Hi Andrew,

On 05/12/2016 05:01 PM, Andrew Cagney wrote:
> Here's a brain dump:
>
> - yes 9p isn't reliable, and it seems to be getting worse; I really
> wonder about eliminating 9p and using copy/rsync/clone instead, this
> might fit better with docker

Well, that would mean introducing some additional networking between guests and hosts, right? I think that might lead to various new problems, for instance you have to ensure that ipsec does not interfere with networking needed for guest->host synchronization.

>
> - f22 also had a nice bug where cloning corrupted the root filesystem
>
> - I've found trying to use more than #cores/2 (1 core for each KVM,
> one for userland 9p?) doesn't seem to make things faster
> Docker could help, however ...
>
> - "half" of each test is spent twiddling thumbs waiting for things to
> timeout, docker won't help with that
>
> - otoh, the other "half" of each test is spent waiting for _Fedora_ to
> boot; given other OSs and linux variants boot in seconds there's
> something going really really wrong
> Deploying docker instances containing rebuilt pluto should be faster
> and more robust? I've found cloning test domains to be really fast,
> but getting the fresh clone to boot to be really slow; Fedora again.
>
> - I'm guessing that, like the current KVM tests, docker doesn't do
> FIPS "correctly" (as in run an entire FIPS stack including the
> kernel); for the KVMs it is a small matter of programming, for docker?
> This might mean keeping both around

There should not be any blocker for running either KVM or Docker suite in FIPS mode actually. With KVM you just need to install VMs with fips=1 on kernel command line and that's it. The systems will run in FIPS mode. With docker containers it is in a sense even easier as you only need to have host system running in FIPS mode and any container based on Fedora/RHEL base images will be running in FIPS (actually you have to install one more package on them - dracut-fips or create /etc/system-fips).

Off-topic - are you running test suite executed in FIPS mode? If not, are you interested in that? There would probably be tons of both true and false positives though. And I am very very doubtful about FIPS in Fedora.
OTOH it might be doable in RHEL...

>
> - Similarly, if we want to test against systems that are not amd64,
> KVM would be needed

You're right. But that can change in the future, lacking support for 32bit is more or less just a plumbing issue (you just need support in registries basically). Is KVM testsuite running in 32-bit environment?

>
> Andrew
> _______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
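
The FIPS prerequisites named in the message above (fips=1 on the kernel command line for KVM guests; a FIPS-mode host plus /etc/system-fips for containers), written as a pre-flight check a test runner could call before a FIPS run. This is an added example, not part of the original message or of the libreswan test suite. /proc/sys/crypto/fips_enabled is the kernel's own FIPS indicator; the state names and the optional ROOT argument are assumptions made for the example.

```sh
#!/bin/sh
# Added example: classify the FIPS state of a guest or container.
# fips_state [ROOT] prints one of:
#   enforced            kernel reports FIPS and /etc/system-fips exists
#   kernel-only         kernel reports FIPS, marker file missing
#                       (container on a FIPS host without the marker)
#   requested-inactive  fips=1 was passed but the kernel does not report FIPS
#   marker-only         marker exists but the kernel is not in FIPS mode
#   off                 none of the above
# ROOT is a hypothetical prefix so the check can run against a constructed tree.

fips_kernel_enabled() {
    # The kernel writes "1" here when it is running in FIPS mode.
    f="$1/proc/sys/crypto/fips_enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

fips_cmdline_requested() {
    # Match fips=1 as a whole word so that e.g. fips=10 does not count.
    [ -r "$1/proc/cmdline" ] || return 1
    case " $(cat "$1/proc/cmdline") " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

fips_marker_present() {
    # The marker file the message says a container needs.
    [ -e "$1/etc/system-fips" ]
}

fips_state() {
    root="${1:-}"
    if fips_kernel_enabled "$root"; then
        if fips_marker_present "$root"; then
            echo enforced
        else
            echo kernel-only
        fi
    elif fips_cmdline_requested "$root"; then
        echo requested-inactive
    elif fips_marker_present "$root"; then
        echo marker-only
    else
        echo off
    fi
}
```

Called with no argument inside a guest or container, fips_state reads the live /proc and /etc; a runner would refuse to start a FIPS test run on anything other than "enforced".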
