I am writing an Ansible role and testing it with molecule on LXD containers running on Travis CI (on a google compute instance, not in a docker container)
My role sets some very basic iptables rules:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
When I test this role with molecule, it creates an unprivileged containers running Ubuntu 18.04 and applies the role to it to simulate applying the role to an actual host. Then testinfra runs and inspects the state of the system within the container to compare it to test cases I wrote. I have remapped the uid and gid both on my local system and on Travis for the lxd and root users to 1000000000.
The issue is that testing this way works perfectly locally, but if I get the exact same test to run on Travis then it can’t access any destination on the internet anymore from within the container (network unreachable). This only happens after applying the firewall rules above, it works fine before.
I’d like to debug what’s going on, and the easiest way is to use the TRACE or at least the LOG targets in iptables. But it looks like these aren’t available in the container: the packet count goes up for LOG and TRACE rules, but it doesn’t seem to output anything anywhere (/var/log/kern.log doesn’t even exist in the container, and there is no output relating to these rules on the host.)
How do I get iptables from within the containers to output data from the TRACE and LOG targets?