Merge branch 'testing-trixie'

Use Debian trixie as base image for testing.

src/libimcv/imv/data.sql

@@ -622,6 +622,12 @@ INSERT INTO products (      /* 104 */
  'Debian 12 x86_64'
 );
 
+INSERT INTO products (      /* 105 */
+  name
+) VALUES (
+ 'Debian 13 x86_64'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -1708,6 +1714,12 @@ INSERT INTO groups_product_defaults (
   17, 104
 );
 
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  17, 105
+);
+
 /* Policies */
 
 INSERT INTO policies (			/*  1 */

src/libstrongswan/utils/leak_detective.c

@@ -617,6 +617,7 @@ static char *whitelist[] = {
 	"OSSL_DECODER_CTX_new_for_pkey",
 	"OSSL_ENCODER_do_all_provided",
 	"OSSL_PROVIDER_try_load",
+	"OSSL_PROVIDER_try_load_ex",
 	"OSSL_PROVIDER_load",
 	"RAND_get0_private",
 	"RAND_get0_public",

testing/config/kvm/alice.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>alice</name>
   <uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
-  <memory unit='MiB'>200</memory>
-  <currentMemory unit='MiB'>200</currentMemory>
+  <memory unit='MiB'>260</memory>
+  <currentMemory unit='MiB'>260</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/bob.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>bob</name>
   <uuid>72728516-377f-f5be-ea1d-b1f1e851538f</uuid>
-  <memory unit='MiB'>128</memory>
-  <currentMemory unit='MiB'>128</currentMemory>
+  <memory unit='MiB'>150</memory>
+  <currentMemory unit='MiB'>150</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/carol.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>carol</name>
   <uuid>6bc2eef5-7faf-cde0-5f27-6fc29f93bc3d</uuid>
-  <memory unit='MiB'>128</memory>
-  <currentMemory unit='MiB'>128</currentMemory>
+  <memory unit='MiB'>150</memory>
+  <currentMemory unit='MiB'>150</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/dave.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>dave</name>
   <uuid>05f1debe-4e38-4f3d-10a0-c07fbb70d816</uuid>
-  <memory unit='MiB'>128</memory>
-  <currentMemory unit='MiB'>128</currentMemory>
+  <memory unit='MiB'>150</memory>
+  <currentMemory unit='MiB'>150</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/moon.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>moon</name>
   <uuid>b5e00ad3-1c81-3b2a-7f66-cdf8727b3c65</uuid>
-  <memory unit='MiB'>128</memory>
-  <currentMemory unit='MiB'>128</currentMemory>
+  <memory unit='MiB'>150</memory>
+  <currentMemory unit='MiB'>150</currentMemory>
   <vcpu placement='static'>4</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/sun.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>sun</name>
   <uuid>35341843-346c-a63a-786b-9df0fd5e6264</uuid>
-  <memory unit='MiB'>144</memory>
-  <currentMemory unit='MiB'>144</currentMemory>
+  <memory unit='MiB'>150</memory>
+  <currentMemory unit='MiB'>150</currentMemory>
   <vcpu placement='static'>2</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/venus.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>venus</name>
   <uuid>f0838df9-7cc0-84f5-6c14-2d16ab002e8d</uuid>
-  <memory unit='MiB'>128</memory>
-  <currentMemory unit='MiB'>128</currentMemory>
+  <memory unit='MiB'>150</memory>
+  <currentMemory unit='MiB'>150</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/winnetou.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>winnetou</name>
   <uuid>b1d3d2f7-e20b-ab95-277e-66d4cac33cc3</uuid>
-  <memory unit='MiB'>160</memory>
-  <currentMemory unit='MiB'>160</currentMemory>
+  <memory unit='MiB'>200</memory>
+  <currentMemory unit='MiB'>200</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/do-tests

@@ -59,11 +59,13 @@ function usage()
 cat << EOF
 Usage:
   ${0##*/} [-h] [-v|-t] [-i|-e] [TESTDIRS]
-    --help            (-h)  show usage information
-    --verbose         (-v)  show complete logs on errors (implies -t)
-    --timestamps      (-t)  show timestamps in console.log
-    --pre             (-i)  run pretest script only (single test only)
-    --post            (-e)  run posttest script only (single test only)
+    --help              (-h)  show usage information
+    --verbose           (-v)  show complete logs on errors (implies -t)
+    --timestamps        (-t)  show timestamps in console.log
+    --pre               (-i)  run pretest script only (single test only)
+    --post              (-e)  run posttest script only (single test only)
+    --no-leaks [daemon] (-n)  disable leak detective in commands (e.g. swanctl)
+                              and optionally the daemon as well
 
