Merge branch 'testing-buster'

Use Debian buster as base image for the testing environment.
2020-09-03 15:53:14 +02:00 · 2020-09-03 15:53:14 +02:00 · 565f022b5a
parent e96f58568e 210c1e2628
commit 565f022b5a
22 changed files with 3078 additions and 14 deletions
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@ -598,6 +598,12 @@ INSERT INTO products (      /* 100 */
 'Debian 9.7 x86_64'
 );

+INSERT INTO products (      /* 101 */
+  name
+) VALUES (
+ 'Debian 10.5 x86_64'
+);
+
 /* Directories */

 INSERT INTO directories (		/*  1 */
@ -1312,6 +1318,12 @@ INSERT INTO groups_product_defaults (
  5, 100
 );

+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 101
+);
+
 INSERT INTO groups_product_defaults (
  group_id, product_id
 ) VALUES (
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@ -595,6 +595,8 @@ static char *whitelist[] = {
 	"RAND_DRBG_get0_master",
 	"RAND_DRBG_get0_private",
 	"RAND_DRBG_get0_public",
+	/* We get this via libcurl and OpenSSL 1.1.1 */
+	"CRYPTO_get_ex_new_index",
 	/* OpenSSL libssl */
 	"SSL_COMP_get_compression_methods",
 	/* NSPR */
@ -622,6 +624,7 @@ static char *whitelist[] = {
 	"system__tasking__initialize",
 	"system__tasking__initialization__abort_defer",
 	"system__tasking__stages__create_task",
+	"system__task_primitives__operations__register_foreign_thread__2",
 	/* in case external threads call into our code */
 	"thread_current_id",
 	/* FHH IMCs and IMVs */
--- a/testing/config/kernel/config-5.4
+++ b/testing/config/kernel/config-5.4
@ -1660,7 +1660,12 @@ CONFIG_DEVKMEM=y
 CONFIG_HVC_DRIVER=y
 CONFIG_VIRTIO_CONSOLE=y
 # CONFIG_IPMI_HANDLER is not set
-# CONFIG_HW_RANDOM is not set
+CONFIG_HW_RANDOM=y
+# CONFIG_HW_RANDOM_TIMERIOMEM is not set
+CONFIG_HW_RANDOM_INTEL=y
+CONFIG_HW_RANDOM_AMD=y
+# CONFIG_HW_RANDOM_VIA is not set
+CONFIG_HW_RANDOM_VIRTIO=y
 # CONFIG_NVRAM is not set
 # CONFIG_APPLICOM is not set
 # CONFIG_MWAVE is not set
--- a/testing/config/kernel/config-5.5
+++ b/testing/config/kernel/config-5.5
@ -1627,7 +1627,12 @@ CONFIG_DEVKMEM=y
 CONFIG_HVC_DRIVER=y
 CONFIG_VIRTIO_CONSOLE=y
 # CONFIG_IPMI_HANDLER is not set
-# CONFIG_HW_RANDOM is not set
+CONFIG_HW_RANDOM=y
+# CONFIG_HW_RANDOM_TIMERIOMEM is not set
+CONFIG_HW_RANDOM_INTEL=y
+CONFIG_HW_RANDOM_AMD=y
+# CONFIG_HW_RANDOM_VIA is not set
+CONFIG_HW_RANDOM_VIRTIO=y
 # CONFIG_NVRAM is not set
 # CONFIG_APPLICOM is not set
 # CONFIG_MWAVE is not set
--- a/testing/config/kernel/config-5.7
+++ b/testing/config/kernel/config-5.7
@ -1641,7 +1641,12 @@ CONFIG_HVC_DRIVER=y
 # CONFIG_SERIAL_DEV_BUS is not set
 CONFIG_VIRTIO_CONSOLE=y
 # CONFIG_IPMI_HANDLER is not set
-# CONFIG_HW_RANDOM is not set
+CONFIG_HW_RANDOM=y
+# CONFIG_HW_RANDOM_TIMERIOMEM is not set
+CONFIG_HW_RANDOM_INTEL=y
+CONFIG_HW_RANDOM_AMD=y
+# CONFIG_HW_RANDOM_VIA is not set
+CONFIG_HW_RANDOM_VIRTIO=y
 # CONFIG_APPLICOM is not set
 # CONFIG_MWAVE is not set
 CONFIG_DEVMEM=y
--- a/testing/config/kernel/config-5.8
+++ b/testing/config/kernel/config-5.8
--- a/testing/config/kvm/alice.xml
+++ b/testing/config/kvm/alice.xml
@ -68,5 +68,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/config/kvm/bob.xml
+++ b/testing/config/kvm/bob.xml
@ -61,5 +61,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/config/kvm/carol.xml
+++ b/testing/config/kvm/carol.xml
@ -61,5 +61,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/config/kvm/dave.xml
+++ b/testing/config/kvm/dave.xml
@ -61,5 +61,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/config/kvm/moon.xml
+++ b/testing/config/kvm/moon.xml
@ -73,5 +73,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/config/kvm/sun.xml
+++ b/testing/config/kvm/sun.xml
@ -73,5 +73,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/config/kvm/winnetou.xml
+++ b/testing/config/kvm/winnetou.xml
@ -66,5 +66,8 @@
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+    </rng>
  </devices>
 </domain>
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@ -3,7 +3,6 @@ Protocol 2
 Ciphers aes128-gcm@openssh.com
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
-UsePrivilegeSeparation no
 PermitRootLogin yes
 StrictModes no
 PubkeyAuthentication no
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@ -15,8 +15,8 @@ check_commands debootstrap mkfs.ext3 partprobe qemu-img qemu-nbd sfdisk
 INC=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales
 INC=$INC,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool
 INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
-INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,liblog4cxx10-dev
-INC=$INC,libboost-thread-dev,libboost-system-dev,git-core,iperf,htop
+INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,wget,gnupg,man-db
+INC=$INC,libboost-thread-dev,libboost-system-dev,git,iperf,htop,valgrind,strace
 INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev
 INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev
 INC=$INC,python,python-setuptools,python-dev,python-pip,apt-transport-https
@ -31,8 +31,13 @@ stretch)
 	INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev
 	INC=$INC,libalog2-dev
 	;;
+buster)
+	INC=$INC,libahven7-dev,libxmlada-schema8-dev,libgmpada8-dev
+	INC=$INC,libalog4-dev,dbus-user-session
+	;;
 *)
 	echo_warn "Package list for '$BASEIMGSUITE' might has to be updated"
+	;;
 esac
 SERVICES="apache2 dbus isc-dhcp-server slapd bind9 freeradius"
 INC=$INC,${SERVICES// /,}
@ -130,5 +135,14 @@ do
 	execute_chroot "systemctl disable $service"
 done

