[Swan-dev] time to delete old dist_certs shell script (attempt #2)?

Matt Rogers mrogers at 0x83.com
Wed Jun 24 19:06:52 EEST 2015

On June 24, 2015 11:34:53 AM EDT, "D. Hugh Redelmeier" <hugh at mimosa.com> wrote:
>| From: Andrew Cagney <andrew.cagney at gmail.com>
>| This doesn't seem like a reason for retaining the old shell scripts -
>| they are so far behind that they don't even generate all the required
>| keys.  BTW, best place to run dist_certs.py is on one of the test VMs
>| (see "make kvm-keys"), and not on a host.  Provided the VM is
>| relatively recent all the necessary dependencies will have been
>| installed for you.
>I take it that you've implemented this
>Do you have a cheat-sheet of how we should make our old test setups
>work again?  Or maybe they already work.  I haven't tried.  I'd not
>waste time experimenting with the test setups.
>Why did you pick "east" as the one to do the work on?
>In our wiki page about testing, at least sometimes "west" is the one
>we do work on.  I don't know why that one was chosen either.
>It seems to me that an argument can be made that we make only one of
>the VMs heavy enough to do all these task.  On the other hand, maybe
>making them different is a mistake.

In the new certificate tests I made them always launch nic, to use it as the ocsp and crl server available regardless of the vpn status. So I say  we can make nic flexible with its configuration, and let that handle cert generation. I always assumed a tester would generate certs on the host machine (and I just patch the installed pyopenssl files on the host). But I see the value of it running at the start of a test run. Maybe the first test in a run can be a dummy test that runs distcerts on nic. 


>Swan-dev mailing list
>Swan-dev at lists.libreswan.org

More information about the Swan-dev mailing list