Building the strongSwan test environment

news2025/1/26 15:42:59

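The make-testing script builds strongSwan's virtualized test system. It is located in strongswan-5.9.14/testing/ and must be run as administrator (root). It generates the guest virtual machine images used by the tests; the configuration files for the KVM virtual machines and virtual networks are in the directory config/kvm.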

~/strongswan-5.9.14/testing$ ls config/kvm
alice.xml  bob.xml  carol.xml  dave.xml  moon.xml  sun.xml  venus.xml  vnet1.xml  vnet2.xml  vnet3.xml  winnetou.xml

Run the testing/start-testing script to start the test environment, then list the running virtual machines.

$ sudo virsh list
 Id   Name       State
--------------------------
 1    alice      running
 2    bob        running
 3    carol      running
 4    dave       running
 5    moon       running
 6    sun        running
 7    venus      running
 8    winnetou   running

The topology of the virtual test environment is as follows:
[Figure: topology of the virtual test environment]

Host environment:

$ cat /etc/issue
Debian GNU/Linux 12 \n \l
$
$ uname -a
Linux reported 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64 GNU/Linux

make-testing

The script first sources the test environment configuration file, testing.conf.

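It then calls the scripts build-baseimage, build-rootimage, build-guestkernel, build-certs and build-guestimages in turn to generate the base image, the root filesystem image, the guest kernel, the certificates used by the strongSwan test cases, and the final guest images.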

. $DIR/testing.conf

rm -f $LOGFILE
mkdir -p $BUILDDIR

if [ $ENABLE_BUILD_BASEIMAGE = "yes" ]
then
    $DIR/scripts/build-baseimage || exit 1
fi
if [ $ENABLE_BUILD_ROOTIMAGE = "yes" ]
then
    $DIR/scripts/build-rootimage || exit 1
fi
if [ $ENABLE_BUILD_GUESTKERNEL = "yes" ]
then
    $DIR/scripts/build-guestkernel || exit 1
fi
if [ $ENABLE_BUILD_CERTIFICATES = "yes" ]
then
    # this always builds the guest images too
    $DIR/scripts/build-certs || exit 1
elif [ $ENABLE_BUILD_GUESTIMAGES = "yes" ]
then
    $DIR/scripts/build-guestimages || exit 1
fi

testing.conf global configuration

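The file is located in strongswan-5.9.14/testing; its contents are shown below. The base image BASEIMG is named debian-bookworm-amd64.qcow2: the default Debian release is bookworm, the processor architecture is amd64, the image format is qcow2, and the size is BASEIMGSIZE: 2500M.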

The generated images are saved in the directory IMGDIR: /srv/strongswan-testing/build/images.

# Common image settings
: ${IMGEXT=qcow2}
: ${IMGDIR=$BUILDDIR/images}

# Base image settings
# The base image is a pristine OS installation created using debootstrap.
: ${BASEIMGSIZE=2500}
: ${BASEIMGSUITE=bookworm}
: ${BASEIMGARCH=amd64}
: ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
: ${BASEIMGMIRROR=http://http.debian.net/debian}
: ${BASEIMGEXTREPOHOST=download.strongswan.org}
: ${BASEIMGEXTKEY=https://$BASEIMGEXTREPOHOST/testing/repos/strongswan-testing.gpg.key}
: ${BASEIMGEXTREPO=https://$BASEIMGEXTREPOHOST/testing/repos/apt/debian}

All the virtual machine images present after the build completes:

$ ls /srv/strongswan-testing/build/images
alice.qcow2  carol.qcow2  debian-bookworm-amd64.qcow2  root.qcow2  venus.qcow2
bob.qcow2    dave.qcow2   moon.qcow2                   sun.qcow2   winnetou.qcow2

build-baseimage

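The script that builds the base image is in the directory strongswan-5.9.14/testing/scripts. load_qemu_nbd loads the host kernel's nbd driver; the script then creates a qemu disk in qcow2 format and attaches it as a network block device: /dev/nbd0.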

echo "`date`, building $BASEIMG" >>$LOGFILE

load_qemu_nbd

log_action "Creating base image $BASEIMG"
execute "qemu-img create -f $IMGEXT $BASEIMG ${BASEIMGSIZE}M"

log_action "Connecting image to NBD device $NBDEV"
execute "qemu-nbd -c $NBDEV $BASEIMG"
do_on_exit qemu-nbd -d $NBDEV

This corresponds to the following commands:

modprobe nbd max_part=16
qemu-img create -f qcow2 /srv/strongswan-testing/build/images/debian-bookworm-amd64.qcow2 2500M

qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/debian-bookworm-amd64.qcow2

Information about the nbd driver module:

# sudo modinfo nbd
filename:       /lib/modules/6.1.0-28-amd64/kernel/drivers/block/nbd.ko
description:    Network Block Device
name:           nbd
vermagic:       6.1.0-28-amd64 SMP preempt mod_unload modversions 
parm:           nbds_max:number of network block devices to initialize (default: 16) (int)
parm:           max_part:number of partitions per device (default: 16) (int)

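Next, sfdisk partitions the nbd0 device, partprobe tells the system to re-read the nbd0 partition table, and mkfs.ext3 creates an ext3 filesystem on the new partition (/dev/nbd0p1). The partition is mounted on the directory /srv/strongswan-testing/build/loop, and all subsequent operations are performed in this loop directory.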

sfdisk /dev/nbd0 >>$LOGFILE 2>&1 << EOF
;
EOF

partprobe $NBDEV

log_action "Creating ext3 filesystem"
execute "mkfs.ext3 $NBDPARTITION"

log_action "Mounting $NBDPARTITION to $LOOPDIR"
execute "mount $NBDPARTITION $LOOPDIR"
do_on_exit graceful_umount $LOOPDIR

The output from creating the new partition nbd0p1 and from running partprobe is as follows.

Checking that no-one is using this disk right now ... OK

Disk /dev/nbd0: 2.44 GiB, 2621440000 bytes, 5120000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

>>> Created a new DOS (MBR) disklabel with disk identifier 0xfe4e6d3a.
/dev/nbd0p1: Created a new partition 1 of type 'Linux' and of size 2.4 GiB.
/dev/nbd0p2: Done.

New situation:
Disklabel type: dos
Disk identifier: 0xfe4e6d3a

Device      Boot Start     End Sectors  Size Id Type
/dev/nbd0p1       2048 5119999 5117952  2.4G 83 Linux

The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Creating the ext3 filesystem:

mkfs.ext3 /dev/nbd0p1
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done                            
Creating filesystem with 639744 4k blocks and 160000 inodes
Filesystem UUID: 55f96272-8359-4fd9-a665-767a0a39815c
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done 

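Under the newly mounted loop directory, the script creates the directory var/cache/apt/archives and bind-mounts the host directory /srv/strongswan-testing/build/cache onto it. The debootstrap command then creates the Debian root filesystem in the loop directory.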

log_action "Using $CACHEDIR as archive for apt"
mkdir -p $APTCACHE
execute "mount -o bind $CACHEDIR $APTCACHE"
do_on_exit graceful_umount $APTCACHE

log_action "Running debootstrap ($BASEIMGSUITE, $BASEIMGARCH)"
execute "debootstrap --arch=$BASEIMGARCH --include=$INC $BASEIMGSUITE $LOOPDIR $BASEIMGMIRROR"

The corresponding log, together with the debootstrap command arguments and its execution log (... marks omitted content), is as follows:

mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
mount -o bind /srv/strongswan-testing/build/cache /srv/strongswan-testing/build/loop/var/cache/apt/archives
debootstrap --arch=amd64 --include=automake,autoconf,libtool,bison,flex,gperf,pkg-config,gettext,less,locales,build-essential,libgmp-dev,libldap2-dev,libcurl4-openssl-dev,ethtool,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,wget,gnupg,man-db,libboost-thread-dev,libboost-system-dev,git,iperf,htop,valgrind,strace,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev,python3,python3-setuptools,python3-dev,python3-daemon,python3-venv,,apt-transport-https,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi-py3,libxerces-c-dev,rsyslog,libiptc-dev,libahven11-dev,libxmlada-schema12-dev,libgmpada12-dev,libalog8-dev,dbus-user-session,libboost-regex1.74.0,apache2,dbus,isc-dhcp-server,slapd,bind9,freeradius bookworm /srv/strongswan-testing/build/loop http://http.debian.net/debian

I: Checking component main on http://http.debian.net/debian...
I: Retrieving acpi-support-base 0.143-5.1
I: Validating acpi-support-base 0.143-5.1
...
I: Retrieving zlib1g-dev 1:1.2.13.dfsg-1
I: Validating zlib1g-dev 1:1.2.13.dfsg-1
I: Chosen extractor for .deb packages: dpkg-deb
I: Extracting adduser...
...
I: Extracting zlib1g...
I: Installing core packages...
I: Unpacking required packages...
I: Unpacking adduser...
...
I: Unpacking zlib1g:amd64...
I: Configuring required packages...
I: Configuring debian-archive-keyring...
...
I: Configuring libc-bin...
I: Unpacking the base system...
I: Unpacking acpi-support-base...
...
I: Unpacking zlib1g-dev:amd64...
I: Configuring the base system...
I: Configuring libksba8:amd64...
...
I: Configuring ca-certificates...
I: Base system installed successfully.

The host's proc filesystem is mounted on the proc directory under the loop directory. The file etc/locale.gen is written to set up the locales.

execute "mount -t proc none $LOOPDIR/proc" 0
do_on_exit graceful_umount $LOOPDIR/proc

log_action "Generating locales"
cat > $LOOPDIR/etc/locale.gen << EOF
de_CH.UTF-8 UTF-8
en_US.UTF-8 UTF-8
EOF
execute_chroot "locale-gen"

Execution log:

mount -t proc none /srv/strongswan-testing/build/loop/proc
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin locale-gen
Generating locales (this might take a while)...
  de_CH.UTF-8... done
  en_US.UTF-8... done
Generation complete.

Once the test environment has been built, log in to the moon host to see the contents of /etc/locale.gen.

$ ssh root@192.168.0.1
moon:~#  
moon:~# cat /etc/locale.gen 
de_CH.UTF-8 UTF-8
en_US.UTF-8 UTF-8
moon:~# 

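The script downloads the signing key for the base image's extra repository, and apt-key adds the key to the system; packages authenticated with this key are then considered trusted. It generates the file strongswan.list for the strongSwan apt repository, with the content: deb https://download.strongswan.org/testing/repos/apt/debian bookworm main. It then sets the repository's priority.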

log_action "Downloading signing key for custom apt repo"
execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key"
log_action "Installing signing key for custom apt repo"
execute_chroot "apt-key add /tmp/key"

log_action "Enabling custom apt repo"
cat > $LOOPDIR/etc/apt/sources.list.d/strongswan.list << EOF
deb $BASEIMGEXTREPO $BASEIMGSUITE main
EOF

log_action "Prioritize custom apt repo"
cat > $LOOPDIR/etc/apt/preferences.d/strongswan.pref << EOF
Package: *
Pin: origin "$BASEIMGEXTREPOHOST"
Pin-Priority: 1001
EOF

The corresponding log:

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin wget -q https://download.strongswan.org/testing/repos/strongswan-testing.gpg.key -O /tmp/key
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin apt-key add /tmp/key
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK

Once the test environment has been built, log in to the moon host; the contents of strongswan.pref are as follows.

moon:~# cat /etc/apt/preferences.d/strongswan.pref
Package: *
Pin: origin "download.strongswan.org"
Pin-Priority: 1001

With the apt repositories configured, the script runs apt-get update and installs the packages libgcrypt20-dev, traceroute and iptables.

log_action "Update package sources"
execute_chroot "apt-get update"
log_action "Install packages via APT"
execute_chroot "apt-get -y install $APT1"

Execution log:

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin apt-get update
Get:3 https://download.strongswan.org/testing/repos/apt/debian bookworm InRelease [1,819 B]
Reading package lists...
W: https://download.strongswan.org/testing/repos/apt/debian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin apt-get -y install libgcrypt20-dev traceroute iptables
The following NEW packages will be installed:
  iptables libgcrypt20-dev libgpg-error-dev traceroute
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,297 kB of archives.
After this operation, 5,623 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 traceroute amd64 1:2.1.2-1 [51.5 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 iptables amd64 1.8.9-2 [360 kB]
Get:3 http://deb.debian.org/debian bookworm/main amd64 libgpg-error-dev amd64 1.46-1 [133 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 libgcrypt20-dev amd64 1.10.1-3 [752 kB]

Install tmux.

log_action "Move history.log to history.log.1"
execute_chroot "mv /var/log/apt/history.log /var/log/apt/history.log.1"
log_action "Compress history.log.1 to history.log.1.gz"
execute_chroot "gzip /var/log/apt/history.log.1"
log_action "Install more packages via APT"
execute_chroot "apt-get -y install $APT"
log_action "Install packages from custom repo"
execute_chroot "apt-get -y upgrade"

Installation log:

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin mv /var/log/apt/history.log /var/log/apt/history.log.1
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin gzip /var/log/apt/history.log.1
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin apt-get -y install tmux
Reading package lists...
The following NEW packages will be installed:
  libevent-core-2.1-7 libutempter0 tmux
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
After this operation, 1,493 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 libevent-core-2.1-7 amd64 2.1.12-stable-8 [131 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 libutempter0 amd64 1.2.1-3 [8,960 B]
Get:3 http://deb.debian.org/debian bookworm/main amd64 tmux amd64 3.3a-3 [455 kB]
...
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin apt-get -y upgrade
Reading package lists...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Services that are disabled in the base image: "apache2 dbus isc-dhcp-server slapd bind9 freeradius"

for service in $SERVICES
do
    log_action "Disabling service $service"
    execute_chroot "systemctl disable $service"
done

Execution log:

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl disable apache2
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apache2
Removed "/etc/systemd/system/multi-user.target.wants/apache2.service".
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl disable dbus
Synchronizing state of dbus.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable dbus
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl disable isc-dhcp-server
isc-dhcp-server.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable isc-dhcp-server
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl disable slapd
slapd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable slapd
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl disable bind9
Removed "/etc/systemd/system/multi-user.target.wants/named.service".
Removed "/etc/systemd/system/bind9.service".
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl disable freeradius
Synchronizing state of freeradius.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable freeradius
Removed "/etc/systemd/system/multi-user.target.wants/freeradius.service".

The iptables and ip6tables commands are switched to the legacy versions, iptables-legacy and ip6tables-legacy, instead of iptables-nft.

log_action "Switching from iptables-nft to iptables-legacy"
execute_chroot "update-alternatives --set iptables /usr/sbin/iptables-legacy" 0
execute_chroot "update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy" 0
log_status 0

Execution log:

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in manual mode

Finally, the root user's password in the root filesystem is cleared. After this, logging in to the guest systems as root requires no password.

log_action "Disabling root password"
execute_chroot "passwd -d root"

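When the script finishes, the On_Exit handlers run: they unmount the previously mounted proc, var/cache/apt/archives and loop directories and disconnect the network block device nbd0.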

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin passwd -d root
passwd: password changed.
On_Exit: graceful_umount /srv/strongswan-testing/build/loop/proc
On_Exit: graceful_umount /srv/strongswan-testing/build/loop/var/cache/apt/archives
On_Exit: graceful_umount /srv/strongswan-testing/build/loop
On_Exit: qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected
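As an added example (not part of the strongSwan scripts or the original post), the following shell check can be run against a mounted image root such as $LOOPDIR to report three of the settings made above that suit a lab image but matter if the image is reused elsewhere: the empty root password, the key stored in the global trusted.gpg keyring, and a Pin-Priority of 1000 or more applied to every package from one origin. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_rootfs ROOT: print one finding per line for a mounted guest root
# filesystem; prints nothing when none of the three settings is present.
audit_rootfs() {
    root=$1

    # "passwd -d root" leaves the password field (2nd field) of root's
    # /etc/shadow entry empty, so root can log in without a password.
    if [ -r "$root/etc/shadow" ] &&
       awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit !found }' \
           "$root/etc/shadow"
    then
        echo "EMPTY_ROOT_PASSWORD etc/shadow"
    fi

    # "apt-key add" stores the key in etc/apt/trusted.gpg, which apt
    # accepts for every configured repository, not only the custom one.
    if [ -s "$root/etc/apt/trusted.gpg" ]; then
        echo "GLOBAL_APT_KEY etc/apt/trusted.gpg"
    fi

    # A priority of 1000 or more on "Package: *" lets the pinned origin
    # replace any installed package, even when that means a downgrade.
    for f in "$root"/etc/apt/preferences "$root"/etc/apt/preferences.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"/}
        awk -v file="$rel" '
            /^Package:/      { pkg = $2 }
            /^Pin:/          { pin = substr($0, 6) }
            /^Pin-Priority:/ { if (pkg == "*" && $2 + 0 >= 1000)
                                   print "FORCE_PIN", file, pin, $2 }
            /^[ \t]*$/       { pkg = ""; pin = "" }
        ' "$f"
    done
}

# Constructed sample tree that mirrors what build-baseimage leaves behind.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/apt/preferences.d"
    printf 'root::20000:0:99999:7:::\ndaemon:*:20000:0:99999:7:::\n' \
        > "$dir/etc/shadow"
    printf 'placeholder, not a real keyring\n' > "$dir/etc/apt/trusted.gpg"
    cat > "$dir/etc/apt/preferences.d/strongswan.pref" <<'EOF'
Package: *
Pin: origin "download.strongswan.org"
Pin-Priority: 1001
EOF
    echo "$dir"
}

# Stand-alone run: audit the constructed tree and print the findings.
demo=$(make_sample_rootfs)
audit_rootfs "$demo"
rm -rf "$demo"
```

For a repository used outside the lab, the scoped alternative to the global keyring is a separate keyring file referenced with the signed-by option in the sources.list entry.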

build-rootimage

This script creates the root.qcow2 image; it does so by calling the build-strongswan script.

echo "Building root image"

DIR=$(dirname `readlink -f $0`)
. $DIR/../testing.conf

$DIR/build-strongswan --all --replace --no-guests --tarball $SWANVERSION

After creation, the image list is as follows:

$ ls -l /srv/strongswan-testing/build/images/
total 3042304
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   88735744 Dec 15 03:52 alice.qcow2    // guest image
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   88604672 Dec 15 03:48 bob.qcow2      // guest image
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   88342528 Dec 15 03:51 carol.qcow2
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   88670208 Dec 15 03:52 dave.qcow2
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 2129068032 Dec  9 17:47 debian-bookworm-amd64.qcow2  // base image
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   89849856 Dec 15 03:52 moon.qcow2
-rw-r--r-- 1 libvirt-qemu libvirt-qemu  271974400 Dec  9 18:39 root.qcow2    // root image
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   88473600 Dec 15 03:49 sun.qcow2
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   88735744 Dec 15 03:52 venus.qcow2
-rw-r--r-- 1 libvirt-qemu libvirt-qemu   93192192 Dec 15 03:52 winnetou.qcow2   // guest image

build-strongswan

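For the arguments passed to this script, see the build-rootimage file above. --all means build and install all software, not only strongSwan. --replace means replace the root image. --no-guests means do not build the guest images. --tarball means build strongSwan from a tarball.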

If the root image does not exist, or the replace argument is given, qemu-img creates the root.qcow2 image. -b specifies the backing image: /srv/strongswan-testing/build/images/debian-bookworm-amd64.qcow2. The root image is ROOTIMG: /srv/strongswan-testing/build/images/root.qcow2.

Once that succeeds, ROOTIMG is attached to the network block device NBDEV: /dev/nbd0.

case "$GUEST" in
"")
    if [ ! -f "$ROOTIMG" -o "$REPLACE" ]; then
        log_action "Creating root image $ROOTIMG"
        execute "qemu-img create -b $BASEIMG -f $IMGEXT -F $IMGEXT $ROOTIMG"
        ALL_RECIPES=1
    fi
    log_action "Connecting root image to NBD device $NBDEV"
    [ -f "$ROOTIMG" ] || die "Root image $ROOTIMG not found"
    execute "qemu-nbd -c $NBDEV $ROOTIMG"
    ;;
*)
    ;;
esac

Execution log:

qemu-img create -b /srv/strongswan-testing/build/images/debian-bookworm-amd64.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/root.qcow2
Formatting '/srv/strongswan-testing/build/images/root.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/debian-bookworm-amd64.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/root.qcow2

partprobe tells the system to re-read the nbd0 partition table. The nbd0p1 partition is mounted on LOOPDIR: /srv/strongswan-testing/build/loop. The host's proc filesystem is mounted on LOOPDIR/proc.

do_on_exit qemu-nbd -d $NBDEV
partprobe $NBDEV

log_action "Mounting $NBDPARTITION to $LOOPDIR"
execute "mount $NBDPARTITION $LOOPDIR"
do_on_exit umount $LOOPDIR

log_action "Mounting proc filesystem to $LOOPDIR/proc"
execute "mount -t proc none $LOOPDIR/proc"
do_on_exit umount $LOOPDIR/proc

Command log:

mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
mount -t proc none /srv/strongswan-testing/build/loop/proc

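The host directory SHAREDDIR, /srv/strongswan-testing/build/shared/bookworm, is bind-mounted onto the root/shared directory of LOOPDIR (the attached network block device). For example, after logging in to the moon host, the /root/shared directory is visible.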

The DNS configuration is copied to the same location under LOOPDIR, and a chroot into LOOPDIR deletes the SWID tags left behind by previous strongSwan versions.

mkdir -p $SHAREDDIR
mkdir -p $LOOPDIR/root/shared
log_action "Mounting $SHAREDDIR as /root/shared"
execute "mount -o bind $SHAREDDIR $LOOPDIR/root/shared"
do_on_exit umount $LOOPDIR/root/shared

log_action "Copy /etc/resolv.conf"
execute "cp /etc/resolv.conf $LOOPDIR/etc/resolv.conf"
do_on_exit rm $LOOPDIR/etc/resolv.conf

log_action "Remove SWID tags of previous strongSwan versions"
execute_chroot "find /usr/local/share -path '*strongswan*' -name *.swidtag -delete"

Command log:

mount -o bind /srv/strongswan-testing/build/shared/bookworm /srv/strongswan-testing/build/loop/root/shared
cp /etc/resolv.conf /srv/strongswan-testing/build/loop/etc/resolv.conf
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin find /usr/local/share -path '*strongswan*' -name *.swidtag -delete

The script collects the makefiles in the directory testing/scripts/recipes and stores them in the RECIPES variable.

RECPDIR=$DIR/recipes
if [ "$ALL_RECIPES" ]; then
    echo "Building and installing strongSwan and all other software"
    if [ -d "$RECPDIR/patches" ]
    then
        execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
    fi
    RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
    log_action "Whitelist all Git repositories"
    echo "[safe]"             > $LOOPDIR/root/.gitconfig
    echo "    directory = *" >> $LOOPDIR/root/.gitconfig
    log_status 0
else
    echo "Building and installing strongSwan"
    RECIPES=`ls $RECPDIR/*strongswan.mk | xargs -n1 basename`
fi

The makefiles in the testing/scripts/recipes directory of the strongSwan source tree:

strongswan-5.9.14/testing$ ls scripts/recipes/
004_spark-crypto.mk  006_tkm-rpc.mk   008_xfrm-ada.mk    010_tkm.mk    012_wolfssl.mk     014_swid_generator.mk
005_anet.mk          007_x509-ada.mk  009_xfrm-proxy.mk  011_botan.mk  013_strongswan.mk  015_strongTNC.mk

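The script iterates over each makefile in the directory and runs it in a chroot of LOOPDIR. Every makefile other than 013_strongswan.mk is first copied to the /root/shared/compile directory, which is bound to /srv/strongswan-testing/build/shared/bookworm/compile/, and then run.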

For the strongSwan makefile, the build runs in the SHAREDDIR/build-strongswan directory.

mkdir -p $SHAREDDIR/build-strongswan
mkdir -p $SHAREDDIR/compile

for r in $RECIPES
do
    log_action "Installing from recipe $r"
    if [[ $r == *strongswan.mk && -z "$TARBALL" ]]; then
        cp $RECPDIR/$r $SHAREDDIR/build-strongswan
        execute_chroot "make SRCDIR=/root/strongswan BUILDDIR=/root/shared/build-strongswan -f /root/shared/build-strongswan/$r"
    else
        cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
        execute_chroot "make SWANVERSION=$TARBALL -C /root/shared/compile -f $r"
    fi
done

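Below is the build log for the first makefile, 004_spark-crypto.mk, which builds the spark crypto library. The code is downloaded from https://git.codelabs.ch/spark-crypto.git at revision 153590e2fc784d3173b73642fafa4efb597bb2f3. The build command is: make NO_SPARK=1 NO_TESTS=1 NO_APIDOC=1. The installation directory is: DESTDIR=/usr/local/ada/lib/gnat.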

Build log:

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 004_spark-crypto.mk
make: Entering directory '/root/shared/compile'
[ -d spark-crypto ] || git clone https://git.codelabs.ch/spark-crypto.git spark-crypto
Cloning into 'spark-crypto'...
cd spark-crypto && git fetch && git checkout 153590e2fc784d3173b73642fafa4efb597bb2f3

cd spark-crypto && make NO_SPARK=1 NO_TESTS=1 NO_APIDOC=1
make[1]: Entering directory '/root/shared/compile/spark-crypto'
gnatmake -Xarch=x86_64 -Xendianess=little_endian -XAES=aes_sw -XRTS=native -p -P build/build_libsparkcrypto
Compile
   ...
   [Ada]          lsc-io.adb
Build Libraries
   [index]        libsparkcrypto.a
install -d -m 755 /root/shared/compile/spark-crypto/out/libsparkcrypto/adalib/native;
...
cd spark-crypto && make NO_SPARK=1 NO_TESTS=1 NO_APIDOC=1 DESTDIR=/usr/local/ada/lib/gnat install
make[1]: Entering directory '/root/shared/compile/spark-crypto'
install -d -m 755 /usr/local/ada/lib/gnat/adalib/native;

Build log for 005_anet.mk. anet is a networking library for the Ada language that supports socket types such as IPv4, IPv6 and Packet.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 005_anet.mk
make: Entering directory '/root/shared/compile'
[ -d anet ] || git clone https://git.codelabs.ch/git/anet.git anet
Cloning into 'anet'...
cd anet && git fetch && git checkout 15b469b1e47fde41822543da5be717df195c87dc
cd anet && make LIBRARY_KIND=static
make[1]: Entering directory '/root/shared/compile/anet'
gprbuild -p -R -j1 '-XADAFLAGS=' '-XLDFLAGS=' '-XOS=linux' '-XVERSION=0.4.2' anet_lib.gpr -XLIBRARY_KIND=static
Compile
   [Ada]          anet-sockets-packet.adb
...
   [Ada]          anet-os.adb
Build Libraries
   [gprlib]       anet.lexch
   [archive]      libanet.a
   [index]        libanet.a
cd anet && make PREFIX=/usr/local/ada LIBRARY_KIND=static install
make[1]: Entering directory '/root/shared/compile/anet'
gprbuild -p -R -j1 '-XADAFLAGS=' '-XLDFLAGS=' '-XOS=linux' '-XVERSION=0.4.2' anet_lib.gpr -XLIBRARY_KIND=static
install -d /usr/local/ada/lib/gnat
...
make: Leaving directory '/root/shared/compile'

Build log for 006_tkm-rpc.mk. The TKM (Trusted Key Manager) service uses the tkm-rpc library to communicate with strongSwan's charon process; tkm-rpc is written in Ada.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 006_tkm-rpc.mk
make: Entering directory '/root/shared/compile'
[ -d tkm-rpc ] || git clone https://git.codelabs.ch/git/tkm-rpc.git tkm-rpc
Cloning into 'tkm-rpc'...
cd tkm-rpc && git fetch && git checkout 85f725c0c938cc7f8a48ed86892d6b112b858b8b

cd tkm-rpc && make tests && make
make[1]: Entering directory '/root/shared/compile/tkm-rpc'
Compile
...
   [Ada]          tkmrpc-transport-client.adb
Link
   [link]         test_runner.adb
Running Tkmrpc tests ... please wait
Passed :  6
...

cd tkm-rpc && make PREFIX=/usr/local/ada install
make[1]: Entering directory '/root/shared/compile/tkm-rpc'
install -d /usr/local/ada/lib/gnat
...
make: Leaving directory '/root/shared/compile'

Build log for 007_x509-ada.mk. x509-ada is an X.509 certificate processing library implemented in Ada.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 007_x509-ada.mk
make: Entering directory '/root/shared/compile'
[ -d x509-ada ] || git clone https://git.codelabs.ch/git/x509-ada.git x509-ada
Cloning into 'x509-ada'...
cd x509-ada && git fetch && git checkout v0.1.3

cd x509-ada && make tests && make
make[1]: Entering directory '/root/shared/compile/x509-ada'
Compile
   [Ada]          test_runner.adb
   [C]            TeletexDomainDefinedAttributes.c
...
   [Ada]          test_utils.adb
Build Libraries
   [archive]      libx509ada.a
   [index]        libx509ada.a
Running X.509 tests ... please wait
Passed :  11
...

cd x509-ada && make PREFIX=/usr/local/ada install
...
make[1]: Leaving directory '/root/shared/compile/x509-ada'
make: Leaving directory '/root/shared/compile'

Build log for 008_xfrm-ada.mk. xfrm-ada is a library implemented in Ada for communicating with the kernel's xfrm module.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 008_xfrm-ada.mk
make: Entering directory '/root/shared/compile'
[ -d xfrm-ada ] || git clone https://git.codelabs.ch/git/xfrm-ada.git xfrm-ada
Cloning into 'xfrm-ada'...
cd xfrm-ada && git fetch && git checkout v0.1
...
cd xfrm-ada && make
make[1]: Entering directory '/root/shared/compile/xfrm-ada'
cp include/xfrm.h thin
(cd thin && g++ -fdump-ada-spec xfrm.h)
Compile
   ...
   [Ada]          xfrm.ads
Build Libraries
   [index]        libxfrmada.a
make[1]: Leaving directory '/root/shared/compile/xfrm-ada'

cd xfrm-ada && make PREFIX=/usr/local/ada install
...
make[1]: Leaving directory '/root/shared/compile/xfrm-ada'
make: Leaving directory '/root/shared/compile'

Build log for 009_xfrm-proxy.mk. xfrm-proxy handles the Acquire and Expire events of the kernel's XFRM module.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 009_xfrm-proxy.mk
make: Entering directory '/root/shared/compile'
[ -d xfrm-proxy ] || git clone https://git.codelabs.ch/git/xfrm-proxy.git xfrm-proxy
Cloning into 'xfrm-proxy'...
cd xfrm-proxy && git fetch && git checkout v0.1

cd xfrm-proxy && make
make[1]: Entering directory '/root/shared/compile/xfrm-proxy'
Compile
   [Ada]          xfrm_proxy.adb
   ...
cd xfrm-proxy && make install
mkdir -p /usr/local/bin
install -m 755 obj/xfrm_proxy /usr/local/bin
make[1]: Leaving directory '/root/shared/compile/xfrm-proxy'
make: Leaving directory '/root/shared/compile'

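Build log for 010_tkm.mk. The Trusted Key Manager is a Trusted Computing Base (TCB) that implements the security-critical functions of the IKEv2 protocol. Together with the IKEv2 daemon charon-tkm, TKM provides key management services for IPsec. The two communicate through the tkm-rpc library. x509/Ada is used for certificate processing, and XFRM/Ada is used to interact with the kernel's XFRM.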

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 010_tkm.mk
make: Entering directory '/root/shared/compile'
[ -d tkm ] || git clone https://git.codelabs.ch/git/tkm.git tkm
Cloning into 'tkm'...
cd tkm && git fetch && git checkout e46eef9f0991ba2777dcde845c2e00b8df9c72f7

cd tkm && make tests && make
make[1]: Entering directory '/root/shared/compile/tkm'
Compile
   [Ada]          test_runner.adb
...
Passed :  61
...
make[1]: Entering directory '/root/shared/compile/tkm'
Compile
   [Ada]          tkm_keymanager.adb
...

cd tkm && make install
make[1]: Entering directory '/root/shared/compile/tkm'
install -m 755 obj/tkm_cfgtool /usr/local/bin
cp schema/* /usr/local/share/tkm
make[1]: Leaving directory '/root/shared/compile/tkm'
make: Leaving directory '/root/shared/compile'

Build log for 011_botan.mk. botan is a cryptography library written in C++.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 011_botan.mk
make: Entering directory '/root/shared/compile'
[ -d botan ] || git clone https://github.com/randombit/botan.git botan
Cloning into 'botan'...
cd botan && git fetch && git checkout 3.3.0

cd botan && python3 ./configure.py --without-os-features=threads --disable-modules=locking_allocator --disable-modules=pkcs11,tls,x509,xmss  && make -j 4
   INFO: ./configure.py invoked with options "--without-os-features=threads --disable-modules=locking_allocator --disable-modules=pkcs11,tls,x509,xmss"
   INFO: Configuring to build Botan 3.3.0 (revision git:9074b04c1303a24e2084f8325fa570a5ad4f2478)
   ...
make[1]: Entering directory '/root/shared/compile/botan'
...
build/obj/test/unit_x509.o -L.    -lbotan-3 -lrt  -o botan-test
make[1]: Leaving directory '/root/shared/compile/botan'
cd botan && make install && ldconfig
make[1]: Entering directory '/root/shared/compile/botan'
"/usr/bin/python3" "src/scripts/install.py" --build-dir="build"
   INFO: Botan 3.3.0 installation to /usr/local complete
make[1]: Leaving directory '/root/shared/compile/botan'
make: Leaving directory '/root/shared/compile'

Build log for 012_wolfssl.mk. wolfssl is a lightweight SSL/TLS library.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 012_wolfssl.mk
make: Entering directory '/root/shared/compile'
[ -d wolfssl ] || git clone https://github.com/wolfSSL/wolfssl.git wolfssl
Cloning into 'wolfssl'...
cd wolfssl && git fetch --tags && git checkout v5.6.4-stable

cd wolfssl && ./autogen.sh && ./configure C_FLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB -DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8" --disable-crypttests --disable-examples --enable-silent-rules --enable-aesccm --enable-aesctr --enable-aescfb --enable-camellia --enable-curve25519 --enable-curve448 --enable-des3 --enable-ecccustcurves --enable-ed25519 --enable-ed448 --enable-keygen --enable-max-rsa-bits=8192 --enable-md4 --enable-rsapss --enable-sha3 --enable-shake256 && make -j 4
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
...
Configuration summary for wolfssl version 5.6.4

   * Installation prefix:        /usr/local
   * System type:                pc-linux-gnu
   ...
  CC       wolfcrypt/src/src_libwolfssl_la-hmac.lo
...
  CC       src/libwolfssl_la-tls13.lo
  CCLD     src/libwolfssl.la
make[1]: Leaving directory '/root/shared/compile/wolfssl'
cd wolfssl && make install && ldconfig
make[1]: Entering directory '/root/shared/compile/wolfssl'
make -j5  install-recursive
...
libtool: install: /usr/bin/install -c src/.libs/libwolfssl.lai /usr/local/lib/libwolfssl.la
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/local/lib
...
make[1]: Leaving directory '/root/shared/compile/wolfssl'
make: Leaving directory '/root/shared/compile'

Below is the build log for 013_strongswan.mk. The strongSwan version is 5.9.14, and at configure time the enable options turn on all features.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 013_strongswan.mk
make: Entering directory '/root/shared/compile'
wget https://download.strongswan.org/strongswan-5.9.14.tar.bz2
--2024-12-09 13:39:06--  https://download.strongswan.org/strongswan-5.9.14.tar.bz2
...

2024-12-09 13:39:08 (4.31 MB/s) - ‘strongswan-5.9.14.tar.bz2’ saved [4869709/4869709]

tar xfj strongswan-5.9.14.tar.bz2
echo "5.9.14" > /root/shared/.strongswan-version
cd strongswan-5.9.14 && ./configure --enable-silent-rules --sysconfdir=/etc --with-strongswan-conf=/etc/strongswan.conf.testing --with-random-device=/dev/urandom --disable-load-warning --enable-curl --enable-soup --enable-ldap --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql --enable-eap-md5 --enable-md4 --enable-eap-mschapv2 --enable-eap-identity --enable-eap-radius --enable-eap-dynamic --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-tnc-ifmap --enable-tnc-pdp --enable-tnc-imc --enable-tnc-imv --enable-tnccs-11 --enable-tnccs-20 --enable-tnccs-dynamic --enable-imc-test --enable-imv-test --enable-imc-scanner --enable-imv-scanner --enable-imc-os --enable-imv-os --enable-imc-attestation --enable-imv-attestation --enable-imc-swima --enable-imv-swima --enable-imc-hcd --enable-imv-hcd --enable-sql --enable-sqlite --enable-attr-sql --enable-mediation --enable-botan --enable-openssl --enable-blowfish --enable-kernel-pfkey --enable-integrity-test --enable-leak-detective --enable-load-tester --enable-test-vectors --enable-gcrypt --enable-socket-default --enable-socket-dynamic --enable-dhcp --enable-farp --enable-connmark --enable-forecast --enable-addrblock --enable-ctr --enable-ccm --enable-gcm --enable-cmac --enable-chapoly --enable-ha --enable-af-alg --enable-whitelist --enable-xauth-generic --enable-xauth-eap --enable-pkcs8 --enable-unity --enable-unbound --enable-ipseckey --enable-dnscert --enable-acert --enable-cmd --enable-libipsec --enable-kernel-libipsec --enable-tkm --enable-ntru --enable-lookip --enable-bliss --enable-sha3 --enable-newhope --enable-systemd --enable-counters --enable-save-keys --enable-python-eggs --enable-wolfssl
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p

The strongSwan build enables the following plugins:

 strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: test-vectors unbound ldap aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl wolfssl gcrypt botan pkcs8 af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg newhope bliss curl soup sqlite
libcharon:     dnscert ipseckey attr attr-sql load-tester kernel-libipsec kernel-pfkey kernel-netlink resolve save-keys socket-default socket-dynamic connmark forecast farp stroke vici sql updown eap-identity eap-sim eap-sim-file eap-aka eap-aka-3gpp2 eap-simaka-sql eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-pdp dhcp ha whitelist lookip addrblock unity counters
libtnccs:      tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
libtpmtss:    
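
Because the test build enables every feature, its plugin summary includes plugins that a production gateway would normally leave out. The following is an added example, not part of the strongSwan build system: it parses a plugin summary and lists such plugins. The sample summary is shortened from the output above, and the two classification lists are this example's assumption, not the project's.

```shell
#!/bin/sh
# Added example (not part of the strongSwan build system).
# Parses the plugin summary printed by ./configure and lists plugins that a
# production gateway build would normally leave out.

# Classification used by this example (an assumption, adjust to local policy).
LAB_ONLY="save-keys load-tester"            # debugging / lab plugins
LEGACY_CRYPTO="md4 md5 des rc2 blowfish"    # weak or legacy algorithms

# Constructed sample: plugin summary shortened from the configure output above.
sample_summary() {
    cat <<'EOF'
 strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: test-vectors aes des blowfish rc2 sha2 sha1 md4 md5 x509 openssl wolfssl botan gcm
libcharon:     attr load-tester kernel-netlink save-keys socket-default vici eap-md5 eap-mschapv2
libtnccs:      tnc-imc tnc-imv
libtpmtss:
EOF
}

# Read a plugin summary on stdin and print every plugin name, one per line.
list_plugins() {
    # Summary lines look like "<library>: plugin plugin ..."; the banner and
    # the dashed rule do not start with "lib" and are skipped.
    sed -n 's/^lib[a-z]*:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Read a plugin summary on stdin and print the plugins that appear in the
# space-separated word list "$1". Names are compared exactly, so "eap-md5"
# is not reported as "md5".
flag_plugins() {
    list_plugins | while read -r plugin; do
        for listed in $1; do
            if [ "$plugin" = "$listed" ]; then
                printf '%s\n' "$plugin"
            fi
        done
    done
}

# Demo on the constructed sample.
sample_summary | flag_plugins "$LAB_ONLY" | sed 's/^/lab-only: /'
sample_summary | flag_plugins "$LEGACY_CRYPTO" | sed 's/^/legacy-crypto: /'
```

To check a real build, pipe the saved configure output into `flag_plugins` instead of `sample_summary`.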

The strongSwan build starts below.

cd strongswan-5.9.14 && make -j 4
make[1]: Entering directory '/root/shared/compile/strongswan-5.9.14'
make -s all-recursive
make[2]: Entering directory '/root/shared/compile/strongswan-5.9.14'
Making all in src
make[3]: Entering directory '/root/shared/compile/strongswan-5.9.14/src'
Making all in .
Making all in include
Making all in libstrongswan
make[4]: Entering directory '/root/shared/compile/strongswan-5.9.14/src/libstrongswan'
make[5]: Entering directory '/root/shared/compile/strongswan-5.9.14/src/libstrongswan'
Making all in .
make[6]: Entering directory '/root/shared/compile/strongswan-5.9.14/src/libstrongswan'
  CC       library.lo
  CC       crypto/crypto_factory.lo
  ...
make[1]: Leaving directory '/root/shared/compile/strongswan-5.9.14'

cd strongswan-5.9.14 && make -j install && \
        cd ./src/libcharon/plugins/vici/python && python3 setup.py install
make[1]: Entering directory '/root/shared/compile/strongswan-5.9.14'
...
Processing dependencies for vici==5.9.14
Finished processing dependencies for vici==5.9.14
make: Leaving directory '/root/shared/compile'

Below is the build log for 014_swid_generator.mk, the SoftWare IDentification (SWID) Tags Generator.

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 014_swid_generator.mk
make: Entering directory '/root/shared/compile'
wget --ca-directory="/usr/share/ca-certificates/mozilla" https://github.com/strongswan/swidGenerator/archive/v1.1.0.tar.gz -O swidGenerator-v1.1.0.tar.gz

Location: https://codeload.github.com/strongswan/swidGenerator/tar.gz/refs/tags/v1.1.0 [following]
...
2024-12-09 13:47:19 (14.3 MB/s) - ‘swidGenerator-v1.1.0.tar.gz’ saved [36370169]

[ -d swidGenerator-v1.1.0 ] || (mkdir -p swidGenerator-v1.1.0; tar -xf swidGenerator-v1.1.0.tar.gz --strip-components=1 -C swidGenerator-v1.1.0)
cd swidGenerator-v1.1.0 && SETUPTOOLS_USE_DISTUTILS=stdlib python3 setup.py install
...
Processing dependencies for swid-generator==1.1.0
Searching for distro
Reading https://pypi.org/simple/distro/
Downloading https://files.pythonhosted.org/packages/12/b3/231ffd4ab1fc9d679809f356cebee130ac7daa00d6d6f3206dd4fd137e9e/distro-1.9.0-py3-none-any.whl#sha256=7bffd925d65168f85027d8da9af6bddab658135b840670a223589bc0c8ef02b2
Best match: distro 1.9.0
Processing distro-1.9.0-py3-none-any.whl
Installing distro-1.9.0-py3-none-any.whl to /usr/local/lib/python3.11/dist-packages
Adding distro 1.9.0 to easy-install.pth file
Installing distro script to /usr/local/bin

Installed /usr/local/lib/python3.11/dist-packages/distro-1.9.0-py3.11.egg
Finished processing dependencies for swid-generator==1.1.0
make: Leaving directory '/root/shared/compile'

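Below is the build log for 015_strongTNC.mk. strongTNC is strongSwan's Trusted Network Connect (TNC) extension. It defines the TNC policies and enforcement policies that all VPN clients must satisfy. strongTNC depends on Django; see the dependency file strongTNC-1.0.2/requirements.txt.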

chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin make SWANVERSION=5.9.14 -C /root/shared/compile -f 015_strongTNC.mk
make: Entering directory '/root/shared/compile'
wget --ca-directory=/usr/share/ca-certificates/mozilla/ https://github.com/strongswan/strongTNC/archive/1.0.2.zip -O strongTNC-1.0.2.zip
Location: https://codeload.github.com/strongswan/strongTNC/zip/refs/tags/1.0.2 [following]
--2024-12-09 13:47:24--  https://codeload.github.com/strongswan/strongTNC/zip/refs/tags/1.0.2
...
2024-12-09 13:47:26 (1.52 MB/s) - ‘strongTNC-1.0.2.zip’ saved [913483]

[ -d strongTNC-1.0.2 ] || unzip strongTNC-1.0.2.zip
Archive:  strongTNC-1.0.2.zip
9c9170bc131ef156097878f07efb62a894d171da
  ...
  inflating: strongTNC-1.0.2/vagrant/provisioning/roles/strongtnc/vars/main.yml  
python3 -m venv /usr/local/venvs/tnc
/usr/local/venvs/tnc/bin/pip download -d strongTNC-deps -r strongTNC-1.0.2/requirements.txt
...
Successfully installed Django-3.2.15 Markdown-3.3.4 aiodns-3.2.0 asgiref-3.8.1 cffi-1.17.1 dj-database-url-0.4.1 django-filter-2.4.0 djangorestframework-3.12.4 djangorestframework-camel-case-1.2.0 dnspython-2.1.0 lxml-4.9.1 pyasn1-0.6.1 pyasn1_modules-0.4.1 pycares-4.5.0 pycparser-2.22 pytz-2020.1 slixmpp-1.8.2 sqlparse-0.5.2
cp -r strongTNC-1.0.2 /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc
make: Leaving directory '/root/shared/compile'

When the script finishes, On_Exit performs the exit operations.

On_Exit: rm /srv/strongswan-testing/build/loop/etc/resolv.conf
On_Exit: umount /srv/strongswan-testing/build/loop/root/shared
On_Exit: umount /srv/strongswan-testing/build/loop/proc
On_Exit: umount /srv/strongswan-testing/build/loop
On_Exit: qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

build-guestkernel

The default kernel patch in testing.conf, ha-6.5-abicompat-raw-sockets.patch.bz2, failed to download, so it was changed to ha-6.4-abicompat.patch.bz2.

cd $BUILDDIR

if [ ! -f "$KERNELTARBALL" ]
then
    url=https://cdn.kernel.org/pub/linux/kernel/v${KERNELVERSION:0:1}.x/$KERNELTARBALL
    log_action "Downloading $url"
    execute "wget -q $url"
fi

if [[ $KERNELPATCH && ! -f "$KERNELPATCH" ]]
then
    url=https://download.strongswan.org/testing/$KERNELPATCH
    log_action "Downloading $url"
    execute "wget -q $url"
fi

The corresponding log is as follows.

wget -q https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.8.1.tar.xz
wget -q https://download.strongswan.org/testing/ha-6.4-abicompat.patch.bz2
tar xJf linux-6.8.1.tar.xz
patching file include/linux/netfilter_defs.h
patching file include/net/netns/netfilter.h
patching file include/net/xfrm.h
Hunk #2 succeeded at 1832 (offset 2 lines).
patching file include/uapi/linux/netfilter.h
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
patching file net/ipv4/netfilter/ipt_CLUSTERIP.c
patching file net/xfrm/xfrm_input.c
Hunk #3 succeeded at 447 (offset -4 lines).
Hunk #4 succeeded at 636 (offset -6 lines).
patching file net/xfrm/xfrm_output.c
Hunk #1 succeeded at 487 (offset 1 line).
Hunk #2 succeeded at 558 (offset 1 line).
patching file net/xfrm/xfrm_replay.c

Configure the kernel and start the build.

cd $KERNELDIR

if [ ! -f .config ]
then
    execute "cp $KERNELCONFIG .config" 0
fi

echo "Creating kernel configuration, you might get prompted for new parameters"
make oldconfig 2>&1 | tee -a $LOGFILE

log_action "Compiling the kernel"
execute "make -j5"

Kernel build log.

cp /home/kai/work/strongswan-5.9.14/testing/scripts/../config/kernel/config-6.8 .config
  HOSTCC  scripts/basic/fixdep
  
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
*
* Restart config...
*
*
* Mitigations for speculative execution vulnerabilities
*
Mitigations for speculative execution vulnerabilities (SPECULATION_MITIGATIONS) [Y/n/?] y
  Remove the kernel mapping in user mode (PAGE_TABLE_ISOLATION) [Y/n/?] y
  Avoid speculative indirect branches in kernel (RETPOLINE) [Y/n/?] y
    Enable return-thunks (RETHUNK) [Y/n/?] y
      Enable UNRET on kernel entry (CPU_UNRET_ENTRY) [Y/n/?] y
  Mitigate RSB underflow with call depth tracking (CALL_DEPTH_TRACKING) [Y/n/?] y
    Enable call thunks and call depth tracking debugging (CALL_THUNKS_DEBUG) [N/y/?] n
  Enable IBPB on kernel entry (CPU_IBPB_ENTRY) [Y/n/?] y
  Enable IBRS on kernel entry (CPU_IBRS_ENTRY) [Y/n/?] y
  Mitigate speculative RAS overflow on AMD (CPU_SRSO) [Y/n/?] y
  Mitigate Straight-Line-Speculation (SLS) [N/y/?] n
  Force GDS Mitigation (GDS_FORCE_MITIGATION) [N/y/?] n
  RFDS Mitigation (MITIGATION_RFDS) [Y/n/?] (NEW) n
*
* Memory initialization
*
Initialize kernel stack variables at function entry
> 1. no automatic stack variable initialization (weakest) (INIT_STACK_NONE)
  2. pattern-init everything (strongest) (INIT_STACK_ALL_PATTERN) (NEW)
  3. zero-init everything (strongest and safest) (INIT_STACK_ALL_ZERO) (NEW)
choice[1-3?]: 
Enable heap memory zeroing on allocation by default (INIT_ON_ALLOC_DEFAULT_ON) [N/y/?] n
Enable heap memory zeroing on free by default (INIT_ON_FREE_DEFAULT_ON) [N/y/?] n
Enable register zeroing on function exit (ZERO_CALL_USED_REGS) [N/y/?] n
#
# configuration written to .config
#
make -j5
  GEN     arch/x86/include/generated/asm/orc_hash.h
...
  OBJCOPY arch/x86/boot/setup.bin
  BUILD   arch/x86/boot/bzImage
Kernel: arch/x86/boot/bzImage is ready  (#1)
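
The answers given to the oldconfig prompts above end up as CONFIG_ lines in .config. The following is an added example, not part of the strongSwan testing scripts: it reports how those mitigation and memory-initialization options are set. The sample .config is constructed from the answers in the log, and the "want" values are this example's assumption of a hardened baseline, not the project's.

```shell
#!/bin/sh
# Added example (not part of the strongSwan testing scripts).
# Reports the state of the hardening options that "make oldconfig" prompted
# for in the log above, as recorded in a kernel .config file.

# SYMBOL=want pairs. The symbols come from the oldconfig log; the wanted
# values are an assumption made for this example (hardened baseline).
HARDENING_OPTS="SPECULATION_MITIGATIONS=y PAGE_TABLE_ISOLATION=y RETPOLINE=y
RETHUNK=y CPU_SRSO=y SLS=y MITIGATION_RFDS=y INIT_STACK_ALL_ZERO=y
INIT_ON_ALLOC_DEFAULT_ON=y INIT_ON_FREE_DEFAULT_ON=y ZERO_CALL_USED_REGS=y
CALL_THUNKS_DEBUG=n"

# Constructed sample: the .config lines that the answers in the log produce.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SPECULATION_MITIGATIONS=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_RETPOLINE=y
CONFIG_RETHUNK=y
CONFIG_CPU_UNRET_ENTRY=y
CONFIG_CALL_DEPTH_TRACKING=y
# CONFIG_CALL_THUNKS_DEBUG is not set
CONFIG_CPU_IBPB_ENTRY=y
CONFIG_CPU_IBRS_ENTRY=y
CONFIG_CPU_SRSO=y
# CONFIG_SLS is not set
# CONFIG_GDS_FORCE_MITIGATION is not set
# CONFIG_MITIGATION_RFDS is not set
CONFIG_INIT_STACK_NONE=y
# CONFIG_INIT_STACK_ALL_PATTERN is not set
# CONFIG_INIT_STACK_ALL_ZERO is not set
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set
# CONFIG_ZERO_CALL_USED_REGS is not set
EOF
}

# Print the value of one option. $1 = .config path, $2 = symbol without the
# CONFIG_ prefix. "# CONFIG_X is not set" and a missing line both yield "n".
config_state() {
    val=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'n\n'
    fi
}

# Print one line per option in HARDENING_OPTS and return 1 if any option
# differs from its wanted value. $1 = .config path.
audit_config() {
    rc=0
    for entry in $HARDENING_OPTS; do
        sym=${entry%%=*}
        want=${entry#*=}
        have=$(config_state "$1" "$sym")
        if [ "$have" = "$want" ]; then
            verdict=ok
        else
            verdict=DIFFERS
            rc=1
        fi
        printf '%-34s have=%s want=%s %s\n' "CONFIG_$sym" "$have" "$want" "$verdict"
    done
    return $rc
}

# Print the number of options that differ from the wanted value.
count_deviations() {
    audit_config "$1" | grep -c 'DIFFERS$' || true
}

# Demo on the constructed sample.
cfg=$(mktemp)
write_sample_config "$cfg"
audit_config "$cfg" || echo "deviations: $(count_deviations "$cfg")"
rm -f "$cfg"
```

Pointing `audit_config` at the `.config` in the kernel build directory gives the same report for the kernel that was actually built.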

build-certs

The build-certs script generates the certificate files used by the strongSwan test cases.

mkdir -p $LOOPDIR
mkdir -p $IMGDIR

log_action "Connecting root image to NBD device $NBDEV"
execute "qemu-nbd -c $NBDEV $ROOTIMG"
do_on_exit qemu-nbd -d $NBDEV
partprobe $NBDEV

log_action "Mounting $NBDPARTITION to $LOOPDIR"
execute "mount $NBDPARTITION $LOOPDIR"
do_on_exit umount $LOOPDIR

log_action "Mounting proc filesystem to $LOOPDIR/proc"
execute "mount -t proc none $LOOPDIR/proc"
do_on_exit umount $LOOPDIR/proc

mkdir -p $LOOPDIR/root/testing
log_action "Mounting ${DIR} as /root/testing"
execute "bindfs -u $SRCUID -g $SRCGID --create-for-user=$SRCUID --create-for-group=$SRCGID ${DIR} $LOOPDIR/root/testing"
do_on_exit umount $LOOPDIR/root/testing

log_action "Building certificates"
execute_chroot "/root/testing/scripts/build-certs-chroot"

The actual work is done by the build-certs-chroot script.

qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/root.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
mount -t proc none /srv/strongswan-testing/build/loop/proc
bindfs -u 1000 -g 1000 --create-for-user=1000 --create-for-group=1000 /home/kai/work/strongswan-5.9.14/testing/scripts/.. /srv/strongswan-testing/build/loop/root/testing
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /root/testing/scripts/build-certs-chroot

build-guestimages

The test configuration file testing.conf defines the STRONGSWANHOSTS variable: ${STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"}. An image is generated for each guest as follows.

for host in $STRONGSWANHOSTS
do
    log_action "Creating guest image for $host"
    execute "qemu-img create -b $ROOTIMG -f $IMGEXT -F $IMGEXT $IMGDIR/$host.$IMGEXT" 0
    execute "qemu-nbd -c $NBDEV $IMGDIR/$host.$IMGEXT" 0
    partprobe $NBDEV
    execute "mount $NBDPARTITION $LOOPDIR" 0
    execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
    execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
    execute_chroot "ldconfig" 0
    execute "mkdir $LOOPDIR/etc/pts" 0

    if [ "$host" = "alice" ]
    then
        execute "mkdir $LOOPDIR/var/log/apache2/tnc" 0
        execute_chroot "chgrp www-data /etc/pts" 0
        execute_chroot "chmod g+w /etc/pts" 0
    fi

winnetou acts as the test server and needs services such as apache2, openldap and DNS installed.

    if [ "$host" = "winnetou" ]
    then
        execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
        execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
        execute "cp -rf $DIR/../css $LOOPDIR/var/www/" 0
        execute "mkdir $LOOPDIR/var/www/testresults" 0
        execute_chroot "a2enmod -q cgid" 0
        execute_chroot "a2enmod -q rewrite" 0
        execute_chroot "mkdir /var/www/certs" 0
        execute_chroot "mkdir /var/www/certs/research /var/www/certs/sales" 0
        execute_chroot "/etc/ca/generate-crl" 0
        execute_chroot "rm -rf /var/lib/ldap/*" 0
        execute_chroot "slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf" 0
        execute_chroot "chown -R openldap:openldap /var/lib/ldap" 0
        execute_chroot "dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org" 0
        execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0
        execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0

        # on bullseye and newer, enabling via bind9 doesn't work, while
        # disabling does, so use named here. on the other hand, older releases
        # like buster don't have named service files
        SERVICES="apache2 slapd"
        case "$BASEIMGSUITE" in
        buster)
            SERVICES="$SERVICES bind9"
            ;;
        *)
            SERVICES="$SERVICES named"
            ;;
        esac
        for service in $SERVICES
        do
            execute_chroot "systemctl enable $service" 0
        done
    fi
    sync
    execute "umount -l $LOOPDIR" 0
    execute "qemu-nbd -d $NBDEV" 0
    log_status 0
done

Build log for the alice VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/alice.qcow2
Formatting '/srv/strongswan-testing/build/images/alice.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/alice.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/alice/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
mkdir /srv/strongswan-testing/build/loop/var/log/apache2/tnc
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin chgrp www-data /etc/pts
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin chmod g+w /etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the bob VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/bob.qcow2
Formatting '/srv/strongswan-testing/build/images/bob.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/bob.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/bob/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the carol VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/carol.qcow2
Formatting '/srv/strongswan-testing/build/images/carol.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/carol.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/carol/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the dave VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/dave.qcow2
Formatting '/srv/strongswan-testing/build/images/dave.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/dave.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/dave/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the moon VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/moon.qcow2
Formatting '/srv/strongswan-testing/build/images/moon.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/moon.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/moon/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the sun VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/sun.qcow2
Formatting '/srv/strongswan-testing/build/images/sun.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/sun.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/sun/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the venus VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/venus.qcow2
Formatting '/srv/strongswan-testing/build/images/venus.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/venus.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/venus/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

Build log for the winnetou VM image.

qemu-img create -b /srv/strongswan-testing/build/images/root.qcow2 -f qcow2 -F qcow2 /srv/strongswan-testing/build/images/winnetou.qcow2
Formatting '/srv/strongswan-testing/build/images/winnetou.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=2621440000 backing_file=/srv/strongswan-testing/build/images/root.qcow2 backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
qemu-nbd -c /dev/nbd0 /srv/strongswan-testing/build/images/winnetou.qcow2
mount /dev/nbd0p1 /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/etc /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/root /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/default/usr /srv/strongswan-testing/build/loop
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../hosts/winnetou/etc /srv/strongswan-testing/build/loop
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ldconfig
mkdir /srv/strongswan-testing/build/loop/etc/pts
mkdir /srv/strongswan-testing/build/loop/var/log/apache2/ocsp
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../images /srv/strongswan-testing/build/loop/var/www/
cp -rf /home/kai/work/strongswan-5.9.14/testing/scripts/../css /srv/strongswan-testing/build/loop/var/www/
mkdir /srv/strongswan-testing/build/loop/var/www/testresults
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin a2enmod -q cgid
Enabling module cgid.
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin a2enmod -q rewrite
Enabling module rewrite.
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin mkdir /var/www/certs
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin mkdir /var/www/certs/research /var/www/certs/sales
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /etc/ca/generate-crl
read EC key
writing EC key
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin rm -rf /var/lib/ldap/*
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin slapadd -l /etc/ldap/ldif.txt -f /etc/ldap/slapd.conf
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin chown -R openldap:openldap /var/lib/ldap
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin dnssec-signzone -K /etc/bind -o strongswan.org. /etc/bind/db.strongswan.org
Verifying the zone using the following algorithms:
- RSASHA256
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
/etc/bind/db.strongswan.org.signed
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org
Verifying the zone using the following algorithms:
- RSASHA256
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
/etc/bind/db.org.signed
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin dnssec-signzone -K /etc/bind -o . /etc/bind/db.root
Verifying the zone using the following algorithms:
- RSASHA256
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
/etc/bind/db.root.signed
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl enable apache2
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable apache2
Created symlink /etc/systemd/system/multi-user.target.wants/apache2.service → /lib/systemd/system/apache2.service.
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl enable slapd
slapd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable slapd
chroot /srv/strongswan-testing/build/loop env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin systemctl enable named
Synchronizing state of named.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable named
Created symlink /etc/systemd/system/bind9.service → /lib/systemd/system/named.service.
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /lib/systemd/system/named.service.
umount -l /srv/strongswan-testing/build/loop
qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected

The script ends and performs the exit operations.

On_Exit: umount /srv/strongswan-testing/build/loop
umount: /srv/strongswan-testing/build/loop: not mounted.
On_Exit: qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected
