[Swan-dev] heads up: change to swantest (make check) add python3 packages

Paul Wouters 🔓 paul at nohats.ca
Mon Dec 1 17:19:36 EET 2014


On Mon, 1 Dec 2014, Matt Rogers wrote:

>> Initial goal is to run netkey host to host (west-east, road-east, north-east) tests concurrently.
>> About 7-20 concurrent tests seems fine. Starting and stopping dozens of docker images at once seems to slow down things. Currently there is systemd running inside docker that is probably a major overhead. Also docker start and stop seems slow. Stopping all docker containers seems to be a serial process with 3-10 seconds wait on each.  No, rebooting the host does not seem to be a very good option:)  Docker seems to keep state between host reboots. Maybe there are ways to make it faster, I am new to this.  Another weakness of docker is specifying multiple network interfaces.  Currently it is done using the external script pipework.
>>
>
> Would it be a better idea to run docker inside of a hefty VM rather than
> directly on the host? Maybe then it would be easier to trim things down and
> perhaps we could share a base image with everything ready to go.

We don't need that much on the host actually. The biggest thing is we
need to do the equivalent of ipsec _stackmanager start so the kernel
modules are available to the guests. But we could make that part of
the scripts that launch docker VMs, assuming we need root anyway.

So I added --netkey to _stackmanager that allows us to run it straight
from the source tree, so libreswan does not need to be installed on the
host (which only works for docker, not using namespaces directly)

> I installed and ran it the other night, and the test output showed that it
> couldn't find the ipsec command. Then I fell asleep :P. Should I specify a path
> somewhere?

So for now you need libreswan installed on the host I think. If in
/usr/local, you might run into things like local bits not being in
root's path when using "sudo bash" or "sudo su". Sadly plain "su" seems
to be the most reliable to get /usr/local/sbin/ in your path.

>> dis_cert should support generating 100s certificates and swan-prep deal with it.
>
> This would be no problem now. Were you thinking of just a batch with CN like "host[1-100]"?

Yes, although for those large scale tests, we could also use PSK and
uniqueids=no ? Eventually I guess we will do it based on raw RSA keys in
the DNS?

Paul
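As an added illustration of the host-side step Paul describes (doing the equivalent of `ipsec _stackmanager start` so the NETKEY/XFRM kernel modules are present before the docker guests start), here is a small POSIX shell script. It is not code from this thread or from the libreswan project, and the module list it checks is an assumption; adjust it to what your kernel actually builds as modules. The check itself works on /proc/modules-style text, so it can be exercised without root; loading is only attempted when run as root with `--load`.

```shell
#!/bin/sh
# Added example, not part of the thread or of libreswan. Before launching the
# docker-based test guests, make sure the host kernel has the IPsec (NETKEY/XFRM)
# modules loaded, which is roughly what "ipsec _stackmanager start" does on an
# installed system.

# Assumed module list (not taken from the thread); these are real module names
# on Linux kernels of the period, but your kernel may build some of them in.
REQUIRED_MODULES="xfrm_user esp4 ah4 ipcomp"

# Print each name in $2 (space-separated) that does not appear as the first
# field of any line in the /proc/modules-style text $1. Pure text processing,
# so it can be tested offline with constructed input.
missing_modules() {
    modules_text=$1
    required=$2
    for m in $required; do
        if ! printf '%s\n' "$modules_text" |
             awk -v name="$m" '$1 == name { found = 1 } END { exit !found }'; then
            printf '%s\n' "$m"
        fi
    done
}

# Load whatever is missing from the live kernel. Like _stackmanager this needs
# root; without it we only report what would have to be loaded.
load_missing_modules() {
    missing=$(missing_modules "$(cat /proc/modules)" "$REQUIRED_MODULES")
    [ -z "$missing" ] && return 0
    if [ "$(id -u)" -ne 0 ]; then
        echo "need root to load: $missing" >&2
        return 1
    fi
    for m in $missing; do
        modprobe "$m" || return 1
    done
}

# Usage: sh prepare-host.sh --load   (as root, before starting the containers)
if [ "${1:-}" = "--load" ]; then
    load_missing_modules
fi
```

Running the `--load` step once per host boot, from the same script that starts the containers, avoids needing a full libreswan install on the host just for the module setup.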

