introduce docker

.dockerignore

@@ -0,0 +1,3 @@
+Dockerfile
+Dockerfile.release
+docker/Dockerfile*

Dockerfile

@@ -0,0 +1,27 @@
+
+arg ALPINE_TAG=3.18.4
+
+# ------------------------------------------------------------------------
+from alpine:${ALPINE_TAG} as build
+
+run apk add --no-cache alpine-sdk gmp-dev iptables-dev openssl-dev libgcrypt-dev botan-dev
+workdir /build
+
+run apk add --no-cache autoconf automake libtool pkgconfig gettext-dev flex bison gperf
+copy . .
+run ./autogen.sh
+
+copy docker/in-docker-build .
+run ./in-docker-build configure
+run ./in-docker-build make
+run ./in-docker-build install
+
+# ------------------------------------------------------------------------
+from alpine:${ALPINE_TAG}
+
+run apk add --no-cache iproute2 iptables gmp openssl libgcrypt botan
+
+copy docker/entrypoint.sh /
+entrypoint ["/entrypoint.sh"]
+
+copy --from=build /target/ /

Dockerfile.release

@@ -0,0 +1,26 @@
+
+arg ALPINE_TAG=3.18.4
+
+# ------------------------------------------------------------------------
+from alpine:${ALPINE_TAG} as build
+
+run apk add --no-cache alpine-sdk gmp-dev iptables-dev openssl-dev libgcrypt-dev botan-dev
+workdir /build
+
+arg SWAN_VERSION=5.9.11
+run wget -O- https://download.strongswan.org/strongswan-${SWAN_VERSION}.tar.bz2 | tar xj --strip-components=1
+
+copy docker/in-docker-build .
+run ./in-docker-build configure
+run ./in-docker-build make
+run ./in-docker-build install
+
+# ------------------------------------------------------------------------
+from alpine:${ALPINE_TAG}
+
+run apk add --no-cache iproute2 iptables gmp openssl libgcrypt botan
+
+copy docker/entrypoint.sh /
+entrypoint ["/entrypoint.sh"]
+
+copy --from=build /target/ /

docker/Dockerfile.header.in

@@ -0,0 +1,9 @@
+
+arg ALPINE_TAG=3.18.4
+
+# ------------------------------------------------------------------------
+from alpine:${ALPINE_TAG} as build
+
+run apk add --no-cache alpine-sdk gmp-dev iptables-dev openssl-dev libgcrypt-dev botan-dev
+workdir /build
+

docker/Dockerfile.release.in

@@ -0,0 +1,2 @@
+arg SWAN_VERSION=5.9.11
+run wget -O- https://download.strongswan.org/strongswan-${SWAN_VERSION}.tar.bz2 | tar xj --strip-components=1

docker/Dockerfile.runtime.in

@@ -0,0 +1,15 @@
+
+copy docker/in-docker-build .
+run ./in-docker-build configure
+run ./in-docker-build make
+run ./in-docker-build install
+
+# ------------------------------------------------------------------------
+from alpine:${ALPINE_TAG}
+
+run apk add --no-cache iproute2 iptables gmp openssl libgcrypt botan
+
+copy docker/entrypoint.sh /
+entrypoint ["/entrypoint.sh"]
+
+copy --from=build /target/ /

docker/Dockerfile.src.in

@@ -0,0 +1,3 @@
+run apk add --no-cache autoconf automake libtool pkgconfig gettext-dev flex bison gperf
+copy . .
+run ./autogen.sh

docker/Makefile

@@ -0,0 +1,11 @@
+
+.PHONY: all ;
+
+all: ../Dockerfile ../Dockerfile.release ;
+
+../Dockerfile:         Dockerfile.header.in Dockerfile.src.in     Dockerfile.runtime.in
+	cat $^ >$@
+
+../Dockerfile.release: Dockerfile.header.in Dockerfile.release.in Dockerfile.runtime.in
+	cat $^ >$@
+

docker/entrypoint.sh

@@ -0,0 +1,9 @@
+#! /bin/ash
+
+(
+ctl_socket=/var/run/charon.vici
+while ! [ -e $ctl_socket ]; do echo "waiting for $ctl_socket"; sleep 1; done
+swanctl --load-all --noprompt
+) &
+
+exec /usr/libexec/ipsec/charon "$@"

