fix: add SOCI snapshotter hash check (#985)
Issue #, if available:
Split from #969 

*Description of changes:*
This change fixes SOCI installation to verify that pulled artifacts match
the hardcoded hashes.

*Testing done:*
Updated unit tests to check for new hashcheck.

- [x] I've reviewed the guidance in CONTRIBUTING.md


#### License Acceptance

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
austinvazquez authored Jun 21, 2024
1 parent 06b9027 commit 563f346
Showing 2 changed files with 44 additions and 13 deletions.
21 changes: 18 additions & 3 deletions pkg/config/lima_config_applier.go
Expand Up @@ -19,6 +19,8 @@ import (

const (
sociVersion = "0.5.0"
sociAMD64Sha256Sum = "768f73dbd2c772386df1d12d0a371e9cbcefebea4856623335a2e8ea5170691c"
sociARM64Sha256Sum = "9238e00426ec67a725d511e232476248f2379d66a4ccab224a50ad4c56a0292e"
snapshotterProvisioningScriptHeader = "# snapshotter provisioning script"
sociInstallationProvisioningScriptHeader = snapshotterProvisioningScriptHeader + ": soci"
sociFileNameFormat = "soci-snapshotter-%s-linux-%s.tar.gz"
Expand All @@ -29,9 +31,17 @@ const (
if [ ! -f /usr/local/bin/soci ]; then
# download soci
set -e
# pull release tarball
release_tarball="%s"
curl --retry 2 --retry-max-time 120 -OL "%s"
# validate shasum
(sha256sum "${release_tarball}" | cut -d ' ' -f 1 | grep -xq "^%s$") || \
(echo "error: shasum verification failed for SOCI release tarball" && rm -f "${release_tarball}" && exit 1)
# move to usr/local/bin
tar -C /usr/local/bin -xvf %s ./soci ./soci-snapshotter-grpc
tar -C /usr/local/bin -xvf ${release_tarball} ./soci ./soci-snapshotter-grpc
# install as a systemd service
curl --retry 2 --retry-max-time 120 -OL "%s"
Expand Down Expand Up @@ -235,11 +245,16 @@ func (lca *limaConfigApplier) provisionSnapshotters(limaCfg *limayaml.LimaYAML)
}

func (lca *limaConfigApplier) provisionSociSnapshotter(limaCfg *limayaml.LimaYAML) {
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, lca.systemDeps.Arch())
arch := lca.systemDeps.Arch()
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, arch)
sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
sociSha256Sum := sociAMD64Sha256Sum
if arch == "arm64" {
sociSha256Sum = sociARM64Sha256Sum
}
sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader,
sociDownloadURL, sociFileName, sociServiceDownloadURL)
sociFileName, sociDownloadURL, sociSha256Sum, sociServiceDownloadURL)
limaCfg.Provision = append(limaCfg.Provision, limayaml.Provision{
Mode: "system",
Script: sociInstallationScript,
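Review bot: The second download in `sociInstallationScriptFormat`, the `curl --retry 2 --retry-max-time 120 -OL "%s"` under `# install as a systemd service`, still has no integrity check in the lines shown, so the unit file installed by this `Mode: "system"` provision is trusted on transport security alone while the tarball beside it is now pinned. Unless the script verifies it after the hunk ends, I would pin it the same way with its own constant (placeholder name `sociServiceSha256Sum`) and a matching `sha256sum ... | grep -xq` guard before the file is installed. The tarball check also fails closed only because `set -e` is active: `exit 1` sits inside a `( ... )` subshell and ends that subshell, not the script, so a comment such as `# relies on set -e above: the subshell's exit status aborts provisioning` would keep a later edit from weakening it. The script constant and `provisionSociSnapshotter` both continue outside the visible hunks.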
36 changes: 26 additions & 10 deletions pkg/config/lima_config_applier_darwin_test.go
Expand Up @@ -8,6 +8,7 @@ package config

import (
"fmt"
"runtime"
"testing"

"github.com/golang/mock/gomock"
Expand Down Expand Up @@ -105,16 +106,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
require.NoError(t, err)
cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
deps.EXPECT().Arch()
deps.EXPECT().Arch().Return(runtime.GOARCH)
},
postRunCheck: func(t *testing.T, fs afero.Fs) {
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
sociShaSum := sociAMD64Sha256Sum
if runtime.GOARCH == "arm64" {
sociShaSum = sociARM64Sha256Sum
}
sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat,
sociInstallationProvisioningScriptHeader,
sociDownloadURL,
sociFileName,
sociDownloadURL,
sociShaSum,
sociServiceDownloadURL)

buf, err := afero.ReadFile(fs, "/override.yaml")
Expand Down Expand Up @@ -257,16 +263,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
require.NoError(t, err)
cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
deps.EXPECT().Arch()
deps.EXPECT().Arch().Return(runtime.GOARCH)
},
postRunCheck: func(t *testing.T, fs afero.Fs) {
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
sociShaSum := sociAMD64Sha256Sum
if runtime.GOARCH == "arm64" {
sociShaSum = sociARM64Sha256Sum
}
sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat,
sociInstallationProvisioningScriptHeader,
sociDownloadURL,
sociFileName,
sociDownloadURL,
sociShaSum,
sociServiceDownloadURL)

buf, err := afero.ReadFile(fs, "/override.yaml")
Expand Down Expand Up @@ -316,16 +327,21 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
require.NoError(t, err)
cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
deps.EXPECT().Arch()
deps.EXPECT().Arch().Return(runtime.GOARCH)
},
postRunCheck: func(t *testing.T, fs afero.Fs) {
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "")
sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, runtime.GOARCH)
sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName)
sociShaSum := sociAMD64Sha256Sum
if runtime.GOARCH == "arm64" {
sociShaSum = sociARM64Sha256Sum
}
sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion)
sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat,
sociInstallationProvisioningScriptHeader,
sociDownloadURL,
sociFileName,
sociDownloadURL,
sociShaSum,
sociServiceDownloadURL)

buf, err := afero.ReadFile(fs, "/override.yaml")
Expand Down Expand Up @@ -392,7 +408,7 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) {
require.NoError(t, err)
cmd.EXPECT().Output().Return([]byte("13.0.0"), nil)
creator.EXPECT().Create("sw_vers", "-productVersion").Return(cmd)
deps.EXPECT().Arch().Return("arm64")
deps.EXPECT().Arch().Return(runtime.GOARCH)
},
postRunCheck: func(t *testing.T, fs afero.Fs) {
buf, err := afero.ReadFile(fs, "/override.yaml")
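Review bot: The expectations in these cases are driven by `runtime.GOARCH`, so each run exercises only the hash branch of the machine it runs on and the other `sociAMD64Sha256Sum`/`sociARM64Sha256Sum` selection is never asserted; the last hunk even replaces a fixed `Return("arm64")` with the host value. I would pin the mocked architecture per case, for example `deps.EXPECT().Arch().Return("arm64")` with `sociARM64Sha256Sum` in the expected script and a sibling case returning `"amd64"`, so that a wrong digest/architecture pairing is caught on any runner. The three identical `postRunCheck` preambles could move into one helper that takes the architecture and returns the expected script. `TestDiskLimaConfigApplier_Apply` starts and ends outside the visible hunks.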
