Configure and start Sable in guest VMs

2023-09-09 17:33:05 +02:00 · 2023-09-09 17:33:05 +02:00 · 776d4a425f
parent fbe2cd6951
commit 776d4a425f
6 changed files with 218 additions and 11 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,8 +3,9 @@ pom.xml
 pom.xml.asc
 *.jar
 *.class
-/lib/
 /classes/
+/lib/
+/resources/
 /store/
 /target/
 /checkouts/
--- a/README.md
+++ b/README.md
@ -1,2 +1,13 @@
-# jable
+# jable (jepsen sable)

+Test suite for [Sable](https://github.com/Libera-Chat/sable)'s networking layer
+using the [Jepsen](https://github.com/jepsen-io/jepsen/) framework.
+
+How to run:
+
+1. Compile Sable somewhere on your system
+2. setup VMs [suitable for Jepsen](https://github.com/jepsen-io/jepsen#vms-real-hardware-etc)
+3. `git clone https://git.tf/val/jable/ && cd jable`
+4. generate test TLS certs in `resources/`: `./gen_conf.sh`
+5. Run tests: `lein run test --sable-bin /home/dev-sable/sable/target/debug/`
+```
--- a/gen_conf.sh
+++ b/gen_conf.sh
@ -0,0 +1,47 @@
+mkdir -p resources/config/ resources/useless_openssl_data/
+
+cat > resources/openssl.cnf <<EOF
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+[ CA_default ]
+new_certs_dir = resources/useless_openssl_data/
+database = resources/useless_openssl_data/db
+policy = policy_anything
+serial = resources/useless_openssl_data/serial
+
+[ policy_anything ]
+countryName		        = optional
+stateOrProvinceName	    = optional
+localityName		    = optional
+organizationName	    = optional
+organizationalUnitName	= optional
+commonName		        = supplied
+emailAddress		    = optional
+EOF
+
+touch resources/useless_openssl_data/db
+echo 01 > resources/useless_openssl_data/serial
+
+# Generate CA
+openssl req -x509 -nodes -newkey rsa:2048 -batch \
+    -outform PEM -out resources/config/ca_cert.pem \
+    -keyout resources/ca_cert.key
+
+for server in $*; do
+    openssl genrsa -traditional \
+        -out resources/config/server_$server.key \
+        2048
+    openssl req -nodes -batch \
+        -in resources/config/server_$server.key \
+        -outform PEM -out resources/server_$server.req
+    openssl ca -config resources/openssl.cnf -days 3650 -md sha512 -batch \
+        -subj /CN=$server \
+        -keyfile resources/ca_cert.key -cert resources/config/ca_cert.pem \
+        -in resources/server_$server.req \
+        -out resources/config/server_$server.pem
+    openssl x509 -sha1 -in resources/config/server_$server.pem -fingerprint -noout \
+        | sed "s/.*=//" | sed "s/://g" | tr '[:upper:]' '[:lower:]' > resources/server_$server.pem.sha1
+done
+
+rm -r resources/useless_openssl_data/
--- a/project.clj
+++ b/project.clj
@ -4,6 +4,7 @@
  :license {:name "AGPL-3.0-only"
            :url "https://www.gnu.org/licenses/agpl-3.0.txt"}
  :dependencies [[org.clojure/clojure "1.11.1"]
+                 [org.clojure/data.json "2.4.0"]
                 [jepsen "0.3.3"]]
  :repl-options {:init-ns jable.core}
  :main jable.cli)
--- a/src/jable/cli.clj
+++ b/src/jable/cli.clj
@ -25,7 +25,7 @@
         opts
         {:name "etcd"
          :os   debian/os
-          :db   (db/sable (:sable-bin opts))
+          :db   (db/sable (:sable-bin opts) (:nodes opts))
          :pure-generators true}))

 (def cli-opts
--- a/src/jable/db.clj
+++ b/src/jable/db.clj
@ -13,6 +13,7 @@

 (ns jable.db
  (:require [clojure.tools.logging :refer :all]
+            [clojure.data.json :as json]
            [clojure.string :as str]
            [jepsen [control :as c]
                    [db :as db]]
@ -21,19 +22,165 @@
            [jepsen.control.scp :as scp]
            [jepsen.os.debian :as debian]))

