Harden network and restore test retries

Author: sjmiller609

lib/instances/compression_integration_linux_test.go

@@ -258,30 +258,64 @@ func waitForRunningAndExecReady(t *testing.T, ctx context.Context, mgr *manager,
 		require.NoError(t, waitHypervisorUp(ctx, inst))
 	}
 	require.NoError(t, waitForExecAgent(ctx, mgr, instanceID, 30*time.Second))
+	waitForGuestExecReady(t, ctx, inst)
 	return inst
 }
 
-func writeGuestMarker(t *testing.T, ctx context.Context, inst *Instance, path string, value string) {
+func waitForGuestExecReady(t *testing.T, ctx context.Context, inst *Instance) {
 	t.Helper()
-	execCtx, cancel := context.WithTimeout(ctx, integrationTestTimeout(compressionGuestExecTimeout))
-	defer cancel()
 
-	output, exitCode, err := execCommand(execCtx, inst, "sh", "-c", fmt.Sprintf("printf %q > %s && sync", value, path))
+	require.Eventually(t, func() bool {
+		execCtx, cancel := context.WithTimeout(ctx, integrationTestTimeout(5*time.Second))
+		defer cancel()
+
+		output, exitCode, err := execCommand(execCtx, inst, "true")
+		return err == nil && exitCode == 0 && output == ""
+	}, integrationTestTimeout(15*time.Second), 500*time.Millisecond, "guest exec should succeed after restore")
+}
+
+func writeGuestMarker(t *testing.T, ctx context.Context, inst *Instance, path string, value string) {
+	t.Helper()
+	output, exitCode, err := execCommandWithRetry(ctx, inst, compressionGuestExecTimeout, "sh", "-c", fmt.Sprintf("printf %q > %s && sync", value, path))
 	require.NoError(t, err)
 	require.Equal(t, 0, exitCode, output)
 }
 
 func assertGuestMarker(t *testing.T, ctx context.Context, inst *Instance, path string, expected string) {
 	t.Helper()
-	execCtx, cancel := context.WithTimeout(ctx, integrationTestTimeout(compressionGuestExecTimeout))
-	defer cancel()
-
-	output, exitCode, err := execCommand(execCtx, inst, "cat", path)
+	output, exitCode, err := execCommandWithRetry(ctx, inst, compressionGuestExecTimeout, "cat", path)
 	require.NoError(t, err)
 	require.Equal(t, 0, exitCode, output)
 	assert.Equal(t, expected, output)
 }
 
+func execCommandWithRetry(ctx context.Context, inst *Instance, timeout time.Duration, command ...string) (string, int, error) {
+	deadline := time.Now().Add(integrationTestTimeout(timeout))
+	var lastOutput string
+	var lastExitCode int
+	var lastErr error
+
+	for {
+		execCtx, cancel := context.WithTimeout(ctx, integrationTestTimeout(5*time.Second))
+		output, exitCode, err := execCommand(execCtx, inst, command...)
+		cancel()
+
+		if err == nil {
+			return output, exitCode, nil
+		}
+
+		lastOutput = output
+		lastExitCode = exitCode
+		lastErr = err
+
+		if time.Now().After(deadline) {
+			return lastOutput, lastExitCode, lastErr
+		}
+
+		time.Sleep(500 * time.Millisecond)
+	}
+}
+
 func waitForCompressionJobStart(t *testing.T, mgr *manager, key string, timeout time.Duration) {
 	t.Helper()
 	deadline := time.Now().Add(timeout)

lib/instances/network_test.go

@@ -245,42 +245,42 @@ func TestDockerForwardChainRestored(t *testing.T) {
 	require.NoError(t, manager.networkManager.Initialize(ctx, nil))
 
 	// Check if DOCKER-FORWARD chain exists (Docker must be running on host).
-	checkChain := exec.Command("iptables", "-L", "DOCKER-FORWARD", "-n")
+	checkChain := exec.Command("iptables", "-w", "5", "-L", "DOCKER-FORWARD", "-n")
 	if checkChain.Run() != nil {
 		t.Skip("DOCKER-FORWARD chain not present (Docker not running), skipping")
 	}
 
 	// Verify jump currently exists.
-	checkJump := exec.Command("iptables", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
+	checkJump := exec.Command("iptables", "-w", "5", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
 	require.NoError(t, checkJump.Run(), "DOCKER-FORWARD jump should exist before test")
 
