[launcher] add IPv6 support when opening ports

launcher/container_runner.go

@@ -628,11 +628,12 @@ func openPorts(ports map[string]struct{}) error {
 			return fmt.Errorf("received unknown protocol: got %s, expected tcp or udp", protocol)
 		}
 
-		// This command will write a firewall rule to accept all INPUT packets for the given port/protocol.
-		cmd := exec.Command("iptables", "-A", "INPUT", "-p", protocol, "--dport", port, "-j", "ACCEPT")
-		out, err := cmd.CombinedOutput()
-		if err != nil {
-			return fmt.Errorf("failed to open port %s %s: %v %s", port, protocol, err, out)
+		for _, cmd := range []string{"iptables", "ip6tables"} {
+			cmdline := exec.Command(cmd, "-A", "INPUT", "-p", protocol, "--dport", port, "-j", "ACCEPT")
+			out, err := cmdline.CombinedOutput()
+			if err != nil {
+				return fmt.Errorf("failed to open port using %v: %s, %v", cmdline.Args, out, err)
+			}
 		}
 	}
 

launcher/image/test/create_vm.sh

@@ -10,6 +10,8 @@ print_usage() {
     echo "  -f <metadataFromFile>: read a metadata value from a file; specified in format key=filePath"
     echo "  -n <instanceName>: instance name"
     echo "  -z <instanceZone>: instance zone"
+    echo "  -s <subnet>: subnet"
+    echo "  -t <stackType>: stack type"
     exit 1
 }
 
@@ -42,8 +44,8 @@ create_vm() {
 
   gcloud compute instances create $VM_NAME --confidential-compute --maintenance-policy=TERMINATE \
     --machine-type=n2d-standard-2 --boot-disk-size=$DISK_SIZE_GB --scopes=cloud-platform --zone $ZONE \
-    --image=$IMAGE_NAME --image-project=$PROJECT_NAME --shielded-secure-boot $APPEND_METADATA \
-    $APPEND_METADATA_FILE
+    --image=$IMAGE_NAME --image-project=$PROJECT_NAME --subnet=$SUBNET --shielded-secure-boot $APPEND_METADATA \
+    $APPEND_METADATA_FILE  --stack-type=$STACK_TYPE
 }
 
 IMAGE_NAME=''
@@ -52,17 +54,21 @@ METADATA=''
 PROJECT_NAME=''
 VM_NAME=''
 ZONE=''
+SUBNET='default'
+STACK_TYPE='IPV4_ONLY'
 
 # In getopts, a ':' following a letter means that that flag takes an argument.
 # For example, i: means -i takes an additional argument.
-while getopts 'i:f:m:p:n:z:' flag; do
+while getopts 'i:f:m:p:n:z:s:t:' flag; do
   case "${flag}" in
     i) IMAGE_NAME=${OPTARG} ;;
     f) METADATA_FILE=${OPTARG} ;;
     m) METADATA=${OPTARG} ;;
     p) PROJECT_NAME=${OPTARG} ;;
     n) VM_NAME=${OPTARG} ;;
     z) ZONE=${OPTARG} ;;
+    s) SUBNET=${OPTARG} ;;
+    t) STACK_TYPE=${OPTARG} ;;
     *) print_usage ;;
   esac
 done

launcher/image/test/test_ingress_network.yaml

@@ -18,6 +18,8 @@ steps:
             '-m', 'tee-image-reference=${_WORKLOAD_IMAGE}',
             '-n', 'ingress-network-test-${BUILD_ID}',
             '-z', '${_ZONE}',
+            '-s', 'testipv6',
+            '-t', 'IPV4_IPV6'
           ]
 
   - name: 'gcr.io/cloud-builders/gcloud'
@@ -30,18 +32,36 @@ steps:
         echo "sleeping 200s, waiting for workload server to setup..."
         sleep 200
         internalIP=$(gcloud -q compute instances describe ingress-network-test-${BUILD_ID} --zone=${_ZONE} --format='get(networkInterfaces[0].networkIP)')
-        echo "workload internal IP: "${internalIP}
+        echo "workload internal IPv4 address: "${internalIP}
 
-        # try to connect to the nginx server
+        internalIPv6=$(gcloud -q compute instances describe ingress-network-test-${BUILD_ID} --zone=${_ZONE} --format='get(networkInterfaces[0].ipv6Address)')
+        echo "workload internal IPv6 address: "${internalIPv6}
+
+        # try to connect to the nginx server on IPv4
+        echo "try access via IPv4 internal IP"
         response=$(curl -v ${internalIP}:80)
         echo "got response [${response}]"
 
         # check nginx default response
         if [[ "${response}" == *"Welcome to nginx!"* ]];
         then
-          echo "workload reachable through the internal network"
+          echo "workload reachable through the internal network via IPv4"
+        else
+          echo "FAILED: workload not reachable through the internal network via IPv4"
+          echo 'TEST FAILED' > /workspace/status.txt
+        fi
+
+        # try to connect to the nginx server on IPv6
+        echo "try access via IPv6 internal IP"
+        response=$(curl -g -6 -v "http://[${internalIPv6}]:80/")
+        echo "got response [${response}]"
+
+        # check nginx default response
+        if [[ "${response}" == *"Welcome to nginx!"* ]];
+        then
+          echo "workload reachable through the internal network via IPv6"
         else
-          echo "FAILED: workload not reachable through the internal network"
+          echo "FAILED: workload not reachable through the internal network via IPv6"
           echo 'TEST FAILED' > /workspace/status.txt
         fi
 
@@ -64,4 +84,4 @@ steps:
 
 options:
   pool:
-    name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc'
+    name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc-ipv6'