Hi Nikolay,

Seems like we have been able to run the system tests with TLS 1.3. Do we
run them nightly?

Ismael

On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <nizhi...@apache.org> wrote:

> Hello, Kafka team.
>
> I ran the system tests that use SSL with TLSv1.3.
> You can find the results of the tests in the Jira ticket [1], [2], [3],
> [4].
>
> I also need changes [5] in `security_config.py` to execute system tests
> with TLSv1.3 (more info in the PR description).
> Please take a look.
>
> Test environment:
>         • openjdk11
>         • trunk + changes from my PR [5].
>
> The full system test results have a volume of 15 GB.
> Should I share full logs with you?
>
> What else should be done before we can enable TLSv1.3 by default?
>
> [1]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>
> [2]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>
> [3]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>
> [4]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>
> [5]
> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>
> > On Jan 29, 2020, at 15:27, Nikolay Izhikov <nizhikov....@gmail.com> wrote:
> >
> > Hello, Rajini.
> >
> > Thanks for the feedback.
> >
> > I’ve searched tests by the «ssl» keyword and found the following tests:
> >
> > ./test/kafkatest/services/kafka_log4j_appender.py
> > ./test/kafkatest/services/listener_security_config.py
> > ./test/kafkatest/services/security/security_config.py
> > ./test/kafkatest/tests/core/security_test.py
> >
> > Are these all the tests that need to be run with TLSv1.3 to ensure we can
> > enable it by default?
> >
> >> On Jan 28, 2020, at 14:58, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>
> >> Hi Nikolay,
> >>
> >> Not sure of the total space required. But you can run a collection of
> >> tests at a time instead of running them all together. That way, you could
> >> just run all the tests that enable SSL. Details of running a subset of
> >> tests are in the README in tests.
> >>
> >> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >> Hello, Rajini.
> >>
> >> I tried to run all system tests but failed for now.
> >> It happens that the system tests generate a lot of logs.
> >> I had 250GB of free space, but it was all occupied by the log from
> >> half of the system tests.
> >>
> >> Do you have any idea what total disk space I need to run all
> >> system tests?
> >>
> >>> On Jan 7, 2020, at 14:49, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>
> >>> Hi Nikolay,
> >>>
> >>> There are a couple of things you could do:
> >>>
> >>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
> >>> it will be good to run all of them. You can do this locally using docker
> >>> with JDK 11 by updating the files in tests/docker. You will need to update
> >>> tests/kafkatest/services/security/security_config.py to enable only
> >>> TLSv1.3. Instructions for running system tests using docker are in
> >>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
> >>> the tests are run using JDK 11 and above. We need to do this for system
> >>> tests as well. There is an open JIRA:
> >>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign this
> >>> to yourself if you have time to do this.
> >>>
> >>> Regards,
> >>>
> >>> Rajini
> >>>
> >>>
> >>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>
> >>>> Hello, Rajini.
> >>>>
> >>>> Can you please clarify what should be done?
> >>>> I can try to do tests by myself.
> >>>>
> >>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>
> >>>>> Hi Brajesh.
> >>>>>
> >>>>> No one is working on this yet, but will follow up with the Confluent tools
> >>>>> team to see when this can be done.
> >>>>>
> >>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
> >>>>>
> >>>>>> Hello Rajini,
> >>>>>>
> >>>>>> What is the plan to run system tests using JDK 11? Is someone working on
> >>>>>> this?
> >>>>>>
> >>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>
> >>>>>>> Hi Nikolay,
> >>>>>>>
> >>>>>>> We can leave the KIP open and restart the discussion once system tests are
> >>>>>>> running.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Rajini
> >>>>>>>
> >>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>
> >>>>>>>> Hello, Rajini.
> >>>>>>>>
> >>>>>>>> Thanks for the feedback.
> >>>>>>>>
> >>>>>>>> Should I mark this KIP as declined?
> >>>>>>>> Or just wait for the system tests results?
> >>>>>>>>
> >>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Nikolay,
> >>>>>>>>>
> >>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
> >>>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
> >>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>>
> >>>>>>>>> Rajini
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello, Team.
> >>>>>>>>>>
> >>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>
> >>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hello,
> >>>>>>>>>>>
> >>>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
> >>>>>>>>>>>
> >>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>
> >>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>
> >>>>>> --
> >>>>>> Regards,
> >>>>>> Brajesh Kumar
> >>>>>>