Kyua runs exec_cleanup after exec_test, i.e. execenv is expected to be initialized already. The only issue I can quickly spot is during non-usual interrupt handling (Ctrl+C) when execenv initialization probably had not happened before the cleanup was triggered, then cleanup is not expected to succeed anyway and it's okay if it reports an error (from its logic or from jexec).

Yes, both the caller and the callee have their proto in the headers with UTILS_NORETURN suffix. The latter depends on a compiler and may stand for __attribute__((noreturn)). But I think an explicit final else should not harm.

Agree, the comment is missing.

Yes, the simplest thing is implemented for now, currently it's based on program full path like /usr/tests/foo/bar plus a case name if presented. If required it's shortened down to the jail name limit, keeping the tail of the string, assuming it is the most unique part.

Yes, such situation is the most common one -- when usual so called "host" execenv is used, then init() does nothing. I think I left it as a separate thing for the sake of more obvious interface, and probably for the simpler responsibility of the execenv::exec() itself not to make it determine whether initialization is requied or it's done already (and probably keep additional state to maintain, just for that). For instance, an execution of the cleanup phase may make execenv::exec() life harder. Also, it could be important for possible new execenv implementations, I could think of execenv="bhyve" just as an example. What do you think?

Probably, it could be a separate patch. I've found a defect in the interrupt handling logic. Kyua already has logic to run cleanup for the spawned child processes (tests). But it does not collect all of them correctly and Kyua fails its expectations as a result. I guess it's hard to see it if no parallelism is used, but it's quite easy to reproduce it otherwise. And I needed to correctly run execenv cleanup phase (the new one, introduced by this patch) -- not to get dangling jails after Ctrl+C or some other abrupt termination. I think the respective code comment could be easily added here.

Yes, I added it to trigger this discussion due to it looks obvious that execenv="jail" based tests could soon enough start asking for some useful default not to set this for every single test case. Current implementation allows to override it by a test through execenv_jail metadata. Sure, we can use JAIL_MAX here as long as there are no technical objections.

I guess my idea was to have some limit anyway. Just in case. Not to let issues of third parties to flood Kyua logs. What do you think?

A code comment could be added here to make it clear.

Yes, they do hit the heap. Actually, the comment is a copy-pase of the existing process::exec() mechanism above the jail one. But the reality is that we use usual fork(2). Thanks, it needs comment update.

I understand that this is an expedient approach, but I don't like this method of generating and executing a script on the fly for each test execution.

I do not like it either :) Just the simplest and scoped (not to touch other things around as much as possible for now) solution to get the working prototype as soon as possible and reach the review quicker -- to optimize the time budget.

Can we have a standalone parameterized script that gets checked in and installed to /usr/libexec or so?

Oh, sounds like a bit better option if it's allowed to "pollute" the base such way :). This is where my incompleteness of global vision of the project does not allow to spawn such ideas and needs advices from the community.

Taking a further step back, why exactly do we need a script and jexec at all? Isn't it possible to use the jail system calls directly to do everything we want? I have done this one or twice when writing test cases and it's not too painful.

It sounds interesting.

(a little off-topic)
To be honest, my initial idea was to make it even simpler -- just add jail -cm <options> command= in front, without explicit execenv initialization and cleanup process. But the established jail(8) interface does not allow to do it easily and nowadays it's too late to break the POLA (e.g. see my patch https://reviews.freebsd.org/D42675), and there are other questions to the jail(8) like correct exit code communication in this context etc. But, probably for the sake of the execenv abstraction itself it's a good thing that it has explicit phases: execenv init, test exec, test cleanup exec, execenv cleanup.

Looking at D42410 I see that you do some things which require jexec, like set exec.prepare=kldload if_epair, but IMO this is not the right mechanism to load KLDs. Tests can easily load kernel modules themselves (and really this should be handled by the test framework).

Yes, currently this is the only working solution I have due to non-prison0 ones cannot load kernel modules. Here, I have not dug deeper yet to find alternatives or provide tests with the needed priv. Probably, you have some suggestions already.

Yes, I think an else would make this more clear.