     TESTDIRS  list of test directories (relative to testing/tests).
               wildcards (*) are supported. default is to run all tests.
@@ -91,6 +93,13 @@ while [ $# -gt 0 ]; do
 	-e|--post)
 		posttest_only=YES
 		;;
+	-n|--no-leaks)
+		export LEAK_DETECTIVE_DISABLE=1
+		if [[ "$2" =~ d(aemon)? ]]; then
+			export LEAK_DETECTIVE_DISABLE_DAEMON=1
+			shift
+		fi
+		;;
 	*)
 		TESTDIRS+=("$1")
 		;;

testing/hosts/default/etc/rsyslog.conf

@@ -119,7 +119,7 @@ news.notice			-/var/log/news/news.notice
 # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
 #      busy site..
 #
-daemon.*;mail.*;\
-	news.err;\
-	*.=debug;*.=info;\
-	*.=notice;*.=warn	|/dev/xconsole
+#daemon.*;mail.*;\
+#	news.err;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	|/dev/xconsole

testing/hosts/default/etc/ssh/sshd_config

@@ -12,5 +12,6 @@ PrintMotd no
 PrintLastLog no
 UsePAM no
 AcceptEnv LANG LC_*
-AcceptEnv LEAK_DETECTIVE_LOG
+AcceptEnv LEAK_DETECTIVE_*
+SetEnv LEAK_DETECTIVE_IGNORE_UNKNOWN=1
 Subsystem	sftp	/usr/lib/openssh/sftp-server

testing/hosts/default/etc/sysctl.conf

@@ -1,62 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-
-# Enable coredump for suid binaries
-fs.suid_dumpable = 1

testing/hosts/default/etc/sysctl.d/99-strongswan.conf

@@ -0,0 +1,16 @@
+# Enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+# Enable coredump for suid binaries
+fs.suid_dumpable = 1
+
+# As we run with very little memory, use the old default to reduce overhead
+vm.max_map_count = 65530
+
+# Allow overcommitting, in particular for forks
+vm.overcommit_memory = 1

testing/hosts/default/etc/systemd/system.conf.d/99-ignore-unknown-memory.conf

@@ -0,0 +1,2 @@
+[Manager]
+DefaultEnvironment=LEAK_DETECTIVE_IGNORE_UNKNOWN=1

testing/hosts/default/usr/local/bin/service

@@ -3,15 +3,20 @@
 # LEAK_DETECTIVE_LOG is set for automated runs, however, `service` strips
 # the environment. This wrapper is used to set the variable for the charon
 # init script.
+# Similar for LEAK_DETECTIVE_DISABLE. However, we don't pass that along
+# directly, to be able to run the daemon with it while still improving the
+# performance when collecting results etc.
 
 ORIG=/usr/sbin/service
-CONF=/etc/default/charon
+CONF=/etc/default/charon-tkm
 
-if [[ "$1" != "charon" ]]; then
+if [[ "$1" != "charon-tkm" ]]; then
 	$ORIG "$@"
 fi
 
-if [[ "$2" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
+if [[ "$2" == "start" && -n $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then
+	echo "export LEAK_DETECTIVE_DISABLE=$LEAK_DETECTIVE_DISABLE_DAEMON" >> $CONF
+elif [[ "$2" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
 	echo "export LEAK_DETECTIVE_LOG=$LEAK_DETECTIVE_LOG" >> $CONF
 fi
 
@@ -19,4 +24,5 @@ $ORIG "$@"
 
 if [[ "$2" == "stop" ]]; then
 	sed -i '/LEAK_DETECTIVE_LOG/d' $CONF 2>/dev/null
+	sed -i '/LEAK_DETECTIVE_DISABLE/d' $CONF 2>/dev/null
 fi

testing/hosts/default/usr/local/bin/systemctl

@@ -3,6 +3,9 @@
 # LEAK_DETECTIVE_LOG is set for automated runs, however, this is not passed
 # to a process started via systemctl. This wrapper is used to set the variable
 # for the strongswan.service unit.
+# Similar for LEAK_DETECTIVE_DISABLE. However, we don't pass that along
+# directly, to be able to run the daemon with it while still improving the
+# performance when collecting results etc.
 
