Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-12-14 16:17:03 +01:00
Code Issues Projects Releases Wiki Activity

feat: enable proper systemd support in Docker tests (#1373)

Browse Source 
- Replace the `sed` hack that disabled `systemctl` commands with proper
systemd support in Docker containers
- This allows testing the actual `systemctl` commands used by the
install script
- No more manual workarounds for starting OpenVPN/Unbound services
This commit is contained in:
Stanislas
2025-12-13 01:14:54 +01:00
committed by GitHub
parent 236e77af68
commit 9e1bb4b175
4 changed files with 118 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
.github/workflows/docker-test.yml vendored
View File

@@ -99,34 +99,56 @@ jobs:
docker run -d \ docker run -d \
--name openvpn-server \ --name openvpn-server \
--hostname openvpn-server \ --hostname openvpn-server \
--cap-add=NET_ADMIN \ --privileged \
--cgroupns=host \
--device=/dev/net/tun:/dev/net/tun \ --device=/dev/net/tun:/dev/net/tun \
--sysctl net.ipv4.ip_forward=1 \ --sysctl net.ipv4.ip_forward=1 \
--network vpn-test \ --network vpn-test \
--ip 172.28.0.10 \ --ip 172.28.0.10 \
-v shared-config:/shared \ -v shared-config:/shared \
-v /sys/fs/cgroup:/sys/fs/cgroup:rw \
--tmpfs /run \
--tmpfs /run/lock \
--stop-signal SIGRTMIN+3 \
openvpn-server openvpn-server
- name: Wait for server installation and startup - name: Wait for server installation and startup
run: | run: |
echo "Waiting for OpenVPN server to install and start..." echo "Waiting for OpenVPN server to install and client config to be ready..."
for i in {1..60}; do for i in {1..90}; do
# Use pgrep -f to match openvpn running with server.conf, not transient # Check BOTH conditions:
# processes like "openvpn --genkey" that run during installation # 1. OpenVPN server process is running
# 2. Client config file exists in shared volume
OPENVPN_RUNNING=false
CONFIG_EXISTS=false
if docker exec openvpn-server pgrep -f "openvpn.*server.conf" > /dev/null 2>&1; then if docker exec openvpn-server pgrep -f "openvpn.*server.conf" > /dev/null 2>&1; then
echo "OpenVPN server is running!" OPENVPN_RUNNING=true
fi
if docker exec openvpn-server test -f /shared/client.ovpn 2>/dev/null; then
CONFIG_EXISTS=true
fi
if [ "$OPENVPN_RUNNING" = true ] && [ "$CONFIG_EXISTS" = true ]; then
echo "OpenVPN server is running and client config is ready!"
break break
fi fi
echo "Waiting... ($i/60)"
echo "Waiting... ($i/90) - OpenVPN running: $OPENVPN_RUNNING, Config exists: $CONFIG_EXISTS"
sleep 5 sleep 5
# Show logs for debugging
docker logs --tail 20 openvpn-server 2>&1 || true
done done
# Final check # Final check
if ! docker exec openvpn-server pgrep -f "openvpn.*server.conf" > /dev/null 2>&1; then if ! docker exec openvpn-server pgrep -f "openvpn.*server.conf" > /dev/null 2>&1; then
echo "ERROR: OpenVPN server failed to start" echo "ERROR: OpenVPN server failed to start"
docker logs openvpn-server docker exec openvpn-server systemctl status openvpn-server@server 2>&1 || true
exit 1
fi
if ! docker exec openvpn-server test -f /shared/client.ovpn 2>/dev/null; then
echo "ERROR: Client config not generated"
docker exec openvpn-server systemctl status openvpn-test.service 2>&1 || true
exit 1 exit 1
fi fi
@@ -174,6 +196,18 @@ jobs:
if: always() if: always()
run: docker logs openvpn-server 2>&1 || true run: docker logs openvpn-server 2>&1 || true
- name: Show systemd journal logs
if: always()
run: |
echo "=== openvpn-test.service status ==="
docker exec openvpn-server systemctl status openvpn-test.service 2>&1 || true
echo ""
echo "=== openvpn-test.service journal ==="
docker exec openvpn-server journalctl -u openvpn-test.service --no-pager -n 100 2>&1 || true
echo ""
echo "=== openvpn-server@server.service journal ==="
docker exec openvpn-server journalctl -u openvpn-server@server.service --no-pager -n 50 2>&1 || true
- name: Show install script log - name: Show install script log
if: always() if: always()
run: | run: |

