r2 - 06 Apr 2008 - 12:38:54 - NetClimeYou are here: Wiki >  AppLogic24 Web > CatGatewayINSSLTP
ALERT! AppLogic 2.4 Documentation The latest production release is AppLogic 3.0.30

INSSL - Test Plan

Preparation

Host platform

The automated tests described here for the INSSL appliance are designed to run on a Linux system.

3rd-party tools

Both of the 3-rd party utilities used in the test are included in binary form in the test archive, for easy running of the test. Below is a description of these utilities and where the sources for them can be found.

thttpd

The test for INSSL uses three instances of the THTTPD web server as back-ends for the load-balancer (GPL, from http://www.acme.com/software/thttpd/, version used in the tests: 2.25b http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz, but really any version will work fine).

http_load

a simple load-generator tool, for performance testing (GPL, from http://www.acme.com/software/http_load/, version used in the tests: http://www.acme.com/software/http_load/http_load-29jun2005.tar.gz).

Tests Summary

Automatic tests (mandatory)

  • protocol compliance - INSSL serves both 1.0 and 1.1 clients (nb: emulate 1.0 clt using telnet)
  • performance - throughput test, reqs/second, http and https
  • performance - throughput test, bytes/second (small & large file: 100 bytes, 6K), http and https
  • performance - concurrent sessions test - opening up to the max number of connections at the same time

Manual / special tests (optional)

These tests either require operator intervention or special test conditions that are not available on the AppLogic grids that are currently set up.

  • preserve client IP in logs
  • l7_accept property test
  • l3_accept property test
  • allowed_hosts test
  • ssl cert tests

Running the Tests

To run the tests on the controller:

Copy and un-compress the tests archive file.

Create a test application by connecting 2 instances of the LINUX appliance (srv1, srv2) and one instance of NET(ctl1) as follows:

INSSL.http -> srv1.in
INSSL.aux -> srv2.in

Your test application should look something like this:

inssl-tst.png

Note that the names of the instances are important, they have to be INSSL (the testee), clt1, srv1, and srv2. The test scripts will access them all by name.

Change to the directory where the tests were un-archived.

Prepare the test setup, by running the following command (this also verifies SSH connectivity to the test appliance instances, needed to control the test automatically):

bash tst-prep.sh localhost app-name

where app-name is the name of the test harness application.

The script will take a minute or so to run, and will start the test harness and copy all necessary files into it.

If the setup completes without errors, run the tests:

bash runall.sh localhost app-name</var

Preparing the 3rd Party tools

If re-building the test utilities (thttpd and http_load) is needed, do the following:

  • download and un-archive the sources
  • build the sources (./configure ; make ), but don't do 'make install'
  • copy the thttpd binary into the test root directory, copy the http_load bindary into the ./remote sub-directory in the test root directory
  • run the tests, as described above

Design

Structure

The test application is built from from the following:

  • an AppLogic application (test harness) containing the component under test (INSSL) and the instances of the LINUX and NET appliances.
  • test utilities and a remote test script, intended to run on the AppLogic controller. The test may also be run from a remote console that has SSH access to the AppLogic controller. Note: the remote access to the controller uses the experimental access macros that are being developed for use with a "closed" controller. Their use requires the setup of a "restricted" key, instead of or in addition to the normal (full access) SSH key in the .ssh/authorized_keys file on the controller.

The test script is fully automated and includes the ability to install the necessary test software on the LINUX and NET instances comprising the test harness.

Back-end Setup - Web space contents

The test script configures each of the LINUX instances that serve as back-end HTTP servers for the test with the following structure of files (shown here relative to the HTTP namespace root of the server):

/index.html tiny web page (<100 bytes). The contents of this page are different for each back-end server.
/bugz.html snapshot of a Bugzilla front page, 6K HTML code. A larger file for data throughput tests.

Test Details

protocol compliance - INSSL serves both 1.0 and 1.1 clients

HTTP 1.1 client operation is verified by all the above tests (done with 'wget'). Use the /dev/tcp pseudo-file in bash to submit a 'get / HTTP/1.0' (with no headers, etc. - just the request line). This should be accepted by INSSL and a valid page should be returned.

performance - throughput test, reqs/second

IMPORTANT: The net.ipv4.tcp_tw_recycle option must be set to 1 for this test (sysctl -w net.ipv4.tcp_tw_recycle=1). Without this, the client is unlikely to be able to supply the necessary load due to slow timing-out of closed TCP sockets.

Use the 'http-load' utility to measure the request rate that INSSL can handle. 'http-load' should be used with '-parallel X' option, to submit requests as fast as it can, up to X pending requests in parallel (use X=3..10 - when requesting a static page from the THTTPD back-end, the response should be fast enough to saturate the CPU on which INSSL is running with very few pending requests). The /index.html file is requested for this test (<100 bytes size).

performance - throughput test, bytes/second (small & large file: 100 bytes, 6K)

The setup is the same as for the req/s test, but this time a larger file is requested.

performance - concurrent sessions test - opening up to the max number of connections at the same time

NOTE: INSSL must be given its max. memory for this test.

In this test, the http_load application is set to open a large number of simultaneous connections. This should complete without delay for up to the max # of connections supported by INSSL.

Once the max request limit is reached, the test drops all connections and after a short delay repeats the procedure, to verify that INSSL cleans up properly and can continue accepting new requests.

preserve client IP

l7_accept property test

  • Start the application with l7_accept set to none and verify that pound is not started on INSSL
  • Start the application with l7_accept set to both without setting a certificate and verify that application fails

l3_accept property test

  • set l3_accept_proto to tcp, l3_accept_port to 25 and check that the port is forwarded to srv2 (use nmap on ctl1 to generate the request and tcpdump on srv2 to verify it is recieved)
  • set l3_accept_proto to tcp, l3_accept_port blank and check that all tcp ports are forwarded to srv2 (use nmap on ctl1 to generate request on port 21, 53 and 3306 and tcpdump on srv2 to verify it is recieved)
  • set l3_accept_proto to udp, l3_accept_port to 25 and check that the port is forwarded to srv2 (use nmap on ctl1 to generate the request and tcpdump on srv2 to verify it is recieved)
  • set l3_accept_proto to udp, l3_accept_port blank and check that all tcp ports are forwarded to srv2 (use nmap on ctl1 to generate request on port 21, 53 and 3306 and tcpdump on srv2 to verify it is recieved)
  • set l3_accept_proto to raw, l3_accept_port to 46 and check that the port is forwarded to srv2 (use nmap on ctl1 to generate the request and tcpdump on srv2 to verify it is recieved)

allowed_hosts test

  • set allowed_hosts to a value different from the external IP of NET and verify that access to INSSL is denied (both to http and aux terminals)
  • set allowed_hosts to the external IP of NET and verify that access to INSSL is allowed (both to http and aux terminals)

ssl cert tests

  • put a password protected certificate and check that INSSL fails to start
  • put invalid certificate and check INSSL fails to start

webdav

  • enable webdav on srv2 and INSSL, verify that a valid upload can be made.
  • disable webdav on INSSL and verify that a webdav upload fails

-- NetClime - 02 Apr 2008

 
Copyright © CA 2005-2011. All Rights Reserved.
%