This reverts commit 532183a7.

ESR is really old and it seems that issues in Firefox were removed in
the end.

This switches to stable Firefox. There are some issues with bleeding
edge Firefox and we should ensure that we work with stable version more
than with newest one.

This implements dedicated Selenium container class as an extension to
LXD Container. This class provides easy access to Selenium drivers for
selected browser.
The special hack in Selenium extended Container class is that it is able
to run vncviewer on its start. This is controlled by class variable that
can be set for nsfasrm run. This way developer can select to see what is
happening on virtual desktop browsers are spawned to.

With all this there is also need to store some screenshots as part of
failed or even standard execution of tests. The screenshot fixture was
created for this purpose. It hides some ugliness of screenshot saving.

Minor but notable tweak here is addition of shell property to
container. The idea is to prevent spawning of multiple one-time use
shells we do for wait commands. The regular usage for testing is
discouraged.

This is image that can be used to test web interface.

It is based on client container but we do not want to put this as part
of it. It generates pretty big image and in most tests it is not
necessary to start web drivers.

The container itself provides driver for Chrome (Chromium) and Firefox
browsers.
There is also driver for WebKit but it does not work, it crashes right
now so it is there just for the future once something is fixed in
upstream or we found out what we are doing wrong.

The Alpine Linux creates /dev/shm using init script devfs but that is
not run in container. It won't even run correctly in container. That
makes /dev/shm unavailable but we need it in some cases and thus this is
hacky script that adds just very small init script that creates it.

Jan Miksik authored May 25, 2021 and Karel Koci committed Jun 22, 2021

Added basic throughput tests for basic testing.
Test is run for 60 seconds and checks if the speed is at least
400 Mbps.
It also checks min/max of 10s chunks.
And checks if some of chunks is under the limit - raises warning.
Prints the speeds to output log.

This is simple test on OpenWrt as well as on Alpine of nsfarm's Shell
abstraction.

Karel Koci authored Mar 22, 2021 and Karel Koci committed Apr 13, 2021

This changes the order of setup. The original pretty much relied on
configuration change happening before service actually started and
system booted. This of course can't be ensured and is pretty fragile.

In general we can change file access or any file content without waiting
for system boot but once we want to communicate with services or to
access the Internet we need to wait for system to actually boot.

The clean effect here is the need to reload networking service once we
modify interfaces after boot. This should have always been there.

Karel Koci authored Mar 19, 2021 and Karel Koci committed Apr 13, 2021

These tests aim to check if firewall is well configured in such a way
attackers can be caught by Sentinel.

Karel Koci authored Mar 18, 2021 and Karel Koci committed Apr 13, 2021

This removes concept of exclusive device. The only use of it was to pass
exclusive access to network interface but that is not essentially
required as it is even more versatile to use macvlan as thus we can
easily spawn multiple containers to simulate network.
The only known use for physical device pass trough and thus exclusive is
Wi-Fi. It won't be possible to use macvlan for it. At the same time this
is not an issue as it is not expected that we are going to be reusing
this interface in single tests run multiple times over and over. In the
end there is no need to automatically suspend containers to steal
devices as it has been implemented (and in reality not finished).

The introduced device management now required all devices to be defined
in image as attributes. This gives image definition control over name of
this device in container. It is up to container user to assign
appropriate real device for it. This is done using device map that is
simply pair of attribute and real device specifier. This concept can be
in future expanded to even encode additional configuration if have need
for it.

Karel Koci authored Mar 30, 2021 and Karel Koci committed Mar 30, 2021

This explicitly enables DNSSEC validation and adds additional option to
conform to RFC1035.
It also uses named.ca file shipped as part of package as root hints.
We can safely left out `listen-on` as `listen-on-v6` uses dual-stack and
thus listens on IPv4 as well as on IPv6.

And the last but the most important change is disable of IPv6. This
solves issues on IPv4 only network but IPv6 once we begin to support
IPv6 we should allow disable/removal of this line.

Karel Koci authored Mar 29, 2021 and Karel Koci committed Mar 30, 2021

This fixes commit: 57f0b251
It added Bind as ISP's DNS resolver but open in firewall was missing.

There is change that adds device exclusivity. Only for few devices we
need exclusive passtrough to container. In most cases it is enough to
pass only access to that device.

Another change is that there is possibility to specify parameter for
images. At the moment this allows only passtrough of Unix character
devices but that can be expanded in the future.

Upstream seem to have fixed invalid init script in iperf3-openrc package
so now this hack is no longer required.

This is now only initial implementation. There should be also
specification of board and more but that is going to be added later on
once we are able to run tests on more than one board.

First network test in set was in some probability failing. This just
adds dummy sleep to stabilize network before tests are executed.

This also incorporates feedback from ongoing review.

It makes no sense as we reset access rights either way. Let's just check
if it is standard file and that is it.

This is initial documentation describing parts of NSFarm that are
already known and are expected to be exactly that way.