[Swan-dev] generating x509 certificates

Andrew Cagney andrew.cagney at gmail.com
Tue Feb 3 23:42:40 EET 2015


[inline]

On 3 February 2015 at 15:35, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 3 Feb 2015, Andrew Cagney wrote:
>
>> -- I had to add kvmsetup.sh by hand, I think that is a bug
>
>
> people have different ideas of where the pool should live. Or what OS
> to use inside the guest. So we provide kvmsetup.sh.sample.

I see your point.  Does anyone actually do that though?

>> -- I had to add Makefile.inc.local to add -Werror, I think that is a bug
>
>
> I thought we said that was going to be okay soon? :)

Arm will break.

>> - run testing/libvirt/install.sh to set up the test framework
>> -> if I think the VMs are corrupt then I should be able to run
>> uninstall.sh ; install.sh to rebuild them
>
>
> I don't trust uninstallers :/

I don't exactly trust them either :-)  Short of re-installing the test
host, it's the best we've got.
(and definitely better than the old code that simply did rm -rf
/path/to/vm/disks)

>> - build/install: swan-update on west, then swan-install on the others
>> -> it would be nice to automate this
>
>
> make check UPDATE=1
> (hit ctrl-c when it starts on basic-pluto-01 :)

Cool.  I might fix that.

>> - strongswan in FC21 doesn't include GCM or CTR; for the GCM and CTR
>> interop tests to work, a custom version of strongswan is needed
>
>
> We could automate pulling it in from a repository on
> download.libreswan.org. I hadn't because I thought the fedora maintainer
> would fix these. The latest spec file in fedora does enable CCM and CTR
> but not GCM.

I thought about either doing that or building it as part of
install.sh; luckily the thought only lasted a millisecond.
I think the best thing is to document and keep pushing upstream.
Rebuilding the test VMs is hopefully a relatively rare activity.
(We'd need a signed repo for safe automated install).

>> - the "wip" tests need to be disabled, it was one of those that hung
>> (If it is possible to clearly identify wip results as something to
>> ignore and ensure they don't hang then running them is probably
>> mostly harmless; google for "KFAIL")
>
>
> I've not had a test "hung" permanently. I had VMs hanging permanently
> not taking commands from virsh though.

> We could change swantest that if it is run with --x509 and it does not
> see the expected certificates, that it will run dist_certs.whatever ?

Sure; provided there is no race between the separate machines.  My
suggestion was to tweak swan-update.

> Paul
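Paul's suggestion above (have the test driver run the certificate generator when the expected certificates are not found) together with Andrew's concern about a race between the separate machines, sketched as an added POSIX shell example. This is not code from the thread or from libreswan's swantest/dist_certs; it assumes a directory holding one `NAME.crt` per test host, a generator command that takes the directory and the host names, and the host names east/west are constructed for the test.

```shell
#!/bin/sh
# Added example (not libreswan's swantest/dist_certs code): check that the
# certificates an --x509 test run expects are present, and regenerate them
# only once, under a lock, so several test VMs sharing the directory do not
# all start a regeneration at the same time.

# certs_missing DIR NAME... : prints each expected NAME whose DIR/NAME.crt is
# absent or empty; returns 0 if nothing is missing, 1 otherwise.
certs_missing() {
    dir=$1; shift
    missing=0
    for name in "$@"; do
        if [ ! -s "$dir/$name.crt" ]; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# cert_expiring DIR NAME : returns 0 if DIR/NAME.crt is not a parsable
# certificate or expires within a day (uses openssl if installed; treated
# as "not expiring" when openssl is absent).
cert_expiring() {
    command -v openssl >/dev/null 2>&1 || return 1
    ! openssl x509 -in "$1/$2.crt" -noout -checkend 86400 >/dev/null 2>&1
}

# ensure_certs DIR GENERATOR NAME... : if any expected cert is missing or
# about to expire, take a lock and run GENERATOR (a command that writes
# DIR/NAME.crt for every NAME). The mkdir lock is atomic on a local
# filesystem; on a network share between VMs, lock on the host instead.
ensure_certs() {
    dir=$1; gen=$2; shift 2
    need=0
    certs_missing "$dir" "$@" >/dev/null || need=1
    for name in "$@"; do
        cert_expiring "$dir" "$name" && need=1
    done
    [ "$need" -eq 1 ] || return 0
    lock="$dir/.regen.lock"
    until mkdir "$lock" 2>/dev/null; do
        sleep 1
        # another machine may have finished the job while we waited
        certs_missing "$dir" "$@" >/dev/null && return 0
    done
    "$gen" "$dir" "$@"
    rc=$?
    rmdir "$lock"
    return $rc
}
```

Whoever holds the lock does the regeneration; the others wait and re-check rather than generating a second, conflicting set of certificates. A second call after a successful generation is a no-op, which is what makes it safe to put in front of every --x509 run.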

