Skip to content

POSTPONED: VPN from within container #126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 90 commits into
base: main
Choose a base branch
from
Draft

POSTPONED: VPN from within container #126

wants to merge 90 commits into from

Conversation

@oleschwen
Copy link
Collaborator

@oleschwen oleschwen commented Sep 30, 2025
edited
Loading

Test setup for connecting to VPN from inside the MediSwarm containers rather than on the host, including a setup for locally running an openvpn server. Postponed, as we do not need this for now.
The branch contains credentials used for the test setup, warnings about this can be ignored.

oleschwen added 30 commits August 18, 2025 10:54
@oleschwen
use consistent server name
43570a4
@oleschwen
scripts to start a dummy training from the startup kits
4c2ab1a
@oleschwen
skeleton for further tests
92ccb25
@oleschwen
added preflight checks (without checking their output so far)
cc2f8e5
@oleschwen
check if (source code for) license is available on github and if READ…
8f12780 
…ME contains certain keywords
@oleschwen
check if second startup kit can be built and contains expected files
76ebb4c
@oleschwen
check output of preflight checks
e4864b5
@oleschwen
check captured console output of swarm training and files created
58cfd91
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
b5f9ab6
@oleschwen
test pushing and pulling image to/from local docker registry
a67405e
@oleschwen
Revert "test pushing and pulling image to/from local docker registry"…
1e9cdcf 
…, this is very slow

This reverts commit a67405e.
@oleschwen
use defined variable rather than hard-coded name
c039c10
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
7dcb893
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
53be096
@oleschwen
renamed file for running integration tests
1cb5ad0
@oleschwen
refactored tests to be run in Docker: moved to separate scripts
2d3bdac
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
93a0c4e
@oleschwen
moved method to script for running integration tests
79cf7d6
@oleschwen
moved generating two sets of startup kits to script for integration t…
89b6d59 
…ests
@oleschwen
dedicated function to generate synthetic data
7590b26
@oleschwen
more meaningful name for method
4a7c078
@oleschwen
moved/merged cleanup to script for integration tests
e02911c
@oleschwen
moved test for running Docker/GPU preflight check, i.e., extended exi…
d67fa92 
…sting test by checking output
@oleschwen
moved method for running data access preflight check
c9ba141
@oleschwen
refactored so that individual steps (including cleanup) can be run se…
b1c72f5 
…parately
@oleschwen
integrated 3dcnn training in simulation mode in Docker in test
580b0c0
@oleschwen
let scripts fail on error
0d85a88
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
9602dda
@oleschwen
moved (last remaining) test of server and clients to script for integ…
f015f8b 
…ration tests
@oleschwen
removed unnecessary block
c6b9ec6
@oleschwen
check that dummy training ApC is available
1030d6c
@oleschwen
temporarily removed failing test from CI workflow
ce1207e
@oleschwen
test listing licenses
e086619
@oleschwen
Added test of pushing image to local registry (in separate Docker con…
79b1b0b 
…tainer) and pulling it from there.

This required additional changes:
* changed name of Docker image for testing to localhost:5000/…, which should also prevent accidental push
* parse name of Docker image from swarm project description yml rather than use hard-coded name
* extended "delete old image versions" script accordingly
@oleschwen
removed lengthy test step that does not provide much value from CI pi…
90794d8 
…peline
@oleschwen
more speaking names of the CI test steps
8278720
@oleschwen
fixed syntax of workflow
f4470b9
@oleschwen
do not need -it for listing licenses
095c1b7
@oleschwen
implemented test that client with incorrect startup kit cannot connect
02ff284
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
e3533ce
@oleschwen
added file forgotten in 02ff284
71cc567
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
e027f6f
@oleschwen
Merge branch 'main' into 104-testing-startup-kits
01ce7a1
@oleschwen
Implemented test setup for swarm nodes to connect to locally hosted V…
25e7322 
…PN from within the container.

Currently requires manual steps (at least building the VPN container) for the test to succeed and will need to be adapted for productive VPN use.

* install packages for OpenVPN and debugging in ODELIA container
* changed docker run arguments for swarm nodes to be able to open VPN connection from within (currently as root, to be reconsidered)
* setup for building and VPN container, creating OpenVPN certificates (one fixed set committed), running VPN container
* swarm server now named testserver.local, but this name only needs to be reachable in the containers
* VPN container is assumed to be reachable on host at 172.17.0.1 from other containers
* changed ports for nvflare server to avoid interference with productive servers
* noted TODOs
* added integration test checking that and documenting how this works
@oleschwen
ensure that VPN docker image exists before starting server
cc7f7d8
@oleschwen oleschwen linked an issue Sep 30, 2025 that may be closed by this pull request
Test VPN connection from within container #122
Open
@gitguardian
Copy link

gitguardian bot commented Sep 30, 2025
edited
Loading

⚠️ GitGuardian has uncovered 5 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
21197632 Triggered Generic Private Key 25e7322 tests/local_vpn/client_configs/admin@test.odelia_client.ovpn View secret
21197633 Triggered Generic Private Key 25e7322 tests/local_vpn/client_configs/client_B_client.ovpn View secret
21197634 Triggered Generic Private Key 25e7322 tests/local_vpn/client_configs/client_A_client.ovpn View secret
21197635 Triggered Generic Private Key 25e7322 tests/local_vpn/client_configs/testserver.local_client.ovpn View secret
21197636 Triggered Generic Private Key 25e7322 tests/local_vpn/server_config/server.key View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@oleschwen oleschwen force-pushed the dev-122-vpn-from-within-container branch from 255ad91 to 0d1f098 Compare September 30, 2025 12:46
@oleschwen oleschwen changed the title WIP VPN from within container POSTPONED: VPN from within container Oct 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Test VPN connection from within container

2 participants

@oleschwen