Discussion:
Add jail execution environment support to the FreeBSD test suite
(too old to reply)
i***@pm.me
2024-02-22 20:57:54 UTC
Permalink
Hi FreeBSD developers,

There is a proposal to improve the FreeBSD test suite.


1 The Problem

The FreeBSD test suite is based on the Kyua framework. The latter supports
running tests in parallel. However, some tests cannot be run in parallel and
are marked with is_exclusive="true" metadata, which makes Kyua run such tests
in sequence.

Many tests are not meant to be exclusive conceptually, they are so for very
simple technical reasons. For instance, some network related tests are based
on jail and vnet usage. It's convenient for such tests and it provides a lot
of isolation already not to conflict with other tests. But they are still
marked as exclusive due to the shared space of jail names, routing, etc.

The project seeks more tests, and it's kind of a trend for new tests like
jail/vnet based ones to be created as is_exclusive="true" from the very
beginning. It only piles up the suite with exclusive tests, e.g. new tests
from my side faced a fair question from a reviewer whether they could be
re-designed for a parallel run. [1]

If such tests were 100% isolated they would be able to run in parallel and
decrease the test time for CI runs and for the runs within the development
process.

And the problem is that trying to add more isolation by a test itself looks to
be a doable task from a glance, but it would add a lot of complexity to a test
code, or could be found as an impossible task in a specific case.


2 The Idea

The idea is not new. A test could be running in a jail -- it provides the
required isolation with minimum or zero effort from a test.


3 The Implementation

There is a lot of work done already and the working patch passed the initial
review (thanks to markj@ and ngie@). [2]

It adds a new concept to the Kyua framework -- an execution environment. Two
new metadata were added for that: execenv and execenv_jail.

execenv is a switch to select an environment. If a test's metadata defines
execenv="jail" then Kyua will create a temporary jail, run such test within
it, and remove the jail. If execenv="host" is provided or execenv metadata is
undefined then Kyua will run such test as it does today.

execenv_jail metadata takes effect only in case of execenv="jail". It allows a
test to request specific parameters for its jail. These parameters are simply
arguments to jail(8), e.g. execenv_jail="vnet allow.raw_sockets".


4 The Adoption

ATF based tests can easily define this new metadata via Kyuafile or directly,
e.g. for atf-sh based tests:

test_head()
{
atf_set descr "Test foo in case of bar"
atf_set require.user root
atf_set execenv jail
atf_set execenv.jail vnet allow.raw_sockets
}

Non-ATF based ones will do it via Kyuafile. Our test suite does it through a
Makefile:

TEST_METADATA+= execenv="jail"
TEST_METADATA+= execenv_jail="vnet allow.raw_sockets"

The patch got some little evolution, I started with a single execenv_jail
metadata, and during the patch discussion and review, I ended up with two
knobs: execenv and execenv_jail. It turned out to be a cleaner and less tricky
interface such way. The evolution reasoning can be found in the history of the
respective Differential. [2]


5 MFC Concerns

For now, I see at least one issue from the usual project workflow perspective.
Let's imagine that the Kyua framework got this execenv feature committed to
15-CURRENT, we started to convert existing tests and create new ones to use
execenv="jail". If some feature or a bug fix needs to be ported back to
14-STABLE or 13-STABLE, then "old" Kyua without execenv feature will fail to
run such tests:

kyua: E: Load of 'Kyuafile' failed: Failed to load Lua file 'Kyuafile': Kyuafile:9: Unknown metadata property execenv.

From a combinatorics perspective, the first three options pop up to deal with
that:
a) Patch Kyua the same way for the supported STABLE branches so it will be
able to run back ported tests based on execenv="jail" (it's not system ABI
change after all)
b) Exclusively patch Kyua framework for the supported STABLE branches to
simply skip such tests (does not look to provide much benefit)
c) Do not back port tests, only the fix/feature itself (kind of a bad idea)


6 The Demo

My test environment showed promising run time numbers for almost the whole
test suite (ZFS excluded). One of the tests yielded 36 min with test
parallelism improvement versus 1 h 25 min without. In my case with 8 cores,
the suite runs about 2 times faster with the improvement. [3]


7 Action Points

My current vision of the plan looks as follows:
- [ ] community: Review, testing, comments -- probably we want to change the
design
- [ ] committers: Help with the main commit -- it should hit freebsd/kyua
GitHub fork first [4], then vendor branch, and merge to
main after
- [ ] igoro: Provide the subsequent PRs to separate FreeBSD specifics and fix
existing Kyua tests
- [ ] igoro: Provide the PRs to add brand new tests of Kyua itself to cover
the new feature
- [ ] igoro: Provide the respective documentation updates
- [ ] igoro: Migrate some of the existing tests for the start, e.g. netpfil/pf
- [ ] committers: Help with review and respective commits/merges

The plan is not strict, it depends on the discussion and interest of
volunteers.

