 = "iptables -A DOCKER-USER -i docker0 ! -o docker0 -j ACCEPT"
+ ipTablesAllowDockerUserOutboundInit1 = "iptables -A DOCKER-USER -i br+ ! -o br+ -j ACCEPT"
+
+ // Allow container-to-container on the same bridge.
+ ipTablesAllowDockerUserDockerToDocker0 = "iptables -A DOCKER-USER -i docker0 -o docker0 -j ACCEPT"
+ ipTablesAllowDockerUserDockerToDocker1 = "iptables -A DOCKER-USER -i br+ -o br+ -j ACCEPT"
+
+ // Allow inbound traffic on the loopback interface.
 ipTablesAllowDockerUserInpboundLoopback = "iptables -A DOCKER-USER -i lo -j ACCEPT"
- ipTablesDropDockerUserInbound = "iptables -A DOCKER-USER -j DROP"
- ipTablesReturnDockerUser = "iptables -A DOCKER-USER -j RETURN"
+
+ // Drop everything else.
+ ipTablesDropDockerUserInbound = "iptables -A DOCKER-USER -j DROP"
+ ipTablesReturnDockerUser = "iptables -A DOCKER-USER -j RETURN"
 )
 
 func (c *ShadeformClient) GenerateFirewallScript(firewallRules v1.FirewallRules) (string, error) {
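Review bot: The comment `// Clear DOCKER-USER policy.` over ipTablesResetDockerUserChain is inaccurate: `iptables -F` flushes the chain's rules and leaves its policy untouched, so `// Flush all existing rules from the DOCKER-USER chain.` describes what the constant does. `// Drop everything else.` now also sits over ipTablesReturnDockerUser, which cannot be reached after an unconditional DROP; give the RETURN its own line such as `// Terminal RETURN expected by Docker (unreachable after the DROP above).`, matching the inline remark in getIPTablesCommands. The loopback comment is worth checking as well: DOCKER-USER is consulted from the FORWARD path, so a rule keyed on `-i lo` is unlikely to see traffic there and is presumably kept for parity with the nebius list rather than for effect. The `Inpbound` typo in the constant name predates this change.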
@@ -63,6 +78,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 commands := []string{
 ipTablesResetDockerUserChain,
 ipTablesAllowDockerUserOutbound,
+ ipTablesAllowDockerUserOutboundInit0,
+ ipTablesAllowDockerUserOutboundInit1,
+ ipTablesAllowDockerUserDockerToDocker0,
+ ipTablesAllowDockerUserDockerToDocker1,
 ipTablesAllowDockerUserInpboundLoopback,
 ipTablesDropDockerUserInbound,
 ipTablesReturnDockerUser, // Expected by Docker
From 246eb0bf753072fcadd1a472322cdf3e0d5b8e5b Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 12:09:41 -0800
Subject: [PATCH 2/8] add tests to lifecycle validation
---
 internal/validation/suite.go | 14 ++++++++++++--
 v1/networking_validation.go | 4 ++--
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/internal/validation/suite.go b/internal/validation/suite.go
index f2b558f..ad79d17 100644
--- a/internal/validation/suite.go
+++ b/internal/validation/suite.go
@@ -129,6 +129,16 @@ func RunInstanceLifecycleValidation(t *testing.T, config ProviderConfig) {
 require.NoError(t, err, "ValidateDockerFirewallBlocksPort should pass - docker port should be blocked by iptables")
 })
 
+ t.Run("ValidateDockerFirewallAllowsEgress", func(t *testing.T) {
+ err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, ssh.GetTestPrivateKey())
+ require.NoError(t, err, "ValidateDockerFirewallAllowsEgress should pass - egress should be allowed")
+ })
+
+ t.Run("ValidateDockerFirewallAllowsContainerToContainerCommunication", func(t *testing.T) {
+ err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, ssh.GetTestPrivateKey())
+ require.NoError(t, err, "ValidateDockerFirewallAllowsContainerToContainerCommunication should pass - container to container communication should be allowed")
+ })
+
 if capabilities.IsCapable(v1.CapabilityStopStartInstance) && instance.Stoppable {
 t.Run("ValidateStopStartInstance", func(t *testing.T) {
 err := v1.ValidateStopStartInstance(ctx, client, instance)
@@ -323,12 +333,12 @@ func RunFirewallValidation(t *testing.T, config ProviderConfig, opts FirewallVal
 })
 
 t.Run("ValidateDockerFirewallAllowsEgress", func(t *testing.T) {
- err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, ssh.GetTestPrivateKey(), testPort)
+ err := v1.ValidateDockerFirewallAllowsEgress(ctx, client, instance, ssh.GetTestPrivateKey())
 require.NoError(t, err, "ValidateDockerFirewallAllowsEgress should pass - egress should be allowed")
 })
 
 t.Run("ValidateDockerFirewallAllowsContainerToContainerCommunication", func(t *testing.T) {
- err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, ssh.GetTestPrivateKey(), testPort)
+ err := v1.ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx, client, instance, ssh.GetTestPrivateKey())
 require.NoError(t, err, "ValidateDockerFirewallAllowsContainerToContainerCommunication should pass - container to container communication should be allowed")
 })
 
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
index fba2ca5..8939338 100644
--- a/v1/networking_validation.go
+++ b/v1/networking_validation.go
@@ -142,7 +142,7 @@ func ValidateDockerFirewallBlocksPort(ctx context.Context, client CloudInstanceR
 return nil
 }
 
-func ValidateDockerFirewallAllowsEgress(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string, port int) error {
+func ValidateDockerFirewallAllowsEgress(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string) error {
 var err error
 instance, err = WaitForInstanceLifecycleStatus(ctx, client, instance, LifecycleStatusRunning, PendingToRunningTimeout)
 if err != nil {
@@ -184,7 +184,7 @@ func ValidateDockerFirewallAllowsEgress(ctx context.Context, client CloudInstanc
 return nil
 }
 
-func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string, port int) error {
+func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.Context, client CloudInstanceReader, instance *Instance, privateKey string) error {
 var err error
 instance, err = WaitForInstanceLifecycleStatus(ctx, client, instance, LifecycleStatusRunning, PendingToRunningTimeout)
 if err != nil {
From bb9efe289021583834ad67fef45d27b1dce9fc47 Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 12:28:59 -0800
Subject: [PATCH 3/8] use network
---
 v1/networking_validation.go | 22 +++++++++++++++++----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
index 8939338..b994086 100644
--- a/v1/networking_validation.go
+++ b/v1/networking_validation.go
@@ -210,21 +210,33 @@ func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.C
 if err != nil {
 return err
 }
+
+ // Create a docker network
+ networkName := "firewall-test-network"
+ createNetworkCmd := fmt.Sprintf(
+ "%s network create %s",
+ dockerCmd, networkName,
+ )
+ _, stderr, err := sshClient.RunCommand(ctx, createNetworkCmd)
+ if err != nil {
+ return fmt.Errorf("failed to create docker network: %w, stderr: %s", err, stderr)
+ }
+
 // Start a Docker container in the background
 containerName := fmt.Sprintf("firewall-test-container-to-container")
 startDockerCmd := fmt.Sprintf(
- "%s run -d --name %s nginx:alpine",
- dockerCmd, containerName,
+ "%s run -d --name %s --network %s nginx:alpine",
+ dockerCmd, containerName, networkName,
 )
- _, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
+ _, stderr, err = sshClient.RunCommand(ctx, startDockerCmd)
 if err != nil {
 return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
 }
 
 // Start a second Docker container to connect to the first container
 startDockerCmd = fmt.Sprintf(
- "%s run --rm alpine wget -q -O- http://%s",
- dockerCmd, containerName,
+ "%s run --network %s --rm alpine wget -q -O- http://%s",
+ dockerCmd, networkName, containerName,
 )
 stdout, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
 if err != nil {
From 1f67bd0fe64ae08e88700f024a0d19563b91b578 Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 12:31:26 -0800
Subject: [PATCH 4/8] fmt
---
 v1/networking_validation.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
index b994086..a9e08a8 100644
--- a/v1/networking_validation.go
+++ b/v1/networking_validation.go
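Review bot: The `wget` container is launched the moment `run -d` returns, before nginx has necessarily bound its port, so this check can fail with a connection refused on a correctly configured host. Poll the container with a few short retries before asserting on the page content, and give the fetch a bounded timeout so that a DROP in DOCKER-USER produces a fast failure instead of hanging until the SSH command's context expires, e.g. `"%s run --network %s --rm alpine wget -q -T 10 -O- http://%s"` (BusyBox wget supports `-T`). ValidateDockerFirewallAllowsContainerToContainerCommunication starts and ends outside the hunk.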
@@ -223,7 +223,7 @@ func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.C
 }
 
 // Start a Docker container in the background
- containerName := fmt.Sprintf("firewall-test-container-to-container")
+ containerName := "firewall-test-container-to-container"
 startDockerCmd := fmt.Sprintf(
 "%s run -d --name %s --network %s nginx:alpine",
 dockerCmd, containerName, networkName,
From ae95b78242c074ffad3264205e2bb84dc3ac279b Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 13:05:01 -0800
Subject: [PATCH 5/8] see if tests fail
---
 v1/providers/shadeform/firewall.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
index 13a0013..6333f55 100644
--- a/v1/providers/shadeform/firewall.go
+++ b/v1/providers/shadeform/firewall.go
@@ -78,10 +78,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 commands := []string{
 ipTablesResetDockerUserChain,
 ipTablesAllowDockerUserOutbound,
- ipTablesAllowDockerUserOutboundInit0,
- ipTablesAllowDockerUserOutboundInit1,
- ipTablesAllowDockerUserDockerToDocker0,
- ipTablesAllowDockerUserDockerToDocker1,
+ // ipTablesAllowDockerUserOutboundInit0,
+ // ipTablesAllowDockerUserOutboundInit1,
+ // ipTablesAllowDockerUserDockerToDocker0,
+ // ipTablesAllowDockerUserDockerToDocker1,
 ipTablesAllowDockerUserInpboundLoopback,
 ipTablesDropDockerUserInbound,
 ipTablesReturnDockerUser, // Expected by Docker
From 2f23b7846e167e3c5352d6080e6112bf63b85c37 Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 13:21:30 -0800
Subject: [PATCH 6/8] explicit pull
---
 v1/networking_validation.go | 47 +++++++++++++++++++++++++-----
 v1/providers/shadeform/firewall.go | 8 ++---
 2 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
index a9e08a8..3589926 100644
--- a/v1/networking_validation.go
+++ b/v1/networking_validation.go
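Review bot: This "see if tests fail" hunk and the later "see if shadeform test fails" hunk comment out the four new ACCEPT rules purely to probe CI, and the "explicit pull" and "error message" patches put them back, so the net change is nothing but `git bisect` and `git blame` will land on revisions where shadeform instances were shipped with container egress blocked. Squash the two toggle pairs out before merging so the firewall rule list is only ever committed in its intended state. getIPTablesCommands continues outside the hunk.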
@@ -168,12 +168,23 @@ func ValidateDockerFirewallAllowsEgress(ctx context.Context, client CloudInstanc
 if err != nil {
 return err
 }
+
+ // Pull the alpine image
+ cmd := fmt.Sprintf(
+ "%s pull alpine",
+ dockerCmd,
+ )
+ _, stderr, err := sshClient.RunCommand(ctx, cmd)
+ if err != nil {
+ return fmt.Errorf("failed to pull alpine image: %w, stderr: %s", err, stderr)
+ }
+
 // Start a Docker container to ping Google's DNS server
- startDockerCmd := fmt.Sprintf(
+ cmd = fmt.Sprintf(
 "%s run --rm alpine ping -c 3 8.8.8.8",
 dockerCmd,
 )
- stdout, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
+ stdout, stderr, err := sshClient.RunCommand(ctx, cmd)
 if err != nil {
 return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
 }
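Review bot: `docker pull alpine` (and `pull alpine` / `pull nginx:alpine` in the container-to-container hunk below) fetches the mutable `latest` tag, so what the validation runs depends on whatever the registry serves that day; pin a specific tag or, better, a digest such as `alpine@sha256:<digest-placeholder>` and keep it in one constant that the `run` commands reuse instead of repeating the bare image name. A comment on the pull step would also help: the daemon fetches the image from the host's own network namespace, so this step is presumably not subject to the DOCKER-USER rules and a failure here points at host-to-registry reachability rather than container egress, while the `ping` that follows is the only step that exercises the chain. ValidateDockerFirewallAllowsEgress starts and ends outside the hunk.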
@@ -213,32 +224,52 @@ func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.C
 
 // Create a docker network
 networkName := "firewall-test-network"
- createNetworkCmd := fmt.Sprintf(
+ cmd := fmt.Sprintf(
 "%s network create %s",
 dockerCmd, networkName,
 )
- _, stderr, err := sshClient.RunCommand(ctx, createNetworkCmd)
+ _, stderr, err := sshClient.RunCommand(ctx, cmd)
 if err != nil {
 return fmt.Errorf("failed to create docker network: %w, stderr: %s", err, stderr)
 }
 
+ // Pull the alpine image
+ cmd = fmt.Sprintf(
+ "%s pull alpine",
+ dockerCmd,
+ )
+ _, stderr, err = sshClient.RunCommand(ctx, cmd)
+ if err != nil {
+ return fmt.Errorf("failed to pull alpine image: %w, stderr: %s", err, stderr)
+ }
+
+ // Pull the nginx image
+ cmd = fmt.Sprintf(
+ "%s pull nginx:alpine",
+ dockerCmd,
+ )
+ _, stderr, err = sshClient.RunCommand(ctx, cmd)
+ if err != nil {
+ return fmt.Errorf("failed to pull nginx image: %w, stderr: %s", err, stderr)
+ }
+
 // Start a Docker container in the background
 containerName := "firewall-test-container-to-container"
- startDockerCmd := fmt.Sprintf(
+ cmd = fmt.Sprintf(
 "%s run -d --name %s --network %s nginx:alpine",
 dockerCmd, containerName, networkName,
 )
- _, stderr, err = sshClient.RunCommand(ctx, startDockerCmd)
+ _, stderr, err = sshClient.RunCommand(ctx, cmd)
 if err != nil {
 return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
 }
 
 // Start a second Docker container to connect to the first container
- startDockerCmd = fmt.Sprintf(
+ cmd = fmt.Sprintf(
 "%s run --network %s --rm alpine wget -q -O- http://%s",
 dockerCmd, networkName, containerName,
 )
- stdout, stderr, err := sshClient.RunCommand(ctx, startDockerCmd)
+ stdout, stderr, err := sshClient.RunCommand(ctx, cmd)
 if err != nil {
 return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
 }
diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
index 6333f55..13a0013 100644
--- a/v1/providers/shadeform/firewall.go
+++ b/v1/providers/shadeform/firewall.go
@@ -78,10 +78,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 commands := []string{
 ipTablesResetDockerUserChain,
 ipTablesAllowDockerUserOutbound,
- // ipTablesAllowDockerUserOutboundInit0,
- // ipTablesAllowDockerUserOutboundInit1,
- // ipTablesAllowDockerUserDockerToDocker0,
- // ipTablesAllowDockerUserDockerToDocker1,
+ ipTablesAllowDockerUserOutboundInit0,
+ ipTablesAllowDockerUserOutboundInit1,
+ ipTablesAllowDockerUserDockerToDocker0,
+ ipTablesAllowDockerUserDockerToDocker1,
 ipTablesAllowDockerUserInpboundLoopback,
 ipTablesDropDockerUserInbound,
 ipTablesReturnDockerUser, // Expected by Docker
From 8c5c102ad1bd339bc59de3c720148a440a5a7709 Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 13:28:08 -0800
Subject: [PATCH 7/8] see if shadeform test fails
---
 v1/providers/shadeform/firewall.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
index 13a0013..6333f55 100644
--- a/v1/providers/shadeform/firewall.go
+++ b/v1/providers/shadeform/firewall.go
@@ -78,10 +78,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 commands := []string{
 ipTablesResetDockerUserChain,
 ipTablesAllowDockerUserOutbound,
- ipTablesAllowDockerUserOutboundInit0,
- ipTablesAllowDockerUserOutboundInit1,
- ipTablesAllowDockerUserDockerToDocker0,
- ipTablesAllowDockerUserDockerToDocker1,
+ // ipTablesAllowDockerUserOutboundInit0,
+ // ipTablesAllowDockerUserOutboundInit1,
+ // ipTablesAllowDockerUserDockerToDocker0,
+ // ipTablesAllowDockerUserDockerToDocker1,
 ipTablesAllowDockerUserInpboundLoopback,
 ipTablesDropDockerUserInbound,
 ipTablesReturnDockerUser, // Expected by Docker
From b926875124172f5d0c0bd38b3657277053d4b1d6 Mon Sep 17 00:00:00 2001
From: Drew Malin
Date: Wed, 4 Feb 2026 13:39:14 -0800
Subject: [PATCH 8/8] error message
---
 v1/networking_validation.go | 4 ++--
 v1/providers/shadeform/firewall.go | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/v1/networking_validation.go b/v1/networking_validation.go
index 3589926..4fc4b8d 100644
--- a/v1/networking_validation.go
+++ b/v1/networking_validation.go
@@ -186,7 +186,7 @@ func ValidateDockerFirewallAllowsEgress(ctx context.Context, client CloudInstanc
 )
 stdout, stderr, err := sshClient.RunCommand(ctx, cmd)
 if err != nil {
- return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
+ return fmt.Errorf("failed to connect to Google's DNS server: %w, stderr: %s", err, stderr)
 }
 if !strings.Contains(stdout, "3 packets transmitted, 3 packets received") {
 return fmt.Errorf("expected successful ping, got: %s", stdout)
@@ -271,7 +271,7 @@ func ValidateDockerFirewallAllowsContainerToContainerCommunication(ctx context.C
 )
 stdout, stderr, err := sshClient.RunCommand(ctx, cmd)
 if err != nil {
- return fmt.Errorf("failed to start docker container: %w, stderr: %s", err, stderr)
+ return fmt.Errorf("failed to connect to nginx container: %w, stderr: %s", err, stderr)
 }
 
 if !strings.Contains(stdout, "Welcome to nginx") {
diff --git a/v1/providers/shadeform/firewall.go b/v1/providers/shadeform/firewall.go
index 6333f55..13a0013 100644
--- a/v1/providers/shadeform/firewall.go
+++ b/v1/providers/shadeform/firewall.go
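Review bot: The new message `failed to connect to Google's DNS server` is attached to every non-nil error from RunCommand, including `docker run` failing before ping even starts (image missing, daemon not running) and ping exiting non-zero after partial packet loss, so a reader will chase a connectivity problem that may not exist; the stdout that would disambiguate is also discarded. A neutral wording that carries both streams keeps the diagnostic value, e.g. `return fmt.Errorf("ping from container to 8.8.8.8 failed: %w, stdout: %s, stderr: %s", err, stdout, stderr)`; the same applies to the `failed to connect to nginx container` hunk that follows. Both enclosing functions start and end outside their hunks.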
@@ -78,10 +78,10 @@ func (c *ShadeformClient) getIPTablesCommands() []string {
 commands := []string{
 ipTablesResetDockerUserChain,
 ipTablesAllowDockerUserOutbound,
- // ipTablesAllowDockerUserOutboundInit0,
- // ipTablesAllowDockerUserOutboundInit1,
- // ipTablesAllowDockerUserDockerToDocker0,
- // ipTablesAllowDockerUserDockerToDocker1,
+ ipTablesAllowDockerUserOutboundInit0,
+ ipTablesAllowDockerUserOutboundInit1,
+ ipTablesAllowDockerUserDockerToDocker0,
+ ipTablesAllowDockerUserDockerToDocker1,
 ipTablesAllowDockerUserInpboundLoopback,
 ipTablesDropDockerUserInbound,
 ipTablesReturnDockerUser, // Expected by Docker