Add certbot-dns-rfc2136 integration testing

[alexzorin]

Fixes #8433.

This adds integration testing for the certbot-dns-rfc2136 plugin by providing an integration test context which runs an authoritative BIND server, preconfigured with zones and RFC2136 credentials.

Do not merge until #8448 (comment) is addressed (moving test from PR to nightly) (now done)

---

Everything below here is outdated:

It is very much a draft design, but on top of #7722 (+ adding --dns-server to conftest.py) it successfully issues a certificate using RFC2136 with e.g.:

pytest certbot-ci/certbot_integration_tests/rfc2136_tests --acme-server=pebble --dns-server=127.0.0.1:45953

Some questions of my own:

• At the moment, it's a new BIND server for every test. Does it make sense to instead provide the BIND instance globally in conftest.py and keep it running?
• I'm not up to speed on this xdist stuff. Is the current design broken if parallelism kicks in? Do I need to offset the network port by the worker? Is that what nginx does?
• I'm not sure how the {0}.{1}.wtf domain generation pattern would fit in. ISTM the zones need to exist before anything starts up. If we were to do dynamic zones and automatically generate the BIND config, I'm not sure at what point in the program this would happen.
• --dns-server for Boulder might be a bit tricky. I left some comments in named.conf about that. But maybe it's not worth testing multiple ACME servers.
• What type of tests did we have in mind to begin with? e.g. Making sure Certbot works with different tsig algorithms. Making sure Certbot chooses the right zone when there's subdelegation. Making sure Certbot fully cleans up records if domain authorization fails.

[adferrand]

I will group your three first questions since they concern globally the same topic.

About 1-2-3.

Your general design is already pretty much set up in my opinion, and could even go without any major modification as such if parallelization is not required. And basically if there only one test that consume the new fixture, or we explicitly run tests on one unique worker, then parallelization is effectively not required.

Just to say that without going further, if you want to integrate things progressively, we could just define a specific tox target, and set the parallelization off for that target. Then we can have one or several tests in the module, with a TODO linking to an adhoc issue to handle the parallelization problem.

Now to handle things properly in a parallelized environment. In general in my opinion it is better to have integration assets set up on demand for each test, like nginx. However Boulder and Pebble are set up globally, mostly because Boulder is damn slow to start and consume a lot of resources, and I put Pebble on the same approach to not put too much complexity in the code. Thing is in this case, since the DNS server needs to be instructed to Boulder/Pebble, then the DNS server also needs to be set up globally.

I think we can have a way with multiple test workers. The key point in my opinion is to dynamically configure bind9. Given that the DNS server would be global, it needs to be done in the _setup_primary_node of conftest.py. Ideally we should design this so it colocates nicely with the other integration tests (certbot and nginx). I think it requires the following:

• having a global flag in pytest_addoption to select as DNS server a crafted Bind9 instance or the internal mock DNS server
• depending on the global flag, we either setup Bind9 or leave the default behavior (internal DNS server mock)
• if Bind9 is used, configure the --dns-server to the run_acme_server function

Then the Bind9 instance needs to fullfill the role of the standard DNS mock server, and the functionalities required to run the certbot-dns-rfc2136 integration tests. I think it can be done by defining (dynamically) a zone for each {0}.wtf domain, each one having a zone configuration returning localhost for every subdomain request.

At that point the Bind9 will cover the DNS mock server functionality, and we have dedicated {0}.wtf zones to work with certbot-dns-rfc2136 integration tests.

NB: To give more context about {0}.wtf, it is to solve the problem of having multiple certbot instances in parallel, and how the CA server will redirect its challenge requests check for HTTP challenges. The solution I found is to have a L4 proxy (HTTP proxy) between the CA server and the certbot instances. Given the actual host the CA server wants to check, this proxy will redirect the request to the proper test worker, and so the proper certbot instance.

