Merge ~anonymouse67/review-tools:feature/lzo-test-part-2 into review-tools:master

Proposed by Ian Johnson
Status: Merged
Merged at revision: bf5af1523faa610414c7e4bc87c002f3ef0b10ae
Proposed branch: ~anonymouse67/review-tools:feature/lzo-test-part-2
Merge into: review-tools:master
Diff against target: 230 lines (+212/-1)
2 files modified
tests/manual-lzo-part2.sh (+211/-0)
tests/manual-lzo.sh (+1/-1)
Reviewer: Jamie Strandboge (community), Status: Approve
Review via email: mp+388512@code.launchpad.net

Description of the change

This script shares a large part of the loop with manual-lzo.sh, and its purpose
is to verify that lzo squash'd snaps from that script are properly validated
when the store checks run in the cloud.

Note I have not finished a test run of this, but it started successfully and is currently progressing, with about 5/26 snaps done so far. I will leave a comment here when that test run is done.

Ian Johnson (anonymouse67) wrote :

The script finished successfully on armhf bionic snaps. I will update the spreadsheet to indicate that testcase passed.

Jamie Strandboge (jdstrand) wrote :

It would be nice to share some code between the two, but these are test scripts that have been run by many and I'd prefer to not make changes at this time. If we need to do this for another algorithm, we can perhaps look at updating these.

LGTM, thanks!

review: Approve

Preview Diff

1diff --git a/tests/manual-lzo-part2.sh b/tests/manual-lzo-part2.sh
2new file mode 100755
3index 0000000..edd8237
4--- /dev/null
5+++ b/tests/manual-lzo-part2.sh
6@@ -0,0 +1,211 @@
7+#!/bin/bash
8+
9+#
10+# Author: Ian Johnson <ian.johnson@canonical.com>
11+# Copyright (C) 2020 Canonical Ltd.
12+#
13+# This script is distributed under the terms and conditions of the GNU General
14+# Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html
15+# for details.
16+#
17+# Notes:
18+# * to prevent snap refreshes during runs, especially for lxd which happens a
19+# lot, use:
20+# $ sudo snap set system refresh.hold="$(date --date="7 days" +%Y-%m-%dT%H:%M:%S%:z)"
21+# * The primary goal of this matrix is to capture different versions of
22+# squashfs-tools, across a range of architectures. It's not imperative that
23+# we get all possible values filled out, as it shouldn't be the case that
24+# other distros have weird patches on top of squashfs-tools that are also
25+# arch specific, so i.e. as long as we get a single debian run and a single
26+# arm64 run that should imply that debian with arm64 is likely ok
27+#
28+
29+set -ex
30+
31+# get the directory of this script
32+# snippet from https://stackoverflow.com/a/246128/10102404
33+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
34+
35+if [ "$#" != 1 ]; then
36+ echo "usage: ./manual-lzo-part2.sh <tarball>"
37+ exit 1
38+fi
39+
40+TARBALL="$1"
41+
42+# TODO: share common snippets of this script with manual-lzo.sh ?
43+function is_core_snap {
44+ if [ "$1" = "core" ] || [ "$1" = "core18" ] || [ "$1" = "core20" ] ; then
45+ return 0
46+ else
47+ return 1
48+ fi
49+}
50+
51+# step 0. ensure pre-reqs are available
52+# * snap is to download the snap
53+# * lxc is to create a xenial/bionic container to check the re-packed snap for
54+# deterministic repacking - the review-tools used in there does NOT is not
55+# kernel specific, so it's fine to use a container for this purpose
56+# * jq is for checking the output of review-tools for the specific test
57+# we care about
58+# * curl is to download the review-tools tarball to avoid git pulling it
59+
60+for cmd in snap lxc jq curl; do
61+ if ! command -v $cmd >/dev/null; then
62+ echo "$cmd is not installed, please install and run again"
63+ if [ "$cmd" = "lxc" ]; then
64+ echo "also initialize lxd with \`sudo lxd init\`, and do not use zfs storage backend as it is currently buggy with mksquashfs/unsquashfs"
65+ fi
66+ exit 1
67+ fi
68+done
69+
70+# we need a recent enough jq otherwise older ones, i.e. 1.3 from trusty archive
71+# will fail with an error like
72+# error: syntax error, unexpected QQSTRING_START, expecting $end
73+# . | ."snap.v2_security"."info"."security-snap-v2:squashfs_repack_checksum"."text"
74+# ^
75+# 1 compile error
76+
77+if [ "$(jq --help 2>&1| grep version | grep -Po 'version 1\.\K[0-9]')" -le "4" ]; then
78+ echo "jq version too old, please upgrade to at least 1.5"
79+ echo "hint: the snap is currently at 1.5, snap install jq"
80+ exit 1
81+fi
82+
83+# on some distros, i.e. debian sudo does not have /snap/bin on path
84+LXC=$(command -v lxc)
85+
86+# ensure that lxd is setup to not use zfs storage dir, as that is buggy
87+if sudo "$LXC" info | grep -q "storage: zfs"; then
88+ echo "zfs storage dir for lxd is not supported due to a bug, please use storage: dir"
89+ exit 1
90+fi
91+
92+function cleanup {
93+ echo "signalled unexpectedly, triggering cleanup..."
94+ set +x
95+ set +e
96+ trap - EXIT SIGINT SIGTERM
97+ for series in 16 18 20; do
98+ cont_name="review-tools-$series-04-checker"
99+ if sudo "$LXC" list --fast | grep -q "${cont_name}"; then
100+ sudo "$LXC" delete "${cont_name}" --force || true
101+ fi
102+ done
103+
104+ exit 1
105+}
106+trap cleanup EXIT SIGINT SIGTERM
107+
108+pushd "$SCRIPT_DIR"
109+
110+# download the review-tools tarball so we don't pull it every time
111+# TODO: it would be nice if github supported -C- to resume/not have to re-download
112+# this every time automatically with curl
113+curl -L -o review-tools.tgz https://github.com/anonymouse64/review-tools/archive/lzo-test-2.tar.gz
114+
115+# start the containers up front to share the same containers across all snaps
116+# this saves us networking time and ensures we
117+for series in 16 18 20; do
118+ cont_name="review-tools-$series-04-checker"
119+
120+ sudo "$LXC" launch "ubuntu:$series.04" "${cont_name}"
121+
122+ # wait for networking to work before pushing any files to the container
123+ sudo "$LXC" exec "${cont_name}" -- /bin/bash -c 'until nslookup -timeout=1 archive.ubuntu.com; do sleep 0.1; done'
124+
125+ sudo "$LXC" file push review-tools.tgz "${cont_name}/root/review-tools.tgz"
126+
127+ sudo "$LXC" exec "${cont_name}" -- apt update
128+ sudo "$LXC" exec "${cont_name}" -- apt upgrade -y
129+
130+ # dependencies for review-tools as per the snapcraft.yaml
131+ sudo "$LXC" exec "${cont_name}" -- apt install -y binutils fakeroot file libdb5.3 libmagic1 python3-magic python3-requests python3-simplejson python3-yaml squashfs-tools
132+ sudo "$LXC" exec "${cont_name}" -- apt clean
133+
134+ sudo "$LXC" exec "${cont_name}" -- mkdir /root/review-tools
135+ sudo "$LXC" exec "${cont_name}" -- tar -C /root/review-tools --strip-components=1 -xf /root/review-tools.tgz
136+done
137+
138+# get the full list of snaps from the tarball
139+# see shellcheck 2207 for why this mapfile, etc.
140+# note this only works on bash 4.x+ however
141+mapfile -t all_snaps < <(tar --wildcards -tf "$TARBALL" '*.snap' | grep -Po '(.+)(?=_lzo.snap)')
142+
143+for sn in "${all_snaps[@]}" ; do
144+ # first extract the snap file from the tarball, we do this one at a time to
145+ # optimize total disk space usage during the test
146+ tar -xf "$TARBALL" "${sn}_lzo.snap"
147+
148+ sudo echo "useless sudo to stay authenticated against sudo during loops..." > /dev/null
149+
150+ # step 4. run the review-tools inside the various ubuntu lxc containers to
151+ # check that the snap is unsquashed and resquashed to the same blob
152+ for series in 16 18 20; do
153+ cont_name="review-tools-$series-04-checker"
154+
155+ sudo "$LXC" file push "${sn}_lzo.snap" "${cont_name}/root/${sn}_lzo.snap"
156+
157+ # the core* base snaps are not properly checked within the lxd container
158+ # by the review-tools because they have files like /dev/* that are not
159+ # properly preserved when unpacked and repacked inside the lxd container
160+ # because lxd does not allow mknod, etc.
161+ # as such, the check for the base snaps is somewhat artifical, but we
162+ # still expect a specific message from the review-tools to ensure that
163+ # something else didn't fail
164+ # note that root owned files and setuid files are ok here (i.e. from the
165+ # chromium and snapd snaps), because we created the squashfs files above
166+ # as root for snaps that have setuid, and when unpacking within the lxd
167+ # container the files are ok to be created setuid, owned as root, etc.
168+ if is_core_snap "$sn"; then
169+ expected="OK (check not enforced for base and os snaps)"
170+ else
171+ expected="OK"
172+ fi
173+
174+ # use SNAP_ENFORCE_RESQUASHFS_COMP=0 to ensure that we don't fail on
175+ # snaps that haven't been given permission to upload with lzo compression
176+ # also use --json so that we can check specifically the result of the
177+ # squashfs_repack_checksum test, as some snaps like chromium have been
178+ # granted permission to use interfaces that normally trigger a review,
179+ # but we don't have that state available to us about the interfaces and
180+ # we don't really care about that the interface usage anyways
181+ repack_check=$(
182+ sudo "$LXC" exec \
183+ --cwd /root/review-tools \
184+ --env SNAP_ENFORCE_RESQUASHFS_COMP=0 \
185+ --env SNAP_DEBUG_RESQUASHFS=1 \
186+ --env PYTHONPATH=/root/review-tools \
187+ "${cont_name}" -- \
188+ /root/review-tools/bin/snap-review --json "/root/${sn}_lzo.snap" || true
189+ )
190+
191+ if [ "$(echo "$repack_check" | jq -r '."snap.v2_security".info."security-snap-v2:squashfs_repack_checksum".text')" != "$expected" ]; then
192+ echo ">>> TEST FAIL <<< snap $sn lzo compressed failed review-tools check for squashfs_repack_checksum in lxd $series.04 container"
193+ exit 1
194+ fi
195+
196+ # We're done with the lzo in the container
197+ sudo "$LXC" exec "${cont_name}" -- rm -f "/root/${sn}_lzo.snap"
198+
199+ sudo echo "useless sudo to keep authenticated against sudo during loops..." > /dev/null
200+ done
201+
202+ rm "${sn}_lzo.snap"
203+done
204+
205+for series in 16 18 20; do
206+ cont_name="review-tools-$series-04-checker"
207+
208+ sudo "$LXC" stop "${cont_name}" --force
209+ sudo "$LXC" delete "${cont_name}" --force
210+done
211+
212+popd
213+
214+echo "test done, results in $TARBALL"
215+
216+# reset the cleanup so we don't unnecessarily run it and exit with non-zero status
217+trap - EXIT SIGINT SIGTERM
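Review bot: the review-tools under test are fetched from a mutable branch tarball (`curl -L -o review-tools.tgz https://github.com/anonymouse64/review-tools/archive/lzo-test-2.tar.gz`) and then unpacked and run as root inside every container, so a run's result depends on whatever that branch points to at the moment and cannot be reproduced later; pin the download to the commit under test (an `archive/<commit>.tar.gz` URL) and compare its sha256 against a value recorded in the script before pushing it into the containers. Smaller points in the same hunk: the comment "this saves us networking time and ensures we" above the container launch loop is cut off mid-sentence; "the review-tools used in there does NOT is not kernel specific" in the pre-reqs comment carries over the garble from manual-lzo.sh; and the jq version check (`grep -Po 'version 1\.\K[0-9]'` compared with `-le "4"`) matches only one digit and, when nothing matches, makes `[` fail with a non-integer error that the `if` treats as false, so an unexpected `jq --help` format silently passes the check rather than stopping the script.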
218diff --git a/tests/manual-lzo.sh b/tests/manual-lzo.sh
219index b21ced2..8735c2e 100755
220--- a/tests/manual-lzo.sh
221+++ b/tests/manual-lzo.sh
222@@ -107,7 +107,7 @@ function is_core_snap {
223
224 # step 0. ensure pre-reqs are available
225 # * snap is to download the snap
226-# * unsquahfs is to unpack the snap
227+# * unsquashfs is to unpack the snap
228 # * mksquashfs is to re-pack the snap
229 # * lxc is to create a xenial/bionic container to check the re-packed snap for
230 # deterministic repacking - the review-tools used in there does NOT is not
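Review bot: the trailing context line "the review-tools used in there does NOT is not kernel specific" in the same comment block is still garbled (either "does NOT" or "is not" should go); since this change already edits that comment, fixing it here would be cheap, and the same wording is copied verbatim into the new tests/manual-lzo-part2.sh.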