 ORIG=/bin/systemctl
 CONF=/lib/systemd/system/strongswan.service
@@ -11,7 +14,9 @@ if [[ "$2" != "strongswan" ]]; then
 	exec $ORIG "$@"
 fi
 
-if [[ "$1" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
+if [[ "$1" == "start" && -n $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then
+	sed -i "s:Type=:Environment=LEAK_DETECTIVE_DISABLE=$LEAK_DETECTIVE_DISABLE_DAEMON\nType=:" $CONF 2>/dev/null
+elif [[ "$1" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
 	sed -i "s:Type=:Environment=LEAK_DETECTIVE_LOG=$LEAK_DETECTIVE_LOG\nType=:" $CONF 2>/dev/null
 fi
 
@@ -20,6 +25,7 @@ STATUS=$?
 
 if [[ "$1" == "stop" ]]; then
 	sed -i '/LEAK_DETECTIVE_LOG/d' $CONF 2>/dev/null
+	sed -i '/LEAK_DETECTIVE_DISABLE/d' $CONF 2>/dev/null
 fi
 
 exit $STATUS

testing/hosts/default/usr/local/sbin/ipsec

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# LEAK_DETECTIVE_DISABLE might be set, however, we only want to actually use
+# it for the daemons if LEAK_DETECTIVE_DISABLE_DAEMON is set.
+
+ORIG=/usr/local/sbin/ipsec.orig
+
+if [[ "$1" == "start" && -z $LEAK_DETECTIVE_DISABLE_DAEMON ]]; then
+	unset LEAK_DETECTIVE_DISABLE
+fi
+
+$ORIG "$@"

testing/hosts/moon/etc/rc.local

@@ -1,20 +0,0 @@
-#!/bin/sh -e
-#
-# rc.local
-#
-# This script is executed at the end of each multiuser runlevel.
-# Make sure that the script will "exit 0" on success or any other
-# value on error.
-#
-# In order to enable or disable this script just change the execution
-# bits.
-#
-
-# Disable checksum offloading on eth1 because it does not currently work with
-# libvirt and isc-dhcp-server running on venus, see [1]
-# [1] - https://bugs.mageia.org/show_bug.cgi?id=1243
-
-ethtool --offload eth1 tx off >/dev/null 2>&1
-ethtool --offload eth1 rx off >/dev/null 2>&1
-
-exit 0

testing/hosts/winnetou/etc/ldap/slapd.conf

@@ -7,8 +7,8 @@ moduleload	back_mdb.la
 
 include		/etc/ldap/schema/core.schema
 
-pidfile		/var/run/openldap/slapd.pid
-argsfile	/var/run/openldap/slapd.args
+pidfile		/var/run/slapd/slapd.pid
+argsfile	/var/run/slapd/slapd.args
 
 #######################################################################
 # Database definitions