 	// Safety net: restore the jump if the test fails or aborts after we delete it,
 	// so we don't leave the host's Docker networking broken.
 	t.Cleanup(func() {
-		check := exec.Command("iptables", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
+		check := exec.Command("iptables", "-w", "5", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
 		if check.Run() != nil {
-			restore := exec.Command("iptables", "-A", "FORWARD", "-j", "DOCKER-FORWARD")
+			restore := exec.Command("iptables", "-w", "5", "-A", "FORWARD", "-j", "DOCKER-FORWARD")
 			_ = restore.Run()
 		}
 	})
 
 	// Simulate the hypervisor flush: remove every jump.
 	for {
-		delJump := exec.Command("iptables", "-D", "FORWARD", "-j", "DOCKER-FORWARD")
+		delJump := exec.Command("iptables", "-w", "5", "-D", "FORWARD", "-j", "DOCKER-FORWARD")
 		if err := delJump.Run(); err != nil {
 			break
 		}
 	}
 
 	// Confirm it's gone.
-	checkGone := exec.Command("iptables", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
+	checkGone := exec.Command("iptables", "-w", "5", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
 	require.Error(t, checkGone.Run(), "DOCKER-FORWARD jump should be gone after delete")
 
 	// Re-initialize network — this should restore the jump.
 	require.NoError(t, manager.networkManager.Initialize(ctx, nil))
 
 	// Verify jump is restored.
-	checkRestored := exec.Command("iptables", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
+	checkRestored := exec.Command("iptables", "-w", "5", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
 	require.NoError(t, checkRestored.Run(), "ensureDockerForwardJump should have restored the DOCKER-FORWARD jump")
 }
 

lib/network/bridge_linux.go

@@ -20,6 +20,18 @@ import (
 )
 
 const netlinkDumpRetryCount = 3
+const iptablesWaitSeconds = "5"
+
+func newIPTablesCommand(args ...string) *exec.Cmd {
+	fullArgs := make([]string, 0, len(args)+2)
+	fullArgs = append(fullArgs, "-w", iptablesWaitSeconds)
+	fullArgs = append(fullArgs, args...)
+	cmd := exec.Command("iptables", fullArgs...)
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
+	}
+	return cmd
+}
 
 func listBridgeAddrsWithRetry(link netlink.Link) ([]netlink.Addr, error) {
 	var err error
@@ -288,13 +300,10 @@ func (m *manager) setupIPTablesRules(ctx context.Context, subnet, bridgeName str
 // ensureNATRule ensures the MASQUERADE rule exists with correct uplink
 func (m *manager) ensureNATRule(subnet, uplink, comment string) (string, error) {
 	// Check if rule exists with correct subnet and uplink
-	checkCmd := exec.Command("iptables", "-t", "nat", "-C", "POSTROUTING",
+	checkCmd := newIPTablesCommand("-t", "nat", "-C", "POSTROUTING",
 		"-s", subnet, "-o", uplink,
 		"-m", "comment", "--comment", comment,
 		"-j", "MASQUERADE")
-	checkCmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
 	if checkCmd.Run() == nil {
 		return "existing", nil
 	}
@@ -303,13 +312,10 @@ func (m *manager) ensureNATRule(subnet, uplink, comment string) (string, error)
 	m.deleteNATRuleByComment(comment)
 
 	// Add rule with comment
-	addCmd := exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING",
+	addCmd := newIPTablesCommand("-t", "nat", "-A", "POSTROUTING",
 		"-s", subnet, "-o", uplink,
 		"-m", "comment", "--comment", comment,
 		"-j", "MASQUERADE")
-	addCmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
 	if err := addCmd.Run(); err != nil {
 		return "", fmt.Errorf("add masquerade rule: %w", err)
 	}
@@ -327,10 +333,7 @@ func (m *manager) ruleComment(base string) string {
 // deleteNATRuleByComment deletes any NAT POSTROUTING rule containing our comment
 func (m *manager) deleteNATRuleByComment(comment string) {
 	// List NAT POSTROUTING rules
-	cmd := exec.Command("iptables", "-t", "nat", "-L", "POSTROUTING", "--line-numbers", "-n")
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	cmd := newIPTablesCommand("-t", "nat", "-L", "POSTROUTING", "--line-numbers", "-n")
 	output, err := cmd.Output()
 	if err != nil {
 		return
@@ -350,10 +353,7 @@ func (m *manager) deleteNATRuleByComment(comment string) {
 
