cmd/buildlet: find iptables on newer systems, via PATH

iptables may be installed as /usr/sbin/iptables or as /sbin/iptables,
depending on the distribution and its age. Prefer to look for it via
the PATH environment variable.

Also prefer explicitly picking iptables-legacy when available, since
on newer systems "iptables" may default to the newer nftables syntax.

Also block port 80 while here, and update dashboard test data.

Fixes golang/go#51444.

Change-Id: I7b0b622502cb88d7c576c1b18a80a9636467d4ea
Reviewed-on: https://go-review.googlesource.com/c/build/+/418792
Reviewed-by: Heschi Kreinick <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

Author: dmitshur

cmd/buildlet/buildlet.go

@@ -2010,13 +2010,23 @@ func disableOutboundNetwork() {
 }
 
 func disableOutboundNetworkLinux() {
-	const iptables = "/sbin/iptables"
+	iptables, err := exec.LookPath("iptables-legacy")
+	if err != nil {
+		// Some older distributions, such as Debian Stretch, don't yet have nftables,
+		// so "iptables" gets us the legacy version whose rules syntax is used below.
+		iptables, err = exec.LookPath("iptables")
+		if err != nil {
+			log.Println("disableOutboundNetworkLinux failed to find iptables:", err)
+			return
+		}
+	}
 	const vcsTestGolangOrgIPOnVM = "35.184.38.56" // vcs-test.golang.org, on previous VM
 	runOrLog(exec.Command(iptables, "-I", "OUTPUT", "1", "-m", "state", "--state", "NEW", "-d", vcsTestGolangOrgIPOnVM, "-p", "tcp", "-j", "ACCEPT"))
 	const vcsTestGolangOrgIP = "34.110.184.62" // vcs-test.golang.org, on GKE
 	runOrLog(exec.Command(iptables, "-I", "OUTPUT", "1", "-m", "state", "--state", "NEW", "-d", vcsTestGolangOrgIP, "-p", "tcp", "-j", "ACCEPT"))
 	runOrLog(exec.Command(iptables, "-I", "OUTPUT", "2", "-m", "state", "--state", "NEW", "-d", "10.0.0.0/8", "-p", "tcp", "-j", "ACCEPT"))
 	runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "443", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
+	runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "80", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
 	runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "22", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
 }
 

dashboard/builders_test.go

@@ -125,7 +125,7 @@ func TestTrybots(t *testing.T) {
 		},
 		{
 			repo:   "go",
-			branch: "release-branch.go1.17",
+			branch: "release-branch.go1.18",
 			want: []string{
 				"freebsd-amd64-12_3",
 				"js-wasm",
@@ -163,7 +163,7 @@ func TestTrybots(t *testing.T) {
 		},
 		{
 			repo:   "go",
-			branch: "release-branch.go1.16",
+			branch: "release-branch.go1.17",
 			want: []string{
 				"freebsd-amd64-12_3",
 				"js-wasm",
@@ -173,6 +173,7 @@ func TestTrybots(t *testing.T) {
 				"linux-amd64-race",
 				"linux-arm-aws",
 				"linux-arm64-aws",
+				"openbsd-amd64-70",
 				"windows-386-2008",
 				"windows-386-2012",
 				"windows-amd64-2016",