rpm-ostree/tests/vmcheck/test-misc-1.sh

#!/bin/bash
#
# Copyright (C) 2017,2018 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.

set -euo pipefail

. ${commondir}/libtest.sh
. ${commondir}/libvm.sh

set -x

# Miscellaneous basic tests; most are nondestructive

# https://github.com/projectatomic/rpm-ostree/issues/1301
# FIXME: temporarily disabled as it really wants to start
# from a fresh instance and we don't currently guarantee that.
#
# But we'll rework the test suite to do that soon like
# https://github.com/ostreedev/ostree/pull/1462
# vm_cmd 'mv /etc/ostree/remotes.d{,.orig}'
# vm_cmd systemctl restart rpm-ostreed
# vm_cmd rpm-ostree status > status.txt
# assert_file_has_content status.txt 'Remote.*not found'
# vm_cmd 'mv /etc/ostree/remotes.d{.orig,}'
# vm_rpmostree reload
# echo "ok remote not found"

vm_rpmostree --version > version.yaml
python3 -c 'import yaml; v=yaml.safe_load(open("version.yaml")); assert("Version" in v["rpm-ostree"])'
echo "ok yaml version"

# Make sure we can't do various operations as non-root
vm_build_rpm foo
if vm_cmd_as core rpm-ostree pkg-add foo &> err.txt; then
    assert_not_reached "Was able to install a package as non-root!"
fi
assert_file_has_content err.txt 'PkgChange not allowed for user'
if vm_cmd_as core rpm-ostree reload &> err.txt; then
    assert_not_reached "Was able to reload as non-root!"
fi
assert_file_has_content err.txt 'ReloadConfig not allowed for user'
echo "ok auth"

wrapdir="/usr/libexec/rpm-ostree/wrapped"
if [ -d "${wrapdir}" ]; then
    # Test wrapped functions for rpm
    rpm --version
    rpm -qa > /dev/null
    rpm --verify >out.txt
    assert_file_has_content out.txt "rpm --verify is not necessary for ostree-based systems"
    rm -f out.txt
    if rpm -e bash 2>out.txt; then
        fatal "rpm -e worked"
    fi
    assert_file_has_content out.txt 'Dropping privileges as `rpm` was executed with not "known safe" arguments'

    if dracut --blah 2>out.txt; then
        fatal "dracut worked"
    fi
    assert_file_has_content out.txt 'This system is rpm-ostree based'
    rm -f out.txt
else
    echo "Missing ${wrapdir}; cliwrap not enabled"
fi

vm_rpmostree usroverlay
vm_cmd test -w /usr/bin
echo "ok usroverlay"

vm_shell_inline_sysroot_rw <<EOF
    rpm-ostree cleanup -p
    originpath=\$(ostree admin --print-current-dir).origin
    cp -a \${originpath}{,.orig}
    echo "unconfigured-state=Access to TestOS requires ONE BILLION DOLLARS" >> \${originpath}
    rpm-ostree reload
    rpm-ostree status
    if rpm-ostree upgrade 2>err.txt; then
       echo "Upgraded from unconfigured-state"
       exit 1
    fi
    grep -qFe 'ONE BILLION DOLLARS' err.txt
    mv \${originpath}{.orig,}
    rpm-ostree reload
EOF
echo "ok unconfigured status"
tests: Split test-basic into misc-{1,2} Our test suite originated when package layering was still being developed, but now that that's mature, the logic where layering tests are distinct makes less sense. The `basic` test had grown to really be a collection of many miscellaneous things. Let's make that more explicit. Further, let's avoid having each test suite grow too large; when a single test fails we don't have an easy way to rerun just that test, so a crude way to have faster local iteration is to split into groups. My plan is to reintroduce a `basic` test that covers the basics of all functionality - update, deploy, layering, etc. The advanced/corner cases of layering like the `rm -rf /` test would still live in a `test-layering.sh` or so. Closes: #1336 Approved by: jlebon 2018-04-16 02:47:22 +03:00			`#!/bin/bash`
			`#`
			`# Copyright (C) 2017,2018 Red Hat, Inc.`
			`#`
			`# This library is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU Lesser General Public`
			`# License as published by the Free Software Foundation; either`
			`# version 2 of the License, or (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`# Lesser General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Lesser General Public`
			`# License along with this library; if not, write to the`
			`# Free Software Foundation, Inc., 59 Temple Place - Suite 330,`
			`# Boston, MA 02111-1307, USA.`

