test: support socket activation in test harness

Author: csssuf

Containerfile

@@ -1,6 +1,6 @@
 # Multi-stage build for envoy-acme-xds
 # Stage 1: Build dependencies and cache them
-FROM docker.io/rust:1.85-bookworm AS chef
+FROM docker.io/rust:1.93-bookworm AS chef
 RUN cargo install cargo-chef
 WORKDIR /app
 

Containerfile.systemd

@@ -0,0 +1,51 @@
+# Multi-stage build for envoy-acme-xds with systemd socket activation
+# Stage 1: Build dependencies and cache them
+FROM docker.io/rust:1.93-bookworm AS chef
+RUN cargo install cargo-chef
+WORKDIR /app
+
+# Stage 2: Prepare recipe (dependency manifest)
+FROM chef AS planner
+COPY Cargo.toml Cargo.lock ./
+COPY src ./src
+RUN cargo chef prepare --recipe-path recipe.json
+
+# Stage 3: Build dependencies (cached layer)
+FROM chef AS builder
+COPY --from=planner /app/recipe.json recipe.json
+RUN cargo chef cook --release --recipe-path recipe.json
+
+# Build the application
+COPY Cargo.toml Cargo.lock ./
+COPY src ./src
+RUN cargo build --release
+
+# Stage 4: Runtime image with systemd
+FROM docker.io/debian:bookworm AS runtime
+ENV container=podman
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    systemd \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create directories for config and data
+RUN mkdir -p \
+    /var/lib/envoy-acme-xds \
+    /var/run \
+    /etc/envoy-acme-xds \
+    /usr/local/share/ca-certificates \
+    /etc/systemd/system/sockets.target.wants
+
+# Copy the binary
+COPY --from=builder /app/target/release/envoy-acme-xds /usr/local/bin/envoy-acme-xds
+
+# Install systemd units
+COPY test/systemd/envoy-acme-xds.socket /etc/systemd/system/envoy-acme-xds.socket
+COPY test/systemd/envoy-acme-xds.service /etc/systemd/system/envoy-acme-xds.service
+
+# Enable socket activation
+RUN ln -s /etc/systemd/system/envoy-acme-xds.socket /etc/systemd/system/sockets.target.wants/envoy-acme-xds.socket
+
+STOPSIGNAL SIGRTMIN+3
+CMD ["/bin/systemd"]

compose.systemd.yaml

@@ -0,0 +1,17 @@
+services:
+  xds-server:
+    build:
+      context: .
+      dockerfile: Containerfile.systemd
+    command: ["/bin/systemd"]
+    privileged: true
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+      - xds-data:/var/lib/envoy-acme-xds
+      - ./test/xds-config-systemd.yaml:/etc/envoy-acme-xds/config.yaml:ro,Z
+      - ./certificates/pebble-ca.pem:/etc/envoy-acme-xds/ca.pem:ro,z
+    environment:
+      container: podman

compose.yaml

@@ -35,8 +35,8 @@ services:
       - "site-b.example.com:172.28.0.10"
       - "api.example.com:172.28.0.10"
     volumes:
-      - ./test/pebble:/test/config:ro
-      - ./certificates:/test/certs:ro
+      - ./test/pebble:/test/config:ro,Z
+      - ./certificates:/test/certs:ro,z
     ports:
       - "14000:14000"  # ACME directory
       - "15000:15000"  # Management interface
@@ -52,8 +52,8 @@ services:
       dockerfile: Containerfile
     volumes:
       - xds-data:/var/lib/envoy-acme-xds
-      - ./test/xds-config.yaml:/etc/envoy-acme-xds/config.yaml:ro
-      - ./certificates/pebble-ca.pem:/etc/envoy-acme-xds/ca.pem:ro
+      - ./test/xds-config.yaml:/etc/envoy-acme-xds/config.yaml:ro,Z
+      - ./certificates/pebble-ca.pem:/etc/envoy-acme-xds/ca.pem:ro,z
     environment:
       RUST_LOG: "envoy_acme_xds=debug,tower=debug,tonic=debug,h2=debug,info"
     networks:
@@ -66,11 +66,12 @@ services:
   # Envoy proxy
   envoy:
     image: docker.io/envoyproxy/envoy:v1.32-latest
-    command: ["envoy", "-c", "/etc/envoy/envoy.yaml", "--log-level", "info"]
+    entrypoint: ["envoy"]
+    command: ["-c", "/etc/envoy/envoy.yaml", "--log-level", "info"]
     user: "0:0"  # Run as root to bind to privileged ports
     volumes:
       - xds-data:/var/lib/envoy-acme-xds
-      - ./test/envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro
+      - ./test/envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro,Z
     ports:
       - "8080:5001"  # HTTP (for ACME challenges) - host:container
       - "8443:8443"  # HTTPS

test/README.md

@@ -18,6 +18,9 @@ This directory contains the configuration and scripts needed to run a fully cont
 # Run the full test suite
 ./test/run-test.sh
 