+(def sable_binaries ["auth_client" "listener_process" "sable_ircd"])
+
+(defn fingerprint
+  [node]
+  (slurp (str "resources/server_" node ".pem.sha1")))
+
+(defn network_conf
+  [nodes]
+  {
+    :fanout 1
+    :ca_file "/usr/local/etc/sable/ca_cert.pem"
+
+    :peers (map (fn [node] {:name node
+                            :address (str node ":6668")
+                            :fingerprint (fingerprint node)})
+                nodes)})
+
+(def network_config_json
+  {
+    :opers [
+      {
+        :name "operuser",
+        ; echo -n "operpassword" | openssl passwd -6 -stdin
+        :hash "$6$z5yA.OfGliDoi/R2$BgSsguS6bxAsPSCygDisgDw5JZuo5.88eU3Hyc7/4OaNpeKIxWGjOggeHzOl0xLiZg1vfwxXjOTFN14wG5vNI."
+      }
+    ],
+
+    :alias_users [
+      {
+        :nick "ChanServ",
+        :user "ChanServ",
+        :host "services.",
+        :realname "Channel services compatibility layer",
+        :command_alias "CS"
+      },
+      {
+        :nick "NickServ",
+        :user "NickServ",
+        :host "services.",
+        :realname "Account services compatibility layer",
+        :command_alias "NS"
+      }
+    ],
+
+    :default_roles {
+      "builtin:op" [
+        "always_send",
+        "op_self", "op_grant", "voice_self", "voice_grant",
+        "receive_op", "receive_voice", "receive_opmod",
+        "topic", "kick", "set_simple_mode", "set_key",
+        "ban_view", "ban_add", "ban_remove_any",
+        "quiet_view", "quiet_add", "quiet_remove_any",
+        "exempt_view", "exempt_add", "exempt_remove_any",
+        "invite_self", "invite_other",
+        "invex_view", "invex_add", "invex_remove_any"
+      ],
+      "builtin:voice" [
+        "always_send",
+        "voice_self",
+        "receive_voice",
+        "ban_view", "quiet_view"
+      ],
+      :builtin:all [
+          "ban_view", "quiet_view"
+      ]
+    },
+
+    :debug_mode true
+  })
+
+
+(defn server_conf
+  [nodes node]
+  {
+    :server_id (.indexOf nodes node),
+    :server_name node,
+    :management {
+      :address "[::]:8888",
+      :client_ca "/usr/local/etc/sable/ca_cert.pem",
+      :authorised_fingerprints [],
+    },
+    :server {
+      :listeners [
+        { :address "[::]:6667" }
+      ]
+    },
+    :event_log {
+      :event_expiry 3600  ; an hour
+    },
+    :tls_config {
+      :key_file (str "/usr/local/etc/sable/server_" node ".key"),
+      :cert_file (str "/usr/local/etc/sable/server_" node ".pem"),
+    },
+    :node_config {
+      :listen_addr "[::]:6668",
+      :cert_file (str "/usr/local/etc/sable/server_" node ".pem"),
+      :key_file (str "/usr/local/etc/sable/server_" node ".key"),
+    },
+    :log {
+      :dir (str "/var/log/"),
+      :module-levels {
+        "sable" "trace"
+      },
+      :targets [
+        {
+          :target {:filename "sable.ircd.log"},
+          :level "trace",
+          :modules [ "sable" "audit" "client_listener" ],
+        },
+      ],
+    }
+  })
+
+(defn configure_node
+  [nodes node]
+  (c/exec "echo" (json/write-str (network_conf nodes)) :> "/etc/sable/network.conf")
+  (c/exec "echo" (json/write-str network_config_json) :> "/etc/sable/network_config.json")
+  (c/exec "echo" (json/write-str (server_conf nodes node)) :> "/etc/sable/server.conf"))
+
+(def logfile "/var/log/sable_ircd.stdout")
+(def pidfile "/var/run/sable_ircd.pid")
+
 (defn sable
  "Sable IRCd install from binaries in a local directory."
-  [sable_bin_path]
+  [sable_bin_path nodes]
  (reify db/DB
    (setup! [_ test node]
-      (info node "installing Sable from" sable_bin_path)
-      (c/exec "rm" "-rf" "/tmp/sable_upload")
-      (c/exec "mkdir" "/tmp/sable_upload")
-      (let [remote_bin_path (c/upload (map (fn [file] (str sable_bin_path file))
-                                           ["auth_client" "listener_process" "sable_ircd"])
+      (c/exec "rm" "-rf" "/etc/sable" "/tmp/sable_upload" "/usr/local/etc/sable")
+      (c/exec "mkdir" "/tmp/sable_upload" "/etc/sable")
+      (info node "configuring Sable")
+      (let [remote_tmp_path (c/upload "resources/config"
                                      "/tmp/sable_upload")]
        (c/su
-          (c/exec* "cp" (str remote_bin_path "/*") "/usr/local/bin"))))
+          (c/exec* "mv" (str remote_tmp_path "/*") "/usr/local/etc/sable/")))
+      (c/su (configure_node nodes node))
+      (info node "installing Sable from" sable_bin_path)
+      (let [remote_tmp_path (c/upload (map (fn [file] (str sable_bin_path file))
+                                           sable_binaries)
+                                      "/tmp/sable_upload")]
+        (c/su
+          (c/exec* "mv" (str remote_tmp_path "/*") "/usr/local/bin/")))
+      (info node "starting Sable")
+      (c/su
+        (cu/start-daemon!
+            {:logfile logfile
+             :pidfile pidfile
+             :chdir "/usr/local/bin/"}
+            "sable_ircd"
+            "--foreground"
+            "--server-conf" "/etc/sable/server.conf"
+            "--network-conf" "/etc/sable/network.conf"
+            "--bootstrap-network" "/etc/sable/network_config.json"))
+      (Thread/sleep 1000))

    (teardown! [_ test node]
-      (info node "tearing down Sable"))))
+      (info node "tearing down Sable")
+      (cu/stop-daemon! "sable_ircd" pidfile)
+      ;(c/exec "rm" "-f"
+      ;        (map (fn [file] (str sable_bin_path file)) sable_binaries)
+      ;        (map (fn [file] (str "/usr/local/bin/" file)) sable_binaries))
+      ;(c/exec "rm" "-rf" "/tmp/sable_upload" "/usr/local/etc/sable" "/etc/sable")
+      )))