[adferrand]

On your last point, I agree with you in term of functional coverage to begin with. Concerning subdomain delegation, it would be great to cover #7244 and #7346, as it could also unblock these features.

[bmw]

Thanks to both of you for working on this!

At a high level, I personally would suggest simplicity and iteration here. We can get something basic working and add more complexity/features later as needed. I don't think we really need things like parallelism and the ability to test with Boulder in the first version and I think it's likely we won't ever need them.

As for what to test, I have the same idea and would personally just be satisfied with a simple test that successfully obtains a certificate. We could add some extra checks if you like, but again, I'd keep it pretty simple to start with.

[adferrand]

Yes for the iterative approach I would recommend what I described in the two first paragraphs of my big comment.

The key points are to isolate these tests at runtime from the other integration tests (with a dedicated tox target) since it would break them if a bind9 server is used as the dns resolver for pebble without proper configuration, and to set explicitly no parallelization.

[alexzorin]

Thanks as always for the very deep explanations. I've tried to balance simplicity and future proofing.

The DNS Server is now a global resource for the integration tests, but only used for a single tox target integration-dns-rfc2186. I've tried to give it all a shape that will allow it to be easily transitioned into full-blown xdist and {0}.{1}.wtf mode, should those needs arise. But I feel this looks pretty adequate in terms of features.

I have further proposed in 3146ea8 a method to mock recursive DNS that I believe should be able to eventually meet the rather significant needs of #7244. That said, I admit that I did not understand @adferrand's idea to try integrate challtestsrv as a forwarder. I would be keen to hear how it would work (e.g. following CNAMEs from AA=0 to AA=1) so we don't accidentally choose something which is a bad fit.

[adferrand]

@alexzorin I will start the review soon, but from a quick look it looks great. I think the balance is good, and the PR stays in an acceptable size (at least for me, concerning things about certbot-ci :p). We can definitly handle the parallelization problem later.

To precise my idea on challtestsrv, it needs to be challenged, but my intention was not that it could cover any need for the RFC2136 integration tests. For that I think that a carefully crafted and self-contained configuration in Bind9 is definitely better.

My idea was to build on the idea to never allow the DNS server to leak requests on the outside world. But instead of just making a configuration that would make Bind9 respond NXDOMAIN or SERVFAIL errors for unhandled zones, I thought that we could use the challtestsrv as the unique forwarder to Bind9. On top of ensuring that any DNS query would stay local, if I am not mistaken it would make Bind9 respond what is configured in challtestsrv for any other unhandled zone, making it effectively a DNS mock server for the rest of the integration tests (certbot or nginx).

Or course I am pretty sure that Bind9 could be configured to do this mocking by itself, but having challtestsrv could reduce the configuration to do on Bind9 on that matter, while keeping the convenient behavior we have when challtestsrv is used directly. To recall, challtestsrv is primarily designed to help with DNS challenges: it exposes a dead simple REST API to prepare and return the expected TXT requests during a DNS challenge, while fallbacking to a predefined IP for everything else.

Of course this is entirely optional. We could just keep independant runs of certbot+nginx integration tests vs rfc2136 tests. But with this I think we could have a transparent execution of all tests in a row. What do you think of this?

[adferrand]

Thanks a lot for this really elegant PR. It fits very well in the general certbot-ci approach.

[alexzorin]

I've thought about the pebble-challtestsrv forwarder question for a few days and I guess I don't have much an opinion either way.

Having one standard stack of services for tests would be nice for certbot-ci.

I have a minor concern about making sure that there is good hygiene: making sure that mock RRs from pebble-challtestsrv do not have accidental contamination of RFC2136 tests (using BIND9 mock RRs), and vice-versa. But that's probably quite doable just by virtue of {0}.{1}.wtf.

Is there an obvious benefit to implementing that now? I can try it out if so. Otherwise, I'm pretty happy with how things have turned out.