9
docker-compose.yml
View File

@@ -8,17 +8,22 @@ services:
BASE_IMAGE: ${BASE_IMAGE:-ubuntu:24.04} BASE_IMAGE: ${BASE_IMAGE:-ubuntu:24.04}
container_name: openvpn-server container_name: openvpn-server
hostname: openvpn-server hostname: openvpn-server
cap_add: privileged: true
- NET_ADMIN cgroupns: host
devices: devices:
- /dev/net/tun:/dev/net/tun - /dev/net/tun:/dev/net/tun
sysctls: sysctls:
- net.ipv4.ip_forward=1 - net.ipv4.ip_forward=1
volumes: volumes:
- shared-config:/shared - shared-config:/shared
- /sys/fs/cgroup:/sys/fs/cgroup:rw
tmpfs:
- /run
- /run/lock
networks: networks:
vpn-test: vpn-test:
ipv4_address: 172.28.0.10 ipv4_address: 172.28.0.10
stop_signal: SIGRTMIN+3
healthcheck: healthcheck:
test: ["CMD", "pgrep", "openvpn"] test: ["CMD", "pgrep", "openvpn"]
interval: 5s interval: 5s

23
test/Dockerfile.server
View File

@@ -43,6 +43,27 @@ COPY test/server-entrypoint.sh /entrypoint.sh
COPY test/validate-output.sh /opt/test/validate-output.sh COPY test/validate-output.sh /opt/test/validate-output.sh
RUN chmod +x /entrypoint.sh /opt/test/validate-output.sh RUN chmod +x /entrypoint.sh /opt/test/validate-output.sh
# Create systemd service for the test script
RUN printf '%s\n' \
'[Unit]' \
'Description=OpenVPN Installation Test' \
'After=network.target' \
'' \
'[Service]' \
'Type=oneshot' \
'Environment=HOME=/root' \
'WorkingDirectory=/root' \
'ExecStart=/entrypoint.sh' \
'RemainAfterExit=yes' \
'StandardOutput=journal+console' \
'StandardError=journal+console' \
'' \
'[Install]' \
'WantedBy=multi-user.target' \
> /etc/systemd/system/openvpn-test.service \
&& systemctl enable openvpn-test.service
WORKDIR /opt WORKDIR /opt
ENTRYPOINT ["/entrypoint.sh"] STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]

