Files
netbird/docs/testing-privileged.md
Zoltan Papp 2d7b309004 [client] Categorize privileged tests behind a build tag and run them in Docker (#6425)
* [client] categorize root/system-mutating tests behind a privileged build tag

Tests that need root or mutate host state (nftables/iptables/DNS, TUN/WireGuard
interfaces, routes, eBPF, SSH/service install) are now gated behind a
//go:build privileged tag. The default `go test ./client/...` runs as a non-root
user with no sudo and leaves host networking untouched; mixed files were split so
pure-logic tests stay in the default suite.

A self-hosting ory/dockertest/v4 harness (client/testutil/privileged) runs the
privileged suite inside a --privileged --cap-add=NET_ADMIN container via
`make test-privileged`; a DOCKER_CI=true guard skips the spawn when already inside
the container. Added `make test-unit` for the host-safe run.

* [client] add PRIV_RUN/PRIV_PKGS filters to the privileged test harness

The dockertest harness now reads two optional env vars when building the
in-container `go test` command: PRIV_RUN adds a -run test-name filter and
PRIV_PKGS overrides the package list. Both empty reproduce the full privileged
suite, so CI and `make test-privileged` behave as before. Lets a developer run a
single privileged test in the container, e.g.:

  PRIV_RUN=TestNftablesManager PRIV_PKGS=./client/firewall/nftables/... make test-privileged

* [client] fix unused-helper lint after the privileged test split

Splitting privileged tests into *_privileged_test.go left their shared helpers in
the untagged files, so in the default (no-tag) build they had no callers and
golangci-lint flagged them as unused.

Moved the privileged-only helpers into the privileged files next to their callers
(generateDummyHandler; createEngine/startSignal/startManagement/getConnectedPeers/
getPeers + kaep/kasp; (*mockDaemon).setJWTToken). Annotated the shared routing-test
fixtures that must stay untagged for cross-platform compilation with //nolint:unused
(systemops_bsd expected* vars, ensureIPv6DefaultRoute on bsd/windows,
loopbackIfaceWindows), matching the existing linux variant.

* [client] fix privileged test CI failures and run the harness on macOS

The host-safe unit run dropped sudo but two privileged test groups were
never tagged, and the Docker privileged job silently never ran the suite:

- Gate the ssh/server PrivilegeDropper command-construction tests behind
  the privileged tag (they require root to target a different UID); split
  them into executor_unix_privileged_test.go.
- Tag sharedsock raw-socket tests privileged (need CAP_NET_RAW).
- Fix the Docker job command: nested single quotes around the build tags
  closed the sh -c wrapper early, dropping the go list package set and the
  privileged tag, so go test ran on the empty repo root. Use double quotes.

Make the self-hosting harness usable from a dev Mac:

- Build it on darwin as well as linux; it only drives Docker.
- Resolve the active docker context endpoint into DOCKER_HOST when the
  default /var/run/docker.sock is absent (Docker Desktop, Colima, OrbStack).
- Rename the misspelled containerGoModache constant to containerGoModCache.

* Update client/internal/engine_privileged_test.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update client/internal/routemanager/systemops/systemops_linux_test.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update client/internal/routemanager/systemops/systemops_windows_test.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update client/server/server_privileged_test.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* [ci] Run privileged-tagged tests on darwin, windows and freebsd

The privileged build tag split moved root/system-mutating tests behind
//go:build privileged, but only the linux docker job was given the tag.
The native darwin (sudo), windows (PsExec64 -s) and freebsd VM runners
already have the required privileges, so add the privileged tag there too
to keep CI running the same set of tests as before the split.

* [ci] Exclude dockertest harness from the darwin privileged run

The privileged tag now compiles client/testutil/privileged on darwin, whose
TestRunPrivilegedSuiteInDocker spawns a container the macOS runner has no
Docker for. Exclude the harness package from the darwin list, matching the
linux job, so the privileged tests run in place without a container spawn.

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-06-28 16:15:54 +02:00

2.9 KiB

Privileged tests

Some tests in this repo need root or mutate host network state: they create TUN/WireGuard interfaces, open netlink/raw sockets, run eBPF programs, or shell out to ip/iptables/nft/ifconfig/route. Running them on a developer machine would require sudo and could leave stray interfaces or routes behind.

These tests are gated behind the privileged build tag so the default test run is host-safe.

Running tests

# Host-safe: excludes privileged tests. Runs as a normal user, no sudo.
make test-unit
# equivalently:
go test -tags devcert ./...

# Privileged suite: runs the privileged-tagged tests inside a
# --privileged --cap-add=NET_ADMIN container (requires Docker).
make test-privileged

# Narrow the container run to a single test / package:
PRIV_RUN=TestNftablesManager PRIV_PKGS=./client/firewall/nftables/... make test-privileged

PRIV_RUN adds a -run test-name filter and PRIV_PKGS overrides the package list; both are optional and default to the full privileged suite.

make test-privileged invokes the ory/dockertest harness in client/testutil/privileged/. The harness:

  1. Skips immediately when it detects it is already inside the container (DOCKER_CI=true), so the privileged tests run in place instead of recursing.
  2. Otherwise spins up a golang:1.25-alpine container (matching CI), bind-mounts the repo and the host Go build/module caches, installs the required packages, and runs go test -tags 'devcert privileged' over the client packages.
  3. Streams the container's output to the test log and fails if the suite fails.

Adding a privileged test

A test is privileged if it does any of:

  • creates a real interface via iface.NewWGIFace(...).Create(),
  • opens a netlink or raw socket that hard-fails without CAP_NET_ADMIN,
  • runs an eBPF program (ebpf.*.Listen()),
  • shells out to ip, iptables, nft, ifconfig, or route to change state.

Add the tag to the top of the file, combined with any existing platform constraint:

//go:build privileged && linux

package foo

If a file mixes privileged and pure-logic tests, split it: keep the pure tests (and any shared data — type/var declarations, table-driven testCases, helper interfaces) in an untagged file, and move the privileged tests into a *_privileged_test.go file with the tag. Shared declarations must stay untagged, otherwise the unprivileged files in the package will not compile.

Always verify both build modes compile on every target platform:

go vet -tags devcert ./...
go vet -tags 'devcert privileged' ./...

CI

  • The Client / Unit job runs go test -tags devcert with no sudo — only host-safe tests.
  • The Client (Docker) / Unit job runs go test -tags 'devcert privileged' inside a --privileged --cap-add=NET_ADMIN container, which is where the privileged tests actually execute.