[adferrand]

No, no immediate benefit, and this can be addressed in a later time like for parallelization. About one unified stack, I would like so, but bind9 is still an external dependency that needs to be available in the system to make these tests work, and it may be a problem for Windows.

[adferrand]

@alexzorin I tried the integration tests on a DigitalOcean Ubuntu 20.04 machine and WSL2 under Windows. Both failed with the following stack:

$ tox -e integration-dns-rfc2136
...
integration-dns-rfc2136 run-test: commands[1] | pytest certbot-ci/certbot_integration_tests/rfc2136_tests --acme-server=pebble --dns-server=bind --numprocesses=1
DNS xdist config:
{'address': '127.0.0.1', 'port': 45953}
INTERNALERROR> Traceback (most recent call last):
INTERNALERROR>   File "/root/certbot/certbot-ci/certbot_integration_tests/utils/dns_server.py", line 93, in _start_bind
INTERNALERROR>     self._wait_until_ready()
INTERNALERROR>   File "/root/certbot/certbot-ci/certbot_integration_tests/utils/dns_server.py", line 127, in _wait_until_ready
INTERNALERROR>     raise ValueError(
INTERNALERROR> ValueError: Gave up waiting for DNS server ('127.0.0.1', 45953) to respond
INTERNALERROR>
INTERNALERROR> During handling of the above exception, another exception occurred:
INTERNALERROR>
INTERNALERROR> Traceback (most recent call last):
INTERNALERROR>   File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/main.py", line 107, in wrap_session
INTERNALERROR>     config._do_configure()
INTERNALERROR>   File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/config.py", line 935, in _do_configure
INTERNALERROR>     self.hook.pytest_configure.call_historic(kwargs=dict(config=self))
INTERNALERROR>   File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 750, in call_historic
INTERNALERROR>     self._hookexec(self, self._nonwrappers + self._wrappers, kwargs)
INTERNALERROR>   File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 339, in _hookexec
INTERNALERROR>     return self._inner_hookexec(hook, methods, kwargs)
INTERNALERROR>   File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 334, in <lambda>
INTERNALERROR>     _MultiCall(methods, kwargs, hook.spec_opts).execute()
INTERNALERROR>   File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 614, in execute
INTERNALERROR>     res = hook_impl.function(*args)
INTERNALERROR>   File "/root/certbot/certbot-ci/certbot_integration_tests/conftest.py", line 41, in pytest_configure
INTERNALERROR>     _setup_primary_node(config)
INTERNALERROR>   File "/root/certbot/certbot-ci/certbot_integration_tests/conftest.py", line 109, in _setup_primary_node
INTERNALERROR>     dns_server.start()
INTERNALERROR>   File "/root/certbot/certbot-ci/certbot_integration_tests/utils/dns_server.py", line 54, in start
INTERNALERROR>     self._start_bind()
INTERNALERROR>   File "/root/certbot/certbot-ci/certbot_integration_tests/utils/dns_server.py", line 96, in _start_bind
INTERNALERROR>     self._stop_bind()
INTERNALERROR> AttributeError: 'DNSServer' object has no attribute '_stop_bind'
Traceback (most recent call last):
  File "/root/certbot/.tox/integration-dns-rfc2136/bin/pytest", line 8, in <module>
    sys.exit(main())
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/config.py", line 58, in main
    return config.hook.pytest_cmdline_main(config=config)
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 745, in __call__
    return self._hookexec(self, self._nonwrappers + self._wrappers, kwargs)
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 339, in _hookexec
    return self._inner_hookexec(hook, methods, kwargs)
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 334, in <lambda>
    _MultiCall(methods, kwargs, hook.spec_opts).execute()
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/vendored_packages/pluggy.py", line 614, in execute
    res = hook_impl.function(*args)
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/main.py", line 140, in pytest_cmdline_main
    return wrap_session(config, _main)
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/main.py", line 135, in wrap_session
    config._ensure_unconfigure()
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/site-packages/_pytest/config.py", line 944, in _ensure_unconfigure
    fin()
  File "/root/certbot/certbot-ci/certbot_integration_tests/utils/dns_server.py", line 68, in stop
    shutil.rmtree(self.bind_root)
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/shutil.py", line 706, in rmtree
    onerror(os.lstat, path, sys.exc_info())
  File "/root/certbot/.tox/integration-dns-rfc2136/lib/python3.8/shutil.py", line 704, in rmtree
    orig_st = os.lstat(path)
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpj7qvk3hu'
ERROR: InvocationError for command /root/certbot/.tox/integration-dns-rfc2136/bin/pytest certbot-ci/certbot_integration_tests/rfc2136_tests --acme-server=pebble --dns-server=bind --numprocesses=1 (exited with code 1)
_______________________________________________________ summary ________________________________________________________
ERROR:   integration-dns-rfc2136: commands failed