I hope that this proposal is found valuable for the project. If so, any help
is appreciated.


[1] New tests exclusivity concern: https://reviews.freebsd.org/D42314
[2] The Kyua patch: https://reviews.freebsd.org/D42350
[3] The whole test suite demo: https://reviews.freebsd.org/D42410
[4] The respective PR to the fork: https://github.com/freebsd/kyua/pull/224


Best regards, Igor.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Paul Floyd
2024-02-23 08:30:13 UTC
Permalink
Post by i***@pm.me
Hi FreeBSD developers,
There is a proposal to improve the FreeBSD test suite.
I hope that this proposal is found valuable for the project. If so, any help
is appreciated.
Hi

Will there be an option to turn this off globally?

I sometimes run test suits with Valgrind. I'm not aware of any option to
do that cleanly so I just do it with brute force: run kyua and all
children under Valgrind.

valgrind --trace-children=yes -q kyua test -k Kyuafile

Adding jails into the mix is likely to give worse results. I did try
using an x86 jail as an alternative to VirtualBox but I gave up as I got
too many test failures.

A+
Paul


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Paul Floyd
2024-02-23 17:57:12 UTC
Permalink
Post by Igor Ostapenko
Post by Paul Floyd
Will there be an option to turn this off globally?
I sometimes run test suits with Valgrind. I'm not aware of any option to
do that cleanly so I just do it with brute force: run kyua and all
children under Valgrind.
valgrind --trace-children=yes -q kyua test -k Kyuafile
Adding jails into the mix is likely to give worse results. I did try
using an x86 jail as an alternative to VirtualBox but I gave up as I got
too many test failures.
Thanks for your attention and mention of your use case.
valgrind --trace-children=yes -q kyua -v execenv=host test -k Kyuafile
Sounds good, but I'd need to test in order to make sure. I don't run
that kind of test very often.
Post by Igor Ostapenko
Does it look like something that would cover your production needs?
It's not to test FreeBSD for prod, it's to test Valgrind is working with
all those tests (any FreeBSD errors picked up are a bonus).

A+
Paul


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Igor Ostapenko
2024-02-26 16:25:45 UTC
Permalink
Post by Paul Floyd
Post by Igor Ostapenko
Post by Paul Floyd
Will there be an option to turn this off globally?
I sometimes run test suits with Valgrind. I'm not aware of any option to
do that cleanly so I just do it with brute force: run kyua and all
children under Valgrind.
valgrind --trace-children=yes -q kyua test -k Kyuafile
Adding jails into the mix is likely to give worse results. I did try
using an x86 jail as an alternative to VirtualBox but I gave up as I got
too many test failures.
Thanks for your attention and mention of your use case.
valgrind --trace-children=yes -q kyua -v execenv=host test -k Kyuafile
Sounds good, but I'd need to test in order to make sure. I don't run
that kind of test very often.
Post by Igor Ostapenko
Does it look like something that would cover your production needs?
It's not to test FreeBSD for prod, it's to test Valgrind is working with
all those tests (any FreeBSD errors picked up are a bonus).
Paul, it would be appreciated if you have time to test the patch. The general
test plan is covered here: https://reviews.freebsd.org/D42350, but specifically
for your case the following extra check could be run in addition:

valgrind --trace-children=yes -q kyua -v execenv=host test -k /usr/tests/sys/netpfil/pf/Kyuafile

It should report that pass_block:* tests are skipped due to the given
"-v execenv=host" runtime configuration.

I hope current implementation meets your expectations.


Best regards, Igor.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Olivier Cochard-Labbé
2024-02-23 09:41:49 UTC
Permalink
Post by i***@pm.me
There is a proposal to improve the FreeBSD test suite.
Thanks a lot for working on improving the parallel tests!

At work, we are using:
1. a Nanobsd based, so a lot of WITHOUT_ : WITHOUT_JAIL, WITHOUT_PF, no
VNET (a nightmare to debug network stack with it), etc.;
2. The standard full test suite (about 8200 tests) is reduced to about 7400
tests with this lighter nanobsd;
3. We have been using kyua parallelism=8 for years, and I had to skip only
about 10-20 tests that were not compliant with parallel mode.