115
test/server-entrypoint.sh
View File

@@ -27,21 +27,12 @@ export CLIENT=testclient
export PASS=1 export PASS=1
export ENDPOINT=openvpn-server export ENDPOINT=openvpn-server
# Prepare script for container environment:
# - Replace systemctl calls with no-ops (systemd doesn't work in containers)
# - Skip Unbound startup validation (we start Unbound manually later)
# This ensures the script won't fail silently on systemctl commands
sed -e 's/\bsystemctl /echo "[SKIPPED] systemctl " # /g' \
-e 's/log_fatal "Unbound failed to start/return 0 # [SKIPPED] /g' \
/opt/openvpn-install.sh >/tmp/openvpn-install.sh
chmod +x /tmp/openvpn-install.sh
echo "Running OpenVPN install script..." echo "Running OpenVPN install script..."
# Run in subshell because the script calls 'exit 0' after generating client config # Run in subshell because the script calls 'exit 0' after generating client config
# Capture output to validate logging format, while still displaying it # Capture output to validate logging format, while still displaying it
# Use || true to prevent set -e from exiting on failure, then check exit code # Use || true to prevent set -e from exiting on failure, then check exit code
INSTALL_OUTPUT="/tmp/install-output.log" INSTALL_OUTPUT="/tmp/install-output.log"
(bash /tmp/openvpn-install.sh) 2>&1 | tee "$INSTALL_OUTPUT" (bash /opt/openvpn-install.sh) 2>&1 | tee "$INSTALL_OUTPUT"
INSTALL_EXIT_CODE=${PIPESTATUS[0]} INSTALL_EXIT_CODE=${PIPESTATUS[0]}
echo "=== Installation complete (exit code: $INSTALL_EXIT_CODE) ===" echo "=== Installation complete (exit code: $INSTALL_EXIT_CODE) ==="
@@ -86,6 +77,11 @@ fi
echo "All required files present" echo "All required files present"
# Copy client config to shared volume for the client container
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Client config copied to /shared/client.ovpn"
# ===================================================== # =====================================================
# Verify systemd service file configuration # Verify systemd service file configuration
# ===================================================== # =====================================================
@@ -146,12 +142,6 @@ echo ""
echo "Server config:" echo "Server config:"
cat /etc/openvpn/server/server.conf cat /etc/openvpn/server/server.conf
# Copy client config to shared volume
cp /root/testclient.ovpn /shared/client.ovpn
# Modify remote address to use container hostname
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Client config copied to /shared/client.ovpn"
# ===================================================== # =====================================================
# Test certificate renewal functionality # Test certificate renewal functionality
# ===================================================== # =====================================================
@@ -165,7 +155,7 @@ echo "Original client certificate serial: $ORIG_CERT_SERIAL"
# Test client certificate renewal using the script # Test client certificate renewal using the script
echo "Testing client certificate renewal..." echo "Testing client certificate renewal..."
RENEW_OUTPUT="/tmp/renew-client-output.log" RENEW_OUTPUT="/tmp/renew-client-output.log"
(MENU_OPTION=3 RENEW_OPTION=1 CLIENTNUMBER=1 CLIENT_CERT_DURATION_DAYS=3650 bash /tmp/openvpn-install.sh) 2>&1 | tee "$RENEW_OUTPUT" || true (MENU_OPTION=3 RENEW_OPTION=1 CLIENTNUMBER=1 CLIENT_CERT_DURATION_DAYS=3650 bash /opt/openvpn-install.sh) 2>&1 | tee "$RENEW_OUTPUT" || true
# Verify renewal succeeded # Verify renewal succeeded
if grep -q "Certificate for client testclient renewed" "$RENEW_OUTPUT"; then if grep -q "Certificate for client testclient renewed" "$RENEW_OUTPUT"; then
@@ -245,7 +235,7 @@ echo "Original server certificate serial: $ORIG_SERVER_SERIAL"
# Test server certificate renewal # Test server certificate renewal
echo "Testing server certificate renewal..." echo "Testing server certificate renewal..."
RENEW_SERVER_OUTPUT="/tmp/renew-server-output.log" RENEW_SERVER_OUTPUT="/tmp/renew-server-output.log"
