Closed cgwalters closed 7 years ago
Also, the Docker approach would give us uid 0 in a container, which would allow us to write much more interesting tests that more fully exercise the "running as uid 0" parts of ostree/yum while still providing system saftey. Unfortunately, these tests couldn't be run in Brew, but that'd be OK, there are other systems that could support running them.
Yeh, on the yum side we have unit tests for the internal stuff which runs at %check time. But we just rely on developer testing, mock/etc. and shipping it in rawhide for external testing. QA has some infrastructure that allows them to easily create test packages and repos., and they use that to create small test cases with real data (I think the infrastructure code is public, but it'd still be annoying to create 100+ packages I think).
Not sure if you know about: http://fakeroot.alioth.debian.org/ ... but that is in Fedora.
neither fakeroot or yocto's pseudo project are able to emulate all that is needed by "rpm-ostree compose tree".
I've started working on an LD_PRELOAD library that should shadow all the calls that require root from rpm-ostree, it doesn't seem like a trivial task, there are many cases that must be handled. I am not yet convinced that this is the correct way though, it seems very fragile.
pesudo is fairly actively maintained at least. What system calls failed? If it's some of the container bits, we could just turn that off (though obviously, the more we do this, the less we're testing the real system).
Options I see:
sudo make rootcheck
This is like https://wiki.gnome.org/Initiatives/GnomeGoals/InstalledTests but as root. We have to do a sudo make install
over the running system, but there's a test suite that operates using the installed binaries, but doesn't break the host. This is similar to what https://github.com/projectatomic/atomic/blob/master/test.sh is doing.
A variant of the above where we do make rpm
using a local spec file, then inject it into a Docker (or other) container. Or just make install DESTDIR=
, then copy that over into a container. There are a lot of advantages to this - e.g. we could support testing a rawhide build from a RHEL7 host, etc.
Like the above, but with VMs. This is what Cockpit (and other projects I'm sure) do: https://github.com/cockpit-project/cockpit/blob/332c0e4813a541304014603c87cb1e394a3fe307/test/testvm.py#L127
Where the VM approach would be useful for us is that ostree obviously wants to change the kernel configuration. However, this type of testing I think just doesn't fit very well into the make check
model. It's best to have it live externally IMO, and make check
remains unprivileged unit tests.
For example pseudo misses emulation unshare.
I've continued adding wrappers of libc functions, until I realized I was ending up with a clone of pseudo. So I reverted to using pseudo and add a new library for the missing pieces, it is much less code to maintain now:
https://github.com/giuseppe/rpm-ostree/tree/giuseppe/test-compose
TODO:
1) Move the emulation of unshare
to pseudo.
2) Properly support execle
in pseudo, so we can test the post-process phase as well. It seems that it doesn't honor a chroot.
3) RPM-ostree calls directly the clone
syscall unless mount
fails with EINVAL. This probably should be still done, or we need to wrap it in a way to allow us to emulate it through LD_PRELOAD.
I think we could skip emulation of some of the container syscalls safely enough. Emulating clone
is a bit trickier...maybe we could just degrade it to fork
without any container features?
Can we depend on pseudo
as a package at some point instead of a submodule? A submodule is ok for now though.
IMHO, it is safer if the version used in the tests is more loose than the version used by rpm-ostree and we keep using clone
and emulate it as best as we can as the "make check" version of compose is not much more than a smoke test. I plan to remove the hack in the fork
wrapper once the exec* wrappers in pseudo honors the chroot settings (I have a patch here) and thus we will be able to run depmod and dracut within the rootfs and do the no-op there instead of the fork
wrapper itself.
after thinking more about it, I think such a complex test as running a compose should rather be done using an installed tests and run as root. We should introduce "make check tests" only for unit testing as we do with ostree. What do you think?
I pushed some other commits to:
https://github.com/giuseppe/rpm-ostree/tree/giuseppe/test-compose
I reverted the usage of pseudo, as it looks too fragile environment for any serious testing.
I've moved the compose test under installed tests, and expect they are executed as root user. There is one warning coming from glibc inotify implementation that makes tests fail on Fedora 21/22, this could be fixed by changing the G_DEBUG
setting in libtest.sh
(or overloading it in the compose tests) but since the tests run without issues on Rawhide, I left it unchanged.
Root installed tests sound OK to me...it hasn't been defined in the spec, but that doesn't block us from doing it =) Maybe something like Type=headless-root
or something?
Nothing blocks us though from doing the sudo make rootcheck
option, right? That might be easier than root-installed tests.
Yes, that can be done as well. Would you drop installed tests completely or provide both functionalities?
it doesn't look like the test repository will work smoothly in the same way from installed tests and when we run tests locally with make check
.
Do you think it makes sense to take rid of the installed tests completely and rewrite the tests to be run only locally and maintain only one version?
I will add a check to check if the tests requiring root permissions run with UID=0 or skip them otherwise.
I've sent a pull request for the compose test. I think we can make the cleanup later, in case we decide to drop installed tests and use only make check (and we should probably make this uniformly with ostree)
This was done.
Ideally, we would have something for "make check"/InstalledTests that runs though a basic tree compose. I was a bit surprised to see that at least yum doesn't appear to have any test repo metadata or packages.
librepo does: https://github.com/Tojaj/librepo/tree/master/tests/test_data and it also has tests that use it. A technical reason this is nice for librepo is that it can run as non-root.
But unfortunately 'compose tree' would bomb out with yum if we're running "make check" as non-root (as we're constrained to do by RPM %check in a Koji/Brew environment).
Ideas:
sudo make sudo-check
that uses containers (Docker?) Basically the Docker container wouldyum install rpm-ostree
, thensudo make install DESTDIR=/tmp/tmpdir.XXXX/ && tar cf /tmp/tmpdir.XXXX
, then unpack that tarball into a Docker container. (Or we just make a local RPM, and install that)