It toke about 23 minutes to run them (in a bhyve VM):

Test cases: 7429 total, 905 skipped, 29 expected failures, 1 broken, 4
failed
Start time: 2024-02-21T00:15:42.527291Z
End time: 2024-02-21T00:38:57.036211Z

Because we were using WITHOUT_JAIL, to improve the time spent, one of my
ideas was to divide the tests into groups of 4 or 8 and run as many bhyve
VMs in parallel.
I assumed that by running regression tests in a jail, I was testing the
jail system as much as the test object (and for our use case, I don’t care
about the jail because we are not using it).
So using the bhyve VM I had the feeling the tests were more confined.

Now if WITH_JAIL becomes mandatory to be able to run the test, I will just
have to modify my build system (like by adding a WITHOUT_JAIL just at
installworld time and not during buildworld).

Regards,
Olivier
Igor Ostapenko
2024-02-23 15:34:00 UTC
Permalink
Post by Olivier Cochard-Labbé
Thanks a lot for working on improving the parallel tests!
1. a Nanobsd based, so a lot of WITHOUT_ : WITHOUT_JAIL, WITHOUT_PF, no VNET (a nightmare to debug network stack with it), etc.;
2. The standard full test suite (about 8200 tests) is reduced to about 7400 tests with this lighter nanobsd;
3. We have been using kyua parallelism=8 for years, and I had to skip only about 10-20 tests that were not compliant with parallel mode.
Test cases: 7429 total, 905 skipped, 29 expected failures, 1 broken, 4 failed
Start time: 2024-02-21T00:15:42.527291Z
End time: 2024-02-21T00:38:57.036211Z
Because we were using WITHOUT_JAIL, to improve the time spent, one of my ideas was to divide the tests into groups of 4 or 8 and run as many bhyve VMs in parallel.
I assumed that by running regression tests in a jail, I was testing the jail system as much as the test object (and for our use case, I don’t care about the jail because we are not using it).
So using the bhyve VM I had the feeling the tests were more confined.
Now if WITH_JAIL becomes mandatory to be able to run the test, I will just have to modify my build system (like by adding a WITHOUT_JAIL just at installworld time and not during buildworld).
Thanks for your consideration.

Actually, from the very beginning I've had doubts regarding a case when jail
feature is not present, but some of existing tests which freely use jail w/o
additional things like "require.progs jail" and absence of comments regarding
that during the initial review of the patch formed a feeling that it does not
require effort to consider, at least for now. Thanks for mentioning a real
production case, it helps not to guess its priority.

From a glance it looks like the following tasks could be added to TODO:
- kyua can be built WITHOUT_JAIL
- kyua should detect in runtime which execenv it supports, host only or both
- kyua should skip tests which are not supported by a kyua runtime instance

It looks to cover your case. It would need no changes on your side,
execenv="jail" based tests would simply be skipped, the similar way when we
run amd64 tests on aarch64, and so on.


Could you please share your src config (WITHOUT_*, etc)?


Best regards, Igor.



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Igor Ostapenko
2024-02-26 16:32:24 UTC
Permalink
Post by Olivier Cochard-Labbé
Post by i***@pm.me
There is a proposal to improve the FreeBSD test suite.
Thanks a lot for working on improving the parallel tests!
1. a Nanobsd based, so a lot of WITHOUT_ : WITHOUT_JAIL, WITHOUT_PF, no VNET (a nightmare to debug network stack with it), etc.;
2. The standard full test suite (about 8200 tests) is reduced to about 7400 tests with this lighter nanobsd;
3. We have been using kyua parallelism=8 for years, and I had to skip only about 10-20 tests that were not compliant with parallel mode.
Test cases: 7429 total, 905 skipped, 29 expected failures, 1 broken, 4 failed
Start time: 2024-02-21T00:15:42.527291Z
End time: 2024-02-21T00:38:57.036211Z
Because we were using WITHOUT_JAIL, to improve the time spent, one of my ideas was to divide the tests into groups of 4 or 8 and run as many bhyve VMs in parallel.
I assumed that by running regression tests in a jail, I was testing the jail system as much as the test object (and for our use case, I don’t care about the jail because we are not using it).
So using the bhyve VM I had the feeling the tests were more confined.
Now if WITH_JAIL becomes mandatory to be able to run the test, I will just have to modify my build system (like by adding a WITHOUT_JAIL just at installworld time and not during buildworld).
It would be great if you can test the patch.
The general test plan instructions are here: https://reviews.freebsd.org/D42350.
It includes instructions for your case WITHOUT_JAIL. It's expected that you
need no changes in your build system, the Kyua should be built without jail
support and your usual test runs should work as usually. And any execenv=jail
based test on your way should be automatically skipped by such instance of Kyua.