(MENU_OPTION=3 RENEW_OPTION=2 CONTINUE=y SERVER_CERT_DURATION_DAYS=3650 bash /tmp/openvpn-install.sh) 2>&1 | tee "$RENEW_SERVER_OUTPUT" || true (MENU_OPTION=3 RENEW_OPTION=2 CONTINUE=y SERVER_CERT_DURATION_DAYS=3650 bash /opt/openvpn-install.sh) 2>&1 | tee "$RENEW_SERVER_OUTPUT" || true
# Verify renewal succeeded # Verify renewal succeeded
if grep -q "Server certificate renewed successfully" "$RENEW_SERVER_OUTPUT"; then if grep -q "Server certificate renewed successfully" "$RENEW_SERVER_OUTPUT"; then
@@ -304,26 +294,14 @@ echo "=== All Certificate Renewal Tests PASSED ==="
echo "" echo ""
# ===================================================== # =====================================================
# Start and verify Unbound DNS resolver # Verify Unbound DNS resolver (started by systemd via install script)
# ===================================================== # =====================================================
echo "=== Starting Unbound DNS Resolver ===" echo "=== Verifying Unbound DNS Resolver ==="
# Start Unbound manually (systemctl commands are no-ops in container)
if [ -f /etc/unbound/unbound.conf ]; then if [ -f /etc/unbound/unbound.conf ]; then
echo "Starting Unbound DNS resolver..." # Verify Unbound is running (started by systemctl in install script)
echo "Checking Unbound service status..."
# Create root key for DNSSEC if it doesn't exist for _ in $(seq 1 30); do
# Normally, unbound.service's ExecStartPre copies /usr/share/dns/root.key to /var/lib/unbound/root.key
# In Docker, policy-rc.d blocks service starts during apt install, so this never happens
if [ ! -f /var/lib/unbound/root.key ] && [ -f /usr/share/dns/root.key ]; then
mkdir -p /var/lib/unbound
cp /usr/share/dns/root.key /var/lib/unbound/root.key
chown -R unbound:unbound /var/lib/unbound 2>/dev/null || true
fi
unbound
# Poll up to 10 seconds for Unbound to start
for _ in $(seq 1 10); do
if pgrep -x unbound >/dev/null; then if pgrep -x unbound >/dev/null; then
echo "PASS: Unbound is running" echo "PASS: Unbound is running"
break break
@@ -331,9 +309,9 @@ if [ -f /etc/unbound/unbound.conf ]; then
sleep 1 sleep 1
done done
if ! pgrep -x unbound >/dev/null; then if ! pgrep -x unbound >/dev/null; then
echo "FAIL: Unbound failed to start" echo "FAIL: Unbound is not running"
# Show debug info systemctl status unbound 2>&1 || true
unbound-checkconf /etc/unbound/unbound.conf 2>&1 || true journalctl -u unbound --no-pager -n 50 2>&1 || true
exit 1 exit 1
fi fi
else else
@@ -377,50 +355,46 @@ fi
echo "=== Unbound Installation Verified ===" echo "=== Unbound Installation Verified ==="
echo "" echo ""
# Start OpenVPN server manually (systemd doesn't work in containers) # Verify OpenVPN server (started by systemd via install script)
echo "Starting OpenVPN server..." echo "Verifying OpenVPN server..."
# Apply iptables rules manually (systemd not available in containers) # Verify iptables NAT rules exist (applied by iptables-openvpn service)
echo "Applying iptables rules..."
bash /etc/iptables/add-openvpn-rules.sh
# Verify iptables NAT rules exist
echo "Verifying iptables NAT rules..." echo "Verifying iptables NAT rules..."
if iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then for _ in $(seq 1 10); do
echo "PASS: NAT POSTROUTING rule for 10.8.0.0/24 exists" if iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
else echo "PASS: NAT POSTROUTING rule for 10.8.0.0/24 exists"
break
fi
sleep 1
done
if ! iptables -t nat -L POSTROUTING -n | grep -q "10.8.0.0"; then
echo "FAIL: NAT POSTROUTING rule for 10.8.0.0/24 not found" echo "FAIL: NAT POSTROUTING rule for 10.8.0.0/24 not found"
echo "Current NAT rules:" echo "Current NAT rules:"
iptables -t nat -L POSTROUTING -n -v iptables -t nat -L POSTROUTING -n -v
systemctl status iptables-openvpn 2>&1 || true
exit 1 exit 1
fi fi
# Enable IP forwarding (may already be set via docker-compose sysctls) # Verify IP forwarding is enabled
if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then
echo 1 >/proc/sys/net/ipv4/ip_forward || { echo "ERROR: IP forwarding is not enabled"
echo "ERROR: Failed to enable IP forwarding" exit 1
exit 1
}
fi fi
