t_server: Make anchor_vm work#4
Conversation
- Configure two clients, one at 10.204.4.200, one at 10.207.4.207. This replaces the fbsd-11 and fbsd-74 clients in Gert's setup.
- We put them into separate network namespaces on the anchor VM since otherwise they would interfere with each other.
- For now we just use Rocky's default openvpn (2.5 version). It is good enough and we avoid having to rebuild yet another openvpn executable.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Master is now 2.8 and we will want release/2.7 tests when we set up version-specific tests.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

Due to how dante binds to interfaces it is very likely to fail during bootup. So just try again later.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

2048 is being deprecated by standards, so increase size. We really should have some EC certificates in here as well, but I will leave that for another time.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

No reason to have it take longer than necessary.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

While here generally avoid duplicating passwords from users.txt. Make the dependency explicit.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

We set all of them explicitly in t_client.sh.wrapper.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

Otherwise I get "cp: cannot create regular file '/home/rocky/bin/openvpn': Text file busy"

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

7x2 currently depends on this. Add a note to t_client.rc to that effect as well.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

openvpn is set before, so this never has any effect.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>

This is already mounted read-write. So use it to store the t_client logs. Before they got stored inside the container and deleted after the run ended.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Pull request overview
This PR updates the t_server OpenTofu-based test environment to make the anchor VM functional again by introducing per-anchor OpenVPN client instances (with network namespaces), updating PKI artifacts, and adjusting client execution/build behavior.
Changes:
- Add two anchor identities (anchor-200, anchor-207) and a new test client (client-28) to the PKI/configuration and distribute their certs/keys to the relevant VMs.
- Introduce a systemd-managed netns setup + OpenVPN client service override so multiple anchor OpenVPN clients can run concurrently in separate network namespaces.
- Update t_client execution (podman wrapper workdir, simplified remote invocation) and OpenVPN build flags/versions (PKCS#11 enabled, OpenVPN 2.7 release build, parallel builds).
Reviewed changes
Copilot reviewed 30 out of 32 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| t_server/tofu/openvpn_test_env/tserver_rocky_9_amd64.tf | Distributes additional client certs/keys to the main tserver VM for fingerprint/config generation. |
| t_server/tofu/openvpn_test_env/tserver_client.tf | Adds client-28 cert/key and makes client-master symlink point to client-28. |
| t_server/tofu/openvpn_test_env/tserver_anchor.tf | Switches anchor provisioning to anchor-200 and anchor-207 cert/key pairs. |
| t_server/tofu/openvpn_test_env/main.tf | Extends PKI clients list to include anchor-200/207 and client-28. |
| t_server/tofu/modules/tserver_user_data/provision/t_client.sh.wrapper | Ensures podman runs in the correct workdir for the selected t_client tree. |
| t_server/tofu/modules/tserver_user_data/provision/setup-netns@.service | Adds a systemd template unit to create per-instance network namespaces. |
| t_server/tofu/modules/tserver_user_data/provision/setup-netns.sh | Implements netns + veth + NAT setup used by the new systemd unit. |
| t_server/tofu/modules/tserver_user_data/provision/podman/create-openvpn-executable.sh | Enables PKCS#11 when building OpenVPN in containers. |
| t_server/tofu/modules/tserver_user_data/provision/podman/Containerfile.ubuntu-24.04 | Builds OpenVPN 2.7 from release/2.7 instead of master for the “27” slot. |
| t_server/tofu/modules/tserver_user_data/provision/deployment-config.sh | Points OpenVPN client config dir to /etc/openvpn/client and uses the private tserver hostname for anchor remote. |
| t_server/tofu/modules/tserver_user_data/provision/91-distribute-keys.sh | Fixes a comment typo (missing parenthesis). |
| t_server/tofu/modules/tserver_user_data/provision/55-prepare_t_client.sh | Copies client VM assets following symlinks, expands versions loop, and derives auth files from users.txt. |
| t_server/tofu/modules/tserver_user_data/provision/28-setup-test-dependencies.sh | Updates fingerprint generation list to include client-28. |
| t_server/tofu/modules/tserver_user_data/provision/27-generate-openvpn-configs.sh | Generates per-anchor OpenVPN client configs, installs keys into /etc/openvpn/client, and enables/restarts services. |
| t_server/tofu/modules/tserver_user_data/provision/25-build-openvpn.sh | Uses parallel make for OpenVPN build on VM. |
| t_server/tofu/modules/tserver_user_data/provision/10-prepare_t_server.sh | Stops creating $OPENVPN_ETCDIR during server prep (dir now system-managed). |
| t_server/tofu/modules/tserver_user_data/main.tf | Installs netns tooling + systemd overrides via cloud-init and installs openvpn on anchor VM. |
| t_server/tofu/modules/openvpn-test-pki/main.tf | Uses 4096-bit RSA keys for CA/server/client TLS keys. |
| t_server/original/t_server/tap-udp-p2mp/ccd/tserver-client-28 | Adds CCD entry for the new client-28. |
| t_server/original/t_server/tap-udp-p2mp/ccd/tserver-anchor-207 | Updates CCD cipher directive to data-ciphers. |
| t_server/original/t_server/tap-udp-p2mp/ccd/tserver-anchor-200 | Adds CCD entry for anchor-200. |
| t_server/original/t_server/tap-udp-p2mp/ccd/freebsd-13-amd64 | Removes obsolete CCD entry. |
| t_server/original/t_server/tap-udp-p2mp/ccd/cron2-win10 | Removes obsolete CCD entry. |
| t_server/original/t_server/tap-udp-p2mp/ccd/cron2-freebsd-tc-amd64-24 | Removes obsolete CCD entry. |
| t_server/original/t_server/tap-udp-p2mp/ccd/cron2-freebsd-tc-amd64-23 | Removes obsolete CCD entry. |
| t_server/original/t_server/tap-udp-p2mp/ccd/cron2-freebsd-tc-amd64 | Removes obsolete CCD entry. |
| t_server/original/t_server.sh | Speeds up builds, adjusts restart ordering, and actively waits for anchor clients to reconnect. |
| t_server/original/run_t_clients.sh | Simplifies remote execution of t_client runs to use the wrapper directly. |
| t_server/original/client_vm/t_client.master/t_client.rc | Enables anchor-dependent tests and documents PKCS#11 requirement for the too-long username test. |
| t_server/original/client_vm/bin/t_client.sh | Removes branch-specific openvpn binary selection (now provided via wrapper env). |
| t_server/original/anchor_vm/openvpn.conf | Makes anchor config template generic (placeholder remote, generic cert/key names, data-ciphers, tap device). |
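As an added illustration of the per-instance netns + veth + NAT setup the review table describes for setup-netns@.service (this is example code, not the PR's own setup-netns.sh), the script below takes the systemd instance name, builds the commands idempotently, and executes them only when invoked with arguments. The veth naming, the 10.250.<index>.0/30 transfer networks and the uplink interface name are assumptions.

```shell
#!/bin/sh
# Hypothetical per-instance network namespace setup for an OpenVPN client.
# Usage (as root): setup-netns-example.sh <instance> [<index>] [<uplink>]
#   e.g. setup-netns-example.sh anchor-200 1 eth0
set -eu

# Transfer network prefix for instance <index> (assumed numbering scheme).
netns_subnet() {
    printf '10.250.%s' "$1"
}

# Emit the idempotent commands for one instance instead of running them,
# so they can be reviewed, logged or dry-run before execution.
netns_cmds() {
    inst=$1; idx=$2; uplink=$3
    host_if="v-${inst}"            # host-side veth name (kept under 15 chars)
    net=$(netns_subnet "$idx")
    cat <<EOF
ip netns add ${inst} 2>/dev/null || true
ip link show ${host_if} >/dev/null 2>&1 || ip link add ${host_if} type veth peer name eth0 netns ${inst}
ip addr replace ${net}.1/30 dev ${host_if}
ip link set ${host_if} up
ip -n ${inst} addr replace ${net}.2/30 dev eth0
ip -n ${inst} link set lo up
ip -n ${inst} link set eth0 up
ip -n ${inst} route replace default via ${net}.1
sysctl -q -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s ${net}.0/30 -o ${uplink} -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s ${net}.0/30 -o ${uplink} -j MASQUERADE
EOF
}

# Only execute when an instance name is given (e.g. from ExecStart with %i);
# sourcing the file for inspection runs nothing privileged.
if [ "$#" -ge 1 ]; then
    netns_cmds "$1" "${2:-1}" "${3:-eth0}" | sh -e
fi
```

The OpenVPN client unit for that instance can then be pinned to the namespace, for example with a drop-in setting NetworkNamespacePath=/run/netns/<instance> (an assumed override, not the PR's).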
setup-netns@.service:

```ini
[Unit]
Description=Set up netns config for OpenVPN client %i

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=bash -c "/var/lib/provision/setup-netns.sh %i"

[Install]
WantedBy=multi-user.target
```
This is just wrong. Systemd documentation says:

> For each command, the first argument must be either an absolute path to an executable or a simple file name without any slashes. If the command is not a full (absolute) path, it will be resolved to a full path using a fixed search path determined at compilation time.
Identified by Github Copilot.

Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>