[Swan-dev] [Testing] Test Suite & Docker

Ondrej Moris omoris at redhat.com
Sun May 15 15:28:30 UTC 2016 

Hi Andrew,

On 05/12/2016 05:01 PM, Andrew Cagney wrote:
> Here's a brain dump:
> 
> - yes 9p is isn't reliable, and it seems to be getting worse; I really
> wonder about eliminating 9p and using copy/rsync/clone instead, this
> might fit better with docker

Well, that would mean introducing some additional networking between
guests and hosts, right? I think that might lead to various new
problems, for instance you have to ensure that ipsec does not interfere
with networking needed for guest->host synchronization

> 
> - f22 also had a nice bug where cloning corrupted the root filesystem
> 
> - I've found trying to use more than #cores/2 (1 core for each KVM,
> one for userland 9p?) doesn't seem to make things faster
>   Docker could help, however ...
> 
> - "half" of each test is spent twiddling thumbs waiting for things to
> timeout, docker won't help with that
> 
> - otoh, the other "half" of each test is spent waiting for _Fedora_ to
> boot; given other OSs and linux variants boot in seconds there's
> something going really really wrong
>   Deploying docker instances containing rebuilt pluto should be faster
> and more robust?  I've found cloning test domains to be really fast,
> but getting the fresh clone to boot to be really slow; Fedora again.
> 
> - I'm guessing that, like the current KVM tests, docker doesn't do
> FIPS "correctly" (as in run an entire FIPS stack including the
> kernel); for the KVMs it is a small matter of programming, for docker?
>  This might mean keeping both around

There should not be any blocker for running either KVM or Docker suite
in FIPS mode actually. With KVM you just need to install VMs with fips=1
on kernel command line and that's it. The systems will run in FIPS mode.
With docker containers it is in a sense even easier as you only need to
have host system running in FIPS mode and any container based on
Fedora/RHEL base images will be running in FIPS (actually you have to
install one more package on them - dracut-fips or create /etc/system-fips).

Off-topic - are you runnig test suite executed in FIPS mode? If not, are
you interested in that? There would probably be tons of both true and
false positives though. And I am very very doubtful about FIPS in
Fedora. OTOH it might be doable in RHEL...

> 
> - Similarly, if we want to test against systems that are not amd64,
> KVM would be need

You're right. But that can change in the future, lacking support for
32bit is more or less just a plumbing issue (you just need support in
registries basically). Is KVM testsuite running in 32-bit environment?

> 
> Andrew
>

More information about the Swan-dev mailing list