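#!/usr/bin/env bash
set -euo pipefail

# Simple sealed-mode CI smoke: block egress, resolve mock DNS, assert services start.
#
# Preconditions:
#   - runs as root (OUTPUT chain rules are added to the host's iptables, and to
#     ip6tables when IPv6 is enabled)
#   - "$PYTHON" (default: python) can import the dnslib package
#   - meant for a throwaway CI runner: rules and the mock resolver are removed
#     by the EXIT trap, but a SIGKILL of this script leaves them behind
#
# Env overrides: ROOT, LOGDIR, DNS_PORT, PYTHON.

ROOT=${ROOT:-$(cd "$(dirname "$0")/../.." && pwd)}
LOGDIR=${LOGDIR:-$ROOT/out/airgap-smoke}
DNS_PORT=${DNS_PORT:-53535}
PYTHON=${PYTHON:-python}
mkdir -p "$LOGDIR"

die() { printf '%s\n' "$*" >&2; exit 1; }

# DNS_PORT is spliced into Python source via the unquoted here-doc below, so it
# must be a bare integer - anything else would be executed as Python.
[[ "$DNS_PORT" =~ ^[0-9]+$ ]] || die "DNS_PORT must be numeric, got: $DNS_PORT"

# Rule specs live in arrays so the cleanup deletes exactly what was added.
accept_lo=(OUTPUT -d 127.0.0.0/8 -j ACCEPT)
accept_any=(OUTPUT -d 0.0.0.0/8 -j ACCEPT)
drop_all=(OUTPUT -j DROP)
dns_pid=

#######################################
# Tear down the egress rules and the mock resolver.
# Every step is best-effort on purpose: a rule may never have been added or the
# server may never have started, and cleanup must not mask the original error.
# Globals: dns_pid, accept_lo, accept_any, drop_all (read)
#######################################
cleanup() {
  if [[ -n "$dns_pid" ]]; then
    kill "$dns_pid" 2>/dev/null || true
  fi
  iptables -D "${drop_all[@]}" 2>/dev/null || true
  iptables -D "${accept_any[@]}" 2>/dev/null || true
  iptables -D "${accept_lo[@]}" 2>/dev/null || true
  if command -v ip6tables >/dev/null; then
    ip6tables -D OUTPUT -j DROP 2>/dev/null || true
    ip6tables -D OUTPUT -o lo -j ACCEPT 2>/dev/null || true
  fi
}
trap cleanup EXIT

# 1) Start mock DNS (returns 0.0.0.0 for everything)
# The shell backgrounds the interpreter, so the server runs on Python's main
# thread; the previous daemon-thread form was torn down the moment the
# interpreter reached end of input, leaving nothing listening. It binds to
# loopback only, which is all DNS_SERVER below points at.
"$PYTHON" - >"$LOGDIR/mock-dns.log" 2>&1 <<PY &
import socketserver
from dnslib import DNSRecord, RR, A


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request
        request = DNSRecord.parse(data)
        reply = request.reply()
        reply.add_answer(RR(request.q.qname, rdata=A('0.0.0.0')))
        sock.sendto(reply.pack(), self.client_address)


with socketserver.UDPServer(('127.0.0.1', ${DNS_PORT}), Handler) as server:
    server.serve_forever()
PY
dns_pid=$!

# Liveness (not readiness) check: a missing dnslib or an occupied port kills
# the interpreter almost immediately, and without this the smoke would
# silently run against no resolver at all.
sleep 1
kill -0 "$dns_pid" 2>/dev/null \
  || die "mock DNS failed to start; see $LOGDIR/mock-dns.log"

# 2) Block egress except loopback
# -I puts the ACCEPT rules ahead of anything already in the chain; -A appends
# the DROP so it is evaluated after them. IPv6 gets the same treatment when it
# is enabled, otherwise a v6-capable runner would not actually be sealed.
iptables -I "${accept_lo[@]}"
iptables -I "${accept_any[@]}"
iptables -A "${drop_all[@]}"
if command -v ip6tables >/dev/null && [[ -e /proc/net/if_inet6 ]]; then
  ip6tables -I OUTPUT -o lo -j ACCEPT
  ip6tables -A OUTPUT -j DROP
fi

# 3) Placeholder: capture environment info (replace with service start once wired)
# A subshell scopes the cd; the env assignments apply to dotnet only.
(
  cd "$ROOT"
  DOTNET_SYSTEM_NET_HTTP_SOCKETSHTTPHANDLER_HTTP2SUPPORT=false \
  DOTNET_CLI_TELEMETRY_OPTOUT=1 \
  DNS_SERVER=127.0.0.1:${DNS_PORT} \
  dotnet --info > "$LOGDIR/dotnet-info.txt"
) || die "dotnet --info failed under sealed networking; see $LOGDIR/dotnet-info.txt"

printf '%s\n' "sealed CI smoke complete; logs at $LOGDIR"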