Test Suite - Docker: Difference between revisions
(Created page with "<pre> # install docker 1.3 yum -y remove docker yum -y install docker-io yum -y update docker-io systemctl start docker systemctl enable docker wget -O /usr/local/bin/pipewo...") |
No edit summary |
||
(39 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
Libreswan testing suite docker adventures. | |||
'''Everything below runs as root on Fedora 26''' | |||
== Setting up the host == | |||
=== Prerequisites === | |||
The swantest need Python 3.3 or later. It is necessary for subprocess to deal with 100s of threads/processes. Also pexpect is works better in 3.3. | |||
<pre> | <pre> | ||
# install docker | #swantest depend on python 3.3 or later | ||
dnf install python3-setproctitle python3-pexpect | |||
# install docker image of Fedora 28 | |||
dnf -y install docker | |||
systemctl start docker.service | |||
systemctl enable docker.service | |||
systemctl start docker | |||
systemctl enable docker | |||
wget -O /usr/local/bin/pipework https://github.com/jpetazzo/pipework/raw/master/pipework | wget -O /usr/local/bin/pipework https://github.com/jpetazzo/pipework/raw/master/pipework | ||
chmod a+x /usr/local/bin/pipework | chmod a+x /usr/local/bin/pipework | ||
cd /home/build/ | |||
# | # clone an up to date libreswan tree from somewhere to /home/build/ | ||
cd /home/build/libreswan/testing/docker/ | cd /home/build/libreswan/testing/docker/ | ||
# check authorized_keys file edit or add your your keys in there | |||
cd /home/build/libreswan | |||
sudo make DISTRO=fedora DISTRO_REL=28 docker-image | |||
# coffee break. It will download Fedora 28 + about 200 packages. It may take 15 minutes or more | |||
# my experience on blueswan real 15m18.893s user 0m0.123 sys 0m0.057s | |||
# make sure the host has netkey stack loaded | |||
ipsec _stackmanager start --netkey | |||
ipsec version |grep klips && echo you need netkey | |||
cd /home/build/libreswan/ | |||
cd /home/build/libreswan/testing/pluto/ikev2-37-docker-rw | |||
../../utils/swantest --docker | |||
iptables -F ; the iptable rules on host and docker may interfere with IKE or ESP | |||
</pre> | |||
=== setup tcpdump permissions on the host === | |||
https://libreswan.org/wiki/Test_Suite#tcpdump_permissions_on_the_Host | |||
== Docker related diagnostics commands == | |||
<pre> | <pre> | ||
# show running docker containers | |||
docker ps -a | |||
# check if you have a proper docker installation? | |||
docker images | |||
# stop ALL containers | |||
docker stop $(docker ps -a -q) | |||
docker rm $(docker ps -a -q) | |||
# if your tests it create a bunch of bridge devices too. Not all of them are cleaned up. | |||
brctl show | |||
</pre> | |||
=== Check if you got correct image === | |||
<pre> | <pre> | ||
docker | cd /home/build/libreswan/testing/docker | ||
docker | |||
docker build -t swanbase . | |||
root@jes:/home/build/libreswan/testing/docker# docker images | |||
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE | |||
swanbase latest d02d76e98391 2 days ago 2.986 GB | |||
docker.io/fedora 22 ded7cd95e059 3 months ago 186.5 MB | |||
</pre> | </pre> | ||
=== Manually update the swanbase (base docker image) === | |||
Start the docker image by hand. Note this instance will have access to network, via bridge docker0 | |||
<pre> | |||
docker run -h swan --privileged --name swan -v /home/build/libreswan:/home/build/libreswan -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d swanbase /usr/sbin/init | |||
docker exec -ti swan /bin/bash | |||
dnf -y update | |||
# now commit the images as tag swanbase. | |||
docker ps ; to see image id | |||
docker commit <docker id> swanbase | |||
# to stop this instance | |||
docker stop --time=1 swan | |||
docker rm swan | |||
=== Notes === | |||
# currently support install rpms (on both initiator and responder). May be separate options so can have different version on both sides. | |||
# Add strongswan package or just install runtime? or keep different image? | |||
# delete brige interfaces after the test is done | |||
# option to clean up all bridges? | |||
# make install for docker. support "ipsec start" in Docker |
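Review bot: `iptables -F ; the iptable rules on host and docker may interfere with IKE or ESP` at the end of the Prerequisites block and `docker ps ; to see image id` in the manual-update block use `;` where a comment is meant, so a reader who pastes them runs `the` and `to` as commands after the real one; change both to `#`. The `iptables -F` line also flushes every rule on the host, so suggest an `iptables-save` to a file before it. The `<pre>` opened before `docker run -h swan --privileged ...` has no `</pre>` among the visible lines before `=== Notes ===`, which would pull the Notes heading into the code block.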
Latest revision as of 16:20, 4 April 2019
Libreswan testing suite docker adventures.
Everything below runs as root on Fedora 26
Setting up the host
Prerequisites
swantest needs Python 3.3 or later. This is necessary for subprocess to deal with 100s of threads/processes. Also, pexpect works better in 3.3.
<pre>
# swantest depends on python 3.3 or later
dnf install python3-setproctitle python3-pexpect
# install docker image of Fedora 28
dnf -y install docker
systemctl start docker.service
systemctl enable docker.service
wget -O /usr/local/bin/pipework https://github.com/jpetazzo/pipework/raw/master/pipework
chmod a+x /usr/local/bin/pipework
cd /home/build/
# clone an up to date libreswan tree from somewhere to /home/build/
cd /home/build/libreswan/testing/docker/
# check the authorized_keys file; edit it or add your keys in there
cd /home/build/libreswan
sudo make DISTRO=fedora DISTRO_REL=28 docker-image
# coffee break. It will download Fedora 28 + about 200 packages. It may take 15 minutes or more
# my experience on blueswan: real 15m18.893s user 0m0.123 sys 0m0.057s
# make sure the host has netkey stack loaded
ipsec _stackmanager start --netkey
ipsec version |grep klips && echo you need netkey
cd /home/build/libreswan/
cd /home/build/libreswan/testing/pluto/ikev2-37-docker-rw
../../utils/swantest --docker
iptables -F # the iptables rules on host and docker may interfere with IKE or ESP
</pre>
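The `wget` step above installs a script from the `master` branch into root's PATH without checking what was downloaded. As an added example (not part of the original page), this verifies the file against a pinned SHA-256 before installing it; the commit and hash in the usage comment are placeholders to fill in after reviewing the script, and `install_verified` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: install a downloaded script only if it matches a pinned SHA-256.

# install_verified FILE EXPECTED_SHA256 DEST
# Copies FILE to DEST with mode 0755 when the hash matches; returns 1 otherwise
# and leaves DEST untouched.
install_verified() {
    file=$1
    expected=$2
    dest=$3
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# Intended use on the host (placeholders, not real values):
#   tmp=$(mktemp)
#   wget -O "$tmp" "https://github.com/jpetazzo/pipework/raw/<PINNED_COMMIT>/pipework"
#   install_verified "$tmp" "<PINNED_SHA256>" /usr/local/bin/pipework
```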
setup tcpdump permissions on the host
https://libreswan.org/wiki/Test_Suite#tcpdump_permissions_on_the_Host
Docker related diagnostics commands
<pre>
# show docker containers (-a includes stopped ones)
docker ps -a
# check that you have a proper docker installation
docker images
# stop and remove ALL containers
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)
# running the tests creates a bunch of bridge devices too. Not all of them are cleaned up.
brctl show
</pre>
Check if you got correct image
<pre>
cd /home/build/libreswan/testing/docker
docker build -t swanbase .
root@jes:/home/build/libreswan/testing/docker# docker images
REPOSITORY         TAG      IMAGE ID       CREATED        VIRTUAL SIZE
swanbase           latest   d02d76e98391   2 days ago     2.986 GB
docker.io/fedora   22       ded7cd95e059   3 months ago   186.5 MB
</pre>
Manually update the swanbase (base docker image)
Start the docker image by hand. Note that this instance will have access to the network via bridge docker0.
<pre>
docker run -h swan --privileged --name swan -v /home/build/libreswan:/home/build/libreswan -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d swanbase /usr/sbin/init
docker exec -ti swan /bin/bash
# inside the container:
dnf -y update
# back on the host: now commit the container as image tag swanbase.
docker ps # to see the container id
docker commit <docker id> swanbase
# to stop this instance
docker stop --time=1 swan
docker rm swan
</pre>
Notes
# currently supports installing rpms (on both initiator and responder). Maybe add separate options so the two sides can have different versions.
# Add strongswan package or just install runtime? or keep a different image?
# delete bridge interfaces after the test is done
# option to clean up all bridges?
# make install for docker. support "ipsec start" in Docker
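For the leftover bridges mentioned under the diagnostics commands and in the notes above, an added example (not part of the original page or the libreswan tree) that picks cleanup candidates out of `brctl show` output. It assumes a leftover bridge is one with no attached interfaces and always keeps `docker0`; the `swan-*` bridge names in the sample are constructed.

```shell
#!/bin/sh
# Added example: list bridges left behind by test runs, then remove them.
# Assumption: a leftover bridge has no attached interfaces. docker0 is always kept.

# Read `brctl show` output on stdin and print the names of empty bridges.
empty_bridges() {
    awk '
        NR == 1  { next }                        # column header
        /^[ \t]/ { next }                        # continuation line: extra interface of the previous bridge
        NF == 3 && $1 != "docker0" { print $1 }  # name, id, STP and no interface column
    '
}

# Constructed sample output (not captured from a real host).
sample_brctl_output() {
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
    printf 'docker0\t\t8000.0242ac110001\tno\t\tveth1a2b3c4\n'
    printf '\t\t\t\t\t\tveth5d6e7f8\n'
    printf 'swan-east\t8000.000000000000\tno\n'
    printf 'swan-west\t8000.0242ac110002\tno\t\tveth9a8b7c6\n'
    printf 'swan-old\t8000.000000000000\tno\n'
}

# Take down and delete every empty bridge currently on the host (run as root).
remove_empty_bridges() {
    brctl show | empty_bridges | while read -r br; do
        echo "removing $br"
        ip link set dev "$br" down && brctl delbr "$br"
    done
}

# Dry run on the sample; call remove_empty_bridges by hand once the list looks right.
sample_brctl_output | empty_bridges
```

On a real host, check the output of `brctl show | empty_bridges` first, since bridges created by other tools also appear there when they have no interfaces attached.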