Test Suite - Namespace: Difference between revisions

This is a quick guide to run libreswan tests under namespace. Be aware. the host would get lots of packages, need sudo without password permission

pre requists on the host

sudo without password

to check run "sudo bash -c true" if it does not ask for password you are good!

install testrun dependencies

# pre install check
sudo bash -c true
sudo make install-testing-rpm-dep:
make nsinstall #remember this will install a pluto on your host!!

run a test

#as single test
cd /home/build/libresswan/testing/pluto/basic-pluto-01
../../utils/nsrun --ns

testrun

# run possible tests from testing/pluto/TESTLIST
cd /home/build/libreswan
# another important step generate x509 certifcates
cd /home/build/libreswan/testing/x509/ && ./dist_certs.py && cd /home/build/libreswan/
make nsrun

unsupported tests

As of 2019 fall there are several tests that are hard to run in namespaces. Some can be possibly made to run could be hard and some impossible to run. I would put my initial guess, possibility to run in namespace, inside parenthesis.

• SELINUX testing (possible). It need more attention.

• audit based tests (impossible) : auditd and kenrel messages will all go to one log and hard to trackdown when running test. You don't know which side east or west generated the.

• FIPS tests and non fips tests (impossible)

This sounds like a challenge. I am not sure how far it will go. Mixing FIPS and non fips

• "audit", "dnsoe", "fips", "ipseckey", "dnssec", "interop", "klips", "ocsp", "seccomp", "strongswan"

The tests with above above works in name are igrnoed by narun in testrun. Some of them can possibly run in namespace. Some of these tests need extra software, such as strongswa -- default install of strongswan rpm will start with systemd. We need tricks make strongswan, unbound, nsd, ocsp etc to work.

• testing kernel messages. If there are any tests that cause kernel crash, bug or warn that will break the testrun.

• xfrmi (possible) there seems some issues when the devices are not cleaned up. You would need to reboot after a test.

• KLIPS (may be with 1M $)

future ideas

• tracking coredumps.

Currently when there is crash of say pluto, addcon, whack..there will be a coredump. However in namespace these coredumps are mixed up. A bit hard in some case to track core by east or west or another test. One idea is strictly track the pid. When we start whack we have follow the pid and track it.

• testing with different version. In theory this should be easy however need more work. One idea is bindmount /usr/local/libexec/ipsec

useful alias/fuction

NSENTER ()
{
    ns=$1;
    nsargs="--mount=/run/mountns/${ns} --net=/run/netns/${ns} --uts=/run/utsns/${ns}";
    NSENTER_CMD="/usr/bin/nsenter ${nsargs} ";
    sudo ${NSENTER_CMD} /bin/bash
}
to enter 
NSENTER east-basic-pluto-01

Details of Namespace testing