			`set -euo pipefail`

			`. ${commondir}/libtest.sh`
			`. ${commondir}/libvm.sh`

			`set -x`

			`# Miscellaneous basic tests; most are nondestructive`

			`# https://github.com/projectatomic/rpm-ostree/issues/1301`
			`# FIXME: temporarily disabled as it really wants to start`
			`# from a fresh instance and we don't currently guarantee that.`
			`#`
			`# But we'll rework the test suite to do that soon like`
			`# https://github.com/ostreedev/ostree/pull/1462`
			`# vm_cmd 'mv /etc/ostree/remotes.d{,.orig}'`
			`# vm_cmd systemctl restart rpm-ostreed`
			`# vm_cmd rpm-ostree status > status.txt`
			`# assert_file_has_content status.txt 'Remote.*not found'`
			`# vm_cmd 'mv /etc/ostree/remotes.d{.orig,}'`
			`# vm_rpmostree reload`
			`# echo "ok remote not found"`

			`vm_rpmostree --version > version.yaml`
tests: Bump to Python 3 only This bumps the requirement on the controlling host to Python 3 only. It also bumps the requirement on the target host to Python 3 as well since FCOS doesn't ship Python 2 right now. Though we'll need to eventually drop all Python usage anyway, but at least let's get tests passing on FCOS first. (See related previous patch). Closes: #1828 Approved by: cgwalters 2019-05-08 17:15:48 +03:00			`python3 -c 'import yaml; v=yaml.safe_load(open("version.yaml")); assert("Version" in v["rpm-ostree"])'`
tests: Split test-basic into misc-{1,2} Our test suite originated when package layering was still being developed, but now that that's mature, the logic where layering tests are distinct makes less sense. The `basic` test had grown to really be a collection of many miscellaneous things. Let's make that more explicit. Further, let's avoid having each test suite grow too large; when a single test fails we don't have an easy way to rerun just that test, so a crude way to have faster local iteration is to split into groups. My plan is to reintroduce a `basic` test that covers the basics of all functionality - update, deploy, layering, etc. The advanced/corner cases of layering like the `rm -rf /` test would still live in a `test-layering.sh` or so. Closes: #1336 Approved by: jlebon 2018-04-16 02:47:22 +03:00			`echo "ok yaml version"`