Best regards, Igor.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Igor Ostapenko
2024-02-23 15:08:41 UTC
Permalink
Post by Paul Floyd
Will there be an option to turn this off globally?
I sometimes run test suits with Valgrind. I'm not aware of any option to
do that cleanly so I just do it with brute force: run kyua and all
children under Valgrind.
valgrind --trace-children=yes -q kyua test -k Kyuafile
Adding jails into the mix is likely to give worse results. I did try
using an x86 jail as an alternative to VirtualBox but I gave up as I got
too many test failures.
Thanks for your attention and mention of your use case.

I've added this point to my TODO. I guess it could look as the following:

valgrind --trace-children=yes -q kyua -v execenv=host test -k Kyuafile

It would skip tests designed for other execution environments and run only
"host" ones.

I think execenv Kyua config variable could be a list actually. By default, if
jail feature is present it could be set to "host jail", i.e. to run tests
designed for all environments.

As long as tests which opted-in to use execenv="jail" seem to be out of your
interest in your specific case it looks to be as one of the options. I was
thinking about possiblity that a test could be ready to run within "host" and
"jail" env, I actually wrote such tests and they work, but it needs more
effort from a test author and can be error prone. Anyway, Kyua itself cannot
help with duality of a test. Some tests can be freely run as "host" or "jail"
without any change, others may need quite an effort to prepare for both cases.

Does it look like something that would cover your production needs?


Best regards, Igor.



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Brooks Davis
2024-02-23 16:30:21 UTC
Permalink
Post by i***@pm.me
2 The Idea
The idea is not new. A test could be running in a jail -- it provides the
required isolation with minimum or zero effort from a test.
This generally sounds good. One minor concern I have is how this would
interact with the ability to run the test suite in a jail. This is
imperfectly supported today (IIRC ~350 failures on amd64), but it's
quite userful for testing sweeping userspace-only tests like libsys and
I'd love to see support expanded and improved (failures fixed or tests
skipped, poudriere jail support, etc).

Thanks,
Brooks


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Warner Losh
2024-02-26 20:25:08 UTC
Permalink
On Friday, February 23rd, 2024 at 6:30 PM, Brooks Davis <
Post by i***@pm.me
2 The Idea
The idea is not new. A test could be running in a jail -- it provides
the
Post by i***@pm.me
required isolation with minimum or zero effort from a test.
This generally sounds good. One minor concern I have is how this would
interact with the ability to run the test suite in a jail. This is
imperfectly supported today (IIRC ~350 failures on amd64), but it's
quite userful for testing sweeping userspace-only tests like libsys and
I'd love to see support expanded and improved (failures fixed or tests
skipped, poudriere jail support, etc).
Thanks for your consideration.
As I understand it's a question to the specific tests, which needs revising
and tuning for a non-prison0 case. I saw such issues with existing tests,
frequently it was about jail restrictions. And by design, a root within a jail
cannot alter restrictions of its parent jail, i.e. it's up to the creator of
such jail. In contrast, execenv=jail asks Kyua to create a temporary jail for
a test execution, and Kyua can be asked to configure it for the needs of a
test via execenv_jail. But when Kyua itself is running within an existing jail
then expectations of the test suite should be lifted a level above,
especially for usual execenv=host based tests. Thus, it's out of Kyua's
control to help with that. And this proposal does not change or improve this
case.
Just a quick idea here. Probably, the test suite could help a creator of such
jail above Kyua itself with its metadata. For example, a test is not intended
to be run within a jail and it works fine if Kyua runs within prison0, but if
Kyua itself runs in a jail it starts failing due to missing, for instance,
allow.mlock allowence, see jail(8). A test could define
execenv_jail="allow.mlock" metadata without asking for execenv=jail, i.e. it's
like a hint for a non-prison0 case. And Kyua could aggregate and provide such
information to ease creation of a jail above the Kyua itself.
On the other end of the spectrum, we could think of a new feature of jail(8)
to be able to ask it for a jail with maximum possible set of allowed things.
Just thinking out loud.
So I run the test suite in jail too today. To test how well qemu user-mode
stuff
is working. I see closer to 800 failures IIRC... Some of these are easy
(like
all the geom tests that need /dev/md.ctl to create the md they test with),
but
others are harder and whack-a-mole: mknode tests, for example, will always
fail (at least with the default jail settings) and so should be fixed.
There's several
tests that would work in a native jail that would fail in a qemu jail
because the
system calls are missing, of which I think the jail system calls are in the
list...

