a238ca9c76
Pre-FCOS we made an effort for automatic updates but nowadays with Fedora CoreOS we generally expect people to be using zincati. Until we fix the "agent registration" problem: https://github.com/coreos/rpm-ostree/issues/1747 Let's not confuse people by printing `AutomaticUpdates: disabled`. Only print if it's set to a value in non-verbose mode.
284 lines
10 KiB
Bash
Executable File
284 lines
10 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Copyright (C) 2018 Jonathan Lebon
|
|
#
|
|
# This library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2 of the License, or (at your option) any later version.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# Lesser General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
# License along with this library; if not, write to the
|
|
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
# Boston, MA 02111-1307, USA.
|
|
|
|
set -euo pipefail
|
|
|
|
. ${commondir}/libtest.sh
|
|
. ${commondir}/libvm.sh
|
|
|
|
set -x
|
|
|
|
# Prepare an OSTree repo with updates
|
|
vm_ostreeupdate_prepare
|
|
|
|
# ok, we're done with prep, now let's rebase on the first revision and install a
|
|
# bunch of layered packages
|
|
vm_build_rpm layered-cake version 2.1 release 3
|
|
vm_build_rpm layered-enh
|
|
vm_build_rpm layered-sec-none
|
|
vm_build_rpm layered-sec-low
|
|
vm_build_rpm layered-sec-crit
|
|
vm_build_rpm layered-constant # this one we won't update
|
|
vm_rpmostree rebase vmcheckmote:vmcheck \
|
|
--install layered-cake \
|
|
--install layered-enh \
|
|
--install layered-sec-none \
|
|
--install layered-sec-low \
|
|
--install layered-sec-crit \
|
|
--install layered-constant
|
|
vm_cmd systemctl is-active ostree-finalize-staged.service
|
|
vm_reboot
|
|
vm_rpmostree status -v
|
|
vm_assert_status_jq \
|
|
'.deployments[0]["origin"] == "vmcheckmote:vmcheck"' \
|
|
'.deployments[0]["version"] == "v1"' \
|
|
'.deployments[0]["packages"]|length == 6' \
|
|
'.deployments[0]["packages"]|index("layered-cake") >= 0'
|
|
echo "ok prep"
|
|
|
|
# start it up again since we rebooted
|
|
vm_start_httpd ostree_server $REMOTE_OSTREE 8888
|
|
|
|
vm_rpmostree cleanup -m
|
|
|
|
# make sure that off means off
|
|
vm_change_update_policy off
|
|
vm_rpmostree status --verbose | grep 'AutomaticUpdates: disabled'
|
|
vm_rpmostree status > status.txt
|
|
assert_not_file_has_content status.txt 'AutomaticUpdates:'
|
|
vm_rpmostree upgrade --trigger-automatic-update-policy > out.txt
|
|
assert_file_has_content out.txt "Automatic updates are not enabled; exiting"
|
|
# check we didn't download any metadata (skip starting dir)
|
|
vm_cmd find /var/cache/rpm-ostree | tail -n +2 > out.txt
|
|
if [ -s out.txt ]; then
|
|
cat out.txt && assert_not_reached "rpmmd downloaded!"
|
|
fi
|
|
echo "ok disabled"
|
|
|
|
# runs --check and --preview, verifies rc matches what we expect, and capturing
|
|
# output for a following assert_output
|
|
assert_check_preview_rc() {
|
|
local expected_rc=$1; shift
|
|
local rc=0
|
|
vm_rpmostree upgrade --check > out.txt || rc=$?
|
|
assert_streq $rc $expected_rc
|
|
vm_rpmostree upgrade --preview > out-verbose.txt || rc=$?
|
|
assert_streq $rc $expected_rc
|
|
}
|
|
|
|
# check that --check/--preview still works
|
|
assert_check_preview_rc 77
|
|
assert_file_has_content out.txt "No updates available."
|
|
assert_file_has_content out-verbose.txt "No updates available."
|
|
echo "ok --check/--preview no updates"
|
|
|
|
# ok, let's test out check
|
|
vm_change_update_policy check
|
|
vm_rpmostree status | grep 'AutomaticUpdates: check'
|
|
|
|
# build an *older version* and check that we don't report an update
|
|
vm_build_rpm layered-cake version 2.1 release 2
|
|
cursor=$(vm_get_journal_cursor)
|
|
vm_cmd systemctl start rpm-ostreed-automatic.service
|
|
vm_wait_content_after_cursor $cursor 'Txn AutomaticUpdateTrigger.*successful'
|
|
vm_rpmostree status -v > out.txt
|
|
assert_not_file_has_content out.txt "AvailableUpdate"
|
|
# And check the unit name https://github.com/projectatomic/rpm-ostree/pull/1368
|
|
vm_get_journal_after_cursor $cursor journal.txt
|
|
assert_file_has_content journal.txt 'client(id:cli.*unit:rpm-ostreed-automatic.service'
|
|
rm -f journal.txt
|
|
|
|
# build a *newer version* and check that we report an update
|
|
vm_build_rpm layered-cake version 2.1 release 4
|
|
vm_rpmostree upgrade --trigger-automatic-update-policy
|
|
vm_rpmostree status > out.txt
|
|
assert_file_has_content out.txt "AvailableUpdate"
|
|
assert_file_has_content out.txt "Diff: 1 upgraded"
|
|
assert_not_file_has_content out.txt "SecAdvisories"
|
|
vm_rpmostree status -v > out.txt
|
|
assert_file_has_content out.txt "Upgraded: layered-cake 2.1-3 -> 2.1-4"
|
|
# make sure we don't report ostree-based stuff somehow
|
|
! grep -A999 'AvailableUpdate' out.txt | grep "Version"
|
|
! grep -A999 'AvailableUpdate' out.txt | grep "Timestamp"
|
|
! grep -A999 'AvailableUpdate' out.txt | grep "Commit"
|
|
echo "ok check mode layered only"
|
|
|
|
# confirm no filelists were fetched
|
|
vm_cmd find /var/cache/rpm-ostree -iname '*filelists*' > out.txt
|
|
if [ -s out.txt ]; then
|
|
cat out.txt && assert_not_reached "Filelists were downloaded!"
