11845 acquire-spray test could be improved
11857 kmc-update test missing from runfile
        
*** 10,22 ****
  # source.  A copy of the CDDL is also available via the Internet at
  # http://www.illumos.org/license/CDDL.
  #
  
  #
! # Copyright (c) 2017 Joyent, Inc.
  #
  
  if [ `id -u` -ne 0 ]; then
          echo "Need to be root or have effective UID of root."
          exit 255
  fi
  
--- 10,30 ----
  # source.  A copy of the CDDL is also available via the Internet at
  # http://www.illumos.org/license/CDDL.
  #
  
  #
! # Copyright 2019 Joyent, Inc.
  #
  
+ #
+ # This test sprays many concurrent ACQUIRE messages and checks the
+ # monitor.
+ #
+ # Note that it's not run by default, as the monitor is best-efforts and
+ # therefore not reliable under this kind of load.
+ #
+ 
  if [ `id -u` -ne 0 ]; then
          echo "Need to be root or have effective UID of root."
          exit 255
  fi
  
*** 23,71 ****
  if [[ `zonename` != "global" ]]; then
          echo "Need to be the in the global zone for lock detection."
          exit 254
  fi
  
- # This test sprays many concurrent ACQUIRE messages.  The idea originally
- # was to view lock contention on the global netstack's IPsec algorithm lock.
- # It is also useful for having multiple ACQUIRE records.
- 
  PREFIX=10.21.12.0/24
! MONITOR_LOG=/var/run/ipseckey-monitor.$$
  
  # The program that sends an extended REGISTER to enable extended ACQUIREs.
  EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
  
  $EACQ_PROG &
  eapid=$!
  
- # Find the ipsec_alg_lock to monitor with lockstat (below).
- GLOBAL_NETSTACK=`echo ::netstack | mdb -k | grep -w 0 | awk '{print $1}'`
- GLOBAL_IPSEC=`echo $GLOBAL_NETSTACK::print netstack_t | mdb -k | grep -w nu_ipsec | awk '{print $3}'`
- IPSEC_ALG_LOCK=`echo $GLOBAL_IPSEC::print -a ipsec_stack_t ipsec_alg_lock | mdb -k | head -1 | awk '{print $1}'`
- 
- #echo "WARNING -- this test flushes out IPsec policy..."
- #echo "GLOBAL_NETSTACK = $GLOBAL_NETSTACK"
- #echo "GLOBAL_IPSEC = $GLOBAL_IPSEC"
- #echo "IPSEC_ALG_LOCK = $IPSEC_ALG_LOCK"
- 
  # Tunnels will be preserved by using -f instead of -F.
  ipsecconf -qf
  
  # Simple one-type-of-ESP setup...
  echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
          ipsecconf -qa -
  # ipsecconf -ln
  
  # Get monitoring PF_KEY for at least regular ACQUIREs.
  ipseckey -n monitor > $MONITOR_LOG &
  IPSECKEY_PID=$!
  
  # Flush out the SADB to make damned sure we don't have straggler acquire
  # records internally.
  ipseckey flush
  
  # Launch 254 pings to different addresses (each requiring an ACQUIRE).
  i=1
  while [ $i -le 254 ]; do
          truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
          i=$(($i + 1))
--- 31,72 ----
  if [[ `zonename` != "global" ]]; then
          echo "Need to be the in the global zone for lock detection."
          exit 254
  fi
  
  PREFIX=10.21.12.0/24
! MONITOR_LOG=/var/tmp/ipseckey-monitor.$$
  
  # The program that sends an extended REGISTER to enable extended ACQUIREs.
  EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
  
  $EACQ_PROG &
  eapid=$!
  
  # Tunnels will be preserved by using -f instead of -F.
  ipsecconf -qf
  
  # Simple one-type-of-ESP setup...
  echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
          ipsecconf -qa -
  # ipsecconf -ln
  
+ echo "Starting monitor, logging to $MONITOR_LOG"
+ 
  # Get monitoring PF_KEY for at least regular ACQUIREs.
  ipseckey -n monitor > $MONITOR_LOG &
  IPSECKEY_PID=$!
  
  # Flush out the SADB to make damned sure we don't have straggler acquire
  # records internally.
  ipseckey flush
  
+ # wait for the monitor
+ sleep 5
+ 
+ echo "Starting pings"
+ 
  # Launch 254 pings to different addresses (each requiring an ACQUIRE).
  i=1
  while [ $i -le 254 ]; do
          truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
          i=$(($i + 1))
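Review bot: The new `MONITOR_LOG=/var/tmp/ipseckey-monitor.$$` puts a PID-derived, predictable name in a world-writable directory, and this script runs as root and opens the file with a plain `>` redirect, which follows a symlink that already exists at that path. The previous /var/run location is normally writable only by root, so the move exposes the log path to other local users. Creating the file with mktemp avoids this: `MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX) || exit 1`, with `"$MONITOR_LOG"` quoted where it is used. The ping loop at the end of this hunk continues outside it.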
*** 72,99 ****
  done
  
  # Unleash the pings in 10 seconds, Smithers.
  ( sleep 10 ; prun `pgrep ping` ) &
  
! # Get the lockstats going now.
! echo "Running:     lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30"
! lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30
  kill $IPSECKEY_PID
  kill $eapid
  # Use SMF to restore anything that may have been there.  "restart" on
  # a disabled service is a NOP, but an enabled one will get
  # /etc/inet/ipsecinit.conf reloaded.
  svcadm restart ipsec/policy
  
  # See if we have decent results.
  
! numacq=`grep ACQUIRE $MONITOR_LOG | wc -l | awk '{print $1}`
! #rm -f $MONITOR_LOG
! # Pardon the hardcoding again.
! if [[ $numacq != 508 ]]; then
!     echo "Got $numacq ACQUIREs instead of 508"
      exit 1
! else
!     echo "Saw expected $numacq ACQUIREs."
! fi
  
  exit 0
--- 73,110 ----
  done
  
  # Unleash the pings in 10 seconds, Smithers.
  ( sleep 10 ; prun `pgrep ping` ) &
  
! echo "Waiting for pings to finish"
! 
! # wait for the pings; not so charming
! while :; do
!         pids="$(pgrep ping)"
!         [[ -n "$pids" ]] || break
!         pwait $pids
! done
! 
! # wait for the monitor
! sleep 10
! 
  kill $IPSECKEY_PID
  kill $eapid
  # Use SMF to restore anything that may have been there.  "restart" on
  # a disabled service is a NOP, but an enabled one will get
  # /etc/inet/ipsecinit.conf reloaded.
  svcadm restart ipsec/policy
  
  # See if we have decent results.
  
! i=1
! while [ $i -le 254 ]; do
!         c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." $MONITOR_LOG)
!         if [[ "$c" -ne 2 ]]; then
!                 echo "One or more log entries missing for 10.21.12.$i" >&2
                  exit 1
!         fi
!         i=$(($i + 1))
! done
  
+ rm -f $MONITOR_LOG
  exit 0
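Review bot: The wait loop's `pids="$(pgrep ping)"` matches every process on the system whose name contains "ping", not only the 254 started by this test, so an unrelated long-running match keeps this root script in the loop indefinitely. While it waits, the test policy loaded earlier in the script is still in place, because `svcadm restart ipsec/policy` runs only after the loop. An exact match, `pids="$(pgrep -x ping)"`, narrows this, and a bounded number of iterations would guarantee the policy restore is reached; the `prun` line above the loop uses the same unanchored pattern. Separately, the `exit 1` path in the check loop skips `rm -f $MONITOR_LOG`, which deserves a comment if the log is kept on purpose for debugging.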