#1 Add CI tests using the standard test interface
Closed 2 years ago by plautrba. Opened 2 years ago by sturivny.
git://fedorapeople.org/~sturivny/libsepol new_tests  into  master

Add CI tests using the standard test interface
Serhii Turivny • 2 years ago  
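--- /dev/null
+++ b/tests/sepol_check_context/Makefile
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libsepol/Sanity/sepol_check_context
+#   Description: Does sepol_check_context() work as expected?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libsepol/Sanity/sepol_check_context
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE example.c testpolicy.te
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does sepol_check_context() work as expected?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libsepol" >> $(METADATA)
+	@echo "Requires:        libsepol libsepol-devel gcc policycoreutils selinux-policy-devel" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+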
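Review bot: `run` and `build` are command targets but are not listed on the `.PHONY` line, which names only `all install download clean`. A file or directory called `build` in the test directory would make that rule look up to date and skip the `chmod` step, and together with a stray `run` file the test itself could be skipped, unless the included rhts-make.include already declares them, which is not visible here. I would write `.PHONY: all install download clean run build`. The `$(METADATA)` recipe also writes the target line by line and only then runs `rhts-lint`, so a lint failure leaves a METADATA file that looks current; adding `.DELETE_ON_ERROR:` near the top would remove it in that case.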

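--- /dev/null
+++ b/tests/sepol_check_context/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/libsepol/Sanity/sepol_check_context
+Author: Milos Malik <mmalik@redhat.com>
+
+Does sepol_check_context() work as expected?
+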

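--- /dev/null
+++ b/tests/sepol_check_context/example.c
@@ -0,0 +1,35 @@
+#include <stdio.h>
+#include <errno.h>
+#include <sepol/sepol.h>
+
+int main (int argc, char *argv[]) {
+    FILE *policyfile;
+
+    if (argc < 3) {
+        fprintf(stderr, "%s <binary-policy-path> <context>\n", argv[0]);
+        return 1;
+    }
+
+    policyfile = fopen(argv[1], "r");
+    if (policyfile == NULL) {
+        perror("fopen");
+        return 1;
+    }
+
+    if (sepol_set_policydb_from_file(policyfile) < 0) {
+        perror("sepol_set_policydb_from_file");
+        return 1;
+    }
+
+    if (sepol_check_context(argv[2]) < 0) {
+        perror("sepol_check_context");
+        return 1;
+    }
+
+    if (fclose(policyfile) != 0) {
+        perror("fclose");
+    }
+
+    return 0;
+}
+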
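Review bot: Every failure in `main` returns 1 (usage error, `fopen` failure, policy load failure and a rejected context), so the caller cannot tell "context is invalid" from "the policy was never loaded". This matters because runtest.sh in this PR asserts exit status 1 for the negative case and would accept any of those failures as the expected result. I would give the context check its own status, e.g. `return 2;` after `perror("sepol_check_context");`, and expect `2` in runtest.sh. The two early returns after the sepol calls also leave `policyfile` open, so a `fclose(policyfile);` before each would keep the paths symmetric. Finally, `perror` after the sepol calls assumes libsepol sets `errno` on failure, which the visible code does not establish; a plain `fprintf(stderr, "invalid context: %s\n", argv[2]);` would be more reliable there.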

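--- /dev/null
+++ b/tests/sepol_check_context/runtest.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libsepol/Sanity/sepol_check_context
+#   Description: Does sepol_check_context() work as expected?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libsepol"
+POLICY_PATH_PREFIX="/etc/selinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlRun "gcc -o example -lsepol example.c"
+        rlRun "make -f /usr/share/selinux/devel/Makefile"
+        rlRun "ls -l testpolicy.pp"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        for POLICY_KIND in minimum mls targeted ; do
+            if [ -d ${POLICY_PATH_PREFIX}/${POLICY_KIND}/policy ] ; then
+                POLICY_PATH=`find ${POLICY_PATH_PREFIX}/${POLICY_KIND}/policy/ -type f -name policy.?? | head -n 1`
+                rlRun "semodule -n -s ${POLICY_KIND} -r testpolicy" 0,1
+                rlRun "./example ${POLICY_PATH} system_u:object_r:xyz_file_t:s0" 1
+                rlRun "semodule -n -s ${POLICY_KIND} -i testpolicy.pp"
+                rlRun "./example ${POLICY_PATH} system_u:object_r:xyz_file_t:s0"
+                rlRun "semodule -n -s ${POLICY_KIND} -r testpolicy" 0,1
+            fi
+        done
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f ./example ./testpolicy.pp"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+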
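Review bot: `POLICY_PATH` is used unchecked and unquoted in the test loop, so if `find` matches nothing `./example` is called with a single argument and exits 1 on its usage check, which the first `rlRun "./example ..." 1` accepts as the expected result. Adding `rlAssertExists "${POLICY_PATH}"` right after the `find` line would turn that into a visible failure. The loop also skips silently when none of the three policy directories exists, so the test phase can report PASS without running any check; an `rlFail` after the loop when no policy kind was tested would catch that. Separately, `gcc -o example -lsepol example.c` names the library before the source file, which can fail to link on toolchains that default to `--as-needed`; `gcc -o example example.c -lsepol` is the safe order.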

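--- /dev/null
+++ b/tests/sepol_check_context/testpolicy.te
@@ -0,0 +1,4 @@
+policy_module(testpolicy,1.0)
+
+type xyz_file_t;
+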

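--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,16 @@
+---
+# Tests that run in all contexts
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    - container
+    tests:
+    - sepol_check_context
+    required_packages:
+    - gcc
+    - libsepol-devel
+    - policycoreutils
+    - selinux-policy-devel
+    - findutils         # beakerlib needs find command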
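Review bot: `required_packages` installs selinux-policy-devel but none of the policy packages whose stores runtest.sh looks for under /etc/selinux (minimum, mls, targeted). Under the `container` tag the base image may therefore have no policy directory at all, in which case the test loop is skipped and the run reports PASS without checking anything; whether that happens depends on the image contents, which are not visible here. If it does, adding `- selinux-policy-targeted` to the list would make the container run exercise at least one policy.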

no initial comment

Justification

Adds tests according to the CI wiki specifically the standard test interface in the spec.

The playbook includes Tier1 level test cases that have been tested in the following contexts and is passing reliably: Classic and Container. Test logs are stored in the artifacts directory.

The following steps are used to execute the tests using the standard test interface:

Test environment

Make sure you have installed packages from the spec

# rpm -q ansible python2-dnf libselinux-python standard-test-roles
ansible-2.3.2.0-1.fc26.noarch
python2-dnf-2.6.3-11.fc26.noarch
libselinux-python-2.6-7.fc26.x86_64
standard-test-roles-2.4-1.fc26.noarch

Run tests for Classic

# export TEST_SUBJECTS=
# sudo ansible-playbook --tags classic tests.yml

Snip of the example test run for Classic tests:

TASK [standard-test-beakerlib : Check the results] ******************************************************************************************************************************************************************
changed: [localhost]

PLAY RECAP **********************************************************************************************************************************************************************************************************
localhost                  : ok=15   changed=8    unreachable=0    failed=0   

PASS sepol_check_context

Run tests for Container

# export TEST_SUBJECTS=docker:docker.io/library/fedora:26
# sudo ansible-playbook --tags=container tests.yml

Snip of the example test run for Container tests:

TASK [standard-test-beakerlib : Check the results] ******************************************************************************************************************************************************************
changed: [4847148ec698d86ecc1c2286380b3a38c54b8ddf9420cb571474e0ec239c635d]

PLAY RECAP **********************************************************************************************************************************************************************************************************
4847148ec698d86ecc1c2286380b3a38c54b8ddf9420cb571474e0ec239c635d : ok=15   changed=11   unreachable=0    failed=0   

PASS sepol_check_context

Notes

Tests will be enabled in CI, yet gating is currently disabled, so nothing will change. Tests will run on each dist-git commit, they are not triggered on koji builds and if you are using FMN, it should notify you of failures normally.

The RH QE maintainer contact in case you have questions: mmalik@redhat.com
The idea is that these tests become yours just as you're maintaining the package, there will of course be people around if you have questions or troubles.

The described classic test run doesn't work for me:

^_^ rpm -q ansible python2-dnf libselinux-python standard-test-roles
ansible-2.4.0.0-1.fc27.noarch
python2-dnf-2.7.3-1.fc27.noarch
libselinux-python-2.7-2.fc27.x86_64
standard-test-roles-2.4-1.fc27.noarch

^_^ export TEST_SUBJECTS=

^_^ ansible-playbook --tags classic tests.yml                                      
PLAY [localhost] ******************************************************************************************************************************************************************************
...    
TASK [standard-test-beakerlib : Install the beakerlib requirements] ***************************************************************************************************************************
ok: [localhost -> None] => (item=beakerlib)
failed: [localhost -> None] (item=restraint-rhts) => {"changed": false, "failed": true, "item": "restraint-rhts", "module_stderr": "No handlers could be found for logger \"dnf\"\nTraceback (most recent call last):\n  File \"/tmp/ansible_9cIvdo/ansible_module_dnf.py\", line 534, in <module>\n    main()\n  File \"/tmp/ansible_9cIvdo/ansible_module_dnf.py\", line 530, in main\n    ensure(module, base, params['state'], params['name'], params['autoremove'])\n  File \"/tmp/ansible_9cIvdo/ansible_module_dnf.py\", line 414, in ensure\n    base.install(pkg_spec)\n  File \"/usr/lib/python2.7/site-packages/dnf/base.py\", line 1680, in install\n    raise dnf.exceptions.MarkingError(_('no package matched'), pkg_spec)\ndnf.exceptions.MarkingError: no package matched\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}
ok: [localhost -> None] => (item=rsync)
        to retry, use: --limit @/home/plautrba/devel/fedora/libsepol/tests/tests.retry

PLAY RECAP ************************************************************************************************************************************************************************************
localhost                  : ok=4    changed=1    unreachable=0    failed=1

I tested on:

[fedora][~]$ cat /etc/fedora-release
Fedora release 26 (Twenty Six)

I tested on:
[fedora][~]$ cat /etc/fedora-release
Fedora release 26 (Twenty Six)

I tested on Fedora 27 and it's reported against Rawhide :rabbit:

Run tests for Classic
$ export TEST_SUBJECTS=
$ sudo ansible-playbook --tags classic tests.yml

Note that any value assigned to TEST_SUBJECTS is dropped by sudo:

^_^ export TEST_SUBJECTS=/home/plautrba/images/CentOS-6-x86_64-GenericCloud-1702.qcow

^_^ sudo bash -c 'echo $TEST_SUBJECTS'

^_^ sudo bash -c 'echo $HOME'
/root

I'm not sure what was updated but at least the following code can't work:

# export TEST_SUBJECTS=docker:docker.io/library/fedora:26
# sudo ansible-playbook --tags=container tests.yml

As I stated before, any value assigned to TEST_SUBJECT or any other variable is dropped by sudo

I'm tried this:

# export TEST_SUBJECTS=docker:docker.io/library/fedora:25
# ansible-playbook --tags=container tests.yml

But I can't see any docker process or docker image downloaded. It's still run on localhost. What I do wrong?

Looks like I need to use different command:

$ sudo ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) TEST_SUBJECTS=docker:docker.io/library/fedora:26 TEST_ARTIFACTS=$PWD/artifacts ansible-playbook --tags container tests.yml

I'm tried this:

export TEST_SUBJECTS=docker:docker.io/library/fedora:25

ansible-playbook --tags=container tests.yml

But I can't see any docker process or docker image downloaded. It's still run on localhost. What I do wrong?

This is normal behavior. Just wait until the image has been downloaded.

Here is full documentation:
https://fedoraproject.org/wiki/CI/Tests#Running_tests
Also, feel free to ping me in IRC: sturivny
if you have some questions=)

Now it's clear. You omitted export ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) command from the instructions

# export TEST_SUBJECTS=docker:docker.io/library/fedora:25

# ansible-playbook --tags=container tests.yml     
PLAY [localhost] **************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [localhost]                                                
...

# export ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory)

# ansible-playbook --tags=container tests.yml     
Launching Docker container for docker.io/library/fedora:25     
Redirecting to /bin/systemctl start docker.service             
Unable to find image 'docker.io/fedora:25' locally             
Trying to pull repository docker.io/library/fedora ...         
...

Pull-Request has been closed by plautrba

2 years ago