I also run it on amd64 machines in a i386 jail and on aarch64 machines with
a armv7
jail too. But I've done it a lot less, and don't have good numbers for
doing that. I
suspect they will be slightly more than Brooks is seeing since our 32-bit
emulation
is imperfect.

So long as we keep the concepts of 'run this in the current env vs creating
a new jail'
and 'test expected to fail inside a jail vs work in un-jailed proc'
separate, I think
we'll be fine. And it might be nice to also have a 'don't run tests that
need temp jails'
option as well that I could mash for times I know they will fail to even
launch.

Cool stuff.

Warner
Igor Ostapenko
2024-02-26 19:58:06 UTC
Permalink
Post by i***@pm.me
2 The Idea
The idea is not new. A test could be running in a jail -- it provides the
required isolation with minimum or zero effort from a test.
This generally sounds good. One minor concern I have is how this would
interact with the ability to run the test suite in a jail. This is
imperfectly supported today (IIRC ~350 failures on amd64), but it's
quite userful for testing sweeping userspace-only tests like libsys and
I'd love to see support expanded and improved (failures fixed or tests
skipped, poudriere jail support, etc).
Thanks for your consideration.

As I understand it's a question to the specific tests, which needs revising
and tuning for a non-prison0 case. I saw such issues with existing tests,
frequently it was about jail restrictions. And by design, a root within a jail
cannot alter restrictions of its parent jail, i.e. it's up to the creator of
such jail. In contrast, execenv=jail asks Kyua to create a temporary jail for
a test execution, and Kyua can be asked to configure it for the needs of a
test via execenv_jail. But when Kyua itself is running within an existing jail
then expectations of the test suite should be lifted a level above,
especially for usual execenv=host based tests. Thus, it's out of Kyua's
control to help with that. And this proposal does not change or improve this
case.

Just a quick idea here. Probably, the test suite could help a creator of such
jail above Kyua itself with its metadata. For example, a test is not intended
to be run within a jail and it works fine if Kyua runs within prison0, but if
Kyua itself runs in a jail it starts failing due to missing, for instance,
allow.mlock allowence, see jail(8). A test could define
execenv_jail="allow.mlock" metadata without asking for execenv=jail, i.e. it's
like a hint for a non-prison0 case. And Kyua could aggregate and provide such
information to ease creation of a jail above the Kyua itself.

On the other end of the spectrum, we could think of a new feature of jail(8)
to be able to ask it for a jail with maximum possible set of allowed things.
Just thinking out loud.

I hope I've got the topic right.


Best regards, Igor.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Igor Ostapenko
2024-02-27 18:17:54 UTC
Permalink
And it might be nice to also have a 'don't run tests that need temp jails'
option as well that I could mash for times I know they will fail to even launch.
Current implementation allows to do it, e.g. `kyua -v execenv=host test` will
not run tests that need temp jails.


Best regards, Igor.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Igor Ostapenko
2024-02-27 18:32:31 UTC
Permalink
Hi,

The patch was updated after the recent discussion.

Currently, the patch provides the following new functionality, from bottom to
top:

1 ATF based tests

- The new "execenv" metadata property can be set to explicitly ask for an
execution environment: "host" or "jail". If it's not defined, as all
existing tests do, then it implicitly means "host".

- The new "execenv.jail" metadata property can be optionally defined to ask
Kyua to use specific jail(8) parameters during creation of a temporary
jail. An example is "vnet allow.raw_sockets".


2 Kyuafile

- The same new metadata properties can be defined on Kyuafile level:
"execenv" and "execenv_jail".

- Note that historically ATF uses dotted style of metadata naming, while
Kyua uses underscore style. Hence "execenv.jail" vs. "execenv_jail".


3 kyua.conf, kyua CLI

- The new "execenv" engine configuration variable can be set to a list of
execution environments to run only tests designed for. Tests of not listed
environments are skipped.

- By default, this variable lists all execution environments supported by a
Kyua binary, e.g. execenv="host jail".

- This variable can be changed via "kyua.conf" or via kyua CLI's "-v"
parameter. For example, "kyua -v execenv=host test" will run only
host-based tests and skip jail-based ones.

- Current value of this variable can be examined with "kyua config".


The patch is https://reviews.freebsd.org/D42350.

Any help with review and testing is welcome. Its test plan covers the
details and refers to the demo patch of how existing tests could be
converted to be run in a jail.


