Thread: [MASSMAIL]SSL tests
Hi Buildfarm owners,
It's been noted on the -hackers mailing list that most buildfarm animals are not performing SSL tests even if they are building with SSL. That's a sad gap in our test coverage.
The sample configuration file has this in the build_env section:

# run extra TAP tests if listed here
# These are the ones omitted without the setting
# on a secure single user system it makes sense to enable these
# PG_TEST_EXTRA => "ssl ldap kerberos",
In general, unless your animal is running on a multi-user system, enabling these tests should be safe, which you could do by uncommenting the last line above or inserting it into your config file if not present.
Please consider doing so for your animal(s), as we'd like to get increased coverage of all these tests, but especially of the SSL tests.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
Hello,

> Hi Buildfarm owners,
> It's been noted on the -hackers mailing list that most buildfarm
> animals are not performing SSL tests even if they are building with
> SSL. That's a sad gap in our test coverage.
>
> The sample configuration file has this in the build_env section
>
> # run extra TAP tests if listed here
> # These are the ones omitted without the setting
> # on a secure single user system it makes sense to enable these
> # PG_TEST_EXTRA => "ssl ldap kerberos",

I enabled this on my animal "mule", but I'm not sure how to check if the additional tests were actually run or not.

Regards,

--
Gaël Le Mignot - gael@pilotsystems.net
Pilot Systems - 9 rue Anatole De La Forge - 75017 Paris
Tel : +33 1 44 53 05 55 - www.pilot-systems.net
Discover our 100% managed private cloud offer - www.pilotsystems.net/cloud/
Gael Le Mignot:
> > # run extra TAP tests if listed here
> > # These are the ones omitted without the setting
> > # on a secure single user system it makes sense to enable these
> > # PG_TEST_EXTRA => "ssl ldap kerberos",
>
> I enabled this on my animal "mule", but I'm not sure how to check if the
> additional tests were actually run or not.

You can see that the PG_TEST_EXTRA variable is set in your build_env now:
https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=mule&dt=2024-04-04%2010%3A10%3A14

However, the test doesn't run yet, I think. You'll need to add --enable-tap-tests in config options to begin with.

Best,
Wolfgang
On 2024-04-04 Th 06:49, Gael Le Mignot wrote:
> Hello,
>
> > Hi Buildfarm owners,
> > It's been noted on the -hackers mailing list that most buildfarm
> > animals are not performing SSL tests even if they are building with
> > SSL. That's a sad gap in our test coverage.
> >
> > The sample configuration file has this in the build_env section
> >
> > # run extra TAP tests if listed here
> > # These are the ones omitted without the setting
> > # on a secure single user system it makes sense to enable these
> > # PG_TEST_EXTRA => "ssl ldap kerberos",
>
> I enabled this on my animal "mule", but I'm not sure how to check if the
> additional tests were actually run or not.

I see this, which indicates the tests ran:
<https://buildfarm.postgresql.org/cgi-bin/show_stage_log.pl?nm=mule&dt=2024-04-04%2011%3A49%3A20&stg=ssl-check>

(You do seem to be having issues with ldap and kerberos checks, though)

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
Hi Andrew,

> On 2024-04-04 Th 06:49, Gael Le Mignot wrote:
>> Hello,
>>
>> > Hi Buildfarm owners,
>> > It's been noted on the -hackers mailing list that most buildfarm
>> > animals are not performing SSL tests even if they are building with
>> > SSL. That's a sad gap in our test coverage.
>> >
>> > The sample configuration file has this in the build_env section
>> >
>> > # run extra TAP tests if listed here
>> > # These are the ones omitted without the setting
>> > # on a secure single user system it makes sense to enable these
>> > # PG_TEST_EXTRA => "ssl ldap kerberos",
>>
>> I enabled this on my animal "mule", but I'm not sure how to check if the
>> additional tests were actually run or not.
>
> I see this, which indicates the tests ran:
> <https://buildfarm.postgresql.org/cgi-bin/show_stage_log.pl?nm=mule&dt=2024-04-04%2011%3A49%3A20&stg=ssl-check>
>
> (You do seem to be having issues with ldap and kerberos checks, though)

Yes, I was missing the binaries (slapd and kdb5_util); I had the libraries and headers installed, but not the binaries.

It seems to be fixed for LDAP, and I'm re-running it for Kerberos.

Regards,

--
Gaël Le Mignot - gael@pilotsystems.net
Pilot Systems - 9 rue Anatole De La Forge - 75017 Paris
Tel : +33 1 44 53 05 55 - www.pilot-systems.net
Discover our 100% managed private cloud offer - www.pilotsystems.net/cloud/
Andrew Dunstan <andrew@dunslane.net> writes:

Hi Andres,

> In general, unless your animal is running on a multi-user system,
> enabling these tests should be safe, which you could do by
> uncommenting the last line above or inserting it into your config file
> if not present.

Could you elaborate a bit on this? My animal is indeed running as a Container on a multi-user system. Is it "just" extremely CPU intensive, or are there other aspects?

Thanks,
Olaf

--
Olaf Bohlen - olbohlen@eenfach.de
> Could you elaborate a bit on this? My animal is indeed running as a
> Container on a multi-user system. Is it "just" extremely CPU intensive,
> or are there other aspects?

The docs [1] have more about this. For the three tests "ssl ldap kerberos" the point is that they open TCP/IP listen sockets (and may need more dependencies). This should be fine in a container.
Best,
Wolfgang
[1]: https://www.postgresql.org/docs/current/regress-run.html#REGRESS-ADDITIONAL
On 2024-04-04 Th 09:59, Olaf Bohlen wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
>
> Hi Andres,
>
>> In general, unless your animal is running on a multi-user system,
>> enabling these tests should be safe, which you could do by
>> uncommenting the last line above or inserting it into your config file
>> if not present.
>
> Could you elaborate a bit on this? My animal is indeed running as
> a Container on a multi-user system. Is it "just" extremely CPU
> intensive, or are there other aspects?

No, it's more a security issue. We have to run the server for SSL tests with TCP enabled, meaning other users on the localhost can connect to it. If untrusted users in your multi-user environment can connect to a socket in your container, then you probably should not turn this on.

cheers

andrew

--
Andrew Dunstan
EDB: https://www.enterprisedb.com
Andrew Dunstan <andrew@dunslane.net> writes:

Dear Andrew and Wolfgang,

> No, it's more a security issue. We have to run the server for SSL
> tests with TCP enabled, meaning other users on the localhost can
> connect to it. If untrusted users in your multi-user environment can
> connect to a socket in your container, then you probably should not
> turn this on.

Thanks for the clarification, I'll turn on the checks then!

Best Regards,
Olaf

--
Olaf Bohlen - olbohlen@eenfach.de
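A preflight script that pulls together the points raised in this thread (PG_TEST_EXTRA in build_env, --enable-tap-tests in config_opts, the slapd and kdb5_util binaries Gael found missing, and Andrew's note that the SSL test server listens on TCP). It is an added example, not part of the thread or of the buildfarm client; it assumes the Perl config syntax quoted above and takes a passwd-format file as input for the multi-user check.

```shell
#!/bin/sh
# Added example, not buildfarm client code. Assumes the config syntax from
# the thread: PG_TEST_EXTRA => "ssl ldap kerberos", in build_env and
# '--enable-tap-tests' in config_opts.
# Print the PG_TEST_EXTRA value; empty if the line is absent or commented out.
pg_test_extra_value() {
    grep -E '^[[:space:]]*PG_TEST_EXTRA[[:space:]]*=>' "$1" |
        sed -E 's/.*=>[[:space:]]*"([^"]*)".*/\1/' | head -n 1
}
# Succeed when --enable-tap-tests appears on an uncommented line.
tap_tests_enabled() {
    grep -E '^[^#]*--enable-tap-tests' "$1" >/dev/null
}
# Helper binary each extra test needs (the ones that were missing on "mule").
required_binary() {
    case "$1" in
        ldap)     echo slapd ;;
        kerberos) echo kdb5_util ;;
        *)        echo "" ;;
    esac
}
# Count login-capable accounts other than ME and root in a passwd-format file:
# the ssl tests start a server listening on TCP that such accounts could reach.
other_login_users() {
    awk -F: -v me="$1" '$7 !~ /(nologin|false)$/ && $1 != me && $1 != "root"' "$2" | wc -l | tr -d ' '
}
# Full preflight for CONF, using PASSWD for the user check; prints findings
# and returns the number of problems found (0 means ready to enable).
preflight() {
    conf=$1; passwd=$2; problems=0
    extra=$(pg_test_extra_value "$conf")
    if [ -z "$extra" ]; then
        echo "PG_TEST_EXTRA not set: extra TAP tests will not run"; return 1
    fi
    tap_tests_enabled "$conf" || { echo "config_opts lacks --enable-tap-tests: TAP tests will not run"; problems=$((problems + 1)); }
    for t in $extra; do
        bin=$(required_binary "$t")
        if [ -n "$bin" ] && ! command -v "$bin" >/dev/null 2>&1; then
            echo "$t: $bin not in PATH (libraries and headers alone are not enough)"; problems=$((problems + 1))
        fi
    done
    case " $extra " in *" ssl "*)
        n=$(other_login_users "$(id -un)" "$passwd")
        if [ "$n" -gt 0 ]; then echo "ssl: $n other login-capable users could connect to the TCP test server"; problems=$((problems + 1)); fi ;;
    esac
    return "$problems"
}
```

Run it as `preflight /path/to/build-farm.conf /etc/passwd` on the animal's host; a non-zero return means at least one of the thread's prerequisites is missing or the TCP exposure concern applies.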