Hey everyone!

I noticed that the openconnect project relies on:

1. Maintainers having access to real hardware
2. Issue reporter providing a lot of log files/dumps for maintainers to work on

While (1) is not ideal because not every maintainer has access to firewalls in 
question, (2) is limited too because sometimes it's really hard to get enough 
info, and not every bug reporter can even give exact firewall software version 
info, not to mention a relevant configuration of firewall.

Here comes my suggestion/question:

Would you accept a pull request with some kind of local firewall deployment 
automation, for developers to experiment on (if they have time, of course)?

I imagine the following artifacts:

1. Shell scripts/Vagrant Box to bring VM up
2. Ansible playbooks (maybe triggered from vagrant itself) for idempotent 
configuration of VPN in question

So in best case scenario, to reproduce some case, developer should:

get a .qcow2 file of virtual firewall in question (the hardest part),
cd to

    integration/anyconnect/asav-x.y.z-some-test-case

and execute 
   
    vagrant up

, then get a preferred beverage while vagrant and ansible prepare a test 
environment for them, and start hacking!

The other variant is to utilize GNS3, or even EVE-NG for creating and sharing 
topologies, but I think that:
a) Vagrant and ansible are more usable in other day-to-day tasks for developer 
enthusiast, and more transferable as skills to use on other projects, making 
them more interesting/rewarding
b) I want a workflow to be as pain-free as possible, because getting images to 
work on is a pain already, and executing single command seems simple enough
c) We don't need "a topology", we need one firewall with "public" and "private" 
interfaces, without outbound internet access, and an SSL-VPN daemon to interact 
with, nothing more, so a single VM seems good enough
d) Some advanced cases might require other VMs/Containers, i.e. radius server, 
SSO server and so on, and GNS3 and friends are not really the tools to deploy 
and maintain that.

There are some conceptual questions though:

1. Vagrant is not that portable, and Cisco, for example, targets KVM, ESXi and 
Hyper-V only, leaving VirtualBox users and whatever macOS has as hypervisor for 
themselves
2. Ansible is also "best served" on Linux
3. I don't have anything other than Linux to test and support this on, so 
basically I hope that developers are Linux users themselves
4. Getting a proper OS image would most certainly require some kind of support 
contract, and while checksums of images are mostly accessible from vendor 
websites, and there are a lot of images lying on some nice http/ftp servers 
around the web, some people might not even bother downloading and checking 
them, due to legality concerns and their limited free time

So, before I started hacking in this direction (which might even fail due to 
some Vagrant issues), would maintainers of openconnect even be interested in 
this?

And hey, thanks for giving me an opportunity to work on my favorite OS for 
years, without tainting my machine with some proprietary cr.. I mean, software.

With best regards,
Joe
    



_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