So in general, it's impossible to guarantee that this will always work? :(

I agree that it's probably ok in practice, but it's hard to be sure.

How would execenv=bhyve work? What image would it boot?

It's definitely useful to have a framework for managing VMs which run tests; I have some lua scripts which do this, so one can build a src tree, create a VM image, boot and run all tests with a single command. IMO, kyua is probably not the right vehicle for that kind of functionality, but I don't know what you have in mind.

Hmm. I really wish it would be possible to specify this stuff in lua.

I cannot see a reason to avoid making children.max=JAIL_MAX the default. If individual tests want to override this for some reason, they are free to do so.

I don't understand this logic. If I'm using kyua to run test programs, then I definitely want to get the full output to understand what went wrong.

Can we just have a new test property, i.e., required_klds="if_epair pf", etc., and then kyua can handle this internally?

There is some inconsistency in the existing tests regarding KLDs. Some tests will load KLDs automatically (if they are running as root), some tests expect the user to load them first. I think the latter approach is a bit silly - if I'm running the tests, then of course I want them to do whatever they need to do. And, it makes the test suite as a whole less useful: I can't just run kyua test, I have to first do kldload carp dummynet if_ovpn if_stf ipdivert ipsec mac_bsdextended mqueuefs pf pflog pfsync sctp and then run kyua test. It's silly.

So, IMO tests should just load whatever modules they need. It would be even better if kyua can handle that, so that the requirements of each test can be declared.

Regarding the implementation here, my vote would be to try to avoid having a script at all, i.e., use the jail_* system calls directly and avoid relying on jexec features.

Yeah, IT frequently is about some trade-offs. Here it has some benefits being stateless and depend on input only, like SYN cookie as an example. The Ostrich algorithm looks to be fine here due to uniqueness of the program path is provided by a file system and uniqueness of a test case name is provided by ATF design.

But now I'm a bit worry about cases when a test author uses quite long descriptive test case naming, considering the jail name limit. There is a room for a little improvement, e.g. to shorten path and case name separately to preserve as much uniqueness as possible. But it looks like an additional complexity for no much win in return. What if we add the simplest hashing here? Probably you would like an idea to add something like CRC32 computed over the original path+case string before it's cut. Then a jail name could look like the following:
kyuaA1B2C3D4_usr_tests_sys_netpfil_pf_pass_block_nested_inline. And a shortened one could be like this: kyuaA1B2C305_ry_long_shortened_program_path_plus_case_name_string.

What do you think?

It was merely an example to reason about the separation of init and exec :) Thus, I try not to make execenv concept to be about jails only. If I have ideas about bhyve specifically then I will post a prototype patch to discuss it.

Probably I referred to bhyve as an example due to I had some quick "visions" months ago that probably execenv="bhyve" could be useful for some very specific tests like kernel crashing related or specific hardware behavior related, etc. But, for now it does not have any technical form to discuss, just high level quick thoughts to work on in future if I still find them interesting.

Fair enough. Anyway, jail(8) is not expected to be very talky.

We have 255 bytes for a jail name, as I remember. Probably we could even go with something more interesting like md5 or so, and additionally compact it into the name with some baseX. And we could still have enough space for the actual name. It looks to be useful to keep the name (path+case) as much as possible for the troubleshooting situations. Just thinking out loud.

It already has the respective code commented on the caller side -- executor::executor_handle::reap().

Now it's based on JAIL_MAX.

(off-topic)
I've added to my TODO to propose a separate patch for <sys/jail.h> in order to move the JAIL_MAX constant out from internals (ifdef _KERNEL). It will be interesting to hear from jail system supervisors whether it's a good idea.

Yeah, the same here, for two decades I've been striving towards a single command to run a test suite(s) of a product.