Do you know what is going on?

[alexzorin]

Ignoring the simple 9733524 mistake, I wonder if it's because Docker is taking a long time to download the image.

I will try reproduce on DigitalOcean as well.

[adferrand]

Yes, I suspect that. I retried two times with the same result, but given that pytest will clear everything, it is very likely that the docker process is stopped before the big layer that is blocking here is downloaded, so it will be downloaded again.

[alexzorin]

While you have the droplet up, could you time this:

docker run --rm -it --entrypoint /bin/true internetsystemsconsortium/bind9:9.16

[adferrand]

This call should also be protected by try/except to avoid to polute the logs when the temporary workspace has not even been setup before the main exception in the process occurs.

[adferrand]

While you have the droplet up, could you time this:

docker run --rm -it --entrypoint /bin/true internetsystemsconsortium/bind9:9.16

$ time docker run --rm -it --entrypoint /bin/true internetsystemsconsortium/bind9:9.16

real    0m0.612s
user    0m0.045s
sys     0m0.055s

[alexzorin]

Ah, that's with the image is already downloaded. Perhaps after docker image prune -a.

I am trying the same thing in NYC1 region at the moment.

[adferrand]

Well, with prune:

$ time docker run --rm -it --entrypoint /bin/true internetsystemsconsortium/bind9:9.16
Unable to find image 'internetsystemsconsortium/bind9:9.16' locally
9.16: Pulling from internetsystemsconsortium/bind9
54ee1f796a1e: Pull complete
f7bfea53ad12: Pull complete
46d371e02073: Pull complete
b66c17bbf772: Pull complete
397f607c4492: Pull complete
b0fcfe8aaf93: Pull complete
48fb8b248074: Pull complete
3f7bf47434c7: Pull complete
96362b0e08fb: Pull complete
Digest: sha256:332d41e7b319d5b1b559d20978e2e476097645471f40c3f9037d6144474ecbe6
Status: Downloaded newer image for internetsystemsconsortium/bind9:9.16

real    0m9.446s
user    0m0.084s
sys     0m0.044s

But without prune, the image was already there so the docker should run almost instantly on the second tox invocation. The docker is certainly not starting correctly.

[alexzorin]

Hmmm. It worked for me on the first go on DigitalOcean NYC1, Ubuntu 20.04.

Installed python3 python3-venv git and Docker from https://docs.docker.com/engine/install/ubuntu/, then tools/venv3.py, source venv3/bin/activate and tox -e integration-dns-rfc2136.

Are you doing anything different?

[adferrand]

I put aside WSL 2, since I know that Docker for Windows has some problems to work correctly in that context (one of the main reason why I designed certbot integration tests to run without any docker when Pebble is involved).

For DigitalOcean, I have almost the same setup, but installed Docker with snap, and my droplet is in Amsterdam. I retry with the non-snap installation.

[adferrand]

I put aside WSL 2, since I know that Docker for Windows has some problems to work correctly in that context (one of the main reason why I designed certbot integration tests to run without any docker when Pebble is involved).

