Test Suite - Namespace: Difference between revisions

From Libreswan

Revision as of 18:58, 21 September 2019

This is a quick guide to running libreswan tests under namespaces. Be aware: the host will get lots of packages installed, and you need sudo permission without a password.

prerequisites on the host

sudo without password

To check, run "sudo bash -c true". If it does not ask for a password, you are good!

install testrun dependencies

# pre install check
sudo bash -c true
sudo make install-testing-rpm-dep
make nsinstall # remember this will install a pluto on your host!!

run a test

# as a single test
cd /home/build/libreswan/testing/pluto/basic-pluto-01
../../utils/nsrun --ns

testrun

# run possible tests from testing/pluto/TESTLIST
cd /home/build/libreswan
# another important step: generate x509 certificates
cd /home/build/libreswan/testing/x509/ && ./dist_certs.py && cd /home/build/libreswan/
make nsrun

unsupported tests

As of fall 2019, several tests are hard to run in namespaces. Some can possibly be made to run, with varying amounts of effort and motivation, and some appear to be impossible to run (KLIPS). I have put my initial guess at the possibility of running each in a namespace inside parentheses.

  • SELinux testing (possible). It needs more attention and work in theory, though tests with SELinux enabled and SELinux disabled won't co-exist.
  • audit tests (impossible): auditd and kernel messages will all go to one log and are hard to track down when running a test. You don't know which side, east or west, generated them.
  • FIPS tests and non-FIPS tests at the same time (impossible)

This sounds like a challenge. I am not sure how far it will go. Mixing FIPS and non-FIPS

  • Ignored tests: "audit", "dnsoe", "fips", "ipseckey", "dnssec", "interop", "klips", "ocsp", "seccomp", "strongswan"

Tests with any of the above words in their name are ignored by nsrun in a testrun. Some of them can possibly run in a namespace. Some of these tests need extra software, such as strongswan; the default install of the strongswan rpm starts it with systemd. We need tricks to make strongswan, unbound, nsd, ocsp etc. work.

  • testing kernel netlink messages or kernel crashes. Tests that cause a kernel crash, BUG or WARN will break the testrun.
  • xfrmi (possible): there seem to be some issues when the devices are not cleaned up. You would need to reboot after a test.
  • KLIPS (maybe with 1M $)
  • testing libreswan code that involves systemd (impossible). Or maybe if we use docker or systemd-machined?
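
The name-based skip described above, as an added example (not nsrun's own code): it classifies TESTLIST entries using the ignored words listed on this page. The three-column TESTLIST layout and every sample test name other than basic-pluto-01 are assumptions.

```shell
#!/bin/sh
# Added example: show which TESTLIST entries a namespace testrun would skip.
# The keywords are the ignore list from this page; the TESTLIST layout
# (kind, test name, expected result) is an assumption.
IGNORED_WORDS="audit dnsoe fips ipseckey dnssec interop klips ocsp seccomp strongswan"

# classify_tests: reads a TESTLIST on stdin and prints one line per test,
# either "run NAME" or "skip NAME (KEYWORD)".
classify_tests() {
    awk -v words="$IGNORED_WORDS" '
        BEGIN { n = split(words, w, " ") }
        /^[ \t]*(#|$)/ { next }      # comments and blank lines
        NF < 2 { next }              # not a test entry
        {
            name = $2; hit = ""
            # substring match on the test name, first keyword wins
            for (i = 1; i <= n; i++)
                if (index(name, w[i])) { hit = w[i]; break }
            if (hit != "") printf "skip %s (%s)\n", name, hit
            else printf "run %s\n", name
        }'
}

# Constructed sample input; only basic-pluto-01 appears on this page.
sample_testlist() {
    cat <<'EOF'
# kind          name                    expected
kvmplutotest    basic-pluto-01          good
kvmplutotest    example-fips-01         good
kvmplutotest    example-strongswan-02   good

kvmplutotest    example-xfrmi-03        good
EOF
}

demo() {
    sample_testlist | classify_tests
}

demo
```

Against a real tree the call would be `classify_tests < testing/pluto/TESTLIST`, which gives a quick count of how much coverage a namespace run leaves out.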

future ideas

  • tracking coredumps.

Currently, when there is a crash of, say, pluto, addconn, whack... there will be a coredump. However, in namespaces these coredumps are mixed up. In some cases it is a bit hard to attribute a core to east, west or another test. One idea is to strictly track the pid: when we start whack, we have to follow the pid and track it.

  • testing with different versions. In theory this should be easy, however it needs more work. One idea is to bind mount /usr/local/libexec/ipsec

useful alias/function
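
One way to do the pid tracking suggested for coredumps, as an added example (not libreswan code): record which named network namespace a pid lives in while it is still running, then look up a core file's pid later. It assumes the /run/netns/<name> layout used by NSENTER on this page, that no pid namespace is in use so pids are host-wide, core files named core.<pid>, and a hypothetical ledger file.

```shell
#!/bin/sh
# Added example: attribute a core file to the test namespace it came from.
# Assumptions: /run/netns/<name> entries, cores named core.<pid>, and a
# ledger file chosen here; none of these names come from libreswan.
NETNS_DIR="${NETNS_DIR:-/run/netns}"
PROC_ROOT="${PROC_ROOT:-/proc}"
LEDGER="${LEDGER:-/tmp/ns-pid-ledger}"

# netns_of_pid PID -> name of the NETNS_DIR entry the pid runs in.
# Two paths refer to the same namespace when device and inode both match.
netns_of_pid() {
    want=$(stat -L -c '%d:%i' "$PROC_ROOT/$1/ns/net" 2>/dev/null) || return 1
    for f in "$NETNS_DIR"/*; do
        [ -e "$f" ] || continue
        if [ "$(stat -L -c '%d:%i' "$f")" = "$want" ]; then
            basename "$f"
            return 0
        fi
    done
    return 1    # host namespace, or one without a name in NETNS_DIR
}

# record_pid PID COMMAND -> append "pid namespace command" to the ledger.
# Call it right after starting pluto, addconn or whack, while the pid exists.
record_pid() {
    ns=$(netns_of_pid "$1") || ns="host-or-unknown"
    printf '%s %s %s\n' "$1" "$ns" "$2" >> "$LEDGER"
}

# core_owner COREFILE -> "namespace command" for a core named core.<pid>.
# The last ledger entry wins, because pids are reused over a long testrun.
core_owner() {
    pid=${1##*.}
    awk -v p="$pid" '$1 == p { r = $2 " " $3 }
        END { if (r == "") exit 1; print r }' "$LEDGER"
}

# usage: record_pid "$!" pluto   ...later...   core_owner /path/to/core.1234
```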

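# open a root shell inside the mount, net and uts namespaces of one test host
NSENTER ()
{
    ns=$1;
    nsargs="--mount=/run/mountns/${ns} --net=/run/netns/${ns} --uts=/run/utsns/${ns}";
    NSENTER_CMD="/usr/bin/nsenter ${nsargs} ";
    # left unquoted on purpose: the arguments must split into separate words
    sudo ${NSENTER_CMD} /bin/bash
}

To enter:

NSENTER east-basic-pluto-01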

Details of Namespace testing