[Swan-dev] [Testing] Test Suite & Docker

Antony Antony antony at phenome.org
Sun May 15 17:01:37 UTC 2016


Ondrej,

I just tested a patch on testing.libreswan.org, which is an FC23 host, and the docker instance is also FC23.
Here is a better patch that will run on FC23, and ikev2-37-docker-rw will pass.

I am using pipework to create extra interfaces and bridge eth0 to the right bridge.
AFAIK docker does not allow multiple virtual network interfaces at start.
pipework is the workaround I found. This way the real ethX configs are in one place, which is also used by
kvm tests.

-antony



On Sun, May 15, 2016 at 05:51:49PM +0200, Antony Antony wrote:
> Hi Ondrej, 
> I am still on F22:) ikev2-37-docker-rw works for me on F22. 
> 
> A quick workaround for the 0/0 problem could be the patch below.
> Remember the workaround will cause the test to fail for cosmetic reasons.
> However you can check the actual output file to see ping etc works.
> 
> less OUTPUT/road.console.txt
> diff road.console.txt OUTPUT/road.console.txt
> 
> diff --git a/testing/utils/swantest b/testing/utils/swantest
> index 3e6173e..e134cd9 100755
> --- a/testing/utils/swantest
> +++ b/testing/utils/swantest
> @@ -1735,7 +1735,7 @@ def docker_add_net_bridges(args, test, dnamei, dnamer, dnamen):
>      pcap_file_ext = '.pcap'
>      pcap_file = 'OUTPUT/' + 'swan12' + pcap_file_ext
> 
> -    prefix = "0/0"
> +    prefix = "192.0.2.1/23" # rfc5737. the real address will come with network restart
>      if test["initiator"] == "west":
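Review bot: The replacement value "192.0.2.1/23" on the added line has a mask wider than the RFC 5737 block its comment cites. TEST-NET-1 is 192.0.2.0/24, and a /23 also covers 192.0.3.0 to 192.0.3.255, which is not documentation space. Use "192.0.2.1/24" so the placeholder stays inside the reserved range, and say in the comment that the value only exists because pipework rejects "0/0".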
> 
> There is no list of dockerpluto tests. I guess it would be nice to have one, never had any interest by others. I use it manually and I can sift through the differences easily!!
> 
> Most netkey tests will run on docker with cosmetic output differences.
> 
> My understanding is klips is not namespace aware?
> I don't have a detailed answer how to make protostack=klips work under docker.
> The module is loaded on the host. All instances share the same module.
> 
> -antony
> 
> 
> On Sun, May 15, 2016 at 04:21:10PM +0200, Ondrej Moris wrote:
> > Hey Antony, thanks for your reply, sorry for such a delayed answer,
> > please see my inline comments...
> > 
> > On 05/11/2016 09:21 PM, Antony Antony wrote:
> > > Hi Ondrej,
> > > here is a quick response. Do you still have the system where you followed the steps in [1]?
> > >
> > > On Wed, May 11, 2016 at 01:42:37PM +0200, Ondrej Moris wrote:
> > >> Hi,
> > >>
> > >> a few months ago I became aware of "libreswan testing suite docker
> > >> adventures" [1]. Then I had a chance to have a brief chat about it with
> > >> Paul during his visit on DevConf in Brno, Czech Republic. Since it
> > >> looked more or less like an experiment which was stalled at some point
> > >> and I considered it to be very interesting idea I promised to lend a
> > >> hand with it.
> > >>
> > >> There are two main reasons why I think it is worth resurrection:
> > >>
> > >> (1) It is faster and cleaner way of multi-host network testing, network
> > >> namespaces represent transparent network separation (different IP
> > >> stacks) and no baremetal is needed for test suite execution.
> > >>
> > >> (2) It will allow to run the test suite on more linux distributions.
> > >> There are docker base images for Fedora, RHEL, Debian, (Open) SUSE (LE),
> > >> etc. The current test suite based on KVM virtualization has an essential
> > >> dependency on 9P filesystem since guests need to share testing directory
> > >> with their host. However, 9P FS is not available in all kernel and qemu
> > >> distributions and it is no longer maintained AFAIK. Relaxing this
> > >> dependency (e.g. via NFS) seems to be too complicated and might
> > >> interfere with the testing. On the other hand there is docker based on
> > >> concepts of control groups and namespaces which are widespread in linux
> > >> distributions for some time.
> > >>
> > >> Following steps in [1] test suite can be set-up easily, however it is
> > >> not possible to execute any test at the moment. Obviously that part of
> > >> the docker adventures are yet to happen. Moreover there are various
> > >> mutually independent bits related to docker in testing directory
> > >> (docker, pluto/ikev2-37-docker-rw/docker,
> > >> pluto/ikev2-37-docker-rw/runme.sh and utils/swantest).
> > > ignore the runme.sh. That is only for reference or to debug swantest.
> > > try the steps below, which is mentioned in [1]
> > >
> > > cd /home/build/libreswan/
> > > make programs
> > > cd /home/build/libreswan/testing/pluto/ikev2-37-docker-rw
> > > ../../utils/swantest --docker 
> > >
> > > make sure you have the latest master from github, especially 9b39035e1e9d1d7d9 (test results are updated in this commit. Results drifted away over time).
> > Yes, that's something I started with at the beginning. But there seems
> > to be some issue while adding bridges in docker_containers_start_stop,
> > actually the problem is in docker_net_bridge, the latest pipework I have
> > cannot consume 0/0 prefix:
> > 
> > sudo /usr/local/bin/pipework br51789982 -i eth0 road-ikev2-37-docker-rw 0/0
> > ipcalc: bad IPv4 address: 0
> > Error: an inet address is expected rather than "".
> > 
> > It is not surprising since ipcalc -b just does not work with 0/0 (at
> > least in Fedora 23). At that point I mistakenly made a conclusion that
> > "swantest --docker" is not finished and turned to runme.sh :-/.
> > 
> > With prefix = "0.0.0.0/0" ipcalc does not complain, swantest --docker
> > works and the testing is not aborted. Most likely ipcalc is distribution
> > specific or pipework used something else than ipcalc -b to get broadcast
> > address. Anyway that does not matter now.
> > 
> > Is ikev2-37-docker-rw expected to fail? I see some minor issues on
> > "east" (outputs are semantically equivalent even though they differ)
> > but "road" has some real issues (ping failed, I have not had time to check
> > why yet).
> > >
> > >> At the moment, most viable option seems to be runme.sh but it is calling
> > >> non-existing guestbin/swan-docker-run. I guess swan-run can be used
> > >> there with some very minor updates, is that what swan-docker-run was
> > >> meant to be? 
> > > As I said before, to run a single test use "swantest --docker"; to run multiple tests,
> > > specify the type in TESTLIST. If it is "dockerplutotest" then "make check" should run them concurrently. Complex bits in swan test is to run several tests concurrently.
> > > I run a single test for quick and easy testing.
> > Do you have a list of tests which fall into "dockerplutotest" category
> > Antony? I would assume there is "a prototype" test ikev2-37-docker-rw at
> > the moment based probably on ikev2-09-rw-rsa and there are no claims
> > about the other tests yet. Or are there?
> > >
> > >> Clearly docker and pluto/ikev2-37-docker-rw/docker are just some PoC
> > >> with no future progress, is that correct?
> > >>
> > >> Finally, there are docker test execution code in swantest but it is not
> > >> used anywhere. This seems to be rather complex and I am not sure how
> > >> complete it is. I guess it represents the same functionality as
> > >> runme.sh, doesn't it?
> > >> Clearly, the only missing step in "dockerization" of the test suite is
> > >> to finish the test driver (i.e. probably having runme.sh steps covered
> > >> by swantest code). Test cases are basically already both KVM and Docker
> > >> friendly.
> > After reading your reply I am very happy to re-phrase that paragraph -
> > the test driver actually seems to be ready. Hence the next steps are
> > probably to try out some good KVM pluto tests using docker, to find out
> > what are the differences in their output and to sanitize them somehow.
> > Is that correct?
> > 
> > One more thing, one of steps in [1] forbids using KLIPS IPsec stack. I
> > am aware of some potential issues and doubts about using KLIPS in LXC
> > containers (so basically it applies to Docker too). On the other hand I
> > am not aware of any obvious, clearly explained reason why (yet
> > ipsec does not start with protostack=klips in the container), can you
> > shed some light on this matter?
> > >>
> > >> So the crucial question is - are you interested in discussing future of
> > >> the remaining parts of docker test suite?
> > >>
> > >> [1] https://libreswan.org/wiki/Test_Suite_-_Docker
> > 
> > 
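A pre-flight check for the placeholder prefixes discussed in this thread, written as an added example (it is not part of swantest or of any message here); `classify_prefix` and `TEST_NET_1` are names made up for the illustration. It uses Python's `ipaddress` module rather than `ipcalc`, so it shows which of the thread's prefixes are well-formed and which stay inside the RFC 5737 range, not what pipework itself accepts.

```python
import ipaddress

# RFC 5737 TEST-NET-1, the documentation range the patch comment refers to.
TEST_NET_1 = ipaddress.ip_network("192.0.2.0/24")


def classify_prefix(prefix):
    """Classify a placeholder prefix before it is handed to pipework.

    Returns:
      "malformed"        not a full IPv4 address/prefix-length pair
      "outside-test-net" parses, but its network reaches beyond TEST-NET-1
      "ok"               parses and its network lies inside TEST-NET-1
    """
    if "/" not in prefix:
        return "malformed"          # a bare address carries no prefix length
    try:
        iface = ipaddress.ip_interface(prefix)
    except ValueError:
        return "malformed"          # e.g. "0/0": "0" is not a dotted quad
    if iface.version != 4:
        return "malformed"          # the tests in this thread are IPv4 only
    # ip_interface() keeps the host address; .network masks it down,
    # so 192.0.2.1/23 becomes 192.0.2.0/23, which is wider than a /24.
    if not iface.network.subnet_of(TEST_NET_1):
        return "outside-test-net"
    return "ok"


if __name__ == "__main__":
    # The four prefixes that appear in the thread.
    for candidate in ("0/0", "0.0.0.0/0", "192.0.2.1/23", "192.0.2.1/24"):
        print("%-14s %s" % (candidate, classify_prefix(candidate)))
```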
-------------- next part --------------
commit 9223e2f610901f2efbdc9180ca76ac4deefd1550
Author: Antony Antony <antony at phenome.org>
Date:   Sun May 15 18:37:07 2016 +0200

    testing: improve swantest to cope with FC23.

diff --git a/testing/utils/swantest b/testing/utils/swantest
index 3e6173e..f923542 100755
--- a/testing/utils/swantest
+++ b/testing/utils/swantest
@@ -1710,6 +1710,8 @@ def docker_net_bridge(dname, brname, iface, prefix):
         logging.error(output)
         raise PipeworkEroor(output)
 
+    cmd = "sudo docker exec -ti %s /bin/bash -c 'ip addr del %s dev %s'" % (dname, prefix, iface)
+    runcmd_check_output(cmd)
 
 def docker_add_net_bridges(args, test, dnamei, dnamer, dnamen):
     # shared bridge between east - west, east - nic
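Review bot: The added docker exec call passes -ti, which requests an interactive TTY; when swantest runs without a terminal (for example from "make check") docker exec cannot allocate one and the command fails, so drop -ti, since the command reads no input. The command is also built by %-formatting dname, prefix and iface into a /bin/bash -c '...' string; passing them as separate arguments (docker exec <dname> ip addr del <prefix> dev <iface>) removes the nested quoting and any shell interpretation of those values. The context line above raises PipeworkEroor, which looks like a misspelling worth fixing while this function is being touched.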
@@ -1735,7 +1737,7 @@ def docker_add_net_bridges(args, test, dnamei, dnamer, dnamen):
     pcap_file_ext = '.pcap'
     pcap_file = 'OUTPUT/' + 'swan12' + pcap_file_ext
 
-    prefix = "0/0"
+    prefix = "192.0.2.1/24" # rfc5737. the real address will come with network restart
     if test["initiator"] == "west":
         iface = "eth0"
         brname = "br%s" % bidw0
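Review bot: The comment on the new prefix line says where the address comes from but not why a dummy address is needed, nor that docker_net_bridge now removes it again with ip addr del, so a reader of this function alone cannot tell that the two hunks depend on each other. State both in the comment, and consider a named module-level constant instead of the literal, since the same value is interpolated into the delete command. Ondrej reported earlier in the thread that "0.0.0.0/0" is also accepted by ipcalc, so the commit message should say why a TEST-NET-1 address was chosen over that.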