openvpn-install/test/Dockerfile.server

# checkov:skip=CKV_DOCKER_2:Test container doesn't need healthcheck
# checkov:skip=CKV_DOCKER_3:OpenVPN server requires root for NET_ADMIN
# checkov:skip=CKV_DOCKER_7:Base image is parameterized, some use latest tag
ARG BASE_IMAGE=ubuntu:24.04
FROM ${BASE_IMAGE}

ARG BASE_IMAGE
# Set to "y" to install and enable firewalld for testing
ARG ENABLE_FIREWALLD=n
# Set to "y" to install and enable nftables for testing
ARG ENABLE_NFTABLES=n
ENV DEBIAN_FRONTEND=noninteractive
ENV ENABLE_FIREWALLD=${ENABLE_FIREWALLD}
ENV ENABLE_NFTABLES=${ENABLE_NFTABLES}

# Install basic dependencies based on the OS
# dnsutils/bind-utils provides dig for DNS testing with Unbound
RUN if command -v apt-get >/dev/null; then \
        apt-get update && apt-get install -y --no-install-recommends \
            iproute2 iptables curl procps systemd systemd-sysv dnsutils jq \
        && if [ "$ENABLE_NFTABLES" = "y" ]; then apt-get install -y --no-install-recommends nftables; fi \
        && rm -rf /var/lib/apt/lists/*; \
    elif command -v dnf >/dev/null; then \
        dnf install -y --allowerasing \
            iproute iptables curl procps-ng systemd tar gzip bind-utils jq \
        && if [ "$ENABLE_FIREWALLD" = "y" ]; then dnf install -y firewalld; fi \
        && if [ "$ENABLE_NFTABLES" = "y" ]; then dnf install -y nftables; fi \
        && dnf clean all; \
    elif command -v yum >/dev/null; then \
        yum install -y \
            iproute iptables curl procps-ng systemd tar gzip bind-utils jq \
        && if [ "$ENABLE_FIREWALLD" = "y" ]; then yum install -y firewalld; fi \
        && if [ "$ENABLE_NFTABLES" = "y" ]; then yum install -y nftables; fi \
        && yum clean all; \
    elif command -v pacman >/dev/null; then \
        pacman -Syu --noconfirm \
            iproute2 iptables curl procps-ng bind jq \
        && if [ "$ENABLE_NFTABLES" = "y" ]; then pacman -S --noconfirm nftables; fi \
        && pacman -Scc --noconfirm; \
    elif command -v zypper >/dev/null; then \
        zypper install -y \
            iproute2 iptables curl procps systemd tar gzip bind-utils gawk jq \
        && if [ "$ENABLE_NFTABLES" = "y" ]; then zypper install -y nftables; fi \
        && zypper clean -a; \
    fi

# Enable firewalld if requested (must be done after systemd is available)
RUN if [ "$ENABLE_FIREWALLD" = "y" ] && command -v firewall-cmd >/dev/null; then \
        systemctl enable firewalld; \
    fi

# Enable nftables if requested (must be done after systemd is available)
# Use empty nftables.conf - do NOT flush ruleset as it removes Docker's networking rules
RUN if [ "$ENABLE_NFTABLES" = "y" ] && command -v nft >/dev/null; then \
        systemctl enable nftables; \
        mkdir -p /etc/nftables; \
        echo '#!/usr/sbin/nft -f' > /etc/nftables.conf; \
    fi

# Create TUN device (will be mounted at runtime)
RUN mkdir -p /dev/net

# Copy the install script
COPY openvpn-install.sh /opt/openvpn-install.sh
RUN chmod +x /opt/openvpn-install.sh

# Copy test scripts
COPY test/server-entrypoint.sh /entrypoint.sh
COPY test/validate-output.sh /opt/test/validate-output.sh
RUN chmod +x /entrypoint.sh /opt/test/validate-output.sh

# Create systemd service for the test script
RUN printf '%s\n' \
    '[Unit]' \
    'Description=OpenVPN Installation Test' \
    'After=network.target' \
    '' \
    '[Service]' \
    'Type=oneshot' \
    'Environment=HOME=/root' \
    'WorkingDirectory=/root' \
    'ExecStart=/entrypoint.sh' \
    'RemainAfterExit=yes' \
    'StandardOutput=journal+console' \
    'StandardError=journal+console' \
    '' \
    '[Install]' \
    'WantedBy=multi-user.target' \
    > /etc/systemd/system/openvpn-test.service \
    && systemctl enable openvpn-test.service

WORKDIR /opt

STOPSIGNAL SIGRTMIN+3
CMD ["/sbin/init"]