storage: testing of FIPS compliant build #97428

Closed
nicktrav opened this issue Feb 21, 2023 · 3 comments
Labels
A-storage Relating to our storage engine (Pebble) on-disk storage. C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-storage Storage Team

Comments

@nicktrav
Collaborator

nicktrav commented Feb 21, 2023

Is your feature request related to a problem? Please describe.

We're investigating a FIPS compliant build of CRDB. Such a build, given the changes to the Go runtime and encryption libraries, could have an impact on encryption codepaths, which could affect the performance of Encryption-At-Rest (EAR).

Describe the solution you'd like

Sanity check the FIPS build to ensure it is performant w.r.t. non-FIPS builds. All existing Storage unit tests and roachtests should be passing.

Additional context

More context can be found here (internal link).

Jira issue: CRDB-24691

Epic DEVINF-478

@nicktrav nicktrav added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-storage Relating to our storage engine (Pebble) on-disk storage. T-storage Storage Team labels Feb 21, 2023
@nicktrav nicktrav self-assigned this Mar 13, 2023
@nicktrav
Collaborator Author

nicktrav commented Mar 13, 2023

As an initial sanity check, I built a FIPS binary and kicked off a clearrange run that forced EAR:

diff --git a/pkg/cmd/roachtest/tests/clearrange.go b/pkg/cmd/roachtest/tests/clearrange.go
index 6e622cd71bb..229c6228116 100644
--- a/pkg/cmd/roachtest/tests/clearrange.go
+++ b/pkg/cmd/roachtest/tests/clearrange.go
@@ -40,6 +40,7 @@ func registerClearRange(r registry.Registry) {
                                Run: func(ctx context.Context, t test.Test, c cluster.Cluster) {
                                        runClearRange(ctx, t, c, checks, rangeTombstones)
                                },
+                               EncryptionSupport: registry.EncryptionAlwaysEnabled,
                        })

                        // Using a separate clearrange test on zfs instead of randomly
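
Review bot: The added `EncryptionSupport: registry.EncryptionAlwaysEnabled` field in the test spec inside registerClearRange carries no comment explaining why encryption is forced, and as written it applies to every run of this spec rather than only to FIPS builds. If this is a local change for a one-off sanity check it should stay out of the tree; if it is meant to be kept, add a short comment giving the reason and consider whether the separate zfs clearrange variant mentioned in the trailing context, which this hunk leaves untouched, needs the same setting for consistent EAR coverage.
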
# Build cockroach.
$ ./dev build --cross=linuxfips

# Build auxiliary binaries.
$ ./dev build roachprod
$ ./dev build roachtest
$ ./dev build workload

# Run clearrange.
$ ./bin/roachtest run clearrange/checks=true/rangeTs=false --cockroach ./artifacts/cockroach --workload ./bin/workload

I'll report back.

Eventually, these roachtests will be run at some cadence to provide coverage. That work is being tracked in DEVINF-675.

@nicktrav
Collaborator Author

Looks good so far:

nickt@gceworker-nickt:~/go/src/github.com/cockroachdb/cockroach$ ./bin/roachtest run clearrange/checks=true/rangeTs=false --cockroach ./artifacts/cockroach --workload ./bin/workload
HTTP server listening on all network interfaces, port 8080.
23:22:55 main.go:569: test runner logs in: artifacts/_runner-logs/test_runner-1678749775.log
test runner logs in: artifacts/_runner-logs/test_runner-1678749775.log
23:22:55 test_runner.go:1221: [w0] Selected test: clearrange/checks=true/rangeTs=false run: 1.
23:22:55 test_runner.go:430: [w0] Creating new cluster for test clearrange/checks=true/rangeTs=false: n10cpu16
...
01:20:07 roachprod.go:1192: OK
01:20:07 cluster.go:1607: [w0] destroying cluster nickt-1678749775-01-n10cpu16 [tag:] (10 nodes)... done
01:20:07 test_runner.go:570: [w0] no work remaining; runWorker is bailing out...
no work remaining; runWorker is bailing out...
01:20:07 test_runner.go:522: [w0] Worker exiting; destroying cluster.
01:20:07 test_runner.go:343: PASS
PASS

I shall run all of the clearrange tests now.

@nicktrav
Collaborator Author

I did a few more runs of the above, without issue.

Going to close this out as we've done our sense checking of the EAR functionality with the FIPS build. We're expecting DEVINF-675 to help shake out bugs via automated tests.