 	// Delete in reverse order
 	for i := len(ruleNums) - 1; i >= 0; i-- {
-		delCmd := exec.Command("iptables", "-t", "nat", "-D", "POSTROUTING", ruleNums[i])
-		delCmd.SysProcAttr = &syscall.SysProcAttr{
-			AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-		}
+		delCmd := newIPTablesCommand("-t", "nat", "-D", "POSTROUTING", ruleNums[i])
 		delCmd.Run() // ignore error
 	}
 }
@@ -369,14 +369,11 @@ func (m *manager) ensureForwardRule(inIface, outIface, ctstate, comment string,
 	m.deleteForwardRuleByComment(comment)
 
 	// Insert at specified position with comment
-	addCmd := exec.Command("iptables", "-I", "FORWARD", fmt.Sprintf("%d", position),
+	addCmd := newIPTablesCommand("-I", "FORWARD", fmt.Sprintf("%d", position),
 		"-i", inIface, "-o", outIface,
 		"-m", "conntrack", "--ctstate", ctstate,
 		"-m", "comment", "--comment", comment,
 		"-j", "ACCEPT")
-	addCmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
 	if err := addCmd.Run(); err != nil {
 		return "", fmt.Errorf("insert forward rule: %w", err)
 	}
@@ -386,10 +383,7 @@ func (m *manager) ensureForwardRule(inIface, outIface, ctstate, comment string,
 // isForwardRuleCorrect checks if our rule exists at the expected position with correct interfaces
 func (m *manager) isForwardRuleCorrect(inIface, outIface, comment string, position int) bool {
 	// List FORWARD chain with line numbers
-	cmd := exec.Command("iptables", "-L", "FORWARD", "--line-numbers", "-n", "-v")
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	cmd := newIPTablesCommand("-L", "FORWARD", "--line-numbers", "-n", "-v")
 	output, err := cmd.Output()
 	if err != nil {
 		return false
@@ -417,10 +411,7 @@ func (m *manager) isForwardRuleCorrect(inIface, outIface, comment string, positi
 // deleteForwardRuleByComment deletes any FORWARD rule containing our comment
 func (m *manager) deleteForwardRuleByComment(comment string) {
 	// List FORWARD rules
-	cmd := exec.Command("iptables", "-L", "FORWARD", "--line-numbers", "-n")
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	cmd := newIPTablesCommand("-L", "FORWARD", "--line-numbers", "-n")
 	output, err := cmd.Output()
 	if err != nil {
 		return
@@ -440,10 +431,7 @@ func (m *manager) deleteForwardRuleByComment(comment string) {
 
 	// Delete in reverse order
 	for i := len(ruleNums) - 1; i >= 0; i-- {
-		delCmd := exec.Command("iptables", "-D", "FORWARD", ruleNums[i])
-		delCmd.SysProcAttr = &syscall.SysProcAttr{
-			AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-		}
+		delCmd := newIPTablesCommand("-D", "FORWARD", ruleNums[i])
 		delCmd.Run() // ignore error
 	}
 }
@@ -460,19 +448,13 @@ func (m *manager) ensureDockerForwardJump(ctx context.Context) {
 	log := logger.FromContext(ctx)
 
 	// Check if DOCKER-FORWARD chain exists (Docker is installed and configured)
-	checkChain := exec.Command("iptables", "-L", "DOCKER-FORWARD", "-n")
-	checkChain.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	checkChain := newIPTablesCommand("-L", "DOCKER-FORWARD", "-n")
 	if checkChain.Run() != nil {
 		return // Chain doesn't exist — Docker not installed or not configured
 	}
 