Best regards, Igor.
Post by i***@pm.me
Hi FreeBSD developers,
There is a proposal to improve the FreeBSD test suite.
1 The Problem
The FreeBSD test suite is based on the Kyua framework. The latter supports
running tests in parallel. However, some tests cannot be run in parallel and
are marked with is_exclusive="true" metadata, which makes Kyua run such tests
in sequence.
Many tests are not meant to be exclusive conceptually, they are so for very
simple technical reasons. For instance, some network related tests are based
on jail and vnet usage. It's convenient for such tests and it provides a lot
of isolation already not to conflict with other tests. But they are still
marked as exclusive due to the shared space of jail names, routing, etc.
The project seeks more tests, and it's kind of a trend for new tests like
jail/vnet based ones to be created as is_exclusive="true" from the very
beginning. It only piles up the suite with exclusive tests, e.g. new tests
from my side faced a fair question from a reviewer whether they could be
re-designed for a parallel run. [1]
If such tests were 100% isolated they would be able to run in parallel and
decrease the test time for CI runs and for the runs within the development
process.
And the problem is that trying to add more isolation by a test itself looks to
be a doable task from a glance, but it would add a lot of complexity to a test
code, or could be found as an impossible task in a specific case.
2 The Idea
The idea is not new. A test could be running in a jail -- it provides the
required isolation with minimum or zero effort from a test.
3 The Implementation
There is a lot of work done already and the working patch passed the initial
It adds a new concept to the Kyua framework -- an execution environment. Two
new metadata were added for that: execenv and execenv_jail.
execenv is a switch to select an environment. If a test's metadata defines
execenv="jail" then Kyua will create a temporary jail, run such test within
it, and remove the jail. If execenv="host" is provided or execenv metadata is
undefined then Kyua will run such test as it does today.
execenv_jail metadata takes effect only in case of execenv="jail". It allows a
test to request specific parameters for its jail. These parameters are simply
arguments to jail(8), e.g. execenv_jail="vnet allow.raw_sockets".
4 The Adoption
ATF based tests can easily define this new metadata via Kyuafile or directly,
test_head()
{
atf_set descr "Test foo in case of bar"
atf_set require.user root
atf_set execenv jail
atf_set execenv.jail vnet allow.raw_sockets
}
Non-ATF based ones will do it via Kyuafile. Our test suite does it through a
TEST_METADATA+= execenv="jail"
TEST_METADATA+= execenv_jail="vnet allow.raw_sockets"
The patch got some little evolution, I started with a single execenv_jail
metadata, and during the patch discussion and review, I ended up with two
knobs: execenv and execenv_jail. It turned out to be a cleaner and less tricky
interface such way. The evolution reasoning can be found in the history of the
respective Differential. [2]
5 MFC Concerns
For now, I see at least one issue from the usual project workflow perspective.
Let's imagine that the Kyua framework got this execenv feature committed to
15-CURRENT, we started to convert existing tests and create new ones to use
execenv="jail". If some feature or a bug fix needs to be ported back to
14-STABLE or 13-STABLE, then "old" Kyua without execenv feature will fail to
kyua: E: Load of 'Kyuafile' failed: Failed to load Lua file 'Kyuafile': Kyuafile:9: Unknown metadata property execenv.
From a combinatorics perspective, the first three options pop up to deal with
a) Patch Kyua the same way for the supported STABLE branches so it will be
able to run back ported tests based on execenv="jail" (it's not system ABI
change after all)
b) Exclusively patch Kyua framework for the supported STABLE branches to
simply skip such tests (does not look to provide much benefit)
c) Do not back port tests, only the fix/feature itself (kind of a bad idea)
6 The Demo
My test environment showed promising run time numbers for almost the whole
test suite (ZFS excluded). One of the tests yielded 36 min with test
parallelism improvement versus 1 h 25 min without. In my case with 8 cores,
the suite runs about 2 times faster with the improvement. [3]
7 Action Points
- [ ] community: Review, testing, comments -- probably we want to change the
design
- [ ] committers: Help with the main commit -- it should hit freebsd/kyua
GitHub fork first [4], then vendor branch, and merge to
main after
- [ ] igoro: Provide the subsequent PRs to separate FreeBSD specifics and fix
existing Kyua tests
- [ ] igoro: Provide the PRs to add brand new tests of Kyua itself to cover
the new feature
- [ ] igoro: Provide the respective documentation updates
- [ ] igoro: Migrate some of the existing tests for the start, e.g. netpfil/pf
- [ ] committers: Help with review and respective commits/merges
The plan is not strict, it depends on the discussion and interest of
volunteers.
I hope that this proposal is found valuable for the project. If so, any help
is appreciated.
[1] New tests exclusivity concern: https://reviews.freebsd.org/D42314
[2] The Kyua patch: https://reviews.freebsd.org/D42350
[3] The whole test suite demo: https://reviews.freebsd.org/D42410
[4] The respective PR to the fork: https://github.com/freebsd/kyua/pull/224
Best regards, Igor.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Igor Ostapenko
2024-04-03 14:13:56 UTC
Permalink
Hi,

Thanks for testing.

