tests/compose: Target FCOS 31, move off of PAPR
Again, a lot going on here, but essentially, we adapt the compose tests
to run either privileged or fully unprivileged via supermin, just like
cosa.
I actually got more than halfway through this initially using `cosa
build` directly for testing. But in the end, we simply need more
flexibility than that. We want to be able to manipulate exactly how
rpm-ostree is called, and cosa is very opinionated about this (and may
also change from under us in the future).
(Another big difference for example is that cosa doesn't care about
non-unified mode, whereas we *need* to have coverage for this until we
fully kill it.)
Really, the most important bit we want from there is the
unprivileged-via-supermin bits. So we copy and adapt that here. One
obvious improvement then is sharing this code more easily (e.g. a
`cosa runasroot` or something?)
However, we still use the FCOS manifest (frozen at a specific tag). It's
a realistic example, and because of the lockfiles and pool, we get good
reproducibility.
2019-12-22 01:42:09 +03:00

#!/bin/bash
set -xeuo pipefail

dn=$(cd "$(dirname "$0")" && pwd)
# shellcheck source=libcomposetest.sh
. "${dn}/libcomposetest.sh"
# Add a local rpm-md repo so we can mutate local test packages
treefile_append "repos" '["test-repo"]'
# test `recommends: false` (test-misc-tweaks tests the true path)
build_rpm foobar recommends foobar-rec
build_rpm foobar-rec
uinfo_cmd add TEST-SEC-LOW security low
build_rpm vuln-pkg uinfo TEST-SEC-LOW
uinfo_cmd add-ref TEST-SEC-LOW 1 http://example.com/vuln1 "CVE-12-34 vuln1"
echo gpgcheck=0 >> yumrepo.repo
ln "$PWD/yumrepo.repo" config/yumrepo.repo
treefile_append "packages" '["vuln-pkg"]'
treefile_pyedit "
tf['repo-packages'] = [{
    'repo': 'test-repo',
    'packages': ['foobar'],
}]
"

# Test --print-only. We also
# just in this test (for now) use ${basearch} to test substitution.
# shellcheck disable=SC2016
treefile_set_ref '"fedora/stable/${basearch}/basic-unified"'
rpm-ostree compose tree --print-only "${treefile}" > treefile.json
# Verify it's valid JSON
jq -r .ref < treefile.json > ref.txt
# Test substitution of ${basearch}
assert_file_has_content_literal ref.txt "${treeref}"
treefile_pyedit "tf['add-commit-metadata']['foobar'] = 'bazboo'"
treefile_pyedit "tf['add-commit-metadata']['overrideme'] = 'old var'"
# Test metadata json with objects, arrays, numbers
cat > metadata.json <<EOF
{
  "exampleos.gitrepo": {
    "rev": "97ec21c614689e533d294cdae464df607b526ab9",
    "src": "https://gitlab.com/exampleos/custom-atomic-host"
  },
  "exampleos.tests": ["smoketested", "e2e"],
  "overrideme": "new val"
}
EOF
# Test --parent at the same time (hash is `echo | sha256sum`)
runcompose --add-metadata-from-json $(pwd)/metadata.json \
    --parent 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

# Run it again, but without RPMOSTREE_PRESERVE_TMPDIR. Should be a no-op. This
# exercises fd handling in the tree context.
(unset RPMOSTREE_PRESERVE_TMPDIR && runcompose)
echo "ok no cachedir"

# shellcheck source=libbasic-test.sh
. "${dn}/libbasic-test.sh"
basic_test
# This one is done by postprocessing /var
ostree --repo="${repo}" cat "${treeref}" /usr/lib/tmpfiles.d/pkg-filesystem.conf > autovar.txt
# Picked this one at random as an example of something that won't likely be
# converted to tmpfiles.d upstream. But if it is, we can change this test.
assert_file_has_content_literal autovar.txt 'd /var/cache 0755 root root - -'
ostree --repo="${repo}" cat "${treeref}" /usr/lib/tmpfiles.d/pkg-chrony.conf > autovar.txt
# And this one has a non-root uid
assert_file_has_content_literal autovar.txt 'd /var/lib/chrony 0750 chrony chrony - -'
# see rpmostree-importer.c
if ostree --repo="${repo}" cat "${treeref}" /usr/lib/tmpfiles.d/pkg-rpm.conf > rpm.txt 2>/dev/null; then
assert_not_file_has_content rpm.txt 'd /var/lib/rpm'
fi
ostree --repo="${repo}" cat "${treeref}" /usr/lib/tmpfiles.d/pkg-pam.conf > autovar.txt
# Verify translating /var/run -> /run
assert_file_has_content_literal autovar.txt 'd /run/console'
echo "ok autovar"

rpm-ostree db list --repo="${repo}" "${treeref}" --advisories > db-list-adv.txt
assert_file_has_content_literal db-list-adv.txt TEST-SEC-LOW
uinfo_cmd add TEST-SEC-CRIT security critical
build_rpm vuln-pkg version 2.0 uinfo TEST-SEC-CRIT
uinfo_cmd add-ref TEST-SEC-CRIT 2 http://example.com/vuln2 "CVE-56-78 vuln2"
echo "ok db list --advisories"
# And redo it to trigger relabeling. Also test --no-parent at the same time.
origrev=$(ostree --repo="${repo}" rev-parse "${treeref}")
runcompose --force-nocache --no-parent
newrev=$(ostree --repo="${repo}" rev-parse "${treeref}")
assert_not_streq "${origrev}" "${newrev}"
echo "ok rerun"
# And check that --no-parent worked.
if ostree rev-parse --repo "${repo}" "${newrev}"^ 2>error.txt; then
assert_not_reached "New revision has a parent even with --no-parent?"
fi
assert_file_has_content_literal error.txt 'has no parent'
echo "ok --no-parent"

rpm-ostree db list --repo="${repo}" "${treeref}" --advisories > db-list-adv.txt
assert_not_file_has_content_literal db-list-adv.txt TEST-SEC-LOW
assert_file_has_content_literal db-list-adv.txt TEST-SEC-CRIT
rpm-ostree db diff --repo="${repo}" "${origrev}" "${newrev}" --advisories > db-diff-adv.txt
assert_not_file_has_content_literal db-diff-adv.txt TEST-SEC-LOW
assert_file_has_content_literal db-diff-adv.txt TEST-SEC-CRIT
echo "ok db diff --advisories"

build_rpm dodo-base
build_rpm dodo requires dodo-base
build_rpm solitaire
# this is pretty terrible... need --json for `rpm-ostree db list`
kernel_vra=$(rpm-ostree db list --repo="${repo}" "${treeref}" kernel | tail -n1 | cut -d- -f2-)
kernel_v=$(cut -d- -f1 <<< "$kernel_vra")
kernel_ra=$(cut -d- -f2- <<< "$kernel_vra")
kernel_r=${kernel_ra%.x86_64}
build_rpm kernel-core version "${kernel_v}" release "${kernel_r}"
build_rpm kernel-devel version "${kernel_v}" release "${kernel_r}"
build_rpm kernel-headers version "${kernel_v}" release "${kernel_r}"
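An added example, not part of the rpm-ostree test suite: a helper that generalizes the `cut`-based parsing above to any package name (including dashed names such as kernel-core) and any architecture, plus the version-release equality check that `match-base-evr` relies on. The NVRA strings used as input are constructed sample values.

```shell
# Split an RPM NVRA string (name-version-release.arch) into its four parts.
# Version and release are always the last two '-'-separated fields, so
# package names that contain dashes (kernel-core, kernel-devel) parse
# correctly; arch is whatever follows the final '.' of the trailing field.
# An epoch, if present ("1:5.10.12"), stays attached to the version.
# Prints "name version release arch" on one line.
nvra_split() {
    local nvra=$1
    local ra=${nvra##*-}      # release.arch
    local nv=${nvra%-*}       # name-version
    local version=${nv##*-}
    local name=${nv%-*}
    local arch=${ra##*.}
    local release=${ra%.*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# What `match-base-evr: kernel` in extensions.yaml expresses: an extension
# package is only acceptable when its version-release equals that of the
# base kernel. Returns 0 when the VR of both NVRAs is identical, 1 otherwise.
nvra_vr_matches() {
    local a b
    a=$(nvra_split "$1" | cut -d' ' -f2,3)
    b=$(nvra_split "$2" | cut -d' ' -f2,3)
    [ "$a" = "$b" ]
}

# Constructed sample values, not output from a real compose.
nvra_split kernel-5.10.12-200.fc33.x86_64
nvra_split kernel-core-5.10.12-200.fc33.aarch64
if nvra_vr_matches kernel-5.10.12-200.fc33.x86_64 kernel-devel-5.10.12-200.fc33.x86_64; then
    echo "kernel-devel matches the base kernel VR"
fi
```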
cat > extensions.yaml << EOF
extensions:
  extinct-birds:
    packages:
      - dodo
      - solitaire
  another-arch:
    packages:
      - nonexistent
    architectures:
      - badarch
  kernel-devel:
    kind: development
    packages:
      - kernel-core
      - kernel-devel
      - kernel-headers
    match-base-evr: kernel
EOF
# we don't actually need root here, but in CI the cache may be in a qcow2 and
# the supermin code is gated behind `runasroot`
runasroot rpm-ostree compose extensions --repo="${repo}" \
    --cachedir="${test_tmpdir}/cache" --base-rev "${treeref}" \
    --output-dir extensions "${treefile}" extensions.yaml \
    --touch-if-changed extensions-changed
ls extensions/{dodo-1.0,dodo-base-1.0,solitaire-1.0}-*.rpm
ls extensions/kernel-{core,devel,headers}-${kernel_v}-${kernel_r}.x86_64.rpm
test -f extensions-changed
assert_jq extensions/extensions.json \
    '.extensions|length == 2' \
    '.extensions["extinct-birds"]' \
    '.extensions["kernel-devel"]'
echo "ok extensions"
rm extensions-changed
runasroot rpm-ostree compose extensions --repo="${repo}" \
    --cachedir="${test_tmpdir}/cache" \
    --output-dir extensions "${treefile}" extensions.yaml \
    --touch-if-changed extensions-changed
if test -f extensions-changed; then
fatal "found extensions-changed"
fi
echo "ok extensions no change"