Re: [PATCH 4/4] virt-aa-helper: test: add test for new option -P
On Mon, Oct 11, 2021 at 07:59:47AM +0200, Christian Ehrhardt wrote:
> On Thu, Oct 7, 2021 at 7:25 PM Ioanna Alifieraki > > +# For the next test to run apparmor needs to be installed and enabled. > > +# In some environments (e.g. containers) even though apparmor is > > +# installed, it is not enabled because securityfs is not mounted. > > +# In those environments this test cannot run so skip it. > > +# This test also needs to be run as root. > > +if [ `eval id -u` = 0 ] && [ -x "$(command -v aa-enabled)" ] && [ `eval > > aa-enabled` = "Yes" ]; then
>
> This is great to be checked before causing a failure, but a question
> to the libvirt-CI experts,
> how doable (or not) would it be to get apparmor installed on those
> distro testbeds that support it?

Assuming the necessary packages are included in the container image, what else is needed to have apparmor running? Does apparmor need to be running in the host OS as well for it to work in containers? Does the "securityfs" thing mentioned in the comment above need to be passed through from the host OS?

Our CI pipeline uses containers running on the GitLab infrastructure. I'm not sure what they're using as host OS, but if it's something like Fedora for example I would expect that running apparmor would be a problem. If special filesystems need to be passed to the container, that's probably going to pose a challenge too.

> Are there any good pointers one would start to look at adapting those
> testbeds?

The container images are generated from the Dockerfiles in ci/containers, which in turn are generated using the lcitool utility that's being developed as part of

  https://gitlab.com/libvirt/libvirt-ci/

If you want to include more packages, you should start by defining a mapping for it in

  guests/lcitool/lcitool/ansible/vars/mappings.yml

and then adding it to

  guests/lcitool/lcitool/ansible/vars/projects/libvirt.yml

That's the short version. If you're looking for more information, just let me know and I'll be happy to help :)

--
Andrea Bolognani / Red Hat / Virtualization
Re: [PATCH 4/4] virt-aa-helper: test: add test for new option -P
On Thu, Oct 7, 2021 at 7:25 PM Ioanna Alifieraki wrote: > > Create a corrupt profile and expect to be removed after the test is run. > > Signed-off-by: Ioanna Alifieraki > --- > tests/meson.build | 1 + > tests/virt-aa-helper-test | 29 + > 2 files changed, 30 insertions(+) > > diff --git a/tests/meson.build b/tests/meson.build > index dfbc2c01e2..991cfc402d 100644 > --- a/tests/meson.build > +++ b/tests/meson.build > @@ -40,6 +40,7 @@ tests_env = [ >'LC_ALL=C', >'LIBVIRT_AUTOSTART=0', >'G_DEBUG=fatal-warnings', > + 'sysconfdir=@0@'.format(get_option('prefix') / get_option('sysconfdir')), > ] > > if use_expensive_tests > diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test > index 83f53acef6..135c4968b5 100755 > --- a/tests/virt-aa-helper-test > +++ b/tests/virt-aa-helper-test > @@ -16,6 +16,7 @@ fi > output="/dev/null" > use_valgrind="" > ld_library_path="$abs_top_builddir/src/" > +profile_path="$sysconfdir/apparmor.d/libvirt/" > if [ ! -z "$1" ] && [ "$1" = "-d" ]; then > output="/dev/stdout" > shift 
> @@ -399,6 +400,34 @@ testme "0" "shmem doorbell" "-r -u $valid_uuid" > "$test_xml" "\"/var/lib/libvirt/ > sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e > "s,, type='ivshmem-doorbell'/> path='/var/lib/libvirt/ivshmem_socket'/>,g" "$template_xml" > > "$test_xml" > testme "0" "shmem doorbell serverpath" "-r -u $valid_uuid" "$test_xml" > "\"/var/lib/libvirt/ivshmem_socket\"\s*rw,$" > > +# For the next test to run apparmor needs to be installed and enabled. > +# In some environments (e.g. containers) even though apparmor is > +# installed, it is not enabled because securityfs is not mounted. > +# In those environments this test cannot run so skip it. > +# This test also needs to be run as root. > +if [ `eval id -u` = 0 ] && [ -x "$(command -v aa-enabled)" ] && [ `eval > aa-enabled` = "Yes" ]; then

This is great to be checked before causing a failure, but a question to the libvirt-CI experts, how doable (or not) would it be to get apparmor installed on those distro testbeds that support it? Are there any good pointers one would start to look at adapting those testbeds?

> + sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk2,g" > "$template_xml" > "$test_xml" > +# Running the tests does not require libvirt to be installed. As a > +# result the appropriate directories have not been created. Create > them > +# now to run the test. > +mkdir -p "$profile_path" > + # create a corrupted profile > + touch "$profile_path/$valid_uuid" > + testme "0" "purge" "-r -u $valid_uuid" "$test_xml" > + # All the tests are run with the --dry-run option this test is > + # never going to fail because the profile is not going to be loaded. > + # However, since we touch the profile if it's still here after the > test > + # it means that something went wrong, so make the test fail.
> + if [ -f "$profile_path/$valid_uuid" ]; then > + echo "FAIL: failed to purge corrupted profile" >$output > + echo " '$extra_args $args': " > + errors=$(($errors + 1)) > + # remove corrupted profile anyways not to interfere with > + # subsequent runs of the tests. > + rm "$profile_path/$valid_uuid" > + fi > +fi > + > testme "0" "help" "-h" > > echo "" >$output > -- > 2.17.1 >

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
Re: [PATCH 4/4] virt-aa-helper: test: add test for new option -P
On a Thursday in 2021, Ioanna Alifieraki wrote:

Create a corrupt profile and expect to be removed after the test is run.

Signed-off-by: Ioanna Alifieraki
---
tests/meson.build | 1 + tests/virt-aa-helper-test | 29 + 2 files changed, 30 insertions(+)

Reviewed-by: Ján Tomko

Jano
[PATCH 4/4] virt-aa-helper: test: add test for new option -P
Create a corrupt profile and expect to be removed after the test is run. Signed-off-by: Ioanna Alifieraki --- tests/meson.build | 1 + tests/virt-aa-helper-test | 29 + 2 files changed, 30 insertions(+) diff --git a/tests/meson.build b/tests/meson.build index dfbc2c01e2..991cfc402d 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -40,6 +40,7 @@ tests_env = [ 'LC_ALL=C', 'LIBVIRT_AUTOSTART=0', 'G_DEBUG=fatal-warnings', + 'sysconfdir=@0@'.format(get_option('prefix') / get_option('sysconfdir')), ] if use_expensive_tests diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test index 83f53acef6..135c4968b5 100755 --- a/tests/virt-aa-helper-test +++ b/tests/virt-aa-helper-test @@ -16,6 +16,7 @@ fi output="/dev/null" use_valgrind="" ld_library_path="$abs_top_builddir/src/" +profile_path="$sysconfdir/apparmor.d/libvirt/" if [ ! -z "$1" ] && [ "$1" = "-d" ]; then output="/dev/stdout" shift 
@@ -399,6 +400,34 @@ testme "0" "shmem doorbell" "-r -u $valid_uuid" "$test_xml" "\"/var/lib/libvirt/ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,,,g" "$template_xml" > "$test_xml" testme "0" "shmem doorbell serverpath" "-r -u $valid_uuid" "$test_xml" "\"/var/lib/libvirt/ivshmem_socket\"\s*rw,$" +# For the next test to run apparmor needs to be installed and enabled. +# In some environments (e.g. containers) even though apparmor is +# installed, it is not enabled because securityfs is not mounted. +# In those environments this test cannot run so skip it. +# This test also needs to be run as root. +if [ `eval id -u` = 0 ] && [ -x "$(command -v aa-enabled)" ] && [ `eval aa-enabled` = "Yes" ]; then + sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk2,g" "$template_xml" > "$test_xml" +# Running the tests does not require libvirt to be installed. As a +# result the appropriate directories have not been created. Create them +# now to run the test. +mkdir -p "$profile_path" + # create a corrupted profile + touch "$profile_path/$valid_uuid" + testme "0" "purge" "-r -u $valid_uuid" "$test_xml" + # All the tests are run with the --dry-run option this test is + # never going to fail because the profile is not going to be loaded. + # However, since we touch the profile if it's still here after the test + # it means that something went wrong, so make the test fail. + if [ -f "$profile_path/$valid_uuid" ]; then + echo "FAIL: failed to purge corrupted profile" >$output + echo " '$extra_args $args': " + errors=$(($errors + 1)) + # remove corrupted profile anyways not to interfere with + # subsequent runs of the tests. + rm "$profile_path/$valid_uuid" + fi +fi + testme "0" "help" "-h" echo "" >$output -- 2.17.1
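Review bot: the sysconfdir entry added to tests_env in the tests/meson.build hunk resolves to the installed location (get_option('prefix') / get_option('sysconfdir')), and the test script then runs mkdir -p "$profile_path" and touch "$profile_path/$valid_uuid" under it as root, so running the test suite writes into the system configuration tree rather than the build directory. A comment saying that this is intentional and why a build-tree path cannot be used would make the side effect explicit. The lower-case, unprefixed name sysconfdir is also easy to collide with in an inherited environment; a test-specific name would be safer.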
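Review bot: in the first tests/virt-aa-helper-test hunk, profile_path="$sysconfdir/apparmor.d/libvirt/" has no fallback for an unset or empty sysconfdir, for example when the script is started by hand instead of through meson; the path then collapses to /apparmor.d/libvirt/ and the later mkdir -p, which only runs as root, creates it at the filesystem root. Expanding it as ${sysconfdir:?} or giving it an explicit default would fail early instead. The trailing slash also produces a double slash in "$profile_path/$valid_uuid"; harmless, but it could be dropped.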
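Review bot: the guard on the if line of the new purge test uses unquoted backtick substitutions wrapped in eval ([ `eval id -u` = 0 ] and [ `eval aa-enabled` = "Yes" ]); if aa-enabled prints nothing, the second test becomes [ = "Yes" ] and the shell reports a syntax error instead of skipping cleanly, and the eval adds nothing. [ "$(id -u)" = 0 ] and [ "$(aa-enabled)" = "Yes" ] would be safer. When the guard is false the test is skipped without any message, so a line written to $output saying so would help when reading CI logs. In the failure branch the second echo is not redirected to $output like the first, the indentation of the "Running the tests" comment and the mkdir line does not match the rest of the block, and rm -f would avoid a second error if the file is already gone.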