But my recent study of Kyua and the FreeBSD test suite formed the vision that the project decided to be based on the Kyua philosophy -- infrastructure tests for both developers and users. It means to be able to run tests right on the battlefield, not only during R&D (e.g. FreeBSD's CI) and manufacture (e.g. FreeBSD's releng process). And Kyua puts it such way that if during manufacture we want to run everything with a possibility to blow the test environment, on the other hand we would like to allow a soldier to run some self-check of the weapon but without actual rocket launching by default. Thus, the test suite is configurable and "explosive" tests should run only if an operator asks for it explicitly. That's why we have options like allow_sysctl_side_effects and some tests are designed to be skipped if expecatations are not fulfilled.

And the first existing tests I was working with confirmed this vision. I hope a good example could be firewall testing. For instance, if a host does not use ipfw but a test silently loads it for testing needs then such host may end up being non-functional over network due to the default settings provide a closed firewall type. That's why such tests simply check whether such module is loaded and skip themselves with a message which describes the expectations from the host's operator.

Working deeper with the FreeBSD test suite I've got the idea that some modules are okay to be loaded silently, e.g. if_epair. It sounded for me like it was decided (or it's just happened so) that relatively non-harmful modules can be silently loaded as a runtime dependency of a test. Sure, it's disputable, but this is how it is today.

While I was working on https://reviews.freebsd.org/D42410 I got acquainted with the whole FreeBSD test suite and found the mentioned inconsistency.

As for me, the idea of explicit declaration of expectations and requirements sounds profitable. First of all, it's kind of a self-documentation, e.g. I had to research which sysctl is needed for specific tests to get the expected feature enabled, or which package should be installed, etc. If a test declares it more explicit way then it will be easier to provide it with the expectations or to automate this process.

Sorry for the tl;dr, I just wanted to explain my worries that if we implement something like required_klds that unconditionally loads the mentioned modules then we will break behavior of the existing tests.

From my understanding, some action committee of developers (as it usually happens) could decide on the design of the FreeBSD test suite if we the past years of its usage lead us to the idea that doing it for both developers and users is less-profitable than just "for developers".

To sum up, I personally see at least the following possible next steps:

1. For now, keep current implementation which allows to load modules via jail(8) interface.
2. Decide on the conceptual direction of the whole test suite and implement respective declarative approach. I guess it may keep this jail support unresolved for much longer. I have no rush here, just as I feel it :).
3. Other ideas to come from the discussion.

What do you think?

This needs to be wrapped in curly braces or dedented appropriately.

Depending on the toolchain/preprocessor/reformatter/human, I could see where this could result in incorrect behavior at a later date.

Again, this should be wrapped in curly braces or dedented appropriately.

For example...?

Again, this should be wrapped in curly braces or dedented appropriately.

• "jail name max" should be provided via a C++ or libjail-provided constant.
• Hardcoding strlen((const char*)"kyua") instead of computing it (and letting the C++ compiler optimize it away) could result in programming errors later if someone fails to modify either the hardcoded prefix or this value.
• "kyua" should be stored in a well-defined/named constexpr.

Why squelch this error?

Why is this being ignored?

Again, why is this being ignored?

This seems like a potential programming error... why is this being ignored?

This puts all of the functions in the anonymous namespace; this could cause conflicts at a later date.

I'd use std::filesystem::current_path() instead: https://stackoverflow.com/a/2203694 . This would change the minimum required C++ standard to C++-17, which would likely be ok, given that clang added this support back in 7.x: https://en.cppreference.com/w/cpp/compiler_support/17 .

I don't think 1 is a good direction for now. We are not going to run all tests in jails by default (right?); we just need to make sure that any jailed tests are explicit about their dependencies so that kyua can decide whether or not to skip a test. I don't think kyua should be loading kernel modules.

Actually, the idea of the option 1 is not about jail(8), the only thing I saw behind this option is to keep existing tests unchanged and speed-up the whole test suite today -- my tests yielded ~x2 speedup (https://reviews.freebsd.org/D42410 has demo numbers). The exec.prepare parameter of jail(8) simply has been found handy for dealing with existing kld inconsistency without extra effort.

