From Libreswan
Revision as of 07:01, 9 February 2017 by Paul Wouters

Ideas Page

While IKE and IPsec have been around for almost 20 years, like SSL/TLS, the protocols are still evolving and getting new features to deal with an ever-changing mobile world. The Libreswan Project's core developers have come up with a list of projects that they would like to see implemented and for which they are willing to commit to mentoring students. If any of these projects look interesting to you, feel free to contact the developers either on the developer mailing list or the #swan channel on the FreeNode IRC network.

Re-implement the KVM/python based testing infrastructure

Required Skills: General DevOps and Virtualization skills, Python and shell scripting

Libreswan Mentors: Andrew Cagney, Antony Antony, Paul Wouters

The goal is to investigate using another container technology that is better suited for our use. This could be raw namespaces, "unshare", Kubernetes, Docker (without systemd), OpenShift, OpenStack or something else. Note that since it needs to support containerized IPsec kernel stacks, LXC or vserver will not work.

The following new properties are desired for the new test harness:

  • Allow most tests to run with containers running libreswan, instead of VMs running libreswan
  • It should be able to run many tests in parallel on 1 machine
  • It should be able to spread jobs on multiple machines
  • Distinguish minor issues (diff in output) from major issues (different number of IKE or IPsec SAs)
  • Be as independent from the host OS as possible
  • Keep similar web based reporting output

The following properties of the current test harness should not be lost:

History of the current test harness

The libreswan testing infrastructure has its roots in the ancient User Mode Linux (UML). It ran for a number of years until UML stopped working reliably on newer kernels. In 2012 this system was migrated to the current system, which is based on KVM, QEMU and libvirt tied together with Python code. This system is used daily for automated testing as well as by most libreswan developers when working on specific code. Anyone can run these tests on their server or laptop as documented at Test_Suite.

Daily test results are available at Daily Test Results and an example run can be found at

There are currently around 600 test cases that involve booting 2 to 4 VMs to install various IPsec tunnels. The console output is captured, sanitized and compared against known good output. A full run takes about 8 hours, and most of that time is lost waiting on VMs to start up and shut down. Test cases consist of "init", "run" and "final" shell scripts that perform the actual test. You can browse our test cases at testing/pluto.
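The comparison step described above, combined with the desired minor/major distinction from the property list, could look like the following sketch. It is an added example, not code from the libreswan test harness; the sanitizer rules, the SA summary line format (modelled on `ipsec status` output) and the sample captures are assumptions constructed for illustration.

```python
import difflib
import re

# Assumed format: SA summary lines modelled on `ipsec status` output.
SA_LINE = re.compile(r"^(?:\d{3} )?(IKE|IPsec) SAs: total\((\d+)\)", re.M)
# Hypothetical sanitizer rules masking values that legitimately vary per run.
SANITIZERS = [
    (re.compile(r"#\d+"), "#N"),                   # state serial numbers
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "0xSPI"),  # SPIs
]

def sanitize(text):
    for pattern, repl in SANITIZERS:
        text = pattern.sub(repl, text)
    return text

def sa_counts(text):
    """Map 'IKE'/'IPsec' to the total on its summary line (absent if no line)."""
    return {kind: int(total) for kind, total in SA_LINE.findall(text)}

def classify(expected, actual):
    """Return ('pass'|'minor'|'major', detail lines) for one console capture."""
    exp, act = sanitize(expected), sanitize(actual)
    if exp == act:
        return "pass", []
    want, got = sa_counts(exp), sa_counts(act)
    if want != got:  # also fires when the summary lines are missing entirely
        return "major", [f"SA totals: expected {want}, got {got}"]
    diff = difflib.unified_diff(exp.splitlines(), act.splitlines(),
                                "expected", "actual", lineterm="")
    return "minor", list(diff)

# Constructed console captures, not output from a real test run.
GOOD = (
    '"west-east" #2: IPsec SA established tunnel mode {ESP=>0x1a2b3c4d <0x5e6f7a8b}\n'
    "000 IKE SAs: total(1), half-open(0)\n"
    "000 IPsec SAs: total(1), authenticated(1)\n"
)
RERUN = GOOD.replace("#2", "#4").replace("0x1a2b3c4d", "0x99aa00ff")
NOISY = "WARNING: constructed extra console line\n" + GOOD
BROKEN = GOOD.replace("IPsec SAs: total(1)", "IPsec SAs: total(0)")

if __name__ == "__main__":
    for name, capture in [("rerun", RERUN), ("noisy", NOISY), ("broken", BROKEN)]:
        verdict, detail = classify(GOOD, capture)
        print(name, verdict, *detail, sep="\n  ")
```

A capture with no SA summary lines at all (for example, after a daemon crash) is classified as major, because its SA totals cannot match the known good output.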

Waiting 8 hours to see if a code change breaks anything is not pleasant. An attempt was made to speed things up dramatically using Docker instead, as documented at [Test_Suite_-_Docker].

Unfortunately, our experiment with Docker turned out to be very slow as well, mostly due to the additional overhead of systemd and the plumbing to support multiple interfaces which we need for our tests.