Commit a177543

committed
kola: Add AVC checks for cl.update tests
These start off with an old version of Flatcar and get updated to a new one.
1 parent 2978a06 commit a177543

1 file changed

+47
-0
lines changed

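--- a/kola/tests/update/update.go
+++ b/kola/tests/update/update.go
@@ -53,6 +53,11 @@ func init() {
 // (see scripts/ci-automation/vendor-testing/qemu_update.sh)
 return kola.UpdatePayloadFile == ""
 },
+// Skip AVC checks, we will do our own only on the
+// last boot logs, as the older logs may come from an
+// old version of Flatcar that still has some AVC
+// messages.
+Flags: []register.Flag{register.NoSELinuxAVCChecks},
 })
 register.Register(&register.Test{
 Name: "cl.update.docker-btrfs-compat",
@@ -71,6 +76,11 @@ func init() {
 SkipFunc: func(version semver.Version, channel, arch, platform string) bool {
 return kola.UpdatePayloadFile == ""
 },
+// Skip AVC checks, we will do our own only on the
+// last boot logs, as the older logs may come from an
+// old version of Flatcar that still has some AVC
+// messages.
+Flags: []register.Flag{register.NoSELinuxAVCChecks},
 Distros: []string{"cl"},
 })
 register.Register(&register.Test{
@@ -118,6 +128,11 @@ systemd:
 - name: chronyd.service
 mask: true
 `),
+// Skip AVC checks, we will do our own only on the
+// last boot logs, as the older logs may come from an
+// old version of Flatcar that still has some AVC
+// messages.
+Flags: []register.Flag{register.NoSELinuxAVCChecks},
 })
 register.Register(&register.Test{
 Name: "cl.sysext.boot.old",
@@ -164,6 +179,32 @@ func Serve() error {
 return omahawrapper.Serve()
 }
 
+func checkNoAVCMessages(c cluster.TestCluster, m platform.Machine) {
+version := c.MustSSH(m, `set -euo pipefail; grep -m 1 "^VERSION=" /usr/lib/os-release | cut -d = -f 2`)
+if len(version) == 0 {
+c.Fatalf("got an empty version from os-release")
+}
+
+sv, err := semver.NewVersion(string(version))
+if err != nil {
+c.Fatalf("failed to parse os-release version: %v", err)
+}
+
+if sv.LessThan(semver.Version{Major: kola.AVCChecksMajorVersion}) {
+// skip AVC checks altogether - too old Flatcar version
+return
+}
+
+// end with "true" to return 0 in case grep selects no lines and returns 1
+out, err := c.SSH(m, `journalctl -b | grep -ie 'avc:[[:space:]]*denied'; true`)
+if err != nil {
+c.Fatalf("failed to get AVC messages from last boot in journal from machine %s: %v", m.ID(), err)
+}
+if len(out) > 0 {
+c.Fatalf("found AVC messages in last boot logs on machine %s", m.ID())
+}
+}
+
 func payloadPrepareMachine(conf *conf.UserData, c cluster.TestCluster) (string, platform.Machine) {
 addr := configureOmahaServer(c, c.Machines()[0])
 
@@ -205,6 +246,7 @@ func payloadPerformUpdate(addr string, m platform.Machine, c cluster.TestCluster
 func payload(c cluster.TestCluster) {
 addr, m := payloadPrepareMachine(nil, c)
 payloadPerformUpdate(addr, m, c)
+checkNoAVCMessages(c, m)
 }
 
 func btrfs_compat(c cluster.TestCluster) {
@@ -252,6 +294,7 @@ systemd:
 
 c.MustSSH(m, `docker image ls | grep alpine || { echo "ERROR: Container image 'alpine' disappeared after update"; docker image ls; exit 1; } `)
 c.MustSSH(m, `docker ps --all | grep docker_btrfs_driver_test || { echo "ERROR: Container 'docker_btrfs_driver_test' disappeared after update"; docker ps --all; exit 1; } `)
+checkNoAVCMessages(c, m)
 }
 
 func configureOmahaServer(c cluster.TestCluster, srv platform.Machine) string {
@@ -391,6 +434,9 @@ func oemPayload(c cluster.TestCluster) {
 arch := strings.SplitN(kola.QEMUOptions.Board, "-", 2)[0]
 _ = c.MustSSH(m, `curl -fsSLO --retry-delay 1 --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 https://bincache.flatcar-linux.net/images/`+arch+`/`+version+`/flatcar_test_update-oem-azure.gz`)
 _ = c.MustSSH(m, `sudo flatcar-update --to-version `+version+` --to-payload /updates/update.gz --extension ./flatcar_test_update-oem-azure.gz --disable-afterwards --force-dev-key`)
+
+checkNoAVCMessages(c, m)
+
 c.Logf("Rebooting test machine after flatcar-update run (2nd reboot)")
 if err := m.Reboot(); err != nil {
 c.Fatalf("reboot failed: %v", err)
@@ -400,6 +446,7 @@ func oemPayload(c cluster.TestCluster) {
 _ = c.MustSSH(m, `test ! -e /oem/python/shouldbedeleted && test ! -e /etc/systemd/system/waagent.service`)
 _ = c.MustSSH(m, `test -e /oem/sysext/active-oem-azure`)
 _ = c.MustSSH(m, `systemd-sysext status --json=pretty | jq --raw-output '.[] | select(.hierarchy == "/usr") | .extensions[]' | grep -q oem-azure`)
+checkNoAVCMessages(c, m)
 }
 
 func sysextBootLogicOld(c cluster.TestCluster) {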
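Review bot: The new checkNoAVCMessages helper fails open, because its journal query `journalctl -b | grep -ie 'avc:[[:space:]]*denied'; true` ends in `; true` and runs without pipefail, so a journalctl failure or a grep error produces empty output and is reported the same as "no AVC denials". Tolerate only grep's no-match status instead, for example `set -o pipefail; journalctl -b | { grep -ie 'avc:[[:space:]]*denied' || [ "$?" -eq 1 ]; }`, and reword the comment above the call to match. Whether the SSH user can read kernel audit records from the system journal is not visible in this diff; if it cannot, the check would also pass vacuously, so that is worth confirming. The final failure should also print the matched lines so a denial can be triaged from the test log: `c.Fatalf("found AVC messages in last boot logs on machine %s:\n%s", m.ID(), out)`.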