For DigitalOcean, I have almost the same setup, but installed Docker with snap, and my droplet is in Amsterdam. I retry with the non-snap installation.

I confirm it is working with a non-snap installation of docker.

[alexzorin]

OK. If I toggle show_output=True in dns_server.py, we get:

16-Nov-2020 09:08:53.094 starting BIND 9.16.6-Ubuntu (Stable Release) <id:25846cf>
16-Nov-2020 09:08:53.094 running on Linux x86_64 5.4.0-51-generic #56-Ubuntu SMP Mon Oct 5 14:28:49 UTC 2020
16-Nov-2020 09:08:53.094 built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-IhPNrB/bind9-9.16.6=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
16-Nov-2020 09:08:53.094 running as: named -g -c /etc/bind/named.conf -u bind
16-Nov-2020 09:08:53.094 compiled by GCC 9.3.0
16-Nov-2020 09:08:53.094 compiled with OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
16-Nov-2020 09:08:53.094 linked to OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
16-Nov-2020 09:08:53.094 compiled with libxml2 version: 2.9.10
16-Nov-2020 09:08:53.094 linked to libxml2 version: 20910
16-Nov-2020 09:08:53.094 compiled with json-c version: 0.13.1
16-Nov-2020 09:08:53.094 linked to json-c version: 0.13.1
16-Nov-2020 09:08:53.094 compiled with zlib version: 1.2.11
16-Nov-2020 09:08:53.094 linked to zlib version: 1.2.11
16-Nov-2020 09:08:53.094 ----------------------------------------------------
16-Nov-2020 09:08:53.094 BIND 9 is maintained by Internet Systems Consortium,
16-Nov-2020 09:08:53.094 Inc. (ISC), a non-profit 501(c)(3) public-benefit
16-Nov-2020 09:08:53.094 corporation.  Support and training for BIND 9 are
16-Nov-2020 09:08:53.094 available at https://www.isc.org/support
16-Nov-2020 09:08:53.094 ----------------------------------------------------
16-Nov-2020 09:08:53.094 found 4 CPUs, using 4 worker threads
16-Nov-2020 09:08:53.094 using 4 UDP listeners per interface
16-Nov-2020 09:08:53.098 using up to 21000 sockets
16-Nov-2020 09:08:53.102 loading configuration from '/etc/bind/named.conf'
16-Nov-2020 09:08:53.102 open: /etc/bind/named.conf: file not found

which I guess makes sense because Docker is not a classic snap? Well, I don't know how Docker works on snap, but it is not surprising that the volume mounts are not working as expected anyhow.

Would you like this to work for the PR to land? The fix is potentially simple according to https://github.com/docker-snap/docker-snap#usage:

All files that docker needs access to should live within your $HOME folder.

At the moment certbot-ci workspace is in /tmp; I could add some code to temporary copy to $HOME (though whether $HOME actually points to a writable directory in every test environment, I'm not sure).

[adferrand]

Ah yes! Several points in favor of using a temporary workspace in the home user:

• same problem for Boulder, which is using a docker-compose stack
• I already encountered this issue, you did also and someone else could in the future
• proper setup and cleanup of workspaces is already carried out by the pytest mechanics

You do not even need to copy the data. Everything is refered relatively to self._workspace in ACMEServer and self.bind_root in DNSServer. So we could change the location of these folders to something under ~/.certbot-ci for instance.

If it is that simple, I think it is worth a try.

[alexzorin]

Yuck, we would have to end up sniffing for snapped Docker anyway because docker-compose gets renamed to docker.compose. I'm leaning against doing this, especially if we don't have any users (such as ourselves) who are going to regularly test that it works across the whole test suite.

[adferrand]

Yes, I agree.

[adferrand]

Also the tempfile module in python honors the TMPDIR env variable if it is set. So it is still possible to globally control the temporary directory location for a given system by setting this variable.

[adferrand]

LGTM!

[bmw]

Thanks a lot for tackling this!