testing/scripts/build-baseimage

@@ -18,23 +18,11 @@ INC=$INC,libxml2-dev,libtspi-dev,libsqlite3-dev,openssh-server,tcpdump,psmisc
 INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,wget,gnupg,man-db
 INC=$INC,libboost-thread-dev,libboost-system-dev,git,iperf3,htop,valgrind,strace
 INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev
-INC=$INC,dnsutils,ca-certificates,unzip,libsystemd-dev
+INC=$INC,bind9-dnsutils,ca-certificates,unzip,libsystemd-dev
 INC=$INC,python3,python3-setuptools,python3-build,python3-dev,python3-daemon,python3-venv,
 INC=$INC,apt-transport-https,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi-py3
-INC=$INC,libxerces-c-dev,rsyslog,ncat,socat
+INC=$INC,libxerces-c-dev,rsyslog,ncat,socat,libiptc-dev,binutils-dev
 case "$BASEIMGSUITE" in
-buster)
-	INC=$INC,iptables-dev
-	;;
-*)
-	INC=$INC,libiptc-dev
-	;;
-esac
-case "$BASEIMGSUITE" in
-buster)
-	INC=$INC,libahven7-dev,libxmlada-schema8-dev,libgmpada8-dev
-	INC=$INC,libalog4-dev,dbus-user-session
-	;;
 bullseye)
 	INC=$INC,libahven9-dev,libxmlada-schema10-dev,libgmpada10-dev
 	INC=$INC,libalog6-dev,dbus-user-session
@@ -44,11 +32,15 @@ bullseye)
 	;;
 bookworm)
 	INC=$INC,libahven11-dev,libxmlada-schema12-dev,libgmpada12-dev
-	INC=$INC,libalog8-dev,dbus-user-session
+	INC=$INC,libalog8-dev,dbus-user-session,pipx
 	# workaround for dependency issue gdb -> libsource-highlight4v5 -> virtual
 	# package (libboost-regex1.74.0-icu67), which debootstrap can't resolve (#878961)
 	INC=$INC,libboost-regex1.74.0
 	;;
+trixie)
+	INC=$INC,libahven-dev,libxmlada-schema-dev,libgmpada-dev
+	INC=$INC,libalog-dev,dbus-user-session,pipx,systemd-dev
+	;;
 *)
 	echo_warn "Package list for '$BASEIMGSUITE' might has to be updated"
 	;;
@@ -60,7 +52,7 @@ APT1="libgcrypt20-dev traceroute iptables"
 APT="tmux"
 # additional services to disable
 case "$BASEIMGSUITE" in
-bookworm)
+bookworm|trixie)
 	;;
 *)
 	SERVICES="$SERVICES systemd-timesyncd"
@@ -86,6 +78,9 @@ log_action "Connecting image to NBD device $NBDEV"
 execute "qemu-nbd -c $NBDEV $BASEIMG"
 do_on_exit qemu-nbd -d $NBDEV
 
+# wait for disk to become ready with newer QEMU versions
+sleep 1
+
 log_action "Partitioning disk"
 sfdisk /dev/nbd0 >>$LOGFILE 2>&1 << EOF
 ;
@@ -125,13 +120,13 @@ EOF
 execute_chroot "locale-gen"
 
 log_action "Downloading signing key for custom apt repo"
-execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/key"
+execute_chroot "wget -q $BASEIMGEXTKEY -O /tmp/strongswan.key"
 log_action "Installing signing key for custom apt repo"
-execute_chroot "apt-key add /tmp/key"
+execute_chroot "mv /tmp/strongswan.key /etc/apt/keyrings/"
 
 log_action "Enabling custom apt repo"
 cat > $LOOPDIR/etc/apt/sources.list.d/strongswan.list << EOF
-deb $BASEIMGEXTREPO $BASEIMGSUITE main
+deb [signed-by=/etc/apt/keyrings/strongswan.key] $BASEIMGEXTREPO $BASEIMGSUITE main
 EOF
 log_status $?
 

testing/scripts/build-certs

@@ -22,6 +22,8 @@ mkdir -p $IMGDIR
 log_action "Connecting root image to NBD device $NBDEV"
 execute "qemu-nbd -c $NBDEV $ROOTIMG"
 do_on_exit qemu-nbd -d $NBDEV
+# wait for disk to become ready with newer QEMU versions
+sleep 1
 blockdev --rereadpt $NBDEV
 
 log_action "Mounting $NBDPARTITION to $LOOPDIR"

testing/scripts/build-guestimages

@@ -37,14 +37,19 @@ mkdir -p $LOOPDIR
 # just to be sure
 do_on_exit qemu-nbd -d $NBDEV
 do_on_exit umount $LOOPDIR
+do_on_exit umount $LOOPDIR/proc
 
 for host in $STRONGSWANHOSTS
 do
 	log_action "Creating guest image for $host"
 	execute "qemu-img create -b $ROOTIMG -f $IMGEXT -F $IMGEXT $IMGDIR/$host.$IMGEXT" 0
 	execute "qemu-nbd -c $NBDEV $IMGDIR/$host.$IMGEXT" 0
+	# wait for disk to become ready with newer QEMU versions
+	sleep 1
 	blockdev --rereadpt $NBDEV
 	execute "mount $NBDPARTITION $LOOPDIR" 0
+	execute "mount -t proc none $LOOPDIR/proc" 0
+	execute "mv $LOOPDIR/usr/local/sbin/ipsec $LOOPDIR/usr/local/sbin/ipsec.orig" 0
 	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
 	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
 	execute_chroot "ldconfig" 0
@@ -74,24 +79,14 @@ do
 		execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0
 		execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0
 