+case "$BASEIMGSUITE" in
+buster)
+	log_action "Switching from iptables-nft to iptables-legacy"
+	execute_chroot "update-alternatives --set iptables /usr/sbin/iptables-legacy" 0
+	execute_chroot "update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy" 0
+	log_status 0
+	;;
+esac
+
 log_action "Disabling root password"
 execute_chroot "passwd -d root"
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@ -154,7 +154,7 @@ for host in $IPSECHOSTS
 do
 	eval HOSTLOGIN=root@\$ipv4_${host}
 	ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
-			kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
+			pkill -SIGHUP rsyslogd' > /dev/null 2>&1
 done


@ -166,5 +166,5 @@ for host in $RADIUSHOSTS
 do
 	eval HOSTLOGIN=root@\$ipv4_${host}
 	ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/daemon.log /var/log/freeradius/radius.log; \
-			kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
+			pkill -SIGHUP rsyslogd' > /dev/null 2>&1
 done
--- a/testing/scripts/recipes/007_x509-ada.mk
+++ b/testing/scripts/recipes/007_x509-ada.mk
@ -2,7 +2,7 @@

 PKG = x509-ada
 SRC = http://git.codelabs.ch/git/$(PKG).git
-REV = caeea59c945945afd7dc092b37c85a9fef73a395
+REV = v0.1.2

 PREFIX = /usr/local/ada

--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@ -106,7 +106,7 @@ CONFIG_OPTS = \
 	--enable-systemd \
 	--enable-counters \
 	--enable-save-keys \
-	--enable-python-eggs-install
+	--enable-python-eggs

 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat

@ -126,6 +126,7 @@ build: configure
 	cd $(BUILDDIR) && make -j $(NUM_CPUS)

 install: build
-	cd $(BUILDDIR) && make -j install
+	cd $(BUILDDIR) && make -j install && \
+		cd $(DIR)/src/libcharon/plugins/vici/python && python setup.py install
 	# for Python-based updown scripts
 	pip install python-daemon
--- a/testing/scripts/recipes/015_strongTNC.mk
+++ b/testing/scripts/recipes/015_strongTNC.mk
@ -15,7 +15,7 @@ $(PKG)-master: $(ZIP)

 $(DEPS): $(PKG)-master
 	mkdir -p $(DEPS)
-	pip install --download $(DEPS) -r $(PKG)-master/requirements.txt
+	pip download -d $(DEPS) -r $(PKG)-master/requirements.txt

 install: $(DEPS)
 	pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(PKG)-master/requirements.txt
--- a/testing/testing.conf
+++ b/testing/testing.conf
@ -48,8 +48,8 @@ fi

 # Base image settings
 # The base image is a pristine OS installation created using debootstrap.
-: ${BASEIMGSIZE=1800}
-: ${BASEIMGSUITE=stretch}
+: ${BASEIMGSIZE=2500}
+: ${BASEIMGSUITE=buster}
 : ${BASEIMGARCH=amd64}
 : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
 : ${BASEIMGMIRROR=http://http.debian.net/debian}
--- a/testing/tests/route-based/net2net-xfrmi-ike/evaltest.dat
+++ b/testing/tests/route-based/net2net-xfrmi-ike/evaltest.dat
@ -1,3 +1,4 @@
+sun::cat /var/log/daemon.log::charon-updown.*connected to charon-systemd::YES
 moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.1.0.10/32] remote-ts=\[10.2.0.0/16].*local-ts=\[10.1.0.20/32] remote-ts=\[10.2.0.0/16]::YES
 sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.10/32].*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.20/32]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
--- a/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py
+++ b/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py
@ -6,6 +6,7 @@ import daemon
 import logging
 from logging.handlers import SysLogHandler
 import subprocess
+import resource


 logger = logging.getLogger('updownLogger')
@ -54,6 +55,13 @@ def install_routes(ike_sa):
        subprocess.call(["ip", "route", "add", ts, "dev", ifname_out])


+# the hard limit (second number) is the value used by python-daemon when closing
+# potentially open file descriptors while daemonizing.  since the default is
+# 524288 on newer systems, this can take quite a while, and due to how this
+# range of FDs is handled internally (as set) it can even trigger the OOM killer
+resource.setrlimit(resource.RLIMIT_NOFILE, (256, 256))
+
+
 # daemonize and run parallel to the IKE daemon
 with daemon.DaemonContext():
    logger.debug("starting Python updown listener")