11845 acquire-spray test could be improved
11857 kmc-update test missing from runfile
   1 #!/usr/bin/ksh
   2 
   3 #
   4 # This file and its contents are supplied under the terms of the
   5 # Common Development and Distribution License ("CDDL"), version 1.0.
   6 # You may only use this file in accordance with the terms of version
   7 # 1.0 of the CDDL.
   8 #
   9 # A full copy of the text of the CDDL should have accompanied this
  10 # source.  A copy of the CDDL is also available via the Internet at
  11 # http://www.illumos.org/license/CDDL.
  12 #
  13 
  14 #
  15 # Copyright (c) 2017 Joyent, Inc.
  16 #
  17 








  18 if [ `id -u` -ne 0 ]; then
  19         echo "Need to be root or have effective UID of root."
  20         exit 255
  21 fi
  22 
  23 if [[ `zonename` != "global" ]]; then
  24         echo "Need to be the in the global zone for lock detection."
  25         exit 254
  26 fi
  27 
  28 # This test sprays many concurrent ACQUIRE messages.  The idea originally
  29 # was to view lock contention on the global netstack's IPsec algorithm lock.
  30 # It is also useful for having multiple ACQUIRE records.
  31 
  32 PREFIX=10.21.12.0/24
  33 MONITOR_LOG=/var/run/ipseckey-monitor.$$
  34 
  35 # The program that sends an extended REGISTER to enable extended ACQUIREs.
  36 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
  37 
  38 $EACQ_PROG &
  39 eapid=$!
  40 
  41 # Find the ipsec_alg_lock to monitor with lockstat (below).
  42 GLOBAL_NETSTACK=`echo ::netstack | mdb -k | grep -w 0 | awk '{print $1}'`
  43 GLOBAL_IPSEC=`echo $GLOBAL_NETSTACK::print netstack_t | mdb -k | grep -w nu_ipsec | awk '{print $3}'`
  44 IPSEC_ALG_LOCK=`echo $GLOBAL_IPSEC::print -a ipsec_stack_t ipsec_alg_lock | mdb -k | head -1 | awk '{print $1}'`
  45 
  46 #echo "WARNING -- this test flushes out IPsec policy..."
  47 #echo "GLOBAL_NETSTACK = $GLOBAL_NETSTACK"
  48 #echo "GLOBAL_IPSEC = $GLOBAL_IPSEC"
  49 #echo "IPSEC_ALG_LOCK = $IPSEC_ALG_LOCK"
  50 
  51 # Tunnels will be preserved by using -f instead of -F.
  52 ipsecconf -qf
  53 
  54 # Simple one-type-of-ESP setup...
  55 echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
  56         ipsecconf -qa -
  57 # ipsecconf -ln
  58 


  59 # Get monitoring PF_KEY for at least regular ACQUIREs.
  60 ipseckey -n monitor > $MONITOR_LOG &
  61 IPSECKEY_PID=$!
  62 
  63 # Flush out the SADB to make damned sure we don't have straggler acquire
  64 # records internally.
  65 ipseckey flush
  66 





  67 # Launch 254 pings to different addresses (each requiring an ACQUIRE).
  68 i=1
  69 while [ $i -le 254 ]; do
  70         truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
  71         i=$(($i + 1))
  72 done
  73 
  74 # Unleash the pings in 10 seconds, Smithers.
  75 ( sleep 10 ; prun `pgrep ping` ) &
  76 
  77 # Get the lockstats going now.
  78 echo "Running:     lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30"
  79 lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30









  80 kill $IPSECKEY_PID
  81 kill $eapid
  82 # Use SMF to restore anything that may have been there.  "restart" on
  83 # a disabled service is a NOP, but an enabled one will get
  84 # /etc/inet/ipsecinit.conf reloaded.
  85 svcadm restart ipsec/policy
  86 
  87 # See if we have decent results.
  88 
  89 numacq=`grep ACQUIRE $MONITOR_LOG | wc -l | awk '{print $1}`
  90 #rm -f $MONITOR_LOG
  91 # Pardon the hardcoding again.
  92 if [[ $numacq != 508 ]]; then
  93     echo "Got $numacq ACQUIREs instead of 508"
  94     exit 1
  95 else
  96     echo "Saw expected $numacq ACQUIREs."
  97 fi
  98 

  99 exit 0
   1 #!/usr/bin/ksh
   2 
   3 #
   4 # This file and its contents are supplied under the terms of the
   5 # Common Development and Distribution License ("CDDL"), version 1.0.
   6 # You may only use this file in accordance with the terms of version
   7 # 1.0 of the CDDL.
   8 #
   9 # A full copy of the text of the CDDL should have accompanied this
  10 # source.  A copy of the CDDL is also available via the Internet at
  11 # http://www.illumos.org/license/CDDL.
  12 #
  13 
  14 #
  15 # Copyright 2019 Joyent, Inc.
  16 #
  17 
  18 #
  19 # This test sprays many concurrent ACQUIRE messages and checks the
  20 # monitor.
  21 #
  22 # Note that it's not run by default, as the monitor is best-efforts and
  23 # therefore not reliable under this kind of load.
  24 #
  25 
  26 if [ `id -u` -ne 0 ]; then
  27         echo "Need to be root or have effective UID of root."
  28         exit 255
  29 fi
  30 
  31 if [[ `zonename` != "global" ]]; then
  32         echo "Need to be the in the global zone for lock detection."
  33         exit 254
  34 fi
  35 




  36 PREFIX=10.21.12.0/24
  37 MONITOR_LOG=/var/tmp/ipseckey-monitor.$$
  38 
  39 # The program that sends an extended REGISTER to enable extended ACQUIREs.
  40 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
  41 
  42 $EACQ_PROG &
  43 eapid=$!
  44 










  45 # Tunnels will be preserved by using -f instead of -F.
  46 ipsecconf -qf
  47 
  48 # Simple one-type-of-ESP setup...
  49 echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
  50         ipsecconf -qa -
  51 # ipsecconf -ln
  52 
  53 echo "Starting monitor, logging to $MONITOR_LOG"
  54 
  55 # Get monitoring PF_KEY for at least regular ACQUIREs.
  56 ipseckey -n monitor > $MONITOR_LOG &
  57 IPSECKEY_PID=$!
  58 
  59 # Flush out the SADB to make damned sure we don't have straggler acquire
  60 # records internally.
  61 ipseckey flush
  62 
  63 # wait for the monitor
  64 sleep 5
  65 
  66 echo "Starting pings"
  67 
  68 # Launch 254 pings to different addresses (each requiring an ACQUIRE).
  69 i=1
  70 while [ $i -le 254 ]; do
  71         truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
  72         i=$(($i + 1))
  73 done
  74 
  75 # Unleash the pings in 10 seconds, Smithers.
  76 ( sleep 10 ; prun `pgrep ping` ) &
  77 
  78 echo "Waiting for pings to finish"
  79 
  80 # wait for the pings; not so charming
  81 while :; do
  82         pids="$(pgrep ping)"
  83         [[ -n "$pids" ]] || break
  84         pwait $pids
  85 done
  86 
  87 # wait for the monitor
  88 sleep 10
  89 
  90 kill $IPSECKEY_PID
  91 kill $eapid
  92 # Use SMF to restore anything that may have been there.  "restart" on
  93 # a disabled service is a NOP, but an enabled one will get
  94 # /etc/inet/ipsecinit.conf reloaded.
  95 svcadm restart ipsec/policy
  96 
  97 # See if we have decent results.
  98 
  99 i=1
 100 while [ $i -le 254 ]; do
 101         c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." $MONITOR_LOG)
 102         if [[ "$c" -ne 2 ]]; then
 103                 echo "One or more log entries missing for 10.21.12.$i" >&2
 104                 exit 1
 105         fi
 106         i=$(($i + 1))
 107 done
 108 
 109 rm -f $MONITOR_LOG
 110 exit 0
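Review bot: New line 37 moves MONITOR_LOG to `/var/tmp/ipseckey-monitor.$$`, a predictable name in a world-writable directory, and line 56 opens it with `>` in a script that has already checked it is running as root. A file or symlink already present at that path would be followed and truncated, so the log should be created atomically instead, e.g. `MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX) || exit 1`, with `"$MONITOR_LOG"` quoted where it is used. The failure path at line 104 also exits before the `rm -f` at line 109; if the log is kept on purpose for debugging, a comment saying so would help, for example `# leave $MONITOR_LOG in place on failure for inspection`.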