-		# on bullseye and newer, enabling via bind9 doesn't work, while
-		# disabling does, so use named here. on the other hand, older releases
-		# like buster don't have named service files
-		SERVICES="apache2 slapd"
-		case "$BASEIMGSUITE" in
-		buster)
-			SERVICES="$SERVICES bind9"
-			;;
-		*)
-			SERVICES="$SERVICES named"
-			;;
-		esac
+		SERVICES="apache2 slapd named"
 		for service in $SERVICES
 		do
 			execute_chroot "systemctl enable $service" 0
 		done
 	fi
 	sync
+	execute "umount -l $LOOPDIR/proc" 0
 	execute "umount -l $LOOPDIR" 0
 	execute "qemu-nbd -d $NBDEV" 0
 	log_status 0

testing/scripts/build-strongswan

@@ -115,6 +115,8 @@ case "$GUEST" in
 esac
 
 do_on_exit qemu-nbd -d $NBDEV
+# wait for disk to become ready with newer QEMU versions
+sleep 1
 blockdev --rereadpt $NBDEV
 
 log_action "Mounting $NBDPARTITION to $LOOPDIR"
@@ -195,7 +197,7 @@ do
 		execute_chroot "make SRCDIR=/root/strongswan BUILDDIR=/root/shared/build-strongswan QUICK_REBUILD=$QUICK_REBUILD -f /root/shared/build-strongswan/$r"
 	else
 		cp $RECPDIR/$r ${LOOPDIR}/root/shared/compile
-		execute_chroot "make SWANVERSION=$TARBALL -C /root/shared/compile -f $r"
+		execute_chroot "make SWANVERSION=$TARBALL BASEIMG=$BASEIMGSUITE -C /root/shared/compile -f $r"
 	fi
 done
 

testing/scripts/chroot

@@ -42,6 +42,8 @@ root)
 esac
 
 do_on_exit qemu-nbd -d $NBDEV
+# wait for disk to become ready with newer QEMU versions
+sleep 1
 blockdev --rereadpt $NBDEV
 
 log_action "Mounting $NBDPARTITION to $LOOPDIR"
@@ -68,4 +70,4 @@ echo
 fi
 
 export debian_chroot="$1"
-chroot $LOOPDIR /bin/bash -i
+chroot $LOOPDIR /bin/bash -l

testing/scripts/function.sh

@@ -48,9 +48,23 @@ execute()
 
 # execute command in chroot
 # $1 - command to execute
+# $2 - whether or not to log command exit status
+#      (0 -> disable exit status logging)
 execute_chroot()
 {
-	execute "chroot $LOOPDIR env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin $@"
+	cmd=${1}
+	echo chroot $LOOPDIR $cmd >>$LOGFILE 2>&1
+	chroot $LOOPDIR /bin/bash -l <<-EOF >>$LOGFILE 2>&1
+		$cmd
+	EOF
+	status=$?
+	[ "$2" != 0 ] && log_status $status
+	if [ $status != 0 ]; then
+		echo
+		echo "! Command chroot $LOOPDIR $cmd failed, exiting (status $status)"
+		echo "! Check why here $LOGFILE"
+		exit 1
+	fi
 }
 
 # write green status message to console

testing/scripts/recipes/006_tkm-rpc.mk

@@ -2,7 +2,7 @@
 
 PKG = tkm-rpc
 SRC = https://git.codelabs.ch/git/$(PKG).git
-REV = v0.4
+REV = c43c7d2a070d37e4063b83be0dc01425bf890206
 
 PREFIX = /usr/local/ada
 

testing/scripts/recipes/008_xfrm-ada.mk

@@ -2,7 +2,7 @@
 
 PKG = xfrm-ada
 SRC = https://git.codelabs.ch/git/$(PKG).git
-REV = v0.1
+REV = e0590c6bb3c6a5b7f2edd8f95dce9e8c77e22230
 