			`# Make sure we can't do various operations as non-root`
			`vm_build_rpm foo`
Rework vmcheck to use `kola spawn`, move off of PAPR There's a lot going on here, but essentially: 1. We change the `vmcheck` model so that it always operates on an immutable base image. It takes that image and dynamically launches a separate VM for each test using `kola spawn`. This means we can drop a lot of hacks around re-using the same VMs. 2. Following from 1., `vmoverlay` now takes as input a base image, overlays the built rpm-ostree bits, then creates a new base image. Of course, we don't have to do this in CI, because we build FCOS with the freshly built RPMs (so it uses `SKIP_VMOVERLAY=1`). `vmoverlay` then will be more for the developer case where one doesn't want to iterate via `cosa build` to test rpm-ostree changes. I say "will" because the functionality doesn't exist yet; I'd like to enhance `cosa dev-overlay` to do this. (Note `vmsync` should still works just as before too.) 3. `vmcheck` can be run without building the tree first, as `tests/vmcheck.sh`. The `make vmcheck` target still exists though for finger compatibility and better meshing with `vmoverlay` in the developer case. What's really nice about using kola spawn is that it takes care of a lot of things for us, such as the qemu command, journal and console gathering, and SSH. Similarly to the compose testsuites, we're using parallel here to run multiple vmcheck tests at once. (On developer laptops, we cap parallelism at `$(nproc) - 1`). 2019-12-13 20:23:41 +03:00			`if vm_cmd_as core rpm-ostree pkg-add foo &> err.txt; then`
tests: Split test-basic into misc-{1,2} Our test suite originated when package layering was still being developed, but now that that's mature, the logic where layering tests are distinct makes less sense. The `basic` test had grown to really be a collection of many miscellaneous things. Let's make that more explicit. Further, let's avoid having each test suite grow too large; when a single test fails we don't have an easy way to rerun just that test, so a crude way to have faster local iteration is to split into groups. My plan is to reintroduce a `basic` test that covers the basics of all functionality - update, deploy, layering, etc. The advanced/corner cases of layering like the `rm -rf /` test would still live in a `test-layering.sh` or so. Closes: #1336 Approved by: jlebon 2018-04-16 02:47:22 +03:00			`assert_not_reached "Was able to install a package as non-root!"`
			`fi`
			`assert_file_has_content err.txt 'PkgChange not allowed for user'`
Rework vmcheck to use `kola spawn`, move off of PAPR There's a lot going on here, but essentially: 1. We change the `vmcheck` model so that it always operates on an immutable base image. It takes that image and dynamically launches a separate VM for each test using `kola spawn`. This means we can drop a lot of hacks around re-using the same VMs. 2. Following from 1., `vmoverlay` now takes as input a base image, overlays the built rpm-ostree bits, then creates a new base image. Of course, we don't have to do this in CI, because we build FCOS with the freshly built RPMs (so it uses `SKIP_VMOVERLAY=1`). `vmoverlay` then will be more for the developer case where one doesn't want to iterate via `cosa build` to test rpm-ostree changes. I say "will" because the functionality doesn't exist yet; I'd like to enhance `cosa dev-overlay` to do this. (Note `vmsync` should still works just as before too.) 3. `vmcheck` can be run without building the tree first, as `tests/vmcheck.sh`. The `make vmcheck` target still exists though for finger compatibility and better meshing with `vmoverlay` in the developer case. What's really nice about using kola spawn is that it takes care of a lot of things for us, such as the qemu command, journal and console gathering, and SSH. Similarly to the compose testsuites, we're using parallel here to run multiple vmcheck tests at once. (On developer laptops, we cap parallelism at `$(nproc) - 1`). 2019-12-13 20:23:41 +03:00			`if vm_cmd_as core rpm-ostree reload &> err.txt; then`
tests: Split test-basic into misc-{1,2} Our test suite originated when package layering was still being developed, but now that that's mature, the logic where layering tests are distinct makes less sense. The `basic` test had grown to really be a collection of many miscellaneous things. Let's make that more explicit. Further, let's avoid having each test suite grow too large; when a single test fails we don't have an easy way to rerun just that test, so a crude way to have faster local iteration is to split into groups. My plan is to reintroduce a `basic` test that covers the basics of all functionality - update, deploy, layering, etc. The advanced/corner cases of layering like the `rm -rf /` test would still live in a `test-layering.sh` or so. Closes: #1336 Approved by: jlebon 2018-04-16 02:47:22 +03:00			`assert_not_reached "Was able to reload as non-root!"`
			`fi`
			`assert_file_has_content err.txt 'ReloadConfig not allowed for user'`
			`echo "ok auth"`

