11845 acquire-spray test could be improved
11857 kmc-update test missing from runfile

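--- a/usr/src/test/os-tests/tests/pf_key/acquire-spray.sh
+++ b/usr/src/test/os-tests/tests/pf_key/acquire-spray.sh
@@ -5,95 +5,106 @@
 # Common Development and Distribution License ("CDDL"), version 1.0.
 # You may only use this file in accordance with the terms of version
 # 1.0 of the CDDL.
 #
 # A full copy of the text of the CDDL should have accompanied this
 # source.  A copy of the CDDL is also available via the Internet at
 # http://www.illumos.org/license/CDDL.
 #
 
 #
-# Copyright (c) 2017 Joyent, Inc.
+# Copyright 2019 Joyent, Inc.
 #
 
+#
+# This test sprays many concurrent ACQUIRE messages and checks the
+# monitor.
+#
+# Note that it's not run by default, as the monitor is best-efforts and
+# therefore not reliable under this kind of load.
+#
+
 if [ `id -u` -ne 0 ]; then
         echo "Need to be root or have effective UID of root."
         exit 255
 fi
 
 if [[ `zonename` != "global" ]]; then
         echo "Need to be the in the global zone for lock detection."
         exit 254
 fi
 
-# This test sprays many concurrent ACQUIRE messages.  The idea originally
-# was to view lock contention on the global netstack's IPsec algorithm lock.
-# It is also useful for having multiple ACQUIRE records.
-
 PREFIX=10.21.12.0/24
-MONITOR_LOG=/var/run/ipseckey-monitor.$$
+MONITOR_LOG=/var/tmp/ipseckey-monitor.$$
 
 # The program that sends an extended REGISTER to enable extended ACQUIREs.
 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
 
 $EACQ_PROG &
 eapid=$!
 
-# Find the ipsec_alg_lock to monitor with lockstat (below).
-GLOBAL_NETSTACK=`echo ::netstack | mdb -k | grep -w 0 | awk '{print $1}'`
-GLOBAL_IPSEC=`echo $GLOBAL_NETSTACK::print netstack_t | mdb -k | grep -w nu_ipsec | awk '{print $3}'`
-IPSEC_ALG_LOCK=`echo $GLOBAL_IPSEC::print -a ipsec_stack_t ipsec_alg_lock | mdb -k | head -1 | awk '{print $1}'`
-
-#echo "WARNING -- this test flushes out IPsec policy..."
-#echo "GLOBAL_NETSTACK = $GLOBAL_NETSTACK"
-#echo "GLOBAL_IPSEC = $GLOBAL_IPSEC"
-#echo "IPSEC_ALG_LOCK = $IPSEC_ALG_LOCK"
-
 # Tunnels will be preserved by using -f instead of -F.
 ipsecconf -qf
 
 # Simple one-type-of-ESP setup...
 echo "{ raddr $PREFIX } ipsec { encr_algs aes encr_auth_algs sha512 }" | \
         ipsecconf -qa -
 # ipsecconf -ln
 
+echo "Starting monitor, logging to $MONITOR_LOG"
+
 # Get monitoring PF_KEY for at least regular ACQUIREs.
 ipseckey -n monitor > $MONITOR_LOG &
 IPSECKEY_PID=$!
 
 # Flush out the SADB to make damned sure we don't have straggler acquire
 # records internally.
 ipseckey flush
 
+# wait for the monitor
+sleep 5
+
+echo "Starting pings"
+
 # Launch 254 pings to different addresses (each requiring an ACQUIRE).
 i=1
 while [ $i -le 254 ]; do
         truss -Topen -o /dev/null ping -svn 10.21.12.$i 1024 1 2>&1 > /dev/null &
         i=$(($i + 1))
 done
 
 # Unleash the pings in 10 seconds, Smithers.
 ( sleep 10 ; prun `pgrep ping` ) &
 
-# Get the lockstats going now.
-echo "Running:     lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30"
-lockstat -A -l 0x$IPSEC_ALG_LOCK,8 sleep 30
+echo "Waiting for pings to finish"
+
+# wait for the pings; not so charming
+while :; do
+        pids="$(pgrep ping)"
+        [[ -n "$pids" ]] || break
+        pwait $pids
+done
+
+# wait for the monitor
+sleep 10
+
 kill $IPSECKEY_PID
 kill $eapid
 # Use SMF to restore anything that may have been there.  "restart" on
 # a disabled service is a NOP, but an enabled one will get
 # /etc/inet/ipsecinit.conf reloaded.
 svcadm restart ipsec/policy
 
 # See if we have decent results.
 
-numacq=`grep ACQUIRE $MONITOR_LOG | wc -l | awk '{print $1}`
-#rm -f $MONITOR_LOG
-# Pardon the hardcoding again.
-if [[ $numacq != 508 ]]; then
-    echo "Got $numacq ACQUIREs instead of 508"
-    exit 1
-else
-    echo "Saw expected $numacq ACQUIREs."
-fi
+i=1
+while [ $i -le 254 ]; do
+        c=$(grep -c "^DST: AF_INET: port 0, 10\.21\.12\.$i\." $MONITOR_LOG)
+        if [[ "$c" -ne 2 ]]; then
+                echo "One or more log entries missing for 10.21.12.$i" >&2
+                exit 1
+        fi
+        i=$(($i + 1))
+done
 
+rm -f $MONITOR_LOG
 exit 0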
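Review bot: The new `MONITOR_LOG=/var/tmp/ipseckey-monitor.$$` puts a predictable, PID-derived file name in a world-writable directory, and this script runs as root and opens it with a plain `>` redirect at `ipseckey -n monitor > $MONITOR_LOG`, which follows a pre-existing symlink. The previous location under /var/run was presumably not writable by unprivileged users, so the move introduces the exposure. Creating the file with mktemp closes it: `MONITOR_LOG=$(mktemp /var/tmp/ipseckey-monitor.XXXXXX) || exit 1`. Separately, the added wait loop calls `pgrep ping` without restricting the match, so any unrelated process whose name matches "ping" would be waited on as well and could keep the test from finishing.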
    