blocked 4

2025-11-23 17:53:41 +02:00
parent fc99092dec
commit c13355923f
22 changed files with 460 additions and 27 deletions
--- a/ops/devops/airgap/sealed-ci-smoke.sh
+++ b/ops/devops/airgap/sealed-ci-smoke.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Simple sealed-mode CI smoke: block egress, resolve mock DNS, assert services start.
+ROOT=${ROOT:-$(cd "$(dirname "$0")/../.." && pwd)}
+LOGDIR=${LOGDIR:-$ROOT/out/airgap-smoke}
+mkdir -p "$LOGDIR"
+
+# 1) Start mock DNS (returns 0.0.0.0 for everything)
+DNS_PORT=${DNS_PORT:-53535}
+python - <<PY &
+import socketserver, threading
+from dnslib import DNSRecord, RR, A
+
+class Handler(socketserver.BaseRequestHandler):
+    def handle(self):
+        data, sock = self.request
+        request = DNSRecord.parse(data)
+        reply = request.reply()
+        reply.add_answer(RR(request.q.qname, rdata=A('0.0.0.0')))
+        sock.sendto(reply.pack(), self.client_address)
+
+def run():
+    with socketserver.UDPServer(('0.0.0.0', ${DNS_PORT}), Handler) as server:
+        server.serve_forever()
+
+threading.Thread(target=run, daemon=True).start()
+PY
+
+# 2) Block egress except loopback
+iptables -I OUTPUT -d 127.0.0.1/8 -j ACCEPT
+iptables -I OUTPUT -d 0.0.0.0/8 -j ACCEPT
+iptables -A OUTPUT -j DROP
+
+# 3) Placeholder: capture environment info (replace with service start once wired)
+pushd "$ROOT" >/dev/null
+DOTNET_SYSTEM_NET_HTTP_SOCKETSHTTPHANDLER_HTTP2SUPPORT=false \
+DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+DNS_SERVER=127.0.0.1:${DNS_PORT} \
+dotnet --info > "$LOGDIR/dotnet-info.txt"
+popd >/dev/null
+
+echo "sealed CI smoke complete; logs at $LOGDIR"