From patchwork Thu Jul 4 13:33:36 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3752
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 4 Jul 2024 15:33:36 +0200
Message-ID: <20240704133337.26595-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.44.2
Subject: [Openvpn-devel] [PATCH v5] t_server_null: multiple improvements and fixes

From: Samuli Seppänen

- exit after a timeout if unable to kill servers
- use sudo or equivalent only for server stop/start
- use /bin/sh directly instead of through /usr/bin/env
- simplify sudo call in the sample rc file
- remove misleading and outdated documentation
- make it work on OpenBSD 7.5
- make it work on NetBSD 10.0
- make server logs readable by normal users

Change-Id: I2cce8ad4e0d262e1404ab1eb6ff673d8590b6b3a
Signed-off-by: Samuli Seppänen Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/669 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/doc/t_server_null.rst b/doc/t_server_null.rst index e3a098a..5fe9080 100644 --- a/doc/t_server_null.rst +++ b/doc/t_server_null.rst @@ -43,6 +43,12 @@ * run as root * a privilege escalation tool (sudo, doas, su) and the permission to become root +If you use "doas" you should enable nopass feature in */etc/doas.conf*. For +example to allow users in the *wheel* group to run commands without a password +prompt:: + + permit nopass keepenv :wheel + Technical implementation ------------------------ @@ -73,13 +79,6 @@ * Waits until servers have launched. Then launch all clients, wait for them to exit and then check test results by parsing the client log files. Each client kills itself after some delay using an "--up" script. -Note that "make check" moves on once *t_server_null_client.sh* has exited. At -that point *t_server_null_server.sh* is still running, because it exists only -after waiting a few seconds for more client connections to potentially appear. -This is a feature and not a bug, but means that launching "make check" runs too -quickly might cause test failures or unexpected behavior such as leftover -OpenVPN server processes. - Configuration ------------- diff --git a/tests/t_server_null.rc-sample b/tests/t_server_null.rc-sample index 28c3773..98d7869 100644 --- a/tests/t_server_null.rc-sample +++ b/tests/t_server_null.rc-sample @@ -1,6 +1,5 @@ # Uncomment to run tests with sudo -#SUDO_EXEC=`which sudo` -#RUN_SUDO="${SUDO_EXEC} -E" +#RUN_SUDO="sudo -E" TEST_RUN_LIST="1 2 3 10 11" diff --git a/tests/t_server_null.sh b/tests/t_server_null.sh index 0e53ba4..7627edf 100755 --- a/tests/t_server_null.sh 
+++ b/tests/t_server_null.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh # TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}" @@ -57,12 +57,7 @@ srcdir="${srcdir:-.}" -if [ -z "${RUN_SUDO}" ]; then - "${srcdir}/t_server_null_server.sh" & -else - $RUN_SUDO "${srcdir}/t_server_null_server.sh" & -fi - +"${srcdir}/t_server_null_server.sh" & "${srcdir}/t_server_null_client.sh" retval=$? diff --git a/tests/t_server_null_client.sh b/tests/t_server_null_client.sh index 8890007..e7dd332 100755 --- a/tests/t_server_null_client.sh +++ b/tests/t_server_null_client.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh launch_client() { test_name=$1 @@ -76,19 +76,22 @@ count=0 server_max_wait=15 while [ $count -lt $server_max_wait ]; do - server_pids="" - server_count=$(set|grep 'SERVER_NAME_'|wc -l) + servers_up=0 + server_count=$(echo $TEST_SERVER_LIST|wc -w) # We need to trim single-quotes because some shells return quoted values # and some don't. Using "set -o posix" which would resolve this problem is # not supported in all shells. + # + # While inactive server configurations may get checked they won't increase + # the active server count as the processes won't be running. for i in `set|grep 'SERVER_NAME_'|cut -d "=" -f 2|tr -d "[\']"`; do server_pid=$(cat $i.pid 2> /dev/null) - server_pids="${server_pids} ${server_pid}" + if ps -p $server_pid > /dev/null 2>&1; then + servers_up=$(( $servers_up + 1 )) + fi done - servers_up=$(ps -p $server_pids 2>/dev/null|sed '1d'|wc -l) - echo "OpenVPN test servers up: ${servers_up}/${server_count}" if [ $servers_up -ge $server_count ]; then @@ -101,6 +104,7 @@ if [ $count -eq $server_max_wait ]; then retval=1 + exit $retval fi done diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index 63b6bcd..825bb52 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc 
@@ -24,7 +24,7 @@ MAX_CLIENTS="10" CLIENT_MATCH="Test-Client" SERVER_EXEC="${top_builddir}/src/openvpn/openvpn" -SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet --server 10.29.41.0 255.255.255.0 --max-clients $MAX_CLIENTS --persist-tun --verb 3" +SERVER_BASE_OPTS="--daemon --local 127.0.0.1 --dev tun --topology subnet --max-clients $MAX_CLIENTS --persist-tun --verb 3" SERVER_CIPHER_OPTS="" SERVER_CERT_OPTS="--ca ${CA} --dh ${DH} --cert ${SERVER_CERT} --key ${SERVER_KEY} --tls-auth ${TA} 0" SERVER_CONF_BASE="${SERVER_BASE_OPTS} ${SERVER_CIPHER_OPTS} ${SERVER_CERT_OPTS}" @@ -32,14 +32,16 @@ TEST_SERVER_LIST="1 2" SERVER_NAME_1="t_server_null_server-1194_udp" +SERVER_SERVER_1="--server 10.29.41.0 255.255.255.0" SERVER_MGMT_PORT_1="11194" SERVER_EXEC_1="${SERVER_EXEC}" -SERVER_CONF_1="${SERVER_CONF_BASE} --lport 1194 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_1}" +SERVER_CONF_1="${SERVER_CONF_BASE} ${SERVER_SERVER_1} --lport 1194 --proto udp --management 127.0.0.1 ${SERVER_MGMT_PORT_1}" SERVER_NAME_2="t_server_null_server-1195_tcp" +SERVER_SERVER_2="--server 10.29.42.0 255.255.255.0" SERVER_MGMT_PORT_2="11195" SERVER_EXEC_2="${SERVER_EXEC}" -SERVER_CONF_2="${SERVER_CONF_BASE} --lport 1195 --proto tcp --management 127.0.0.1 ${SERVER_MGMT_PORT_2}" +SERVER_CONF_2="${SERVER_CONF_BASE} ${SERVER_SERVER_2} --lport 1195 --proto tcp --management 127.0.0.1 ${SERVER_MGMT_PORT_2}" # Test client configurations CLIENT_EXEC="${top_builddir}/src/openvpn/openvpn" diff --git a/tests/t_server_null_server.sh b/tests/t_server_null_server.sh index 9bc0c88..e5906ee 100755 --- a/tests/t_server_null_server.sh +++ b/tests/t_server_null_server.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh launch_server() { server_name=$1 
@@ -8,18 +8,28 @@ status="${server_name}.status" pid="${server_name}.pid" - # Ensure that old status, log and pid files are gone - rm -f "${status}" "${log}" "${pid}" - - "${server_exec}" \ - $server_conf \ - --status "${status}" 1 \ - --log "${log}" \ - --writepid "${pid}" \ - --explicit-exit-notify 3 - + if [ -z "${RUN_SUDO}" ]; then + rm -f "${status}" "${log}" "${pid}" + "${server_exec}" \ + $server_conf \ + --status "${status}" 1 \ + --log "${log}" \ + --writepid "${pid}" \ + --explicit-exit-notify 3 + else + $RUN_SUDO rm -f "${status}" "${log}" "${pid}" + $RUN_SUDO "${server_exec}" \ + $server_conf \ + --status "${status}" 1 \ + --log "${log}" \ + --writepid "${pid}" \ + --explicit-exit-notify 3 + fi } +# Make server log files readable by normal users +umask 022 + # Load base/default configuration . "${srcdir}/t_server_null_default.rc" || exit 1 @@ -64,15 +74,30 @@ echo "All clients have disconnected from all servers" +# Make sure that the server processes are truly dead before exiting. If a +# server process does not exit in 15 seconds assume it never will, move on and +# hope for the best. +echo "Waiting for servers to exit" for PID_FILE in $server_pid_files do SERVER_PID=$(cat "${PID_FILE}") - $KILL_EXEC "${SERVER_PID}" - # Make sure that the server processes are truly dead before exiting - while : + if [ -z "${RUN_SUDO}" ]; then + $KILL_EXEC "${SERVER_PID}" + else + $RUN_SUDO $KILL_EXEC "${SERVER_PID}" + fi + + count=0 + maxcount=75 + while [ $count -le $maxcount ] do ps -p "${SERVER_PID}" > /dev/null || break + count=$(( count + 1)) sleep 0.2 done + + if [ $count -ge $maxcount ]; then + echo "WARNING: could not kill server with pid ${SERVER_PID}!" + fi done diff --git a/tests/t_server_null_stress.sh b/tests/t_server_null_stress.sh index 1281397..0bb9452 100755 --- a/tests/t_server_null_stress.sh +++ b/tests/t_server_null_stress.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env sh +#!/bin/sh # # Run this stress test as root to avoid sudo authorization from timing out.
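Review bot: in the doc/t_server_null.rst hunk that adds the doas example, `permit nopass keepenv :wheel` grants every member of wheel passwordless root for any command on the machine, not just for this test, and the paragraph should say so. Either narrow the example to what the test actually runs under `$RUN_SUDO` in t_server_null_server.sh (the server binary, `rm -f` and `$KILL_EXEC`), using doas's `cmd` keyword, or add a sentence that the rule belongs only on a dedicated test host and should be removed afterwards. The text also does not say why `keepenv` is needed; if the launch does not depend on the caller's environment, drop it from the example (and the matching `-E` from the rc-sample).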
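Review bot: the paragraph removed from doc/t_server_null.rst described a real ordering hazard (t_server_null_server.sh keeps running after the client script has returned), and the t_server_null.sh hunk in this same patch still launches the server script with a trailing `&` and does not `wait` for it in the visible lines. If something further down now joins the server script before t_server_null.sh returns, the doc should state that; otherwise replace the paragraph with an accurate one rather than deleting it, since the new "Waiting for servers to exit" loop, at up to 15 seconds, only lengthens the window in which a second `make check` can collide with the first.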
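Review bot: since the documentation hunk now describes doas, tests/t_server_null.rc-sample should show that alternative next to `#RUN_SUDO="sudo -E"`, e.g. `#RUN_SUDO="doas"`, so the two files agree. A comment that `-E` asks sudo to preserve the caller's environment, and that sudo refuses it when the sudoers policy does not grant `setenv`, would save people a confusing failure before openvpn even starts.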
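Review bot: moving the `$RUN_SUDO` decision out of t_server_null.sh and into launch_server is the right least-privilege change (only the openvpn server and its `rm`/`kill` run as root now; the wrapper and the clients stay unprivileged), but the hunk leaves `retval=$?` taken from the client script alone. A server that cannot be killed, the new WARNING path in t_server_null_server.sh, therefore has no effect on the test result; consider having t_server_null.sh `wait` on the backgrounded server script and fold a nonzero exit status into `retval`.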
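Review bot: in the new `for i in ...` loop of t_server_null_client.sh, `server_pid=$(cat $i.pid 2> /dev/null)` is empty while the pid file does not exist yet, and the next line then runs `ps -p` with no argument; that fails with a usage error, which is what the code wants, but it relies on an error path rather than a check. Guard it explicitly: `if [ -n "$server_pid" ] && ps -p "$server_pid" > /dev/null 2>&1; then`. Note also that `ps -p` only proves that some process with that pid exists, so a stale pid file counts as a server that is up; the `rm -f` in launch_server covers the normal path, but the WARNING path in t_server_null_server.sh leaves both the old process and its pid file behind.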
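Review bot: the added `exit $retval` in t_server_null_client.sh correctly turns "servers never came up" into a hard failure instead of launching clients against nothing, but apart from the earlier "OpenVPN test servers up: X/Y" lines it exits without saying which server is missing. Print the SERVER_NAME_* entries that had no live pid (the loop already has `$i` and `$server_pid` in hand) before exiting, so a failing CI run shows which server did not start.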
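Review bot: the split of `--server` into per-server SERVER_SERVER_N variables gives the UDP and TCP servers distinct subnets (10.29.41.0/24 and 10.29.42.0/24) where before both claimed 10.29.41.0/24 on the same host, but neither the rc nor the Configuration section of doc/t_server_null.rst says that SERVER_SERVER_N must be set for every entry in TEST_SERVER_LIST and must not overlap between servers. A server without it is launched from SERVER_CONF_BASE with no `--server` at all, i.e. not in server mode, which is not what the test expects. Add a comment above SERVER_SERVER_1 and a line in the doc.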
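Review bot: the if/else in launch_server duplicates the whole openvpn command line, so any future option change has to be made twice; in POSIX sh an unquoted empty `$RUN_SUDO` expands to nothing, so a single `$RUN_SUDO rm -f "${status}" "${log}" "${pid}"` followed by `$RUN_SUDO "${server_exec}" ...` handles both cases. Two consequences of the sudo path are worth a sentence in the doc: `rm -f` and `--writepid` now run as root, so the status, log and pid files are root-owned, which is why the `umask 022` added below is needed for the client's `cat $i.pid` to work; and with 022 the verb-3 server log and the status file (which lists connected clients, their real addresses and byte counts) are world-readable in the build directory, acceptable on a throwaway test box but not something to leave on a shared machine.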
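Review bot: off-by-one in the exit-wait loop of t_server_null_server.sh: the loop runs while `[ $count -le $maxcount ]`, so a server that is found dead on the very last check (count equal to 75) breaks out with count still 75 and `[ $count -ge $maxcount ]` then prints the WARNING for a server that did exit. Use `-lt` in the loop condition (75 checks at 0.2 s is still the 15 seconds the comment promises) so that count reaches maxcount only when the process is alive. Separately, the script only warns and carries on; a root-owned openvpn still listening on 127.0.0.1:1194 or 1195 makes the next run's servers fail to bind. After the timeout, escalate to `$KILL_EXEC -9 "${SERVER_PID}"` (through `$RUN_SUDO` when set), or at least exit nonzero so that the failure is reported rather than hoped away.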