That patch is named "run all in jail by default" for short, but its actual idea is to enable execenv="jail" with a single knob for the whole suite and negate it with execenv="host" for the tests which are not capable to be run within a jail or they are not meant to do so like non-root tests (required_user="unprivileged"). And the test suite polishing process could slowly take place after, e.g.: alter some tests to be jail capable to improve parallelism and speedup the suite more, revise some tests to fix kld inconsistency and drop exec.prepare usage respectively, etc. The actual usage of exec.prepare is like a TODO marker of the tests which need fix of kld inconsistency.

So, the whole idea is to get the test suite run faster today w/o modification of the existing tests and CI configuration -- i.e. get benefit for the FreeBSD development process much sooner comparing to months or years of slow migration to execenv="jail" per test. And the logic of the tests are not altered, we simply run them faster. And that second patch shows that this idea works and can provide about x2 speed today, and I guess more CPU can yield more.

Another interesting feature of this approach demonstrated by that second patch is that tests which are capable to be run in a jail still can do that without being jailed. This kyua patch has a logic that if a test case has both is_exclusive="true" and execenv="jail" defined then it will be run in parallel, i.e. it's not practical to follow is_exclusive="true" flag and run such test sequentially. It means that if we do not need to run such test in a jail it still has is_exclusive="true" flag correctly defined, i.e. it needs to be run sequentially for its own reasons. But if we go with "opt-in" option per test as we agreed before then it means that we may end up nailing tests to be always run within a jail only, and if we want to turn it off for the whole test suite (who knows, maybe some troubleshooting case will require to avoid jails to find a bug) it will mean to alter metadata of every single test who opted-in -- what practically means it's impossible.

I guess now you have deeper context of the deal and probably find that second patch interesting by looking at its overall idea from another angle. Okay-okay, agree, now it looks like I'm trying to sell again after a failed cold call :)

Coming back to our previous agreements, we decided to go with "opt-in" per test and the good news is that this kyua patch does not depend on this decision -- it's about how to use kyua jail support not how to implement it. And, via the review process, we may encourage opted-in tests to fix kld inconsistency if any not to use exec.prepare, as an example pf tests will end up expecting both pf and if_epair being prepared by a host's operator (I guess all vnet based tests will end up to expect if_epair because of the common util functions). And we will update CI configuration to pre-load such unshadowed modules.

So in general, it's impossible to guarantee that this will always work? :(
I agree that it's probably ok in practice, but it's hard to be sure.

It looks that jail naming is the only open question left, from the overall design perspective. Do you have preferences here? Should we do some hashing today or it can be picked up later?

I guess execenv can be anything what is found practical, e.g. "bhyve", "qemu", or "docker" if we think outside of the FreeBSD project itself.

Sure, as long as the overall idea is accepted we now can invest time to polish the things.

It simply follows the existing style, e.g. tests_needing_cleanup(), when we pick only values of a specific type.

This whole function, wait_any(), is a giant if-else switch actually. The original code forms this branching around try-catch type casting and I decided to follow the same idea to simplify the diff and the review process respectively. There were two types only, and this patch adds the third one. Agree, it's not perfect, but refactoring along with the key changes (this is the cornerstone function for this patch) could be too much for the reviewers and minimize chances to attract attention to the path. And the desired refactoring may happen later separately. The whole approach of this patch is to follow the existing Kyua architecture and style as much as possible.

I think we could help the current state of the code with another comment instead of just "ignored" word to ease the reading. And our TODO lists could be extended with the idea to refactor it in future with typeid() or something else.

Just following the style of existing code. I guess there is no issue to avoid this.

Yeah, it would be great to stay within the C++ itself for the sake of Kyua as a separate cross-platform project, but I've tried to avoid modernism due to this: https://cgit.freebsd.org/src/commit/usr.bin/kyua?id=42fb28cef42e883d808c9efadd44016563248817.

Fortunately, it's not so bad due to getcwd() is from POSIX.

This function should have a comment explaining its limitations.

Shouldn't this be PATH_MAX?

Yeah, the initial request for the comment was lost within the discussion of the name generation approach. As long as it's decided now it's time to add the comment.

Thanks, this part has been missed to get polished after the initial prototype. And 256 was not even close :)

man pages want a new line for every new sentence.

Thanks for reminding about man linting.