-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests/kola: remove dtb exceptions in upgrade test SELinux checks #3237
tests/kola: remove dtb exceptions in upgrade test SELinux checks #3237
Conversation
I'm not really sure if we can remove these exceptions yet. After an upgrade there are still two deployments around. Does the OSTree fix fix the old deployment too such that we guarantee all files in You could try applying this patch to the upgrade test and then running it to see what the results are: fedora-coreos-config/tests/kola/upgrade/extended/test.sh Lines 22 to 28 in 7ef7e40
so you would |
Unluckily no, sorry that I just did testing using the fixed ostree and ignore the old deployment which already has the wrong label, in this case the old deployment will keep the wrong label as ostree will not copy |
I think that's fine and expected. It just means we can't remove this exception for now. OR maybe we could |
a6ce4e3
to
3eefeae
Compare
Thinking about this a little more can we make it conditional? Would you mind testing something like on aarch64? diff --git a/tests/kola/upgrade/extended/test.sh b/tests/kola/upgrade/extended/test.sh
index 4c880d96..3bca64aa 100755
--- a/tests/kola/upgrade/extended/test.sh
+++ b/tests/kola/upgrade/extended/test.sh
@@ -162,10 +162,34 @@ wait-for-coreos-fix-selinux-labels() {
echo "Waited for coreos-fix-selinux-labels.service to finish"
}
+# Check if the rollback deployment has the dtb copy fix and if not
+# delete the rollback deployment.
+# https://github.com/coreos/fedora-coreos-tracker/issues/1808
+#
+# NOTE: we can drop this once the newest barrier release for all
+# streams is newer than 41.20241028.x.x.
+drop_rollback_if_needed() {
+ # The dtb copy issue was only ever an issue ever on aarch64
+ [ "$(arch)" != 'aarch64' ] && return
+ # We only need to drop if the rollback deployment is older than
+ # when the fixed ostree was included. It should be fixed in the
+ # next round of releases after 41.20241028. Note 41.20241028.0.0
+ # is not a real build and uses `0` for the stream identifier, but
+ # should sort accordingly.
+ previous=$(rpm-ostree status --json | jq -r '.deployments[] | select(.booted == false).version')
+ if ! vergt $previous '41.20241028.0.0'; then
+ echo "Dropping rollback deployment because it could have mislabeled dtb files"
+ rpm-ostree cleanup -r
+ fi
+}
+
selinux-sanity-check() {
# First make sure the migrations/fix script has finished if this is the boot
# where the fixes are taking place.
wait-for-coreos-fix-selinux-labels
+ # Next if the dtb copy fix wasn't present in the previous deployment
+ # then we'll delete that deployment before proceeding
+ drop_rollback_if_needed
# Verify SELinux labels are sane. Migration scripts should have cleaned
# up https://github.com/coreos/fedora-coreos-tracker/issues/1772
unlabeled="$(find /sysroot -context '*unlabeled_t*' -print0 | xargs --null -I{} ls -ldZ '{}')" |
You are correct, the dtb files are only on aarch64, will try to find out how to run upgrade tests on aarch64, |
3eefeae
to
55370f9
Compare
Do testing with this PR failed when running from
|
55370f9
to
710456c
Compare
right. it won't work until the next builds on the prod streams, but you can test against the non-prod streams now, which is what all future tests will do:
This ^^ should work without your latest commit. |
tests/kola/upgrade/extended/test.sh
Outdated
# is not a real build and uses `0` for the stream identifier, but | ||
# should sort accordingly. | ||
previous=$(rpm-ostree status --json | jq -r '.deployments[] | select(.booted == false).version') | ||
if (! vergt $previous '41.20241028.0.0') && vergt $version '41.20241028.0.0'; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If previous version is older and current still does not include the fixed ostree, will not cleanup the rollback, not sure if this makes sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you see if this works: #3237 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the patch in #3237 (comment), failed but not related the code, seems the next-devel latest is 41.20241027.10.0
, maybe should use testing-devel
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes! sorry. we disalbed next-devel
earlier this week and I guess it didn't have the new OSTree RPM yet. Can you try with testing-devel
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, tried testing-devel
, no lucky.
I think it is because when doing upgrade based on older version (with unfixed ostree), which will make the two deployments both with wrong label, and cleanup the rollback only remove the previous deployment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ahh. I see, yes. in that case dropping the rollback deployment doesn't really give us anything.
what we can do is still apply the exceptions but only in case that it's needed. something like:
diff --git a/tests/kola/upgrade/extended/test.sh b/tests/kola/upgrade/extended/test.sh
index 0e069e5a..39bc3278 100755
--- a/tests/kola/upgrade/extended/test.sh
+++ b/tests/kola/upgrade/extended/test.sh
@@ -162,10 +162,34 @@ wait-for-coreos-fix-selinux-labels() {
echo "Waited for coreos-fix-selinux-labels.service to finish"
}
+# Check if the rollback deployment has the dtb copy fix, which
+# means that the dtb files should have the correct SELinux labels.
+# https://github.com/coreos/fedora-coreos-tracker/issues/1808
+#
+# NOTE: we can drop this once the newest barrier release for all
+# streams is newer than 41.20241028.x.x.
+has_dtb_cp_fix() {
+ # The dtb copy issue was only ever an issue ever on aarch64
+ [ "$(arch)" != 'aarch64' ] && return 0
+ # We have the dtb copy fix if the rollback deployment is newer than
+ # when the fixed ostree was included. It should be fixed in the
+ # next round of releases after 41.20241028. Note 41.20241028.0.0
+ # is not a real build and uses `0` for the stream identifier, but
+ # should sort accordingly.
+ previous=$(rpm-ostree status --json | jq -r '.deployments[] | select(.booted == false).version')
+ if ! vergt $previous '41.20241028.0.0'; then
+ return 0
+ else
+ return 1
+ fi
+}
+
selinux-sanity-check() {
# First make sure the migrations/fix script has finished if this is the boot
# where the fixes are taking place.
wait-for-coreos-fix-selinux-labels
+ # Check to see if we have the dtb copy fix
+ has_dtb_cp_fix || add_dtb_exception='true'$
# Verify SELinux labels are sane. Migration scripts should have cleaned
# up https://github.com/coreos/fedora-coreos-tracker/issues/1772
unlabeled="$(find /sysroot -context '*unlabeled_t*' -print0 | xargs --null -I{} ls -ldZ '{}')"
@@ -207,7 +231,9 @@ selinux-sanity-check() {
# https://github.com/coreos/fedora-coreos-tracker/issues/1806
[[ "${path}" =~ /etc/selinux/targeted/active/ ]] && continue
# https://github.com/coreos/fedora-coreos-tracker/issues/1808
- [[ "${path}" =~ /boot/ostree/.*/dtb ]] && continue
+ if [ "${add_dtb_exception}" == 'true' ]; then
+ [[ "${path}" =~ /boot/ostree/.*/dtb ]] && continue
+ fi
if [[ "${exceptions[$path]:-noexception}" == 'noexception' ]]; then
echo "Unexpected mislabeled file found: ${path}"
found="1"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If update to following, test is passed.
+ if ! vergt $previous '41.20241028.0.0'; then
+ return 1
+ else
+ return 0
+ fi
Sorry I misunderstood this, if booting os with unfixed ostree, then upgrade, then dtb files in both deployments will have the wrong labels. If in this case we get the fixed ostree, if do another upgrade, the old deployment will keep the wrong label, not sure if we have such upgrade test, for example upgrade A -> B -> C. |
710456c
to
e573d80
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
|
Fixes coreos/fedora-coreos-tracker#1808