Attn: CI/Jenkins people; Run bhyve instance for testing pf
Nikos Vassiliadis
nvass at gmx.com
Thu Jul 20 16:24:22 UTC 2017
On 07/18/2017 02:55 AM, Panagiotes Mousikides wrote:
> On 2017-07-16 at 21:11, Alan Somers wrote:
>> On Sun, Jul 16, 2017 at 2:44 PM, Panagiotes Mousikides
>> <paggas1 at yandex.com> wrote:
>>> Hello everybody!
>>>
>>> I am working on adding tests to the FreeBSD test suite for testing pf, the
>>> network packet filter.
>>>
>>> These tests need at least two machines running and connected to each other,
>>> with one machine generating network traffic and the other running pf and
>>> filtering the traffic. I am looking for a way to fire off a bhyve instance
>>> to serve as the second machine, the first being the actual machine I am
>>> running the tests on. This should be done completely automatically, with
>>> scripts to configure all network interfaces and to preferably also set up an
>>> SSH server on the bhyve instance.
>>>
>>> This bhyve instance could start off as running the latest stable version of
>>> FreeBSD, or it could be configured to run a snapshot of the development
>>> tree. The aim is to have the desired version of FreeBSD that we want to
>>> test running on it. Ideally this would be done in such a way that we can
>>> reuse the machine for further tests, instead of rebuilding everything from
>>> scratch for each test.
>>>
>>> What I am looking for is the best way to do this, preferably so that it can
>>> be easily integrated into the CI work being done at Jenkins. What do you
>>> think? Any input is welcome!
>>>
>>> All the best,
>>> Panagiotes
>> It's possible to set up CI systems that involve multiple machines
>> networked together. I've done it. But it's complicated, fragile, and
>> slow. I advise you to consider very carefully whether you truly need
>> multiple VMs. What about creating an epair(4)? You could run pf on
>> epair0b and generate traffic from epair0a. That would be faster than
>> spinning up VMs, and would be very easy to integrate into any other CI
>> system. Would that work?
>>
>> -Alan
>>
> Hi Alan!
>
> Thank you for the tip about epair(4), it sounds really like an
> interesting approach to my problem. I will look into it!
>
> Best regards,
> Panagiotes
Hi,
It would be great if you use vnet jails for that. I am not
sure regarding the per-vnet pf functionality but I have seen
many bug fixes hitting the tree since last year. You can ask
on freebsd-virtualization at freebsd.org or freebsd-pf at freebsd.org
to learn more about it.
Pf within a jail should behave more or less like the "normal" one.
Plus you will be testing per-vnet functionality, which the project
needs anyhow, in one go.
Best regards,
Nikos
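
The two suggestions in this thread, an epair(4) pair and a vnet jail running pf, combined into one test harness. This is an added example, not code from any of the posters or from the FreeBSD test suite. The jail name, the RFC 5737 addresses, the rule set and the DRY_RUN switch are assumptions made for illustration, and it presumes a kernel with VIMAGE and working per-vnet pf.

```sh
#!/bin/sh
# Added example, FreeBSD only: run as root on a kernel built with VIMAGE.
# Jail name, addresses (RFC 5737) and rules are assumptions for illustration.
# DRY_RUN=1 (the default) prints the plan; DRY_RUN=0 executes it.
: "${DRY_RUN:=1}"
JAIL=pftest; HOST_IP=192.0.2.1; JAIL_IP=192.0.2.2

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# expect ok|fail <command...>: succeed only if the command's outcome matches.
expect() {
    want=$1; shift
    if [ "$DRY_RUN" = 1 ]; then echo "expect $want: $*"; return 0; fi
    if "$@" >/dev/null 2>&1; then got=ok; else got=fail; fi
    [ "$got" = "$want" ]
}

# Rule set for the jail side; $2=pass additionally lets echo requests in.
pf_rules() {
    echo "block in on $1 all"
    if [ "$2" = pass ]; then echo "pass in on $1 inet proto icmp icmp-type echoreq"; fi
}

# Replace the jail's active rule set with the output of pf_rules.
load_rules() {
    if [ "$DRY_RUN" = 1 ]; then pf_rules "$@" | sed 's/^/pf> /'
    else pf_rules "$@" | jexec "$JAIL" pfctl -f -; fi
}

setup() {
    if [ "$DRY_RUN" = 1 ]; then A=epair0a; else A=$(ifconfig epair create); fi
    B="${A%a}b"                      # ifconfig prints the "a" end of the pair
    run kldload -n pf                # pf must be loaded before the jail uses it
    run jail -c name="$JAIL" persist vnet
    run ifconfig "$B" vnet "$JAIL"   # move the filtered end into the jail
    run ifconfig "$A" inet "$HOST_IP/24" up
    run jexec "$JAIL" ifconfig "$B" inet "$JAIL_IP/24" up
    run jexec "$JAIL" pfctl -e
}

verify() {
    load_rules "$B" pass  && expect ok   ping -c 1 -t 1 "$JAIL_IP" || return 1
    load_rules "$B" block && expect fail ping -c 1 -t 1 "$JAIL_IP"
}

teardown() { run jail -r "$JAIL"; run ifconfig "$A" destroy; }

main() { setup && verify; rc=$?; teardown; return $rc; }
main
```

The host keeps the "a" end and generates traffic while the jail filters on the "b" end, so no second machine or VM is involved and teardown leaves the host as it was.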