Re: [Qemu-block] [Qemu-devel] [PATCH 6/6] tests: exercise NBD server in TLS mode

[Daniel P . Berrangé]

On Sat, Nov 17, 2018 at 03:31:34PM -0600, Eric Blake wrote:
> On 11/16/18 11:20 AM, Eric Blake wrote:
> > On 11/16/18 9:53 AM, Daniel P. Berrangé wrote:
> > > Add tests that validate it is possible to connect to an NBD server
> > > running TLS mode. Also test mis-matched TLS vs non-TLS connections
> > > correctly fail.
> > > ---
> 
> > > +== check TLS client to plain server fails ==
> > > +option negotiation failed: read failed: Unexpected end-of-file
> > > before all bytes were read
> > 
> > Annoying message; I wonder if we can clean that up. But not this patch's
> > problem.
> > 
> 
> Actually, I tracked this message down to using socat (which actually
> connects and then abruptly exits) when probing whether the socket is up and
> listening.  That is, the message is being produced as a side effect of
> nbd_server_wait_for_tcp_socket rather than during the actual $QEMU_IMG
> command we are interested in testing.
> 
> 
> > >   nbd_pid_file="${TEST_DIR}/qemu-nbd.pid"
> > >   function nbd_server_stop()
> > > @@ -62,3 +63,49 @@ function nbd_server_start_unix_socket()
> > >       $QEMU_NBD -v -t -k "$nbd_unix_socket" $@ &
> > >       nbd_server_wait_for_unix_socket $!
> > >   }
> > > +
> > > +function nbd_server_set_tcp_port()
> > > +{
> > > +    for port in `seq 10809 10909`
> > > +    do
> > > +    socat TCP:$nbd_tcp_addr:$port STDIO < /dev/null 1>/dev/null 2>&1
> > 
> > This is the first use of socat in iotests.  Might not be the most
> > portable, but I don't know if I have better ideas.
> > nbdkit.git/tests/test-ip.sh greps the output of 'ss -ltn' to locate free
> > ports, but I don't know if ss is any better than socat.
> 
> So, I'm planning to squash this in, to use ss instead of socat, as follows:

Personally I prefer socat since it is more portable, per my previous
message.

> diff --git i/tests/qemu-iotests/233.out w/tests/qemu-iotests/233.out
> index eaa410c2703..eb4077f9fd7 100644
> --- i/tests/qemu-iotests/233.out
> +++ w/tests/qemu-iotests/233.out
> @@ -11,12 +11,10 @@ Generating a signed certificate...
>  Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864
> 
>  == check TLS client to plain server fails ==
> -option negotiation failed: read failed: Unexpected end-of-file before all
> bytes were read
>  qemu-img: Could not open
> 'driver=nbd,host=127.0.0.1,port=10809,tls-creds=tls0': Denied by server for
> option 5 (starttls)
>  server reported: TLS not configured
> 
>  == check plain client to TLS server fails ==
> -option negotiation failed: read failed: Unexpected end-of-file before all
> bytes were read
>  qemu-img: Could not open 'nbd://localhost:10809': TLS negotiation required
> before option 8 (structured reply)
>  server reported: Option 0x8 not permitted before TLS
>  write failed (error message): Unable to write to socket: Broken pipe
> 
> 
> Also, you have to sanitize 233.out to change 10809 into PORT, so the test
> can still pass when it picked a different port.

Opps, yes.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|