#2 Add Atomic Host tests
Opened 2 years ago by dperpeet. Modified 2 years ago
rpms/ dperpeet/kernel master  into  master

@@ -0,0 +1,26 @@ 

+ From 1e4e593f005a49eab6a6c025184f3dd10c42bc32 Mon Sep 17 00:00:00 2001

+ From: Dominik Perpeet <dperpeet@redhat.com>

+ Date: Wed, 20 Sep 2017 13:11:00 +0200

+ Subject: [PATCH 1/3] Fix secureboot test to work with Atomic Host

+ 

+ ---

+  secureboot/check_SB_signature/runtest.sh | 4 ++--

+  1 file changed, 2 insertions(+), 2 deletions(-)

+ 

+ diff --git a/secureboot/check_SB_signature/runtest.sh b/secureboot/check_SB_signature/runtest.sh

+ index 10eceb9..2766a21 100755

+ --- a/secureboot/check_SB_signature/runtest.sh

+ +++ b/secureboot/check_SB_signature/runtest.sh

+ @@ -12,8 +12,8 @@ fi

+ 

+  validsig=$1

+  echo "Looking for Signature $validsig"

+ -kver=$(uname -r)

+ -signer=$(/usr/bin/pesign -i /boot/vmlinuz-$kver -S | grep "common name")

+ +vmlinuz=$(cat /proc/cmdline | sed -e 's/^.*BOOT_IMAGE=//' -e 's/ .*$//')

+ +signer=$(/usr/bin/pesign -i /boot/$vmlinuz -S | grep "common name")

+  echo $signer

+  if [ "$signer" == "The signer's common name is $validsig" ]; then

+         exit 0

+ --

+ 2.9.5
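Review bot: The new `vmlinuz=$(cat /proc/cmdline | sed ...)` derivation has no fallback when `BOOT_IMAGE=` is absent from the command line (direct-kernel boots, some EFI-stub paths): the first `sed` expression then matches nothing and `$vmlinuz` becomes the first cmdline token, so `pesign` is pointed at a path that does not exist and the failure is reported as a signer mismatch rather than as "could not find the booted image". The expansion is also unquoted in `pesign -i /boot/$vmlinuz -S`. I would verify the resolved image exists before asking pesign about it (bailing out with whatever status the failing branch below this hunk uses) and quote the path. Worth a one-line comment too: as far as I can tell `pesign -S` only lists the signatures and their certificate common names, so this test establishes "signed with a certificate whose CN is `$validsig`", not that the signature verifies against a trusted key. The rest of the function (the non-matching branch) is outside the hunk.
```shell
vmlinuz=$(sed -e 's/^.*BOOT_IMAGE=//' -e 's/ .*$//' /proc/cmdline)
if [ -z "$vmlinuz" ] || [ ! -f "/boot/$vmlinuz" ]; then
        echo "Could not locate booted kernel image (BOOT_IMAGE=$vmlinuz) under /boot"
        exit 1
fi
# pesign -S lists signatures and their signer CN; it does not verify them.
signer=$(/usr/bin/pesign -i "/boot/$vmlinuz" -S | grep "common name")
# … unchanged: echo and common-name comparison …
```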

@@ -0,0 +1,30 @@ 

+ From 58bf63498ec2906dec66816c1cef0e01c966dcbc Mon Sep 17 00:00:00 2001

+ From: Dominik Perpeet <dperpeet@redhat.com>

+ Date: Wed, 20 Sep 2017 13:13:38 +0200

+ Subject: [PATCH 2/3] Use example config with enabled signature testing

+ 

+ ---

+  config.example => .config | 4 ++--

+  1 file changed, 2 insertions(+), 2 deletions(-)

+  rename config.example => .config (95%)

+ 

+ diff --git a/config.example b/.config

+ similarity index 95%

+ rename from config.example

+ rename to .config

+ index 6ae342e..76a9215 100644

+ --- a/config.example

+ +++ b/.config

+ @@ -11,8 +11,8 @@ submit=none

+  # disable_retest=y

+ 

+  # Check Signature for Secure Boot

+ -# checksig=y

+ -# validsig="Fedora Secure Boot Signer"

+ +checksig=y

+ +validsig="Fedora Secure Boot Signer"

+ 

+  # Test 3rd Party Modules

+  # thirdparty=y

+ --

+ 2.9.5

@@ -0,0 +1,30 @@ 

+ From 3cfd2db77fddfd635b7a08d6537bdeab3b28c026 Mon Sep 17 00:00:00 2001

+ From: Dominik Perpeet <dperpeet@redhat.com>

+ Date: Wed, 20 Sep 2017 14:03:31 +0200

+ Subject: [PATCH 3/3] Disable gcc check for Atomic Host

+ 

+ ---

+  runtests.sh | 8 ++++----

+  1 file changed, 4 insertions(+), 4 deletions(-)

+ 

+ diff --git a/runtests.sh b/runtests.sh

+ index 8820c2b..400d380 100755

+ --- a/runtests.sh

+ +++ b/runtests.sh

+ @@ -25,10 +25,10 @@ kver=$(uname -r)

+  release=$(cat /etc/redhat-release)

+ 

+  # Check for pre-requisites.

+ -if [ ! -f /usr/bin/gcc ]; then

+ -       echo Fedora kernel test suite needs gcc.

+ -       exit

+ -fi

+ +#if [ ! -f /usr/bin/gcc ]; then

+ +#      echo Fedora kernel test suite needs gcc.

+ +#      exit

+ +#fi

+ 

+  # unset MALLOC_CHECK_ and MALLOC_PERTURB_.  Some tests might not work well

+  # with those active (like libhugetlbfs)

+ --

+ 2.9.5
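Review bot: Commenting out the gcc prerequisite leaves runtests.sh with no guard at all, so on a host without a compiler any test that still builds at run time fails deep inside the test with an unrelated error instead of a clear prerequisite message; as I read compile-tests.sh elsewhere in this PR, only the handful of tests it pre-builds are covered by the Atomic Host workaround. Rather than carrying dead commented-out code, make the check skippable: `if [ -z "${SKIP_GCC_CHECK:-}" ] && ! command -v gcc >/dev/null 2>&1; then` and have the Atomic playbook export `SKIP_GCC_CHECK=1`. While touching it, the bail-out should become `exit 1`: the old `exit` returned 0, so a missing compiler silently passed the suite. The enclosing script continues outside the hunk.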

@@ -0,0 +1,63 @@ 

+ #!/bin/sh

+ 

+ # install dependencies

+ dnf -y install gcc make

+ 

+ cd /code/default/paxtest

+ make linux >/dev/null 2>/dev/null

+ if [ ! -f ./paxtest ]; then

+   echo "Something went wrong during paxtest build."

+   exit -1

+ fi

+ 

+ cd /code/default/selinux-dac-controls

+ gcc -g -O0 -o mmap_test mmap_test.c

+ if [ ! -f ./mmap_test ]; then

+   echo "Something went wrong during mmap_test build."

+   exit -1

+ fi

+ 

+ cd /code/default/timer-overhead

+ if [ ! -f ./timer-test ]; then

+         make

+         if [ "$?" -ne "0" ]; then

+                 echo "Timer-test build failed."

+                 exit -1

+         fi

+ fi

+ 

+ cd /code/default/insert_leap_second

+ if [ ! -f ./leap-a-day ]; then

+         gcc -o leap-a-day leap-a-day.c

+         if [ "$?" -ne "0" ]; then

+                 echo "leap-a-day build failed."

+                 exit 3

+         fi

+ fi

+ 

+ cd /code/default/memfd

+ if [ ! -f ./memfd_test ]; then

+         gcc -D_FILE_OFFSET_BITS=64 -o memfd_test memfd_test.c

+         if [ "$?" -ne "0" ]; then

+                 echo "memfd_test build failed."

+                 exit 3

+         fi

+ fi

+ 

+ cd /code/default/mq-memory-corruption

+ if [ ! -f ./mq-notify ]; then

+         gcc mq_notify-5.1.c -lrt -o mq-notify

+         if [ "$?" -ne "0" ]; then

+                 echo "mq-notify build failed."

+                 exit 3

+         fi

+ fi

+ 

+ cd /code/default/posix_timers

+ if [ ! -f ./posix_timers ]; then

+         gcc -o posix_timers posix_timers.c -lrt

+         if [ "$?" -ne "0" ]; then

+                 echo "posix_timers build failed."

+                 exit 3

+         fi

+ fi
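Review bot: Every `cd /code/default/...` is unchecked, so a missing or renamed test directory leaves the script in the previous directory and the following `make`/`gcc` builds (or overwrites) the wrong test's binary; there is no `set -e` to stop that. `exit -1` is also not valid under the `#!/bin/sh` shebang on a strictly POSIX shell such as dash ("Illegal number"), so the early exits may not yield the status the caller expects — `exit 1` is what the later stanzas already use. Redirecting both stdout and stderr of `make linux` to /dev/null discards the only diagnostic for a failed paxtest build, which then surfaces only as "Something went wrong". I would enable `set -eu`, guard each `cd`, keep stderr, and use a consistent non-zero status.
```shell
#!/bin/sh
set -eu

# install dependencies
dnf -y install gcc make

cd /code/default/paxtest || exit 1
# keep stderr so a failed build is diagnosable in the CI log
make linux >/dev/null
if [ ! -f ./paxtest ]; then
  echo "Something went wrong during paxtest build." >&2
  exit 1
fi
# … unchanged: remaining per-test build stanzas, each with `cd … || exit 1` and `exit 1` …
```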


@@ -0,0 +1,82 @@ 

+ # Test the Fedora kernel on Fedora Atomic Host

+ # Fedora Continuous Integration: https://fedoraproject.org/wiki/CI

+ ---

+ - hosts: localhost

+ 

+   vars:

+   - artifacts: ./artifacts

+   - remote_artifacts: /root/artifacts

+   - kernel_tests_dir: ./kernel-tests-git

+ 

+   tags:

+   - atomic

+ 

+   tasks:

+   - name: Check out kernel-tests

+     local_action:

+       module: git

+       repo: "https://pagure.io/kernel-tests.git"

+       dest: "{{ kernel_tests_dir }}"

+       version: "master"

+       force: yes

+ 

+   - name: Get the OS version running on the Atomic Host

+     shell: grep VERSION_ID /etc/os-release | sed  -e 's/VERSION_ID=//'

+     register: os_release

+ 

+   - name: Copy the script to compile the tests into the right directory

+     local_action: shell cp "{{ playbook_dir }}/kernel-tests/compile-tests.sh" "{{ kernel_tests_dir }}/"

+ 

+   - name: Make sure docker is started locally

+     local_action:

+       module: service

+       args:

+         name: docker

+         state: started

+ 

+   - name: Run the fedora container to compile the test binaries in the source tree

+     local_action: shell docker run -v {{ playbook_dir }}/{{ kernel_tests_dir }}:/code:Z fedora:{{ os_release.stdout }} /bin/sh /code/compile-tests.sh

+ 

+   - name: Apply patches to kernel-tests

+     local_action:

+        module: shell git am "{{ playbook_dir }}/kernel-tests/{{ item }}"

+        args:

+          chdir: "{{ kernel_tests_dir }}"

+     with_items:

+        - "0001-Fix-secureboot-test-to-work-with-Atomic-Host.patch"

+        - "0002-Use-example-config-with-enabled-signature-testing.patch"

+        - "0003-Disable-gcc-check-for-Atomic-Host.patch"

+ 

+   - name: Install the test files

+     synchronize:

+       src: "{{ kernel_tests_dir }}/"

+       dest: /root/

+       mode: push

+       ssh_args: "-o UserKnownHostsFile=/dev/null"

+ 

+   - name: Install tests and dependencies

+     shell: rpm-ostree install pesign && rpm-ostree ex livefs

+ 

+   - name: Make artifacts directory

+     file: path={{ remote_artifacts }} state=directory owner=root mode=755 recurse=yes

+ 

+   - name: Test block

+     block:

+       - name: Execute the tests

+         shell: exec > {{ remote_artifacts }}/test.log 2>&1 && /root/runtests.sh

+       - name: Copy detailed results

+         shell: cp /root/logs/* {{ remote_artifacts }}/

+ 

+     always:

+       - name: Gather logs

+         shell: (cd {{ remote_artifacts }}; find . -maxdepth 1 -type f) | cut -d'/' -f2

+         register: artifacts_to_fetch

+       - name: Pull out the logs

+         # use fetch here because synchronize in pull mode seems to ask for a password locally

+         fetch:

+           src: "{{ remote_artifacts }}/{{ item }}"

+           dest: "{{ artifacts }}"

+           flat: yes

+           # we don't have md5 on the Atomic Host

+           validate_checksum: no

+         with_items: "{{ artifacts_to_fetch.stdout_lines }}"
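Review bot: The kernel-tests checkout at `version: "master"` (with `force: yes`) and the `fedora:{{ os_release.stdout }}` image are both unpinned, so the code that is compiled locally in docker and then executed as root on the test subject via `/root/runtests.sh` is whatever those upstream refs resolve to at run time — a compromised or merely changed master silently alters the gate; pin `version:` to a tag or commit SHA and bump it deliberately, and prefer a digest-pinned image. `ssh_args: "-o UserKnownHostsFile=/dev/null"` on the synchronize task discards the subject's host key, which is acceptable for a throwaway VM but deserves a comment saying so, since an impersonated subject would receive the test tree without complaint. The version lookup should also anchor and strip quotes so it does not break on a quoted or differently named field: `grep '^VERSION_ID=' /etc/os-release | sed -e 's/^VERSION_ID=//' -e 's/"//g'`.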

Adds tests according to the CI wiki [0], specifically the standard test interface described in the spec [1].

The playbook uses kernel-tests and compiles them in a docker container matching the major release of the Atomic Host.

I tested this with Fedora-Atomic-26-20170905.0.x86_64.qcow2, as root (to enable docker) with the following steps:

export ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory)
export TEST_SUBJECTS=~/Fedora-Atomic-26-20170905.0.x86_64.qcow2
ansible-playbook --tags=atomic tests.yml

Results in the test.log:

Test suite called with default
./secureboot/check_SB_signature                                  PASS
./default/cachedrop                                              PASS
./default/insert_leap_second                                     PASS
./default/libhugetlbfs                                           SKIP
./default/memfd                                                  PASS
./default/modsign                                                SKIP
./default/mq-memory-corruption                                   PASS
./default/paxtest                                                PASS
./default/posix_timers                                           PASS
./default/selinux-dac-controls                                   PASS
./default/stack-randomness                                       PASS
./default/sysfs-perms                                            PASS
./default/timer-overhead                                         PASS

Test suite complete                                              PASS

After the run, the additional log file is also downloaded into the artifacts dir. In my case, the contents of my artifacts directory after running the playbook were:

Fedora-Atomic-26-20170905.0.x86_64.qcow2.log
kernel-test-1506010125.log.txt
test.log

The reason I didn't pull logs using synchronize was that I kept getting prompted for my password that way.

[0] https://fedoraproject.org/wiki/CI,
[1] https://fedoraproject.org/wiki/Changes/InvokingTests

After talking with @jforbes, there are open questions on which kernel builds these tests are run on.
- Sometimes, there are commits which don't result in viable kernels, because fixes by others need to be merged first
- Realistically, only viable (trusted) koji builds should be tested. Other builds are not useful enough to spend time on debugging failures.

Most importantly, kernels not built by a small set of specific people in koji do not get signed with the correct Secure Boot keys. Even scratch builds by people who do have the permissions are not built on the signing hosts; only official builds get signed. This is probably the single most important check in these tests from a gating standpoint.

The CI pipeline will be building all packages in Koji. @dperpeet can you check if that is happening now or when it is planned to happen? https://github.com/CentOS-PaaS-SIG/ci-pipeline

Once that koji building is in place (or if it already is — @dperpeet, please let me know), I can cross-check what it takes to give the CI pipeline the appropriate permissions to produce such builds.

Keep in mind that although the CI pipeline builds and composes on every single commit, Fedora's pipeline integration then only chooses pipeline results relevant to what is being delivered via Bodhi.

It's okay if certain commits in dist-git for the kernel repo don't result in a viable kernel.

That said, the above issue with koji and a signed build still needs to be worked through.

The build isn't happening in koji right now. I've confirmed that the signing test fails as expected on the images built by the pipeline.

Let's continue this discussion here when we have kernels that pass the signing test.

Why did this block on signing again?