My current vision of the action points is as follows:

The first phase:
- [x] igoro: Separate FreeBSD specifics and fix existing Kyua tests broken by
the change
- [x] igoro: Migrate some of the existing tests for the start, e.g. netpfil/pf
- [x] igoro: Cover Paul's use case mentioned in this email thread
- [x] igoro: Cover Olivier's use case mentioned in this email thread
- [x] igoro: Provide the respective documentation updates (manual pages)
- [~] community: Review, testing, comments -- probably we want to change the
design
- [ ] committers: Help with the main commit -- it should hit freebsd/kyua
GitHub fork first, then vendor branch, and merge to main after

The next phases:
- [ ] igoro: Provide the PRs to add brand new tests of Kyua itself to cover
the new feature
- [ ] igoro: Help with the Handbook(s) update to cover the new concept for
test authors

The future phases:
- [ ] igoro: Work on the related improvements and ideas like required_klds etc


If there is nothing to change or add at this stage then the next step could be
to merge the GitHub PR:

https://github.com/freebsd/kyua/pull/224


Thanks the community for your time invested, I hope it will be eventually
payed back with better test run time during development.


Best regards, Igor.
<Picking this mail to resurrect the thread>
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 867b98e5f6c2..c2f0f15fa798 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -51,8 +51,8 @@ ATF_TESTS_PYTEST+= frag6.py
ATF_TESTS_PYTEST+= nat66.py
ATF_TESTS_PYTEST+= sctp.py
-# Tests reuse jail names and so cannot run in parallel.
-TEST_METADATA+= is_exclusive=true
+TEST_METADATA+= execenv="jail"
+TEST_METADATA+= execenv_jail="vnet allow.raw_sockets"
PROGS= divapp
That gets the test time, with parallelism=5, down from 22 minutes to 5m40s.
So I’m rather keen to see this work land.
My read from the reactions here is that people are generally okay with the approach, especially (I assume) given that the current version lets us turn this on on a per-test basis.
Is there anything else anyone wants to raise before we land this?
Best regards,
Kristof
Post by Igor Ostapenko
Hi,
The patch was updated after the recent discussion.
Currently, the patch provides the following new functionality, from bottom to
1 ATF based tests
- The new "execenv" metadata property can be set to explicitly ask for an
execution environment: "host" or "jail". If it's not defined, as all
existing tests do, then it implicitly means "host".
- The new "execenv.jail" metadata property can be optionally defined to ask
Kyua to use specific jail(8) parameters during creation of a temporary
jail. An example is "vnet allow.raw_sockets".
2 Kyuafile
"execenv" and "execenv_jail".
- Note that historically ATF uses dotted style of metadata naming, while
Kyua uses underscore style. Hence "execenv.jail" vs. "execenv_jail".
3 kyua.conf, kyua CLI
- The new "execenv" engine configuration variable can be set to a list of
execution environments to run only tests designed for. Tests of not listed
environments are skipped.
- By default, this variable lists all execution environments supported by a
Kyua binary, e.g. execenv="host jail".
- This variable can be changed via "kyua.conf" or via kyua CLI's "-v"
parameter. For example, "kyua -v execenv=host test" will run only
host-based tests and skip jail-based ones.
- Current value of this variable can be examined with "kyua config".
The patch is https://reviews.freebsd.org/D42350.
Any help with review and testing is welcome. Its test plan covers the
details and refers to the demo patch of how existing tests could be
converted to be run in a jail.
Best regards, Igor.
Post by i***@pm.me
Hi FreeBSD developers,
There is a proposal to improve the FreeBSD test suite.
1 The Problem
The FreeBSD test suite is based on the Kyua framework. The latter supports
running tests in parallel. However, some tests cannot be run in parallel and
are marked with is_exclusive="true" metadata, which makes Kyua run such tests
in sequence.
Many tests are not meant to be exclusive conceptually, they are so for very
simple technical reasons. For instance, some network related tests are based
on jail and vnet usage. It's convenient for such tests and it provides a lot
of isolation already not to conflict with other tests. But they are still
marked as exclusive due to the shared space of jail names, routing, etc.
The project seeks more tests, and it's kind of a trend for new tests like
jail/vnet based ones to be created as is_exclusive="true" from the very