 PREFIX = /usr/local/ada
 

testing/scripts/recipes/010_tkm.mk

@@ -2,7 +2,11 @@
 
 PKG = tkm
 SRC = https://git.codelabs.ch/git/$(PKG).git
+ifeq (,$(filter $(BASEIMG),bullseye bookworm))
+REV = 85d49c9255360663c344ccf3175092524dc66eae
+else
 REV = v0.3
+endif
 
 export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
 

testing/scripts/recipes/014_swid_generator.mk

@@ -17,4 +17,8 @@ $(TAR):
 	@touch $@
 
 install: .$(PKG)-unpacked-$(REV)
+ifeq (,$(filter $(BASEIMG),bullseye bookworm))
+	cd $(DIR) && pipx install --global --system-site-packages .
+else
 	cd $(DIR) && SETUPTOOLS_USE_DISTUTILS=stdlib python3 setup.py install
+endif

testing/scripts/recipes/015_strongTNC.mk

@@ -1,13 +1,15 @@
 #!/usr/bin/make
 
 PKG = strongTNC
-REV = 1.0.2
+REV = f0ed6fa8ef6bcde56283c6da1bdbdaa3d651eb11
 DIR = $(PKG)-$(REV)
 ZIP = $(PKG)-$(REV).zip
 SRC = https://github.com/strongswan/$(PKG)/archive/$(REV).zip
 DEPS = $(PKG)-deps
 VENV = /usr/local/venvs/tnc
 
+EXTRAS = setuptools legacy-cgi
+
 all: install
 
 $(ZIP):
@@ -19,10 +21,10 @@ $(ZIP):
 
 .$(PKG)-deps-$(REV): .$(PKG)-unpacked-$(REV)
 	python3 -m venv $(VENV)
-	$(VENV)/bin/pip download -d $(DEPS) -r $(DIR)/requirements.txt
+	$(VENV)/bin/pip download -d $(DEPS) -r $(DIR)/requirements.txt $(EXTRAS)
 	@touch $@
 
 install: .$(PKG)-deps-$(REV)
 	python3 -m venv $(VENV)
-	$(VENV)/bin/pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(DIR)/requirements.txt
+	$(VENV)/bin/pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(DIR)/requirements.txt $(EXTRAS)
 	cp -r $(DIR) /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc

testing/ssh_config

@@ -2,7 +2,7 @@ Host *
 	LogLevel QUIET
 	# debian default
 	SendEnv LANG LC_*
-	SendEnv LEAK_DETECTIVE_LOG
+	SendEnv LEAK_DETECTIVE_*
 	StrictHostKeyChecking no
 	UserKnownHostsFile /dev/null
 	GSSAPIAuthentication yes

testing/testing.conf

@@ -49,7 +49,7 @@ fi
 # Base image settings
 # The base image is a pristine OS installation created using debootstrap.
 : ${BASEIMGSIZE=2500}
-: ${BASEIMGSUITE=bookworm}
+: ${BASEIMGSUITE=trixie}
 : ${BASEIMGARCH=amd64}
 : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
 : ${BASEIMGMIRROR=http://http.debian.net/debian}

testing/tkm/Dockerfile

@@ -23,12 +23,12 @@
 #
 #   make -j check TESTS_RUNNERS=tkm TESTS_TKM=1
 
-FROM debian:bookworm
+FROM debian:trixie
 
 ARG packages="autoconf automake bison build-essential ca-certificates ccache \
 flex git gperf libssl-dev libtool pkg-config \
-gnat gprbuild libahven11-dev libxmlada-schema12-dev libgmpada12-dev \
-libalog8-dev"
+gnat gprbuild libahven-dev libxmlada-schema-dev libgmpada-dev \
+libalog-dev"
 
 RUN apt-get update && \
   DEBIAN_FRONTEND=noninteractive apt-get install -qq -y \
@@ -48,8 +48,8 @@ RUN cd /tmp/recipes \
   && make -f 010_tkm.mk \
   && rm -rf /tmp/recipes
 
-ENV ADA_PROJECT_PATH /usr/local/ada/lib/gnat
-ENV PATH /usr/lib/ccache:$PATH
+ENV ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
+ENV PATH=/usr/lib/ccache:$PATH
 
 COPY tkm/generate-config.sh /usr/local/share/tkm/
 COPY tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf /usr/local/share/tkm/