Test Suite - Docker: Difference between revisions

From Libreswan
No edit summary
No edit summary
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
Libreswan testing suite docker adventures.
Libreswan testing suite docker adventures.


'''Everything below runs as root on Fedora 20'''
'''Everything below runs as root on Fedora 26'''
 
== Setting up the host ==
 
=== Prerequisites ===
The swantest need Python 3.3 or later. It is necessary for subprocess to deal with 100s of threads/processes. Also pexpect is works better in 3.3.
 


<pre>
<pre>
#swantest depend on python 3.3 or later
#swantest depend on python 3.3 or later
dnf install python3-setproctitle python3-pexpect


yum install python3-setproctitle python3-pexpect
# install docker image of Fedora 28


# install docker 1.3
dnf -y install docker
yum -y remove docker
 
yum -y install docker-io bridge-utils
systemctl start docker.service
yum -y update docker-io
systemctl enable docker.service
systemctl start docker
systemctl enable docker


wget -O /usr/local/bin/pipework  https://github.com/jpetazzo/pipework/raw/master/pipework
wget -O /usr/local/bin/pipework  https://github.com/jpetazzo/pipework/raw/master/pipework
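Review bot: the `wget -O /usr/local/bin/pipework ... /raw/master/pipework` line kept at the end of this hunk fetches whatever is on the master branch at that moment and, since the page says everything runs as root, places it in root's PATH with no pinned commit and no checksum; suggest pinning the URL to a reviewed commit and checking a SHA-256 before installing. Separately, the new comment `# install docker image of Fedora 28` sits directly above `dnf -y install docker`, which installs the Docker package rather than an image, so the comment should say that. The added Prerequisites sentence also still reads "pexpect is works better".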
Line 20: Line 25:
cd /home/build/
cd /home/build/
# clone an up to date libreswan tree from somewhere to  /home/build/
# clone an up to date libreswan tree from somewhere to  /home/build/


cd /home/build/libreswan/testing/docker/
cd /home/build/libreswan/testing/docker/
# check authorized_keys file edit or add your your keys in there
# check authorized_keys file edit or add your your keys in there


docker build -t swanbase .
cd /home/build/libreswan
# coffee break. It will download Fedora 20 + about 200 packages  
sudo make DISTRO=fedora DISTRO_REL=28 docker-image
# my experience on swantest real 19m31.907s, on parallels vm from Toronto real 7m1.228s
 
# coffee break. It will download Fedora 28 + about 200 packages. It may take 15 minutes or more
# my experience on blueswan real 15m18.893s user 0m0.123  sys 0m0.057s


# make sure the host has netkey stack loaded  
# make sure the host has netkey stack loaded  
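Review bot: the new `sudo make DISTRO=fedora DISTRO_REL=28 docker-image` line uses sudo although the page states that everything below runs as root; drop the sudo or adjust that statement so readers can tell which steps actually need root. The `cd /home/build/libreswan/testing/docker/` step now exists only for the authorized_keys check, and the comment should say whether that file ends up in the image, since that decides who can log in to every container built from it. The comment also still says "your your keys".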
Line 33: Line 41:


cd /home/build/libreswan/
cd /home/build/libreswan/
make programs
cd /home/build/libreswan/testing/pluto/ikev2-37-docker-rw
cd /home/build/libreswan/testing/pluto/ikev2-37-docker-rw
../../utils/swantest --docker
../../utils/swantest --docker
iptables  -F ; the iptable rules on host and docker may interfere with IKE or ESP


</pre>
</pre>
=== setup tcpdump permissions on the host ===
https://libreswan.org/wiki/Test_Suite#tcpdump_permissions_on_the_Host


== Docker related diagnostics commands ==
== Docker related diagnostics commands ==
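Review bot: the added line `iptables  -F ; the iptable rules on host and docker may interfere with IKE or ESP` sits inside the pre block and uses `;` where a comment marker is meant, so a reader who pastes it runs `iptables -F` and then has the shell try to execute `the` as a command; use `#` for the explanation. It is also placed after the `swantest --docker` run although the explanation says the rules interfere with the test, and without a chain argument it flushes every chain of the host's filter table, which the text should state. The removal of `make programs` comes with no edit summary, so it is unclear whether the docker-image target now covers that step.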
Line 66: Line 79:
root@jes:/home/build/libreswan/testing/docker# docker images
root@jes:/home/build/libreswan/testing/docker# docker images
REPOSITORY          TAG                IMAGE ID            CREATED            VIRTUAL SIZE
REPOSITORY          TAG                IMAGE ID            CREATED            VIRTUAL SIZE
swanbase            latest              e8e73564a0ae       55 minutes ago     2.84 GB
swanbase            latest              d02d76e98391       2 days ago         2.986 GB
fedora             20                 7d3f07f8de5f       6 weeks ago         374.1 MB
docker.io/fedora   22                 ded7cd95e059       3 months ago       186.5 MB
</pre>
</pre>


=== Prerequisites ===
=== Manually update the swanbase (base docker image) ===
The swantest need Python 3.3 or later. It is necessary for subprocess to deal with 100s of threads/processes. Also pexpect is works better in 3.3.
Start the docker image by hand. Note this instance will have access to network, via bridge docker0
<pre>
docker run -h swan --privileged  --name swan -v /home/build/libreswan:/home/build/libreswan -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d swanbase /usr/sbin/init
 
docker exec -ti swan /bin/bash
dnf -y update
 
# now commit the images as tag swanbase.
 
docker ps ; to see image id
 
docker commit <docker id> swanbase
 


=== Attempt to run as user build
# to stop this instance
# run docker as user build
docker stop --time=1 swan
<pre>
docker rm swan
sudo groupadd docker
usermod -a -G docker build
</pre>


=== Notes ===
=== Notes ===
# currently support install rpms (on both initiator and responder). May be separate options so can have different version on both sides.
# currently support install rpms (on both initiator and responder). May be separate options so can have different version on both sides.
# Add strongswan package or just install runtime? or keep different image?
# Add strongswan package or just install runtime? or keep different image?
# take eth0  from docker bridge? currently docker has 3 ethernets eth0 (unused, bridged to docker) eth1 and eth2. this cause mismatch with kvm tests. they have eth0 and eth1
# delete brige interfaces after the test is done
# delete brige interfaces after the test is done
# option to clean up all bridges?
# option to clean up all bridges?
# make install for docker. support "ipsec start" in Docker
# make install for docker. support "ipsec start" in Docker
# run as user build
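Review bot: the new `docker run -h swan --privileged ... -d swanbase /usr/sbin/init` line starts the container privileged, with /home/build/libreswan bind-mounted without `:ro` and, per the accompanying note, with network access through docker0, and the result of `dnf -y update` is then committed back as swanbase; the section should say why --privileged is needed for an update run. `docker ps ; to see image id` repeats the `;`-as-comment problem (the shell will try to run `to`), and docker ps lists container ids, which is what `docker commit` takes. The revision also drops the "run as user build" section and note without leaving a pointer for readers who do not want to run the suite as root.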

Latest revision as of 16:20, 4 April 2019

Libreswan testing suite docker adventures.

Everything below runs as root on Fedora 26

Setting up the host

Prerequisites

swantest needs Python 3.3 or later. This is necessary for subprocess to deal with hundreds of threads/processes. pexpect also works better in 3.3.


# swantest depends on Python 3.3 or later
dnf install python3-setproctitle python3-pexpect

# install docker; the Fedora 28 image itself is built further down

dnf -y install docker

systemctl start docker.service
systemctl enable docker.service

wget -O /usr/local/bin/pipework  https://github.com/jpetazzo/pipework/raw/master/pipework
chmod a+x /usr/local/bin/pipework

cd /home/build/
# clone an up to date libreswan tree from somewhere to  /home/build/


cd /home/build/libreswan/testing/docker/
# check the authorized_keys file; edit it or add your keys there

cd /home/build/libreswan 
sudo make DISTRO=fedora DISTRO_REL=28 docker-image

# coffee break. It will download Fedora 28 + about 200 packages. It may take 15 minutes or more
# my experience on blueswan real 15m18.893s user 0m0.123  sys 0m0.057s

# make sure the host has netkey stack loaded 
ipsec _stackmanager start --netkey
ipsec version |grep klips && echo you need netkey

cd /home/build/libreswan/
cd /home/build/libreswan/testing/pluto/ikev2-37-docker-rw
../../utils/swantest --docker

# the iptables rules on host and docker may interfere with IKE or ESP
iptables -F
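
An added example, not part of the original wiki page or the Libreswan project: the pipework download from the steps above, pinned to a commit and installed only when its SHA-256 matches a recorded value. `PIPEWORK_COMMIT`, `PIPEWORK_SHA256` and the function names are assumptions made for this sketch; the two placeholders must be replaced with values you have reviewed yourself, and until then the install refuses to proceed.

```shell
#!/bin/sh
# Placeholders (assumptions): set both to values taken from a copy you reviewed.
PIPEWORK_COMMIT="${PIPEWORK_COMMIT:-COMMIT_SHA_PLACEHOLDER}"
PIPEWORK_SHA256="${PIPEWORK_SHA256:-SHA256_PLACEHOLDER}"

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 0 after installing, 1 on digest mismatch, 2 on bad arguments.
install_verified() {
    local src="$1" expected="$2" dest="$3" actual
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    # Refuse anything that is not exactly 64 lowercase hex characters,
    # so an unset or placeholder value fails closed.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest has wrong length" >&2; return 2; }
    actual=$(sha256_of "$src") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: got $actual" >&2
        return 1
    fi
    # Only now does the file reach root's PATH.
    install -m 0755 "$src" "$dest"
}

# fetch_pipework: download to a temp file, verify, then install.
fetch_pipework() {
    local tmp rc
    tmp=$(mktemp) || return 2
    wget -q -O "$tmp" \
        "https://github.com/jpetazzo/pipework/raw/${PIPEWORK_COMMIT}/pipework" \
        && install_verified "$tmp" "$PIPEWORK_SHA256" /usr/local/bin/pipework
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Source the file and call `fetch_pipework` in place of the plain `wget` and `chmod` pair.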

setup tcpdump permissions on the host

https://libreswan.org/wiki/Test_Suite#tcpdump_permissions_on_the_Host

Docker related diagnostics commands

# show running docker containers
docker ps -a 

# check if you have a proper docker installation?
docker images

# stop ALL containers 
docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)

# the tests also create a bunch of bridge devices. Not all of them are cleaned up.

brctl show

Check if you got correct image

cd /home/build/libreswan/testing/docker

docker build -t swanbase .

root@jes:/home/build/libreswan/testing/docker# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
swanbase            latest              d02d76e98391        2 days ago          2.986 GB
docker.io/fedora    22                  ded7cd95e059        3 months ago        186.5 MB

Manually update the swanbase (base docker image)

Start the docker image by hand. Note that this instance will have access to the network via bridge docker0.

docker run -h swan --privileged  --name swan -v /home/build/libreswan:/home/build/libreswan -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d swanbase /usr/sbin/init

docker exec -ti swan /bin/bash
# run inside the container, then exit back to the host
dnf -y update

# now commit the container as the image tagged swanbase.

# to see the container id
docker ps

docker commit <docker id> swanbase


# to stop this instance
docker stop --time=1 swan
docker rm swan

Notes

# Currently supports installing rpms (on both initiator and responder). Maybe add separate options so each side can have a different version.
# Add strongswan package or just install runtime? Or keep a different image?
# Delete bridge interfaces after the test is done.
# Option to clean up all bridges?
# make install for docker. Support "ipsec start" in Docker.