Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-12-29 14:17:03 +01:00
Code Issues Projects Releases Wiki Activity
Files
fix/fingerprint-mode-client-management
openvpn-install/test/Dockerfile.server
Stanislas Lange cc1b2fafc8 fix(test): pass Docker env vars to systemd test service 
The fingerprint mode CI test was not actually testing fingerprint mode
because Docker environment variables (-e AUTH_MODE=fingerprint) were not
being inherited by the systemd service running the tests.

Add PassEnvironment directive to pass AUTH_MODE and other test config
env vars from Docker to the systemd service.

Fixes the CI gap where fingerprint mode issues went undetected.
2025-12-29 10:34:13 +01:00

99 lines
3.9 KiB
Docker
Raw Permalink Blame History

# checkov:skip=CKV_DOCKER_2:Test container doesn't need healthcheck
# checkov:skip=CKV_DOCKER_3:OpenVPN server requires root for NET_ADMIN
# checkov:skip=CKV_DOCKER_7:Base image is parameterized, some use latest tag
ARG BASE_IMAGE=ubuntu:24.04
FROM ${BASE_IMAGE}
ARG BASE_IMAGE
# Set to "y" to install and enable firewalld for testing
ARG ENABLE_FIREWALLD=n
# Set to "y" to install and enable nftables for testing
ARG ENABLE_NFTABLES=n
ENV DEBIAN_FRONTEND=noninteractive
ENV ENABLE_FIREWALLD=${ENABLE_FIREWALLD}
ENV ENABLE_NFTABLES=${ENABLE_NFTABLES}
# Install basic dependencies based on the OS
# dnsutils/bind-utils provides dig for DNS testing with Unbound
# Note: socat is installed by openvpn-install.sh during OpenVPN installation
RUN if command -v apt-get >/dev/null; then \
apt-get update && apt-get install -y --no-install-recommends \
iproute2 iptables curl procps systemd systemd-sysv dnsutils jq \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then apt-get install -y --no-install-recommends nftables; fi \
&& rm -rf /var/lib/apt/lists/*; \
elif command -v dnf >/dev/null; then \
dnf install -y --allowerasing \
iproute iptables curl procps-ng systemd tar gzip bind-utils jq \
&& if [ "$ENABLE_FIREWALLD" = "y" ]; then dnf install -y firewalld; fi \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then dnf install -y nftables; fi \
&& dnf clean all; \
elif command -v yum >/dev/null; then \
yum install -y \
iproute iptables curl procps-ng systemd tar gzip bind-utils jq \
&& if [ "$ENABLE_FIREWALLD" = "y" ]; then yum install -y firewalld; fi \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then yum install -y nftables; fi \
&& yum clean all; \
elif command -v pacman >/dev/null; then \
pacman -Syu --noconfirm \
iproute2 iptables curl procps-ng bind jq \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then pacman -S --noconfirm nftables; fi \
&& pacman -Scc --noconfirm; \
elif command -v zypper >/dev/null; then \
zypper install -y \
iproute2 iptables curl procps systemd tar gzip bind-utils gawk jq \
&& if [ "$ENABLE_NFTABLES" = "y" ]; then zypper install -y nftables; fi \
&& zypper clean -a; \
fi
# Enable firewalld if requested (must be done after systemd is available)
RUN if [ "$ENABLE_FIREWALLD" = "y" ] && command -v firewall-cmd >/dev/null; then \
systemctl enable firewalld; \
fi
# Enable nftables if requested (must be done after systemd is available)
# Use empty nftables.conf - do NOT flush ruleset as it removes Docker's networking rules
RUN if [ "$ENABLE_NFTABLES" = "y" ] && command -v nft >/dev/null; then \
systemctl enable nftables; \
mkdir -p /etc/nftables; \
echo '#!/usr/sbin/nft -f' > /etc/nftables.conf; \
fi
# Create TUN device (will be mounted at runtime)
RUN mkdir -p /dev/net
# Copy the install script
COPY openvpn-install.sh /opt/openvpn-install.sh
RUN chmod +x /opt/openvpn-install.sh
# Copy test scripts
COPY test/server-entrypoint.sh /entrypoint.sh
COPY test/validate-output.sh /opt/test/validate-output.sh
RUN chmod +x /entrypoint.sh /opt/test/validate-output.sh
# Create systemd service for the test script
# PassEnvironment passes Docker env vars (-e) from PID 1 to the service
RUN printf '%s\n' \
'[Unit]' \
'Description=OpenVPN Installation Test' \
'After=network.target' \
'' \
'[Service]' \
'Type=oneshot' \
'Environment=HOME=/root' \
'PassEnvironment=AUTH_MODE TLS_SIG TLS_KEY_FILE TLS_VERSION_MIN TLS13_CIPHERSUITES CLIENT_IPV6 VPN_SUBNET_IPV6' \
'WorkingDirectory=/root' \
'ExecStart=/entrypoint.sh' \
'RemainAfterExit=yes' \
'StandardOutput=journal+console' \
'StandardError=journal+console' \
'' \
'[Install]' \
'WantedBy=multi-user.target' \
> /etc/systemd/system/openvpn-test.service \
&& systemctl enable openvpn-test.service
WORKDIR /opt
STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]
Reference in New Issue View Git Blame Copy Permalink