Openjdk-infrastructure: Provide remote access solution to be able to run manual GUI tests on the JCK boxes

Created on 7 Mar 2018  路  23Comments  路  Source: AdoptOpenJDK/openjdk-infrastructure

VNC would seem the most sensible option, either standalone or via an x11vnc server running on an Xvfb display, but we need some solution to be able to run the manual JCK GUI tests on the (Linux, initially) JCK boxes.

Should we firewall off the VNC port and only allow connections via an ssh tunnel?

Assigning to @geraintwjones to share around the updating of the JCK playbooks.

  • [x] Linux
  • [x] Windows
  • [ ] Mac
  • [ ] AIX
  • [ ] Solaris
Machine Request wontfix

All 23 comments

We need to ensure that its secure... VNC should not be directly accessible. forcing the user to ssh in first. and limiting the GUI to the jenkins user.

As suggested in my original post firewalling off the VNC port to only allow from 127.0.0.1 should be enough to alleviate any security concerns.

@geraintwjones A quick scan of that link suggests that those instructions don't cover blocking the direct insecure connection, just tells you how to connect securely.

I have never set up VNC before, and know nothing about it. If this needs to be done quickly (which I believe it does), I suggest someone else does it, or you wait for me to figure out what I need to do.

This is the approach I'm taking...

  • Update and run the playbook to Install vnc4server on the JCK machines.
  • The playbook changes will NOT include starting the VNC server.
  • Whoever runs the tests need to...

    • Start the server with -localhost and setting the password

    • Connect to the VNC server

    • Run the test

    • Stop (kill) the VNC server

Does that sound reasonable? We'd need to provide instructions to tell them how to do this.

@bblondin Geraint's change will only install the package, not start it. I think "leaving that to the user running the tests" is possibly the best option as per Geraint's comment above (which they can do under a personal user account on the machine) and we will provide documentation on how to connect securely with an ssh tunnel. We'll need to verify that -localhost will work as expected too with the installed package

Installed vnc4server on a local Ubuntu machine. Started it with the -localhost parameter.
I was NOT able to telnet to it either locally or remotely using its FQDN.
I WAS able to telnet to it locally using localhost instead of FQDN.

Ok, sounds good. Please let me know when you have a system up and running. I'd like to pen test it.

Initial draft of instructions for JCK manual testers (FYI @lumpfish)

  1. Install a VNC client on your local machine (often called vncviewer on linux, or grab one from e.g. http://tigervnc.org on Windows
  2. If you have a command line ssh client you can use the command in the next step. Otherwise, if you're using PuTTy Windows set the options in the screen shown in the screen shot below before connecting into the test machine (you may find it useful to save this configuration)
  3. ssh -L 5910:localhost:5910 [email protected] < 5910 should normally be the port if you select :10 in the next step, otherwise it'll be higher or lower than that
  4. Start vncserver -localhost :10 via the ssh connection and give it a password if you haven't already (:10 is an arbitrary number but I'd rather it was out of the way of any Xvfb used for the automated testing
  5. Run vncviewer or whatever your installed VNC client is called and point it at localhost:10 (changing the number if you chose a value other than 10 when you started the server

puttyforwarding

@sxa555 - I created a few documents in the JCK8 wiki - e.g. https://github.com/AdoptOpenJDK/JCK8/wiki/Executing-JCK-Interactive-Tests so we should link this setup into those. Although the wikis being specific to each repository means that with this approach we'll have to keep recreating essentially the same document for each new JCK release.

Or we could just declare the JCK8 wiki to be the master and point to it from the other versioned ones

I ran the playbook against the following JCK machines...

  • jck-softlayer-ubuntu1604-x64-1
  • jck-packet-ubuntu1604-armv8-1
  • jck-osuosl-ubuntu1604-ppc64le-1
  • jck-osuosl-ubuntu1604-ppc64le-2

I also tried to run it against jck-softlayer-ubuntu1604-x64-2, but that failed with the following error...

fatal: [jck-softlayer-ubuntu1604-x64-2]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).\r\n", "unreachable": true}

@sxa555 Those draft instructions look great! Can you move to a CONTRIBUTING.md or wiki? Perhaps in the JCK repo actually now that I think about it.

Yep @karianna - Simon already has a document for running the manual tests - the link he mentioned above - and this issue were always just my draft notes before moving them there - I'll do that now :-)

@geraintwjones Can you do it on the s390x JCK machines too please?

@lumpfish I haven't ran through those instructions myself yet, but if you have any issues (since I'm not in the office again til Tuesday) ping me on slack (I'll likely not have easy access to github comments) and I'll attempt to assist but they should work ok ;-) Once you're happy that it works feel free to close this issue.

@lumpfish Have you had a chance to verfiy that this is working?

We used VNC set up on the Linux JCK machines to run the JCK on the openjdk8-openj9 builds. The instructions for how to do the setup are included in the JCK repository wiki here: https://github.com/AdoptOpenJDK/JCK/wiki, which have been followed successfully by someone other than me!
Windows, Mac, AIX and Solaris have not yet been attempted. We could leave this issue open till they're all done, or close this and open new ones as we hit issues on the other platforms.

@lumpfish Thanks - I've updated the issue with a checklist so we can track the other platforms

On Linux we have used a shared jcktestr account which we have allowed people access to via ssh keys while they are performing the testing (and taken the machines offline in jenkins while such testing is being performed. The instructions for VNC tell people to use an ssh tunnel in order to connect securely to the VNC instance.

On Windows we have provided remote access to a jcktester account.

As Mr.Fish says above, AIX and Mac have yet to be run through a certification process. Solaris is not in scope as yet but I would not envision any significant problems using VNC on there.

Related: https://github.com/AdoptOpenJDK/openjdk-infrastructure/issues/424 https://github.com/AdoptOpenJDK/openjdk-infrastructure/issues/432

FYI @CJKwork we could probably do with adding a new piece to the ubuntu JCK playbook to create the jcktestr user too.

Re comment above, ubuntu playbook has been modified to also create the jcktestr user.

Cancelling this as we're not running JCK tests

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Willsparker picture Willsparker  路  9Comments

Mesbah-Alam picture Mesbah-Alam  路  4Comments

judovana picture judovana  路  5Comments

aahlenst picture aahlenst  路  6Comments

sxa picture sxa  路  7Comments