[Swan-dev] building rpm target and using namespaces based testing

Paul Wouters paul at nohats.ca
Tue Sep 24 17:04:40 UTC 2019

On Tue, 24 Sep 2019, Antony Antony wrote:

> a9ebfa04957 is an interesting idea. However, there should be a way to
> disable this and let INITSYSTEM do it is job. Sometimes I want invoke the
> INITSYSTEM that is compiled and installed not override by nsenter. e.g
> docker with systemd in it. I  also use docker or podman with systemd for
> testing and this commit would break some of the use cases.
> Could you refine it? so this can be disabled when necessary.

Sure, just add anything to the sudo line that we can use for the grep.

> Initially I thought adding "ipsec --no-sudo-check" that is also not so
> smart. It would would intefear with testing "ipsec stop" and "ipsec start"
> should just wor. So far my thinking a compile time option to disable it?

Why compile time and not runtime. Currently, nsrun provides the sudo
command and "ipsec setup" consumes it. nsrun can just add anything, to
which ipsec setup can respond.

> To be clear:
> This patch will break my docker test! The docker is configured with systemd
> and can enter with nsenter. I am not sure how to make it conditional and yet
> easy to use.

when you say "can enter" I'm a little confused. As far as I know,
systemd does not use "ipsec start" ? Do you mean when you manually
enter the namespace of a docker container and run "ipsec start" ?
Or does an automated test for docker do that? Regardless, we can just
tune the grep by adding a parameter to the sudo command. The reason for
not changing the "ipsec start" command, is that we don't want to change
the output. Running "ipsec start --initsystem=direct" or the like would
show up in the test output as a diff. That's why I picked an existing
environment variable instead (and due to sudo and environment stripping,
the SUDO_COMMAND is the safest to use for this)

>> Stock rpms should now be able to run namespace tests without modifications.
> I quickly tried and noticed "ipsec stop" does not work yet? That means tests
> with nsrun --ns --shutdown will be break,

It should work but I will check if there is a bug.

> When you install with "make nsinstall" ipsec stop works.
> The means the pluto instances will not get cleaned.  This need need fixing.

I think the nsinstall target has been obsoleted and can be removed? You
should run make install instead. What else was "nsinstall" providing
other than the namespace/initsystem feature?

>> There is some Makefile.inc.local handling in Antony's version that does
>> not translate
>> to rpmbuilding that hardcodes various features based on distro. But I
>> don't think anything from there is still needed and was done mostly to
>> ack the INITSYSTEM stuff?
> NO just INITSYSTEM. This rpm started for KVM it has several tricks for
> testing.   Install in /usr/local and other needs for testing, and also some
> of the reasons you mentioned bellow.

I cannot parse this. You seem to say "it was just initsystem" and "it
provides additional tricks". Can you clarify and provide some details?

> For the record do not remove packaging/fedora/libreswan-testing.spec.in that
> has some specific tricks for testig. It is also used on KVM and docker (with
> sytemd).

I used different Make variables and locations on purpose so that "make
rpm" and "make kvm-rpm" can co-exist for now. I would like to move
towards a situation where "kvm-rpm" (and a separate spec file) is no longer
needed. The advantage is you can run "make rpm" on any platform (fedora,
rhel, technically suse) and get it working. It will also use the spec
files we use normally for packaging, so every update is automatically
included in the testing. The current way of using a seperate
libreswan-testing spec file results in a spec file that is older and
only works on fedora, not rhel/centos.

>> I can see it might be useful to select the "devel" build, maybe using
>> "make rpm-devel" that will then run rpmbuild --define with_development=1
>> to get a version with full debug and electric fence.
> It pass IPSECVERSION to make porgrams.  So pluto --version show the right version.

Ah. I had removed it because it should not be needed. I see now how the
version does mismatch. I'll look at how best to fix this.

> It do not install documentation

Does this really matter?

> I suspect your rpm file name will not match with plutoversion?

Yes, I'll fix it.

> Due to these minor but important features keep libreswan-testing.spec.in for
> now. It call RPM_BUILD_CLEAN.
>> I did not port over the support for RPM_BUILD_CLEAN in "make rpm"
>> because it breaks the subsequent build by deleting the source files
>> (ikev*fax.bz2) when done.
> this is on puropse. for devlopment nightly run otherwise lot of directoies
> will pile up in ${HOME}/rpmbuild/SOURCES. It is also a must feature for
> testig. May be I will make it optional.

I'm am pretty strongly against this feature. You do not own the
~/rpmbuild/SOURCES directory, and removing files from it is bad. It
actually took me a little while to figure out why my sources were
getting deleted. If I build using a regular rpmbuild command, unrelated
to testing, suddenly those builds now fail. That's pretty bad.

If you want to purge old tar balls, a cron job seems more appropriate.
Or delete the libreswan-version.targ.z explictely after your build,
without removing other files like ikev2.fax.bz2


More information about the Swan-dev mailing list