 	// Check if jump already exists in FORWARD
-	checkJump := exec.Command("iptables", "-C", "FORWARD", "-j", "DOCKER-FORWARD")
-	checkJump.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	checkJump := newIPTablesCommand("-C", "FORWARD", "-j", "DOCKER-FORWARD")
 	if checkJump.Run() == nil {
 		return // Jump already present
 	}
@@ -481,10 +463,7 @@ func (m *manager) ensureDockerForwardJump(ctx context.Context) {
 	// Insert right after hypeman's last rule so the jump is evaluated before any
 	// explicit DROP/REJECT rules that an external firewall tool may have added.
 	insertPos := m.lastHypemanForwardRulePosition() + 1
-	addJump := exec.Command("iptables", "-I", "FORWARD", fmt.Sprintf("%d", insertPos), "-j", "DOCKER-FORWARD")
-	addJump.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	addJump := newIPTablesCommand("-I", "FORWARD", fmt.Sprintf("%d", insertPos), "-j", "DOCKER-FORWARD")
 	if err := addJump.Run(); err != nil {
 		log.WarnContext(ctx, "failed to restore Docker FORWARD chain jump", "error", err)
 		return
@@ -496,10 +475,7 @@ func (m *manager) ensureDockerForwardJump(ctx context.Context) {
 // lastHypemanForwardRulePosition returns the line number of the last hypeman-managed
 // rule in the FORWARD chain, or 0 if none are found.
 func (m *manager) lastHypemanForwardRulePosition() int {
-	cmd := exec.Command("iptables", "-L", "FORWARD", "--line-numbers", "-n", "-v")
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		AmbientCaps: []uintptr{unix.CAP_NET_ADMIN},
-	}
+	cmd := newIPTablesCommand("-L", "FORWARD", "--line-numbers", "-n", "-v")
 	output, err := cmd.Output()
 	if err != nil {
 		return 0

skills/test-agent/agents/test-agent/NOTES.md

@@ -259,6 +259,41 @@
   - Run 1: pass (`lib/instances` 193.279s)
   - Run 2: pass (`lib/instances` 261.633s)
   - Run 3: pass (`lib/instances` 173.573s)
+
+## 2026-04-07 - PR #184 follow-up CI round on `codex/standby-compression-delay`
+
+### Initial CI red signature
+- Linux `test` job failed on `TestDockerForwardChainRestored`.
+- Failure:
+  - `ensureDockerForwardJump should have restored the DOCKER-FORWARD jump`
+  - raw `iptables -C FORWARD -j DOCKER-FORWARD` exited non-zero in the test after re-initialization.
+
+### Root cause and fix
+- The Docker-forward recovery path and the test both used plain `iptables` invocations with no wait for the xtables lock.
+- Under parallel CI activity, a transient lock holder can cause checks/deletes/inserts to fail immediately and make the test observe a missing rule even though the recovery logic is otherwise correct.
+- Fix:
+  - Added a small `newIPTablesCommand` helper in `lib/network/bridge_linux.go` that uses `iptables -w 5 ...` with the existing `CAP_NET_ADMIN` setup.
+  - Switched the bridge NAT/FORWARD rule management and `ensureDockerForwardJump` commands to that helper.
+  - Updated `TestDockerForwardChainRestored` in `lib/instances/network_test.go` to use `iptables -w 5` for its direct host-global mutations/checks.
+
+### Secondary flake surfaced during Deft reruns
+- A subsequent Deft full-suite rerun exposed a post-restore guest exec race in `TestCloudHypervisorStandbyRestoreCompressionScenarios`:
+  - `receive response (stdout=0, stderr=0): rpc error: code = DeadlineExceeded desc = stream terminated by RST_STREAM with error code: CANCEL`
+- The compression integration harness was only waiting for the exec agent socket and then issuing marker reads/writes immediately after restore.
+- Fix:
+  - Added a no-op post-restore guest exec readiness probe in `waitForRunningAndExecReady`.
+  - Added a small retry wrapper for the compression integration test’s guest marker read/write commands so transient post-restore transport resets do not fail the scenario immediately.
+
+### Validation
+- Deft targeted loop:
+  - `go test -count=20 -run '^TestDockerForwardChainRestored$' -v ./lib/instances`
+  - Result: pass
+- Deft targeted loop:
+  - `go test -count=10 -run '^TestCloudHypervisorStandbyRestoreCompressionScenarios$' -tags containers_image_openpgp -timeout=30m ./lib/instances`
+  - Result: pass
+- Local sanity:
+  - `go test ./lib/instances -count=1`
+  - Result: pass (`117.538s`)
   - `exec-agent not ready for instance ... within 15s (last state: Initializing)`
 
 ### Additional flakes reproduced during Deft full-suite verification