# Start OpenVPN in background (run from /etc/openvpn/server so relative paths work) # Wait for OpenVPN to start (started by systemctl in install script)
cd /etc/openvpn/server
openvpn --config /etc/openvpn/server/server.conf --log /var/log/openvpn-server.log &
OPENVPN_PID=$!
# Wait for OpenVPN to start
echo "Waiting for OpenVPN server to start..." echo "Waiting for OpenVPN server to start..."
for _ in $(seq 1 30); do for _ in $(seq 1 30); do
if pgrep -f "openvpn --config" >/dev/null; then if pgrep -f "openvpn.*server.conf" >/dev/null; then
echo "OpenVPN server started (PID: $OPENVPN_PID)" echo "PASS: OpenVPN server is running"
break break
fi fi
sleep 1 sleep 1
done done
if ! pgrep -f "openvpn --config" >/dev/null; then if ! pgrep -f "openvpn.*server.conf" >/dev/null; then
echo "FAIL: OpenVPN server failed to start" echo "FAIL: OpenVPN server is not running"
cat /var/log/openvpn-server.log || true systemctl status openvpn-server@server 2>&1 || true
journalctl -u openvpn-server@server --no-pager -n 50 2>&1 || true
exit 1 exit 1
fi fi
@@ -453,7 +427,7 @@ echo "=== Testing Certificate Revocation ==="
REVOKE_CLIENT="revoketest" REVOKE_CLIENT="revoketest"
echo "Creating client '$REVOKE_CLIENT' for revocation testing..." echo "Creating client '$REVOKE_CLIENT' for revocation testing..."
REVOKE_CREATE_OUTPUT="/tmp/revoke-create-output.log" REVOKE_CREATE_OUTPUT="/tmp/revoke-create-output.log"
(MENU_OPTION=1 CLIENT=$REVOKE_CLIENT PASS=1 CLIENT_CERT_DURATION_DAYS=3650 bash /tmp/openvpn-install.sh) 2>&1 | tee "$REVOKE_CREATE_OUTPUT" || true (MENU_OPTION=1 CLIENT=$REVOKE_CLIENT PASS=1 CLIENT_CERT_DURATION_DAYS=3650 bash /opt/openvpn-install.sh) 2>&1 | tee "$REVOKE_CREATE_OUTPUT" || true
if [ -f "/root/$REVOKE_CLIENT.ovpn" ]; then if [ -f "/root/$REVOKE_CLIENT.ovpn" ]; then
echo "PASS: Client '$REVOKE_CLIENT' created successfully" echo "PASS: Client '$REVOKE_CLIENT' created successfully"
@@ -517,7 +491,7 @@ if [ -z "$REVOKE_CLIENT_NUM" ]; then
exit 1 exit 1
fi fi
echo "Revoke client number: $REVOKE_CLIENT_NUM" echo "Revoke client number: $REVOKE_CLIENT_NUM"
(MENU_OPTION=2 CLIENTNUMBER=$REVOKE_CLIENT_NUM bash /tmp/openvpn-install.sh) 2>&1 | tee "$REVOKE_OUTPUT" || true (MENU_OPTION=2 CLIENTNUMBER=$REVOKE_CLIENT_NUM bash /opt/openvpn-install.sh) 2>&1 | tee "$REVOKE_OUTPUT" || true
if grep -q "Certificate for client $REVOKE_CLIENT revoked" "$REVOKE_OUTPUT"; then if grep -q "Certificate for client $REVOKE_CLIENT revoked" "$REVOKE_OUTPUT"; then
echo "PASS: Certificate for '$REVOKE_CLIENT' revoked successfully" echo "PASS: Certificate for '$REVOKE_CLIENT' revoked successfully"
@@ -566,7 +540,7 @@ echo "=== Testing Reuse of Revoked Client Name ==="
# Create a new certificate with the same name as the revoked one # Create a new certificate with the same name as the revoked one
echo "Creating new client with same name '$REVOKE_CLIENT'..." echo "Creating new client with same name '$REVOKE_CLIENT'..."
RECREATE_OUTPUT="/tmp/recreate-output.log" RECREATE_OUTPUT="/tmp/recreate-output.log"
(MENU_OPTION=1 CLIENT=$REVOKE_CLIENT PASS=1 CLIENT_CERT_DURATION_DAYS=3650 bash /tmp/openvpn-install.sh) 2>&1 | tee "$RECREATE_OUTPUT" || true (MENU_OPTION=1 CLIENT=$REVOKE_CLIENT PASS=1 CLIENT_CERT_DURATION_DAYS=3650 bash /opt/openvpn-install.sh) 2>&1 | tee "$RECREATE_OUTPUT" || true
if [ -f "/root/$REVOKE_CLIENT.ovpn" ]; then if [ -f "/root/$REVOKE_CLIENT.ovpn" ]; then
echo "PASS: New client '$REVOKE_CLIENT' created successfully (reusing revoked name)" echo "PASS: New client '$REVOKE_CLIENT' created successfully (reusing revoked name)"
@@ -625,6 +599,7 @@ echo "=== Reuse of Revoked Client Name Tests PASSED ==="
echo "" echo ""
echo "=== All Revocation Tests PASSED ===" echo "=== All Revocation Tests PASSED ==="
# Keep server running for any remaining client tests # Server tests complete - systemd keeps the container running via /sbin/init
echo "Server waiting for client to complete all tests..." # OpenVPN service (openvpn-server@server) continues independently
wait $OPENVPN_PID echo "Server tests complete. Container will remain running via systemd."
echo "OpenVPN is managed by: systemctl status openvpn-server@server"