diff --git a/tests/kola/misc-ign-ro/config.fcc b/tests/kola/misc-ign-ro/config.fcc
index 7dcb62bf93..f96a9eb9b1 100644
--- a/tests/kola/misc-ign-ro/config.fcc
+++ b/tests/kola/misc-ign-ro/config.fcc
@@ -1,6 +1,12 @@
 variant: fcos
-version: 1.1.0
+version: 1.2.0
 storage:
+ directories:
+ # This is for verifying that `kubernetes_file_t` labeled files can be
+ # watched by systemd
+ # See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+ # See: https://github.com/containers/container-selinux/issues/135
+ - path: /etc/kubernetes
 files:
 - path: /etc/systemd/zram-generator.conf
 mode: 0644
@@ -33,3 +39,49 @@ storage:
 AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt
 9g==
 -----END CERTIFICATE-----
+ - path: /etc/kubernetes/envfile
+ # This is for verifying that `kubernetes_file_t` labeled files can be
+ # read by systemd
+ # See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418
+ mode: 0644
+ contents:
+ inline: |
+ KUBE="FCOS"
+systemd:
+ units:
+ - name: kube-env.service
+ # This is for verifying that `kubernetes_file_t` labeled files can be
+ # read by systemd
+ # See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418
+ enabled: true
+ contents: |
+ [Service]
+ EnvironmentFile=/etc/kubernetes/envfile
+ ExecStart=/usr/bin/echo ${KUBE}
+ RemainAfterExit=yes
+ Type=oneshot
+ [Install]
+ WantedBy=multi-user.target
+ - name: kube-watch.service
+ # This is for verifying that `kubernetes_file_t` labeled files can be
+ # watched by systemd
+ # See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+ # See: https://github.com/containers/container-selinux/issues/135
+ contents: |
+ [Service]
+ ExecStart=/usr/bin/echo "Found it"
+ RemainAfterExit=yes
+ Type=oneshot
+ [Install]
+ WantedBy=multi-user.target
+ - name: kube-watch.path
+ # This is for verifying that `kubernetes_file_t` labeled files can be
+ # watched by systemd
+ # See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+ # See: https://github.com/containers/container-selinux/issues/135
+ enabled: true
+ contents: |
+ [Path]
+ PathExists=/etc/kubernetes/kubeconfig
+ [Install]
+ WantedBy=multi-user.target
diff --git a/tests/kola/misc-ign-ro/test.sh b/tests/kola/misc-ign-ro/test.sh
index 6321fc7207..26e3e5b2cb 100755
--- a/tests/kola/misc-ign-ro/test.sh
+++ b/tests/kola/misc-ign-ro/test.sh
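Review bot: In config.fcc, `kube-watch.service` carries an `[Install]` section with `WantedBy=multi-user.target` but, unlike `kube-env.service` and `kube-watch.path`, has no `enabled: true`, so that section is unused and the unit is only started through the path unit. That is what the watch test needs, but nothing on the page says so. Either drop the `[Install]` section or add a comment such as `# Not enabled on purpose: started by kube-watch.path once kubeconfig exists`, so a later edit does not enable it and let the `is-active kube-watch.service` check pass without the path unit ever firing.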
@@ -36,3 +36,42 @@ if [ "$context" != "system_u:object_r:net_conf_t:s0" ]; then
 fatal "SELinux context on stub-resolv.conf is wrong"
 fi
 ok "SELinux context on stub-resolv.conf is correct"
+
+# In order to verify that `kubernetes_file_t` labeled files can be read by
+# systemd, we check to see if the `kube-env` service started successfully
+# and that the service wrote to the journal successfully.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1973418
+if [ "$(systemctl is-failed kube-env.service)" != "active" ]; then
+ fatal "kube-env.service failed unexpectedly"
+fi
+ok "kube-env.service successfully started"
+
+# Verify that 'FCOS' was wrtitten to the journal
+if [ "$(journalctl -o cat -u kube-env.service | sed -n 2p)" != "FCOS" ]; then
+ fatal "kube-env.service did not write 'FCOS' to journal"
+fi
+ok "kube-env.service ran and wrote 'FCOS' to the journal"
+
+# This is for verifying that `kubernetes_file_t` labeled files can be
+# watched by systemd
+# See: https://github.com/coreos/fedora-coreos-tracker/issues/861
+# See: https://github.com/containers/container-selinux/issues/135
+if [ "$(systemctl is-active kube-watch.path)" != "active" ]; then
+ fatal "kube-watch.path did not activate successfully"
+fi
+ok "kube-watch.path successfully activated"
+
+if [ "$(touch /etc/kubernetes/kubeconfig)" ]; then
+ fatal "Unable to create /etc/kubernetes/kubeconfig"
+fi
+ok "successfully created /etc/kubernetes/kubeconfig"
+
+if [ "$(systemctl is-active kube-watch.service)" != "active" ]; then
+ fatal "kube-watch.service did not successfully activate"
+fi
+ok "kube-watch.service activated successfully"
+
+if [ "$(journalctl -o cat -u kube-watch.service | sed -n 2p)" != "Found it" ]; then
+ fatal "kube-watch.service did not print message to journal"
+fi
+ok "Found message from kube-watch.service in journal"
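Review bot: The `touch` check near the end of this hunk can never fail, because `[ "$(touch …)" ]` tests touch's stdout, which is empty whether or not the file was created; a permission or SELinux denial on `/etc/kubernetes` would go unnoticed, so test the exit status instead. The `is-active kube-watch.service` check that follows runs right after the touch, while activation through the path unit is asynchronous, so it can race; a short bounded poll makes it reliable. Separately, none of the new checks assert that `/etc/kubernetes` and `envfile` actually carry the `kubernetes_file_t` type, so if labeling changed the test would pass without exercising the policy the comments cite. A context comparison in the style of the existing stub-resolv.conf check would pin that; how `$context` is computed is outside the hunk.

```shell
if ! touch /etc/kubernetes/kubeconfig; then
    fatal "Unable to create /etc/kubernetes/kubeconfig"
fi
# … unchanged: ok message …

# Path-unit activation is asynchronous; poll briefly before asserting.
for i in 1 2 3 4 5 6 7 8 9 10; do
    [ "$(systemctl is-active kube-watch.service)" = "active" ] && break
    sleep 1
done
# … unchanged: is-active kube-watch.service assertion and journal check …
```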