beginning. It only piles up the suite with exclusive tests, e.g. new tests
from my side faced a fair question from a reviewer whether they could be
re-designed for a parallel run. [1]
If such tests were 100% isolated they would be able to run in parallel and
decrease the test time for CI runs and for the runs within the development
process.
And the problem is that trying to add more isolation by a test itself looks to
be a doable task from a glance, but it would add a lot of complexity to a test
code, or could be found as an impossible task in a specific case.
2 The Idea
The idea is not new. A test could be running in a jail -- it provides the
required isolation with minimum or zero effort from a test.
3 The Implementation
There is a lot of work done already and the working patch passed the initial
It adds a new concept to the Kyua framework -- an execution environment. Two
new metadata were added for that: execenv and execenv_jail.
execenv is a switch to select an environment. If a test's metadata defines
execenv="jail" then Kyua will create a temporary jail, run such test within
it, and remove the jail. If execenv="host" is provided or execenv metadata is
undefined then Kyua will run such test as it does today.
execenv_jail metadata takes effect only in case of execenv="jail". It allows a
test to request specific parameters for its jail. These parameters are simply
arguments to jail(8), e.g. execenv_jail="vnet allow.raw_sockets".
4 The Adoption
ATF based tests can easily define this new metadata via Kyuafile or directly,
test_head()
{
atf_set descr "Test foo in case of bar"
atf_set require.user root
atf_set execenv jail
atf_set execenv.jail vnet allow.raw_sockets
}
Non-ATF based ones will do it via Kyuafile. Our test suite does it through a
TEST_METADATA+= execenv="jail"
TEST_METADATA+= execenv_jail="vnet allow.raw_sockets"
The patch got some little evolution, I started with a single execenv_jail
metadata, and during the patch discussion and review, I ended up with two
knobs: execenv and execenv_jail. It turned out to be a cleaner and less tricky
interface such way. The evolution reasoning can be found in the history of the
respective Differential. [2]
5 MFC Concerns
For now, I see at least one issue from the usual project workflow perspective.
Let's imagine that the Kyua framework got this execenv feature committed to
15-CURRENT, we started to convert existing tests and create new ones to use
execenv="jail". If some feature or a bug fix needs to be ported back to
14-STABLE or 13-STABLE, then "old" Kyua without execenv feature will fail to
kyua: E: Load of 'Kyuafile' failed: Failed to load Lua file 'Kyuafile': Kyuafile:9: Unknown metadata property execenv.
From a combinatorics perspective, the first three options pop up to deal with
a) Patch Kyua the same way for the supported STABLE branches so it will be
able to run back ported tests based on execenv="jail" (it's not system ABI
change after all)
b) Exclusively patch Kyua framework for the supported STABLE branches to
simply skip such tests (does not look to provide much benefit)
c) Do not back port tests, only the fix/feature itself (kind of a bad idea)
6 The Demo
My test environment showed promising run time numbers for almost the whole
test suite (ZFS excluded). One of the tests yielded 36 min with test
parallelism improvement versus 1 h 25 min without. In my case with 8 cores,
the suite runs about 2 times faster with the improvement. [3]
7 Action Points
- [ ] community: Review, testing, comments -- probably we want to change the
design
- [ ] committers: Help with the main commit -- it should hit freebsd/kyua
GitHub fork first [4], then vendor branch, and merge to
main after
- [ ] igoro: Provide the subsequent PRs to separate FreeBSD specifics and fix
existing Kyua tests
- [ ] igoro: Provide the PRs to add brand new tests of Kyua itself to cover
the new feature
- [ ] igoro: Provide the respective documentation updates
- [ ] igoro: Migrate some of the existing tests for the start, e.g. netpfil/pf
- [ ] committers: Help with review and respective commits/merges
The plan is not strict, it depends on the discussion and interest of
volunteers.
I hope that this proposal is found valuable for the project. If so, any help
is appreciated.
[1] New tests exclusivity concern: https://reviews.freebsd.org/D42314
[2] The Kyua patch: https://reviews.freebsd.org/D42350
[3] The whole test suite demo: https://reviews.freebsd.org/D42410
[4] The respective PR to the fork: https://github.com/freebsd/kyua/pull/224
Best regards, Igor.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Loading...