tests,ci: Move "test-basic" (bare mode) to installed test

Our CI uses default Docker, which has SELinux labeling but is rather
evil in returning `EOPNOTSUPP` to any attempts to set `security.selinux`,
even if to the same value.

The previous fire 🔥 for this was: https://github.com/ostreedev/ostree/pull/759

The `bare` repo mode really only makes sense as uid 0, so our installed
test framework is a good match for this.  However, the unit tests *do*
work in a privileged container even as non-root, and *also* should
work on SELinux-disabled systems.  So let's teach the test framework
how to skip in those situations.

I tested this both in a priv container (my default builder) and an unpriv
container (like our CI).

At the same time, start executing the `test-basic.sh` from an installed test,
so we get better coverage than before.

This is just the start - all of the sysroot tests really need the
same treatment.

Closes: #1217
Approved by: jlebon

diff --git a/.papr.yml b/.papr.yml
index 03489142724f377b2ed5b302bba7ae9061a06a84..9a25343119c406764fcad8bbb5ac2a1321d774bf 100644 (file)
--- a/.papr.yml
+++ b/.papr.yml
@@ -153,7 +153,7 @@ tests:
   - make install DESTDIR=$(pwd)/insttree
   - yum -y install rsync
   - rsync -rl -e 'ssh -o User=root' . vmcheck:ostree/
-  - ssh root@vmcheck './ostree/tests/installed/fah-prep.sh && ostree admin unlock && rsync -rlv ./ostree/insttree/usr/ /usr/ && ./ostree/tests/installed/run.sh'
+  - ssh root@vmcheck './ostree/tests/installed/fah-prep.sh && ./ostree/tests/installed/run.sh'
 
 ---
 

diff --git a/tests/basic-test.sh b/tests/basic-test.sh
index 742b1adaaabfd561f9d7569e7a997c734f37c189..482f6979b7c8c0d30ca402917615a0c0bcb1d887 100644 (file)
--- a/tests/basic-test.sh
+++ b/tests/basic-test.sh
@@ -19,11 +19,7 @@
 
 set -euo pipefail
 
-echo "1..$((73 + ${extra_basic_tests:-0}))"
-
-$CMD_PREFIX ostree --version > version.yaml
-python -c 'import yaml; yaml.safe_load(open("version.yaml"))'
-echo "ok yaml version"
+echo "1..$((72 + ${extra_basic_tests:-0}))"
 
 CHECKOUT_U_ARG=""
 CHECKOUT_H_ARGS="-H"

diff --git a/tests/installed/fah-prep.sh b/tests/installed/fah-prep.sh
index 0db4d15e2f6319922d25a4322df33b6c886e9d6f..865fa4f1204598749711fedb1f1efe02efacb52e 100755 (executable)
--- a/tests/installed/fah-prep.sh
+++ b/tests/installed/fah-prep.sh
@@ -6,3 +6,5 @@ if lvm lvs atomicos/docker-pool &>/dev/null; then
     lvm lvremove -f atomicos/docker-pool
 fi
 lvm lvextend -r -l +100%FREE atomicos/root
+ostree admin unlock
+rsync -rlv ./ostree/insttree/usr/ /usr/

diff --git a/tests/installed/itest-bare-unit.sh b/tests/installed/itest-bare-unit.sh
new file mode 100755 (executable)
index 0000000..c763faf
--- /dev/null
+++ b/tests/installed/itest-bare-unit.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Run test-basic.sh as root.
+# https://github.com/ostreedev/ostree/pull/1199
+
+set -xeuo pipefail
+
+dn=$(dirname $0)
+. ${dn}/libinsttest.sh
+
+# Use /var/tmp to hopefully use XFS + O_TMPFILE etc.
+tempdir=$(mktemp -d /var/tmp/tap-test.XXXXXX)
+touch ${tempdir}/.testtmp
+function cleanup () {
+    if test -f ${tempdir}/.testtmp; then
+             rm "${tempdir}" -rf
+    fi
+}
+trap cleanup EXIT
+cd ${tempdir}
+# This sort of bypasses the installed-tests spec;
+# fixing that would require installing g-d-t-r, though
+# more ideally we architect things with a "control" container
+# distinct from the host.
+/usr/libexec/installed-tests/libostree/test-basic.sh

diff --git a/tests/libtest.sh b/tests/libtest.sh
index 9bfc199f4f93861120e5e38ad50d88226c6a2da7..ed6cc43d279f6e9c39eb4565520ee46fbc1413ea 100755 (executable)
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -546,6 +546,30 @@ skip_without_user_xattrs () {
     fi
 }
 
+# Skip unless SELinux is disabled, or we can relabel.
+# Default Docker has security.selinux xattrs, but returns
+# EOPNOTSUPP when trying to set them, even to the existing value.
+# https://github.com/ostreedev/ostree/pull/759
+# https://github.com/ostreedev/ostree/pull/1217
+skip_without_no_selinux_or_relabel () {
+    cd ${test_tmpdir}
+    echo testlabel > testlabel.txt
+    selinux_xattr=security.selinux
+    if getfattr --encoding=base64 -n ${selinux_xattr} testlabel.txt >label.txt 2>err.txt; then
+        label=$(grep -E -e "^${selinux_xattr}=" < label.txt |sed -e "s,${selinux_xattr}=,,")
+        if setfattr -n ${selinux_xattr} -v ${label} testlabel.txt 2>err.txt; then
+            echo "SELinux enabled in $(pwd), and have privileges to relabel"
+            return 0
+        else
+            sed -e 's/^/# /' < err.txt >&2
+            skip "Found SELinux label, but unable to set (Unprivileged Docker?)"
+        fi
+    else
+        sed -e 's/^/# /' < err.txt >&2
+        skip "Unable to retrieve SELinux label, assuming disabled"
+    fi
+}
+
 # https://brokenpi.pe/tools/strace-fault-injection
 _have_strace_fault_injection=''
 have_strace_fault_injection() {

diff --git a/tests/test-basic-user-only.sh b/tests/test-basic-user-only.sh
index 19262b7b6ed7655c2e3145341d2172df1b8e379a..6a2ca25f9bec7859fdf90a4bb18f1f2ab2d9e20a 100755 (executable)
--- a/tests/test-basic-user-only.sh
+++ b/tests/test-basic-user-only.sh
@@ -22,9 +22,13 @@ set -euo pipefail
 . $(dirname $0)/libtest.sh
 
 setup_test_repository "bare-user-only"
-extra_basic_tests=4
+extra_basic_tests=5
 . $(dirname $0)/basic-test.sh
 
+$CMD_PREFIX ostree --version > version.yaml
+python -c 'import yaml; yaml.safe_load(open("version.yaml"))'
+echo "ok yaml version"
+
 # Reset things so we don't inherit a lot of state from earlier tests
 cd ${test_tmpdir}
 rm repo files -rf

diff --git a/tests/test-basic.sh b/tests/test-basic.sh
index d1afe75f9ae4d5688d05ee823d64d728d40ee1fc..eaccc2f0234379f0bb89e1b4c6e5df55944f59fa 100755 (executable)
--- a/tests/test-basic.sh
+++ b/tests/test-basic.sh
@@ -21,6 +21,7 @@ set -euo pipefail
 
 . $(dirname $0)/libtest.sh
 
-setup_test_repository "bare"
+skip_without_no_selinux_or_relabel
 
+setup_test_repository "bare"
 . $(dirname $0)/basic-test.sh