|
|
fi
|
|
echo "ok no filelists"
|
|
|
|
# now add some advisory updates
|
|
vm_build_rpm layered-enh version 2.0 uinfo VMCHECK-ENH
|
|
vm_build_rpm layered-sec-none version 2.0 uinfo VMCHECK-SEC-NONE
|
|
vm_rpmostree upgrade --trigger-automatic-update-policy
|
|
vm_rpmostree status > out.txt
|
|
assert_file_has_content out.txt "SecAdvisories: 1 unknown severity"
|
|
vm_rpmostree status -v > out.txt
|
|
assert_file_has_content out.txt \
|
|
"SecAdvisories: VMCHECK-SEC-NONE Unknown layered-sec-none-2.0-1.x86_64"
|
|
assert_not_file_has_content out.txt "VMCHECK-ENH"
|
|
|
|
assert_output() {
|
|
assert_file_has_content out.txt \
|
|
"SecAdvisories: 1 unknown severity, 1 low, 1 critical"
|
|
assert_file_has_content out-verbose.txt \
|
|
"SecAdvisories: VMCHECK-SEC-NONE Unknown layered-sec-none-2.0-1.x86_64" \
|
|
" VMCHECK-SEC-LOW Low layered-sec-low-2.0-1.x86_64" \
|
|
" VMCHECK-SEC-CRIT Critical layered-sec-crit-2.0-1.x86_64" \
|
|
"CVE-43-21 vuln5" \
|
|
"http://example.com/vuln5" \
|
|
"CVE-87-65 CVE-21-09 vuln7" \
|
|
"http://example.com/vuln7"
|
|
|
|
assert_not_file_has_content out-verbose.txt \
|
|
"layered-constant 1.0-1 -> 1.0-1" \
|
|
"vuln6" "JUNK" "vuln8"
|
|
|
|
# make sure any future call doesn't forget to create fresh ones
|
|
rm -f out.txt out-verbose.txt
|
|
}
|
|
|
|
# now add all of them
|
|
vm_build_rpm layered-sec-low version 2.0 uinfo VMCHECK-SEC-LOW
|
|
vm_build_rpm layered-sec-crit version 2.0 uinfo VMCHECK-SEC-CRIT
|
|
vm_uinfo add-ref VMCHECK-SEC-CRIT 5 http://example.com/vuln5 "CVE-43-21 vuln5"
|
|
vm_uinfo add-ref VMCHECK-SEC-CRIT 6 http://example.com/vuln6 "CVE-43-21 vuln6"
|
|
vm_uinfo add-ref VMCHECK-SEC-CRIT 7 http://example.com/vuln7 "CVE-87-65 CVE-21-09 vuln7"
|
|
vm_uinfo add-ref VMCHECK-SEC-CRIT 8 http://example.com/vuln8 "CVE-12-JUNK CVE-JUNK vuln8"
|
|
vm_rpmostree upgrade --trigger-automatic-update-policy
|
|
vm_rpmostree status > out.txt
|
|
vm_rpmostree status -v > out-verbose.txt
|
|
assert_output
|
|
echo "ok check mode layered only with advisories"
|
|
|
|
# check we see the same output with --check/--preview
|
|
# clear out cache first to make sure they start from scratch
|
|
vm_rpmostree cleanup -m
|
|
vm_cmd systemctl stop rpm-ostreed
|
|
assert_check_preview_rc 0
|
|
assert_output
|
|
echo "ok --check/--preview layered pkgs check policy"
|
|
|
|
# check that --check/--preview still works even with policy off
|
|
vm_change_update_policy off
|
|
vm_rpmostree cleanup -m
|
|
vm_cmd systemctl stop rpm-ostreed
|
|
vm_rpmostree status --verbose | grep 'AutomaticUpdates: disabled'
|
|
assert_check_preview_rc 0
|
|
assert_output
|
|
echo "ok --check/--preview layered pkgs off policy"
|
|
|
|
# ok now let's add ostree updates in the picture
|
|
vm_change_update_policy check
|
|
vm_ostreeupdate_create v2
|
|
vm_rpmostree upgrade --trigger-automatic-update-policy
|
|
|
|
# make sure we only pulled down the commit metadata
|
|
if vm_cmd ostree checkout vmcheckmote:vmcheck --subpath /usr/share/rpm; then
|
|
assert_not_reached "Was able to checkout /usr/share/rpm?"