Add support for wrapping binaries (rpm, dracut, grubby) We need to be friendlier to people who are transitioning from "traditional" yum managed systems. This patchset starts to lay out the groundwork for supporting "intercepting" binaries that are in the tree. For backwards compatibility, this feature is disabled by default, to enable it, one can add `cliwrap: true` to the manifest. To start with for example, we wrap `/usr/bin/rpm` and cause it to drop privileges. This way it can't corrupt anything; we're not just relying on the read-only bind mount. For example nothing will accidentally get written to `/var/lib/rpm`. Now a tricky thing with this one is we do want it to write if we're in an unlocked state. There are various other examples of binaries we want to intercept, among them: - `grubby` -> `rpm-ostree kargs` - `dracut` -> `rpm-ostree initramfs` - `yum` -> well...we'll talk about that later 2019-02-23 21:46:59 +03:00			`wrapdir="/usr/libexec/rpm-ostree/wrapped"`
			`if [ -d "${wrapdir}" ]; then`
			`# Test wrapped functions for rpm`
			`rpm --version`
			`rpm -qa > /dev/null`
			`rpm --verify >out.txt`
			`assert_file_has_content out.txt "rpm --verify is not necessary for ostree-based systems"`
			`rm -f out.txt`
			`if rpm -e bash 2>out.txt; then`
			`fatal "rpm -e worked"`
			`fi`
			assert_file_has_content out.txt 'Dropping privileges as `rpm` was executed with not "known safe" arguments'

			`if dracut --blah 2>out.txt; then`
			`fatal "dracut worked"`
			`fi`
			`assert_file_has_content out.txt 'This system is rpm-ostree based'`
			`rm -f out.txt`
			`else`
			`echo "Missing ${wrapdir}; cliwrap not enabled"`
			`fi`

tests: Split test-basic into misc-{1,2} Our test suite originated when package layering was still being developed, but now that that's mature, the logic where layering tests are distinct makes less sense. The `basic` test had grown to really be a collection of many miscellaneous things. Let's make that more explicit. Further, let's avoid having each test suite grow too large; when a single test fails we don't have an easy way to rerun just that test, so a crude way to have faster local iteration is to split into groups. My plan is to reintroduce a `basic` test that covers the basics of all functionality - update, deploy, layering, etc. The advanced/corner cases of layering like the `rm -rf /` test would still live in a `test-layering.sh` or so. Closes: #1336 Approved by: jlebon 2018-04-16 02:47:22 +03:00			`vm_rpmostree usroverlay`
			`vm_cmd test -w /usr/bin`
			`echo "ok usroverlay"`

vmcheck: Work around read-only /sysroot We need to adapt some of our tests here which assume that `/sysroot` is writable. However, in FCOS this is no longer the case now that we enable `sysroot.readonly`. We only remount rw for the couple of operations that need it so that we still retain coverage for the ro path everywhere else. 2020-03-18 22:05:57 +03:00			`vm_shell_inline_sysroot_rw <<EOF`
tests: Split test-basic into misc-{1,2} Our test suite originated when package layering was still being developed, but now that that's mature, the logic where layering tests are distinct makes less sense. The `basic` test had grown to really be a collection of many miscellaneous things. Let's make that more explicit. Further, let's avoid having each test suite grow too large; when a single test fails we don't have an easy way to rerun just that test, so a crude way to have faster local iteration is to split into groups. My plan is to reintroduce a `basic` test that covers the basics of all functionality - update, deploy, layering, etc. The advanced/corner cases of layering like the `rm -rf /` test would still live in a `test-layering.sh` or so. Closes: #1336 Approved by: jlebon 2018-04-16 02:47:22 +03:00			`rpm-ostree cleanup -p`
			`originpath=\$(ostree admin --print-current-dir).origin`
			`cp -a \${originpath}{,.orig}`
			`echo "unconfigured-state=Access to TestOS requires ONE BILLION DOLLARS" >> \${originpath}`
			`rpm-ostree reload`
			`rpm-ostree status`
			`if rpm-ostree upgrade 2>err.txt; then`
			`echo "Upgraded from unconfigured-state"`
			`exit 1`
			`fi`
			`grep -qFe 'ONE BILLION DOLLARS' err.txt`
			`mv \${originpath}{.orig,}`
			`rpm-ostree reload`
			`EOF`
			`echo "ok unconfigured status"`