+# Run the systemd socket activation test
+./test/run-test.sh --systemd
+
 # Run tests and keep containers running for debugging
 ./test/run-test.sh --keep
 
@@ -193,6 +196,10 @@ test/
 ├── cleanup.sh             # Cleanup and reset script
 ├── verify-validation.sh   # Verification script for real ACME validation
 ├── xds-config.yaml        # XDS server configuration
+├── xds-config-systemd.yaml # XDS server config for systemd socket activation
+├── systemd/
+│   ├── envoy-acme-xds.service
+│   └── envoy-acme-xds.socket
 ├── envoy/
 │   └── envoy.yaml         # Envoy bootstrap configuration
 └── pebble/

test/run-test.sh

@@ -27,6 +27,7 @@ log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
 # Parse arguments
 KEEP_RUNNING=false
 REBUILD=false
+SYSTEMD_MODE=false
 while [[ $# -gt 0 ]]; do
     case $1 in
         --keep|-k)
@@ -37,12 +38,17 @@ while [[ $# -gt 0 ]]; do
             REBUILD=true
             shift
             ;;
+        --systemd|-s)
+            SYSTEMD_MODE=true
+            shift
+            ;;
         --help|-h)
             echo "Usage: $0 [OPTIONS]"
             echo ""
             echo "Options:"
             echo "  --keep, -k     Keep containers running after tests"
             echo "  --rebuild, -r  Force rebuild of containers"
+            echo "  --systemd, -s  Run systemd socket activation test"
             echo "  --help, -h     Show this help message"
             exit 0
             ;;
@@ -55,6 +61,11 @@ done
 
 cd "${PROJECT_DIR}"
 
+COMPOSE_FILES=(-f compose.yaml)
+if [[ "${SYSTEMD_MODE}" == "true" ]]; then
+    COMPOSE_FILES+=(-f compose.systemd.yaml)
+fi
+
 # Step 1: Generate certificates if needed
 if [[ ! -f "${CERT_DIR}/pebble-ca.pem" ]]; then
     log_info "Generating test certificates..."
@@ -70,7 +81,7 @@ if [[ "${REBUILD}" == "true" ]]; then
     BUILD_ARGS="--build"
 fi
 
-podman compose up -d ${BUILD_ARGS}
+podman compose "${COMPOSE_FILES[@]}" up -d ${BUILD_ARGS}
 
 # Step 3: Wait for services to be ready
 log_info "Waiting for services to be ready..."
@@ -138,6 +149,14 @@ run_test "Envoy has LDS listeners" \
 run_test "Envoy has CDS clusters" \
     'curl -sf http://localhost:9901/config_dump | grep -q "xds_cluster"'
 
+if [[ "${SYSTEMD_MODE}" == "true" ]]; then
+    run_test "Systemd socket active" \
+        'podman exec xds-server systemctl is-active envoy-acme-xds.socket | grep -q "active"'
+
+    run_test "Systemd service active" \
+        'podman exec xds-server systemctl is-active envoy-acme-xds.service | grep -q "active"'
+fi
+
 # Test: HTTP port is responding
 run_test "Envoy HTTP port" \
     'curl -sf -o /dev/null -w "%{http_code}" http://localhost:8080/ 2>/dev/null | grep -qE "^(200|301|302|308)$"'
@@ -163,7 +182,7 @@ if [[ "${KEEP_RUNNING}" == "true" ]]; then
     echo "  - Pebble ACME:   https://localhost:14000/dir"
 else
     log_info "Stopping containers..."
-    podman compose down
+    podman compose "${COMPOSE_FILES[@]}" down
 fi
 
 # Exit with appropriate code

test/systemd/envoy-acme-xds.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=envoy-acme-xds service
+After=network.target
+Requires=envoy-acme-xds.socket
+
+[Service]
+Type=simple
+Environment=RUST_LOG=envoy_acme_xds=debug,tower=debug,tonic=debug,h2=debug,info
+ExecStartPre=/bin/sh -c 'if [ -f /etc/envoy-acme-xds/ca.pem ]; then cp /etc/envoy-acme-xds/ca.pem /usr/local/share/ca-certificates/custom-ca.crt && update-ca-certificates 2>/dev/null || true; fi'
+ExecStartPre=/bin/sh -c 'chown -R root:root /var/lib/envoy-acme-xds 2>/dev/null || true'
+ExecStart=/usr/local/bin/envoy-acme-xds /etc/envoy-acme-xds/config.yaml
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

test/systemd/envoy-acme-xds.socket

@@ -0,0 +1,10 @@
+[Unit]
+Description=envoy-acme-xds socket
+
+[Socket]
+ListenStream=/var/lib/envoy-acme-xds/envoy-xds.sock
+SocketMode=0777
+Service=envoy-acme-xds.service
+
+[Install]
+WantedBy=sockets.target