|
|
fi
|
|
|
|
assert_output2() {
|
|
vm_assert_status_jq \
|
|
'.["cached-update"]["origin"] == "vmcheckmote:vmcheck"' \
|
|
'.["cached-update"]["version"] == "v2"' \
|
|
'.["cached-update"]["ref-has-new-commit"] == true' \
|
|
'.["cached-update"]["gpg-enabled"] == false'
|
|
|
|
# we could assert more json here, though how it's presented to users is
|
|
# important, and implicitly tests the json
|
|
assert_file_has_content out.txt \
|
|
"SecAdvisories: 1 unknown severity, 1 low, 1 critical" \
|
|
'Diff: 10 upgraded, 1 downgraded, 1 removed, 1 added'
|
|
|
|
assert_file_has_content out-verbose.txt \
|
|
"VMCHECK-SEC-NONE Unknown base-pkg-sec-none-2.0-1.x86_64" \
|
|
"VMCHECK-SEC-NONE Unknown layered-sec-none-2.0-1.x86_64" \
|
|
"VMCHECK-SEC-LOW Low base-pkg-sec-low-2.0-1.x86_64" \
|
|
"CVE-12-34 vuln1" \
|
|
"http://example.com/vuln1" \
|
|
"CVE-56-78 CVE-90-12 vuln3" \
|
|
"http://example.com/vuln3" \
|
|
"VMCHECK-SEC-LOW Low layered-sec-low-2.0-1.x86_64" \
|
|
"VMCHECK-SEC-CRIT Critical base-pkg-sec-crit-2.0-1.x86_64" \
|
|
"VMCHECK-SEC-CRIT Critical layered-sec-crit-2.0-1.x86_64" \
|
|
"CVE-43-21 vuln5" \
|
|
"http://example.com/vuln5" \
|
|
"CVE-87-65 CVE-21-09 vuln7" \
|
|
"http://example.com/vuln7" \
|
|
'Upgraded: base-pkg-enh 1.0-1 -> 2.0-1' \
|
|
' base-pkg-foo 1.4-7 -> 1.4-8' \
|
|
'Downgraded: base-pkg-bar 1.0-1 -> 0.9-3' \
|
|
'Removed: base-pkg-baz-1.1-1.x86_64' \
|
|
'Added: base-pkg-boo-3.7-2.11.x86_64'
|
|
|
|
assert_not_file_has_content out-verbose.txt \
|
|
"layered-constant 1.0-1 -> 1.0-1" \
|
|
"vuln2" "JUNK" "vuln4" \
|
|
"vuln6" "JUNK" "vuln8" \
|
|
|
|
# make sure any future call doesn't forget to create fresh ones
|
|
rm -f out.txt out-verbose.txt
|
|
}
|
|
|
|
vm_rpmostree status > out.txt
|
|
vm_rpmostree status -v > out-verbose.txt
|
|
assert_output2
|
|
echo "ok check mode ostree"
|
|
|
|
# check that we get similar output with --check/--preview
|
|
|
|
assert_check_preview_rc 0
|
|
assert_output2
|
|
echo "ok --check/--preview base pkgs check policy"
|
|
|
|
vm_change_update_policy off
|
|
vm_rpmostree cleanup -m
|
|
vm_cmd systemctl stop rpm-ostreed
|
|
assert_check_preview_rc 0
|
|
assert_output2
|
|
echo "ok --check/--preview base pkgs off policy"
|
|
|
|
assert_default_deployment_is_update() {
|
|
vm_assert_status_jq \
|
|
'.deployments[0]["origin"] == "vmcheckmote:vmcheck"' \
|
|
'.deployments[0]["version"] == "v2"' \
|
|
'.deployments[0]["packages"]|length == 6' \
|
|
'.deployments[0]["packages"]|index("layered-cake") >= 0'
|
|
vm_rpmostree db list $(vm_get_pending_csum) > list.txt
|
|
assert_file_has_content list.txt 'layered-cake-2.1-4.x86_64'
|
|
}
|
|
|
|
# now let's upgrade and check that it matches what we expect
|
|
# (but start from scratch to check that vanilla `upgrade` also builds the cache)
|
|
vm_rpmostree cleanup -m
|
|
vm_cmd systemctl stop rpm-ostreed
|
|
vm_rpmostree upgrade
|
|
vm_rpmostree status > out.txt
|
|
vm_rpmostree status -v > out-verbose.txt
|
|
# we should have printed as part of the pending deployment
|
|
assert_not_file_has_content out.txt "Available update"
|
|
assert_not_file_has_content out-verbose.txt "Available update"
|
|
assert_output2
|
|
assert_default_deployment_is_update
|
|
echo "ok upgrade"
|