From 04dca5dada8c2d971ff3b54eeedc5ab6e53a29ac Mon Sep 17 00:00:00 2001 From: James O'Doherty Date: Thu, 4 Jun 2026 22:57:35 -0400 Subject: refactor: decouple namespace operations and improve test coverage - Introduce `namespace.Ops` interface to decouple `Manager` from system-level namespace operations, enabling easier unit testing via mocks. - Add unit tests for `internal/paths` to verify path resolution logic across different environment configurations. - Implement `EnsureBinary` helper in E2E tests to gracefully skip tests when `WG_WRAP_BIN` is not set, allowing `go test ./...` to pass in non-build environments. - Apply project-wide formatting and fix linting issues. --- internal/namespace/namespace.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'internal/namespace/namespace.go') diff --git a/internal/namespace/namespace.go b/internal/namespace/namespace.go index b05dea2..a50f70a 100644 --- a/internal/namespace/namespace.go +++ b/internal/namespace/namespace.go 
@@ -6,15 +6,15 @@ // scheduler, and to maintain encrypted UDP socket connectivity over the host's network, // wg-wrap employs an advanced bootstrap loop: // -// 1. Host-Bound Socket Creation: During the initial host-level start, a UDP socket is opened -// on 0.0.0.0:0 on the host, and its FD is stored in the environment (WG_WRAP_HOST_SOCKET_FD). -// 2. Helper Deployment: An embedded single-threaded C launcher is used to bridge the transition. -// 3. Namespace Transition: The process replaces itself with the C launcher via syscall.Exec. -// 4. Isolation: The launcher performs the unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET) -// sequence to isolate Mount, User, and Network environments. -// 5. Re-entry: The launcher then execvp's the original wg-wrap binary. -// 6. FDBind Tunnel Initialization: The second instance of wg-wrap wraps the host socket FD -// inside a custom FDBind struct to initialize wireguard-go. +// 1. Host-Bound Socket Creation: During the initial host-level start, a UDP socket is opened +// on 0.0.0.0:0 on the host, and its FD is stored in the environment (WG_WRAP_HOST_SOCKET_FD). +// 2. Helper Deployment: An embedded single-threaded C launcher is used to bridge the transition. +// 3. Namespace Transition: The process replaces itself with the C launcher via syscall.Exec. +// 4. Isolation: The launcher performs the unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET) +// sequence to isolate Mount, User, and Network environments. +// 5. Re-entry: The launcher then execvp's the original wg-wrap binary. +// 6. FDBind Tunnel Initialization: The second instance of wg-wrap wraps the host socket FD +// inside a custom FDBind struct to initialize wireguard-go. // // User Namespace Sequence: // To create a network namespace without root, wg-wrap follows the sequence: -- cgit v1.2.3
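Review bot: this hunk is a whitespace-only re-indentation of the doc comment's numbered list (gofmt's doc-comment normalisation), while the commit message describes a `namespace.Ops` interface, new `internal/paths` tests and an `EnsureBinary` E2E helper, none of which is visible in the 9 insertions / 9 deletions shown for `internal/namespace/namespace.go`; the "limited to" line indicates this view is filtered to one file, but the formatting change would still be easier to review if it were split out from the functional refactor into its own commit. Since the comment is being touched anyway, steps 1, 3, 5 and 6 together rely on the host UDP socket FD surviving two exec transitions (`syscall.Exec` into the C launcher, then `execvp` back into wg-wrap); stating explicitly that the socket must be opened without close-on-exec would document the invariant that makes `WG_WRAP_HOST_SOCKET_FD` usable after re-entry.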