Commit e9ebe49d44 for strongswan.org

commit e9ebe49d44ea342cf645503ab04054364257e75d
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Fri Aug 15 18:32:24 2025 +0200

    testing: Add option to run tests without leak detective

    This new option allows disabling leak detective to reduce the runtime
    during development, either only for the command line tools (swanctl, pki
    etc.) or optionally also for the daemon(s).

    Disabling leak detective only for the CLI tools already brings a
    considerable reduction in runtime (from 48m to 38m on my dev host) as
    there are many such calls in the post-test stage.  Any leaks in those
    tools are also a lot less of an issue than leaks in the daemon.  So using
    this during development should be fine as long as a full test run is done
    regularly (in particular before releases).  Disabling leak detective
    completely further reduces the runtime (to 30m on my dev host). But that
    should probably only be used for functional regression tests after
    verifying new code didn't introduce new leaks.

    This also fixes the service script which is used for charon-tkm since
    16fcdb460afd ("charon-tkm: Don't use starter/stroke with charon-tkm anymore").

diff --git a/testing/do-tests b/testing/do-tests
index 33f946a2e1..8d63477efc 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -59,11 +59,13 @@ function usage()
 cat << EOF
 Usage:
   ${0##*/} [-h] [-v|-t] [-i|-e] [TESTDIRS]
-    --help            (-h)  show usage information
-    --verbose         (-v)  show complete logs on errors (implies -t)
-    --timestamps      (-t)  show timestamps in console.log
-    --pre             (-i)  run pretest script only (single test only)
-    --post            (-e)  run posttest script only (single test only)
+    --help              (-h)  show usage information
+    --verbose           (-v)  show complete logs on errors (implies -t)
+    --timestamps        (-t)  show timestamps in console.log
+    --pre               (-i)  run pretest script only (single test only)
+    --post              (-e)  run posttest script only (single test only)
+    --no-leaks [daemon] (-n)  disable leak detective in commands (e.g. swanctl)
+                              and optionally the daemon as well

     TESTDIRS  list of test directories (relative to testing/tests).
               wildcards (*) are supported. default is to run all tests.
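Review bot: The synopsis line `${0##*/} [-h] [-v|-t] [-i|-e] [TESTDIRS]` was not updated for the new option, so the one-line usage summary no longer matches the option list below it. Suggest `${0##*/} [-h] [-v|-t] [-i|-e] [-n [daemon]] [TESTDIRS]` so that the optional `daemon` argument is visible at a glance, consistent with the `--no-leaks [daemon]` entry added in this hunk. The enclosing usage() function starts outside the hunk.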
@@ -91,6 +93,13 @@ while [ $# -gt 0 ]; do
 	-e|--post)
 		posttest_only=YES
 		;;
+	-n|--no-leaks)
+		export LEAK_DETECTIVE_DISABLE=1
+		if [[ "$2" =~ d(aemon)? ]]; then
+			export LEAK_DETECTIVE_DISABLE_DAEMON=1
+			shift
+		fi
+		;;
 	*)
 		TESTDIRS+=("$1")
 		;;
diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index 622887f047..cfe0444c33 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -12,6 +12,6 @@ PrintMotd no
 PrintLastLog no
 UsePAM no
 AcceptEnv LANG LC_*
-AcceptEnv LEAK_DETECTIVE_LOG
+AcceptEnv LEAK_DETECTIVE_*
 SetEnv LEAK_DETECTIVE_IGNORE_UNKNOWN=1
 Subsystem	sftp	/usr/lib/openssh/sftp-server
diff --git a/testing/hosts/default/usr/local/bin/service b/testing/hosts/default/usr/local/bin/service
index c5db4f61b7..0182f0b84a 100755
--- a/testing/hosts/default/usr/local/bin/service
+++ b/testing/hosts/default/usr/local/bin/service
@@ -3,15 +3,20 @@
 # LEAK_DETECTIVE_LOG is set for automated runs, however, `service` strips
 # the environment. This wrapper is used to set the variable for the charon
 # init script.
+# Similar for LEAK_DETECTIVE_DISABLE. However, we don't pass that along
+# directly, to be able to run the daemon with it while still improving the
+# performance when collecting results etc.

 ORIG=/usr/sbin/service
-CONF=/etc/default/charon
+CONF=/etc/default/charon-tkm

-if [[ "$1" != "charon" ]]; then
+if [[ "$1" != "charon-tkm" ]]; then
 	$ORIG "$@"
 fi

-if [[ "$2" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
+if [[ "$2" == "start" && -n $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then
+	echo "export LEAK_DETECTIVE_DISABLE=$LEAK_DETECTIVE_DISABLE_DAEMON" >> $CONF
+elif [[ "$2" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
 	echo "export LEAK_DETECTIVE_LOG=$LEAK_DETECTIVE_LOG" >> $CONF
 fi
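Review bot: The guard `if [[ "$1" != "charon-tkm" ]]; then $ORIG "$@"; fi` runs the real `service` for other services but does not leave the script, so the wrapper then falls through to the start/stop handling and to the unconditional `$ORIG "$@"` further down (seen in the next hunk's header), invoking the service a second time and, when `$2` is `start`, appending an export line to /etc/default/charon-tkm on behalf of an unrelated service. This pre-dates the commit, but since the line is rewritten here it is the place to fix it: use `exec $ORIG "$@"` as the systemctl wrapper in this same commit already does. The rest of the script, including the second `$ORIG "$@"` call, is outside the hunk.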

@@ -19,4 +24,5 @@ $ORIG "$@"

 if [[ "$2" == "stop" ]]; then
 	sed -i '/LEAK_DETECTIVE_LOG/d' $CONF 2>/dev/null
+	sed -i '/LEAK_DETECTIVE_DISABLE/d' $CONF 2>/dev/null
 fi
diff --git a/testing/hosts/default/usr/local/bin/systemctl b/testing/hosts/default/usr/local/bin/systemctl
index 51e188c0e0..07027508b0 100755
--- a/testing/hosts/default/usr/local/bin/systemctl
+++ b/testing/hosts/default/usr/local/bin/systemctl
@@ -3,6 +3,9 @@
 # LEAK_DETECTIVE_LOG is set for automated runs, however, this is not passed
 # to a process started via systemctl. This wrapper is used to set the variable
 # for the strongswan.service unit.
+# Similar for LEAK_DETECTIVE_DISABLE. However, we don't pass that along
+# directly, to be able to run the daemon with it while still improving the
+# performance when collecting results etc.

 ORIG=/bin/systemctl
 CONF=/lib/systemd/system/strongswan.service
@@ -11,7 +14,9 @@ if [[ "$2" != "strongswan" ]]; then
 	exec $ORIG "$@"
 fi

-if [[ "$1" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
+if [[ "$1" == "start" && -n $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then
+	sed -i "s:Type=:Environment=LEAK_DETECTIVE_DISABLE=$LEAK_DETECTIVE_DISABLE_DAEMON\nType=:" $CONF 2>/dev/null
+elif [[ "$1" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
 	sed -i "s:Type=:Environment=LEAK_DETECTIVE_LOG=$LEAK_DETECTIVE_LOG\nType=:" $CONF 2>/dev/null
 fi
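Review bot: The added `sed -i "s:Type=:Environment=LEAK_DETECTIVE_DISABLE=$LEAK_DETECTIVE_DISABLE_DAEMON\nType=:"` splices an environment value into the sed script; with sshd now accepting `LEAK_DETECTIVE_*` from the client, a value containing `:` or `\` would corrupt the substitution or the unit file instead of failing cleanly. do-tests only ever sets the variable to `1`, and the `service` and `ipsec` wrappers in this commit test only for it being non-empty, so a literal avoids the interpolation entirely: `sed -i "s:Type=:Environment=LEAK_DETECTIVE_DISABLE=1\nType=:" $CONF 2>/dev/null`. The same concern applies to the pre-existing LEAK_DETECTIVE_LOG line, which carries a path, though that is unchanged here. The `STATUS=$?`/`exit` tail of the script is outside the hunk.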

@@ -20,6 +25,7 @@ STATUS=$?

 if [[ "$1" == "stop" ]]; then
 	sed -i '/LEAK_DETECTIVE_LOG/d' $CONF 2>/dev/null
+	sed -i '/LEAK_DETECTIVE_DISABLE/d' $CONF 2>/dev/null
 fi

 exit $STATUS
diff --git a/testing/hosts/default/usr/local/sbin/ipsec b/testing/hosts/default/usr/local/sbin/ipsec
new file mode 100755
index 0000000000..60c88274f3
--- /dev/null
+++ b/testing/hosts/default/usr/local/sbin/ipsec
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# LEAK_DETECTIVE_DISABLE might be set, however, we only want to actually use
+# it for the daemons if LEAK_DETECTIVE_DISABLE_DAEMON is set.
+
+ORIG=/usr/local/sbin/ipsec.orig
+
+if [[ "$1" == "start" && -z $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then
+	unset LEAK_DETECTIVE_DISABLE
+fi
+
+$ORIG "$@"
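Review bot: Only `start` clears `LEAK_DETECTIVE_DISABLE` before handing off, so if a test invokes `ipsec restart` (or any other subcommand that launches the daemon) the daemon would run without leak detective even when `-n` was given without `daemon`, which is exactly the case the wrapper exists to prevent. Widening the guard covers the obvious one: `if [[ "$1" =~ ^(start|restart)$ && -z $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then`. The final line could also be `exec $ORIG "$@"` to match the systemctl wrapper rather than leaving an extra bash parent around. A note in the header comment that `ipsec.orig` is created by build-guestimages would help the next reader find the other half of this arrangement.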
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index caf4231117..ce6a0aee17 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -47,6 +47,7 @@ do
 	blockdev --rereadpt $NBDEV
 	execute "mount $NBDPARTITION $LOOPDIR" 0
 	execute "mount -t proc none $LOOPDIR/proc" 0
+	execute "mv $LOOPDIR/usr/local/sbin/ipsec $LOOPDIR/usr/local/sbin/ipsec.orig" 0
 	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
 	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
 	execute_chroot "ldconfig" 0
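Review bot: The added `mv $LOOPDIR/usr/local/sbin/ipsec ...ipsec.orig` assumes the ipsec script is present in every freshly built image; if a build omits it, the `mv` fails and, presumably, `execute ... 0` aborts the image build over what is only an optional wrapper (how `execute` treats a non-zero status is not visible here). If `execute` runs its argument through a shell, `execute "test ! -e $LOOPDIR/usr/local/sbin/ipsec || mv $LOOPDIR/usr/local/sbin/ipsec $LOOPDIR/usr/local/sbin/ipsec.orig" 0` makes it conditional. A comment above the line, e.g. `# keep the real ipsec script as ipsec.orig; hosts/default/usr/local/sbin/ipsec (copied below) wraps it`, would record the coupling with the wrapper's hard-coded ORIG path. The enclosing loop starts outside the hunk.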
diff --git a/testing/ssh_config b/testing/ssh_config
index 3ecdd27d1f..0974b990b1 100644
--- a/testing/ssh_config
+++ b/testing/ssh_config
@@ -2,7 +2,7 @@ Host *
 	LogLevel QUIET
 	# debian default
 	SendEnv LANG LC_*
-	SendEnv LEAK_DETECTIVE_LOG
+	SendEnv LEAK_DETECTIVE_*
 	StrictHostKeyChecking no
 	UserKnownHostsFile /dev/null
 	GSSAPIAuthentication yes