-
Notifications
You must be signed in to change notification settings - Fork 290
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests,ci: Move "test-basic" (bare mode) to installed test #1217
Conversation
Our CI uses default Docker, which has SELinux labeling but is rather evil in returning `EOPNOTSUPP` to any attempts to set `security.selinux`, even if to the same value. The previous fire 🔥 for this was: ostreedev#759 The `bare` repo mode really only makes sense as uid 0, so our installed test framework is a good match for this. However, the unit tests *do* work in a privileged container even as non-root, and *also* should work on SELinux-disabled systems. So let's teach the test framework how to skip in those situations. I tested this both in a priv container (my default builder) and an unpriv container (like our CI). At the same time, start executing the `test-basic.sh` from an installed test, so we get better coverage than before. This is just the start - all of the sysroot tests really need the same treatment.
Migrated from #1199 |
OK, this should be ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SELinux enabled in /var/tmp/tap-test.Rjr7BJ, and have privileges to relabel
\o/
tests/libtest.sh
Outdated
# Skip unless SELinux is disabled, or we can relabel. | ||
# Default Docker has security.selinux xattrs, but returns | ||
# EOPNOTSUPP when trying to set them, even to the existing value. | ||
# https://github.com/ostreedev/ostree/pull/1182 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the right link? I don't see anything about that there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixup ⬇️
label=$(grep -E -e "^${selinux_xattr}=" < label.txt |sed -e "s,${selinux_xattr}=,,") | ||
if setfattr -n ${selinux_xattr} -v ${label} testlabel.txt 2>err.txt; then | ||
echo "SELinux enabled in $(pwd), and have privileges to relabel" | ||
return 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should cache the result of this here too just like the others, though we can do that later!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly, though right now it's a file-global skip
unlike the other skip_one
s.
☀️ Test successful - status-atomicjenkins |
Our CI uses default Docker, which has SELinux labeling but is rather
evil in returning
EOPNOTSUPP
to any attempts to setsecurity.selinux
,even if to the same value.
The previous fire 🔥 for this was: #759
The
bare
repo mode really only makes sense as uid 0, so our installedtest framework is a good match for this. However, the unit tests do
work in a privileged container even as non-root, and also should
work on SELinux-disabled systems. So let's teach the test framework
how to skip in those situations.
I tested this both in a priv container (my default builder) and an unpriv
container (like our CI).
At the same time, start executing the
test-basic.sh
from an installed test,so we get better coverage than before.
This is just the start - all of the sysroot tests really need the
same treatment.