Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
FYI, I've finally got around to removing the old scripts. As the thread pointed out they were all pretty broken and unmaintained.

Andrew

On 23 June 2015 at 09:54, Andrew Cagney andrew.cag...@gmail.com wrote:
> I'd like to delete the old dist_certs shell script:
>
> - dist_certs.py seems to be working
> - make kvm-keys (assuming your VM is up-to-date) even lets you generate keys when the host isn't Fedora 21.
>
> little point in keeping old code around.
>
> Andrew

___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On 24 June 2015 at 14:52, Paul Wouters p...@nohats.ca wrote:
> On Wed, 24 Jun 2015, Andrew Cagney wrote:
>
>>> Why did you pick east as the one to do the work on?
>>
>> It's completely arbitrary. The VMs are identical.
>
> Note we would need to update the kickstart file for pyOpenSSL and possibly other packages for the guests. I don't really see a good reason to generate those on a guest instead of a host.

That was done a while ago. At least for fedora.

Using the guest renders any argument that dist_certs.py are broken on host XYZ moot.

> We could add a check to see if the timestamp on the testing/x509 directory is newer than the certificate generated, and only then regenerate all certs - all before starting the tests.

The dependencies:

    check: testing/x509/keys/mainca.key
    testing/x509/keys/mainca.key: testing/x509/dist_certs.py

seem to be sufficient (Never depend on a directory.)

>> - fedorabase gets created with everything on it
>> - all the tests get cloned from fedorabase
>> - fedorabase gets deleted
>>
>> So the short answer is because it works :-)
>> (Now if only someone could explain why fedorabase gets deleted :-)
>
> Because it is never ever used for anything anymore once the VMs are created? Each VM has their own base +qcow file. Note this is what slows virtual machines down over time. It's good to regenerate the VMs every 2-3 months.

I'm finding it a time saver. Instead of the slow painful process of trying to patch up the kickstart file and, again, build everything from scratch (something always goes wrong), I patch up fedorabase directly and then generate the test VMs from that. The only got-ya I've found is that fedorabase's filesystem needs to have been unmounted cleanly.

If the VMs should be re-generated regularly then this hack is likely more useful :-)

Andrew

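An added illustration, not part of the thread or of the libreswan tree, of why the message above makes the key depend on dist_certs.py rather than on the testing/x509 directory: editing a file in place updates the file's timestamp but not its directory's. The temporary tree and the helper names needs_regen and make_tree are constructed for this example.

```shell
#!/bin/sh
# Added example: paths live in a temp dir built here, not in the libreswan tree.

# needs_regen SOURCE TARGET
# True (exit 0) when TARGET is missing or older than SOURCE, the same test
# make applies to the rule "TARGET: SOURCE".
needs_regen() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# make_tree: build a constructed x509/ layout and print its root.
#   x509/dist_certs.py     generator script, edited in place after keygen
#   x509/keys/mainca.key   generated key, dated 2015-06-23 10:00
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/x509/keys"
    echo 'v1' > "$root/x509/dist_certs.py"
    echo 'constructed key' > "$root/x509/keys/mainca.key"
    touch -t 201506231000 "$root/x509/keys/mainca.key"
    # A directory's mtime records the last add/remove of an entry in it.
    touch -t 201506230900 "$root/x509"
    # In-place edit: updates the file's mtime, leaves the directory's alone.
    echo 'v2' >> "$root/x509/dist_certs.py"
    echo "$root"
}

root=$(make_tree)
if needs_regen "$root/x509/dist_certs.py" "$root/x509/keys/mainca.key"; then
    echo "file dependency: key is stale, regenerate"
fi
if ! needs_regen "$root/x509" "$root/x509/keys/mainca.key"; then
    echo "directory dependency: stale key goes unnoticed"
fi
rm -rf "$root"
```
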
Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
| From: Andrew Cagney andrew.cag...@gmail.com

| This doesn't seem like a reason for retaining the old shell scripts -
| they are so far behind that they don't even generate all the required
| keys. BTW, best place to run dist_certs.py is on one of the test VMs
| (see make kvm-keys), and not on a host. Provided the VM is
| relatively recent all the necessary dependencies will have been
| installed for you.

I take it that you've implemented this a31d60e504dc55214914738007ff62336a7f13aa.

Do you have a cheat-sheet of how we should make our old test setups work again? Or maybe they already work. I haven't tried. I'd not waste time experimenting with the test setups.

Why did you pick east as the one to do the work on? In our wiki page about testing, at least sometimes west is the one we do work on. I don't know why that one was chosen either.

It seems to me that an argument can be made that we make only one of the VMs heavy enough to do all these tasks. On the other hand, maybe making them different is a mistake.

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On June 24, 2015 11:34:53 AM EDT, D. Hugh Redelmeier h...@mimosa.com wrote:
> | From: Andrew Cagney andrew.cag...@gmail.com
>
> | This doesn't seem like a reason for retaining the old shell scripts -
> | they are so far behind that they don't even generate all the required
> | keys. BTW, best place to run dist_certs.py is on one of the test VMs
> | (see make kvm-keys), and not on a host. Provided the VM is
> | relatively recent all the necessary dependencies will have been
> | installed for you.
>
> I take it that you've implemented this a31d60e504dc55214914738007ff62336a7f13aa.
>
> Do you have a cheat-sheet of how we should make our old test setups work again? Or maybe they already work. I haven't tried. I'd not waste time experimenting with the test setups.
>
> Why did you pick east as the one to do the work on? In our wiki page about testing, at least sometimes west is the one we do work on. I don't know why that one was chosen either.
>
> It seems to me that an argument can be made that we make only one of the VMs heavy enough to do all these tasks. On the other hand, maybe making them different is a mistake.

In the new certificate tests I made them always launch nic, to use it as the ocsp and crl server available regardless of the vpn status. So I say we can make nic flexible with its configuration, and let that handle cert generation.

I always assumed a tester would generate certs on the host machine (and I just patch the installed pyopenssl files on the host). But I see the value of it running at the start of a test run. Maybe the first test in a run can be a dummy test that runs distcerts on nic.

Matt

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On 24 June 2015 at 11:34, D. Hugh Redelmeier h...@mimosa.com wrote:
> | From: Andrew Cagney andrew.cag...@gmail.com
>
> | This doesn't seem like a reason for retaining the old shell scripts -
> | they are so far behind that they don't even generate all the required
> | keys. BTW, best place to run dist_certs.py is on one of the test VMs
> | (see make kvm-keys), and not on a host. Provided the VM is
> | relatively recent all the necessary dependencies will have been
> | installed for you.
>
> I take it that you've implemented this a31d60e504dc55214914738007ff62336a7f13aa.

along with a plethora of changes to testing/libvirt

> Do you have a cheat-sheet of how we should make our old test setups work again? Or maybe they already work. I haven't tried. I'd not waste time experimenting with the test setups.

It didn't touch the existing stuff. That's deliberate - testing/pluto/Makefile contains some older code for generating certificates (admittedly using the host), push-back led to it being disabled. Discussion should be in the archives. Something to revisit later.

Yes, someone with write access to the web-docs should update them to mention this as an option :-)

> Why did you pick east as the one to do the work on?

It's completely arbitrary. The VMs are identical.

Perhaps I noticed that make check UPDATE=1 used east for some things? Perhaps I noticed that east is always used for testing, kvmsh.py was slightly faster? Perhaps I tossed a coin?

The only slightly interesting thing here is that kvmsh.py requires an explicit DOMAIN parameter making my arbitrary choice obvious :-)

> In our wiki page about testing, at least sometimes west is the one we do work on. I don't know why that one was chosen either.
>
> It seems to me that an argument can be made that we make only one of the VMs heavy enough to do all these tasks. On the other hand, maybe making them different is a mistake.

The VMs get built as follows:

- fedorabase gets created with everything on it
- all the tests get cloned from fedorabase
- fedorabase gets deleted

So the short answer is because it works :-)

(Now if only someone could explain why fedorabase gets deleted :-)

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On 24 June 2015 at 12:06, Matt Rogers mrog...@0x83.com wrote:
> In the new certificate tests I made them always launch nic, to use it as the ocsp and crl server available regardless of the vpn status. So I say we can make nic flexible with its configuration, and let that handle cert generation.
>
> I always assumed a tester would generate certs on the host machine (and I just patch the installed pyopenssl files on the host). But I see the value of it running at the start of a test run. Maybe the first test in a run can be a dummy test that runs distcerts on nic.

We need to be careful here and not generate new certificates on each test run. If we do that we get into a situation where it isn't possible to consistently re-run tests.

I've found that having check depend on one of the local cert files and generating everything when it is missing to be simple and robust and one less thing to remember. However, I suspect we're some way off from having that enabled in mainline.

Andrew

PS: Feel free to fix my mysterious can't create cert/ directory problem :-)

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
I don't think it is guaranteed that nic boots and runs the creation script before the other VMs boot. It would add a slowdown if they do.

Sent from my iPhone

On Jun 24, 2015, at 13:06, Matt Rogers mrog...@0x83.com wrote:
> On June 24, 2015 11:34:53 AM EDT, D. Hugh Redelmeier h...@mimosa.com wrote:
>> | From: Andrew Cagney andrew.cag...@gmail.com
>>
>> | This doesn't seem like a reason for retaining the old shell scripts -
>> | they are so far behind that they don't even generate all the required
>> | keys. BTW, best place to run dist_certs.py is on one of the test VMs
>> | (see make kvm-keys), and not on a host. Provided the VM is
>> | relatively recent all the necessary dependencies will have been
>> | installed for you.
>>
>> I take it that you've implemented this a31d60e504dc55214914738007ff62336a7f13aa.
>>
>> Do you have a cheat-sheet of how we should make our old test setups work again? Or maybe they already work. I haven't tried. I'd not waste time experimenting with the test setups.
>>
>> Why did you pick east as the one to do the work on? In our wiki page about testing, at least sometimes west is the one we do work on. I don't know why that one was chosen either.
>>
>> It seems to me that an argument can be made that we make only one of the VMs heavy enough to do all these tasks. On the other hand, maybe making them different is a mistake.
>
> In the new certificate tests I made them always launch nic, to use it as the ocsp and crl server available regardless of the vpn status. So I say we can make nic flexible with its configuration, and let that handle cert generation.
>
> I always assumed a tester would generate certs on the host machine (and I just patch the installed pyopenssl files on the host). But I see the value of it running at the start of a test run. Maybe the first test in a run can be a dummy test that runs distcerts on nic.
>
> Matt

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On Wed, 24 Jun 2015, Andrew Cagney wrote:

>> Why did you pick east as the one to do the work on?
>
> It's completely arbitrary. The VMs are identical.

Note we would need to update the kickstart file for pyOpenSSL and possibly other packages for the guests. I don't really see a good reason to generate those on a guest instead of a host.

We could add a check to see if the timestamp on the testing/x509 directory is newer than the certificate generated, and only then regenerate all certs - all before starting the tests.

> - fedorabase gets created with everything on it
> - all the tests get cloned from fedorabase
> - fedorabase gets deleted
>
> So the short answer is because it works :-)
> (Now if only someone could explain why fedorabase gets deleted :-)

Because it is never ever used for anything anymore once the VMs are created? Each VM has their own base +qcow file. Note this is what slows virtual machines down over time. It's good to regenerate the VMs every 2-3 months.

Paul

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
Fine with me

Sent from my iPhone

On Jun 23, 2015, at 10:54, Andrew Cagney andrew.cag...@gmail.com wrote:
> I'd like to delete the old dist_certs shell script:
>
> - dist_certs.py seems to be working
> - make kvm-keys (assuming your VM is up-to-date) even lets you generate keys when the host isn't Fedora 21.
>
> little point in keeping old code around.
>
> Andrew

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On Tue, 23 Jun 2015, Antony Antony wrote:

> I still have issues to install the patched pyOpenssl RPM on FC20

Can you be more specific? Did you try:

    wget ftp://ftp.nohats.ca/pyOpenSSL/pyOpenSSL-0.14-4.fc21.src.rpm
    rpm -ihv pyOpenSSL-0.14-4.fc21.src.rpm
    rpmbuild -ba ~/rpmbuild/SPECS/pyOpenSSL.spec
    rpm -Uhv ~/rpmbuild/RPMS/noarch/pyOpenSSL-0.14-4.fc20.noarch.rpm

Paul

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
I still have issues to install the patched pyOpenssl RPM on FC20. The patched package is a barrier for me. Of the 3 servers I run, so far I only managed to run distcert.py on one and I copied the generated files to the other two.

-antony

On Tue, Jun 23, 2015 at 12:25:48PM -0300, Paul Wouters wrote:
> Fine with me
>
> Sent from my iPhone
>
> On Jun 23, 2015, at 10:54, Andrew Cagney andrew.cag...@gmail.com wrote:
>> I'd like to delete the old dist_certs shell script:
>>
>> - dist_certs.py seems to be working
>> - make kvm-keys (assuming your VM is up-to-date) even lets you generate keys when the host isn't Fedora 21.
>>
>> little point in keeping old code around.
>>
>> Andrew

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?
On Tue, 23 Jun 2015, Antony Antony wrote:

> [root@blueswan ~]# rpmbuild -ba ~/rpmbuild/SPECS/pyOpenSSL.spec
> error: Failed build dependencies:
>         python-sphinx is needed by pyOpenSSL-0.14-4.fc20.noarch
>         python-cryptography is needed by pyOpenSSL-0.14-4.fc20.noarch
>         python3-devel is needed by pyOpenSSL-0.14-4.fc20.noarch
>         python3-cryptography is needed by pyOpenSSL-0.14-4.fc20.noarch
> [root@blueswan ~]#
>
> No package python-cryptography available.

Hmm, we could grab that and recompile it but it might drag in more new dependencies. At some point it is easier to just re-install your VMs from scratch using f21 or f22 specified in the kvmsetup.sh

Paul