docker/in-docker-build

@@ -0,0 +1,80 @@
+#! /bin/ash
+
+case $1 in
+configure)
+    ./configure \
+        --prefix=/usr \
+    	--sysconfdir=/etc \
+        --with-random-device=/dev/urandom \
+    	--enable-eap-aka \
+    	--enable-eap-aka-3gpp2 \
+    	--enable-eap-sim \
+    	--enable-eap-sim-file \
+    	--enable-eap-simaka-sql \
+    	--enable-eap-md5 \
+    	--enable-md4 \
+    	--enable-eap-mschapv2 \
+    	--enable-eap-identity \
+    	--enable-eap-radius \
+    	--enable-eap-dynamic \
+    	--enable-eap-tls \
+    	--enable-eap-ttls \
+    	--enable-eap-peap \
+    	--enable-eap-tnc \
+    	--enable-tnc-pdp \
+    	--enable-tnccs-20 \
+    	--enable-tnccs-dynamic \
+    	--enable-mediation \
+    	--enable-botan \
+    	--enable-openssl \
+    	--enable-blowfish \
+    	--enable-kernel-pfkey \
+    	--enable-integrity-test \
+    	--enable-leak-detective \
+    	--enable-load-tester \
+    	--enable-test-vectors \
+    	--enable-gcrypt \
+    	--enable-socket-default \
+    	--enable-socket-dynamic \
+    	--enable-connmark \
+    	--enable-forecast \
+    	--enable-addrblock \
+    	--enable-ctr \
+    	--enable-ccm \
+    	--enable-gcm \
+    	--enable-cmac \
+    	--enable-chapoly \
+    	--enable-ha \
+    	--enable-af-alg \
+    	--enable-whitelist \
+    	--enable-xauth-generic \
+    	--enable-xauth-eap \
+    	--enable-pkcs8 \
+    	--enable-unity \
+    	--enable-ipseckey \
+    	--enable-dnscert \
+    	--enable-acert \
+    	--enable-cmd \
+    	--enable-libipsec \
+    	--enable-ntru \
+    	--enable-lookip \
+    	--enable-sha3 \
+    	--enable-newhope \
+    	--enable-counters \
+    	--enable-save-keys
+    	#--enable-wolfssl
+    	#--enable-bliss \
+    ;;
+
+make)
+    make -j$(getconf _NPROCESSORS_ONLN) all
+    ;;
+
+install)
+    make install DESTDIR=/target
+    ;;
+
+*)  echo "unknown operation: $1"
+    exit 1
+    ;;
+esac

testing/.dockerignore

@@ -0,0 +1,3 @@
+.dockerignore
+Dockerfile
+test-docker

testing/Dockerfile

@@ -0,0 +1,26 @@
+arg SWANIMAGE=strongswan
+
+from alpine:3.18.4 as testing
+
+arg NET_PREFIX=192.168.0.
+
+copy . /testing/
+run find /testing -type f -exec sed -i \
+ -e "s,192\.168\.0\.,${NET_PREFIX}," \
+ {} +
+
+from ${SWANIMAGE}
+
+run apk add --no-cache bash
+
+run find /etc/ipsec.* -type f -exec rm {} +
+
+arg HOST=moon
+
+copy --from=testing /testing/hosts/default/ /
+copy --from=testing /testing/hosts/${HOST}/ /
+
+arg TEST=ikev2/rw-psk-ipv4
+
+copy --from=testing /testing/tests/${TEST}/hosts/${HOST}/ /
+

testing/test-docker

@@ -0,0 +1,75 @@
+#! /bin/bash
+
+TEST=${1:-ikev2/rw-psk-ipv4}
+
+: ${NAME_PREFIX:=strongswan}
+: ${IMAGE_NAME:=strongswan-testing}
+: ${DOCKER_NET:=strongswan}
+: ${NET_PREFIX:=192.168.0.}
+
+. tests/$TEST/test.conf
+
+echo "hosts in test: $IPSECHOSTS"
+
+set -e
+
+if true; then # XXX
+
+for host in $IPSECHOSTS
+do
+    image=$IMAGE_NAME:$host
+
+    docker build . -t $image --build-arg NET_PREFIX=$NET_PREFIX --build-arg TEST=$TEST --build-arg HOST=$host
+
+    name=${NAME_PREFIX}-$host
+    docker rm -f $name ||true
+
+    opts=""
+
+    for host2 in $IPSECHOSTS
+    do
+        case $host2 in
+        moon)     n=1  ;;
+        carol)    n=100 ;;
+        dave)     n=200 ;;
+        **) echo "unknown host: $host"; exit 1 ;;
+        esac
+
+        ip=${NET_PREFIX}$n
+
+        if [ $host = $host2 ]; then
+            my_ip=$ip
+        else
+            opts="$opts --add-host $host2:$ip"
+        fi
+    done
+
+    echo "host $host IP is $my_ip"
+
+    docker run -d --name $name \
+        --cap-add NET_ADMIN \
+        --net $DOCKER_NET \
+        --hostname $host --ip $my_ip \
+        $opts \
+        $image
+done
+
+fi # XXX
+
+script=pretest.dat
+
+set +e
+
+cat tests/$TEST/$script | ( while IFS="\n" read line; do
+    host="${line%::*}"
+    cmd="${line#*::}"
+
+    # skip VM-specific commands
+    if [ "$cmd" = "systemctl start strongswan" ]; then continue; fi
+
+    name=${NAME_PREFIX}-$host
+
+    echo "$host\$ $cmd"
+    docker exec $name sh -c "$cmd"
+done)
+