Merge ~anonymouse67/review-tools:feature/lzo-test-part-2 into review-tools:master

Proposed by Ian Johnson
Status: Merged
Merged at revision: bf5af1523faa610414c7e4bc87c002f3ef0b10ae
Proposed branch: ~anonymouse67/review-tools:feature/lzo-test-part-2
Merge into: review-tools:master
Diff against target: 230 lines (+212/-1)
2 files modified
tests/manual-lzo-part2.sh (+211/-0)
tests/manual-lzo.sh (+1/-1)
Reviewer: Jamie Strandboge (community), Status: Approve
Review via email: mp+388512@code.launchpad.net

Description of the change

This script shares a large part of the loop with manual-lzo.sh, and its purpose
is to verify that lzo squash'd snaps from that script are properly validated
when the store checks run in the cloud.

Note I have not finished a test run of this, but it started successfully and is currently progressing, about 5/26 snaps done so far. I will leave a comment here when that test run is done.

Ian Johnson (anonymouse67) wrote :

The script finished successfully on armhf bionic snaps. I will update the spreadsheet to indicate that testcase passed.

Jamie Strandboge (jdstrand) wrote :

It would be nice to share some code between the two, but these are test scripts that have been run by many and I'd prefer to not make changes at this time. If we need to do this for another algorithm, we can perhaps look at updating these.

LGTM, thanks!

review: Approve

Preview Diff

diff --git a/tests/manual-lzo-part2.sh b/tests/manual-lzo-part2.sh
new file mode 100755
index 0000000..edd8237
--- /dev/null
+++ b/tests/manual-lzo-part2.sh
@@ -0,0 +1,211 @@
1#!/bin/bash
2
3#
4# Author: Ian Johnson <ian.johnson@canonical.com>
5# Copyright (C) 2020 Canonical Ltd.
6#
7# This script is distributed under the terms and conditions of the GNU General
8# Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html
9# for details.
10#
11# Notes:
12# * to prevent snap refreshes during runs, especially for lxd which happens a
13# lot, use:
14# $ sudo snap set system refresh.hold="$(date --date="7 days" +%Y-%m-%dT%H:%M:%S%:z)"
15# * The primary goal of this matrix is to capture different versions of
16# squashfs-tools, across a range of architectures. It's not imperative that
17# we get all possible values filled out, as it shouldn't be the case that
18# other distros have weird patches on top of squashfs-tools that are also
19# arch specific, so i.e. as long as we get a single debian run and a single
20# arm64 run that should imply that debian with arm64 is likely ok
21#
22
23set -ex
24
25# get the directory of this script
26# snippet from https://stackoverflow.com/a/246128/10102404
27SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
28
29if [ "$#" != 1 ]; then
30 echo "usage: ./manual-lzo-part2.sh <tarball>"
31 exit 1
32fi
33
34TARBALL="$1"
35
36# TODO: share common snippets of this script with manual-lzo.sh ?
37function is_core_snap {
38 if [ "$1" = "core" ] || [ "$1" = "core18" ] || [ "$1" = "core20" ] ; then
39 return 0
40 else
41 return 1
42 fi
43}
44
45# step 0. ensure pre-reqs are available
46# * snap is to download the snap
47# * lxc is to create a xenial/bionic container to check the re-packed snap for
48# deterministic repacking - the review-tools used in there does NOT is not
49# kernel specific, so it's fine to use a container for this purpose
50# * jq is for checking the output of review-tools for the specific test
51# we care about
52# * curl is to download the review-tools tarball to avoid git pulling it
53
54for cmd in snap lxc jq curl; do
55 if ! command -v $cmd >/dev/null; then
56 echo "$cmd is not installed, please install and run again"
57 if [ "$cmd" = "lxc" ]; then
58 echo "also initialize lxd with \`sudo lxd init\`, and do not use zfs storage backend as it is currently buggy with mksquashfs/unsquashfs"
59 fi
60 exit 1
61 fi
62done
63
64# we need a recent enough jq otherwise older ones, i.e. 1.3 from trusty archive
65# will fail with an error like
66# error: syntax error, unexpected QQSTRING_START, expecting $end
67# . | ."snap.v2_security"."info"."security-snap-v2:squashfs_repack_checksum"."text"
68# ^
69# 1 compile error
70
71if [ "$(jq --help 2>&1| grep version | grep -Po 'version 1\.\K[0-9]')" -le "4" ]; then
72 echo "jq version too old, please upgrade to at least 1.5"
73 echo "hint: the snap is currently at 1.5, snap install jq"
74 exit 1
75fi
76
77# on some distros, i.e. debian sudo does not have /snap/bin on path
78LXC=$(command -v lxc)
79
80# ensure that lxd is setup to not use zfs storage dir, as that is buggy
81if sudo "$LXC" info | grep -q "storage: zfs"; then
82 echo "zfs storage dir for lxd is not supported due to a bug, please use storage: dir"
83 exit 1
84fi
85
86function cleanup {
87 echo "signalled unexpectedly, triggering cleanup..."
88 set +x
89 set +e
90 trap - EXIT SIGINT SIGTERM
91 for series in 16 18 20; do
92 cont_name="review-tools-$series-04-checker"
93 if sudo "$LXC" list --fast | grep -q "${cont_name}"; then
94 sudo "$LXC" delete "${cont_name}" --force || true
95 fi
96 done
97
98 exit 1
99}
100trap cleanup EXIT SIGINT SIGTERM
101
102pushd "$SCRIPT_DIR"
103
104# download the review-tools tarball so we don't pull it every time
105# TODO: it would be nice if github supported -C- to resume/not have to re-download
106# this every time automatically with curl
107curl -L -o review-tools.tgz https://github.com/anonymouse64/review-tools/archive/lzo-test-2.tar.gz
108
109# start the containers up front to share the same containers across all snaps
110# this saves us networking time and ensures we
111for series in 16 18 20; do
112 cont_name="review-tools-$series-04-checker"
113
114 sudo "$LXC" launch "ubuntu:$series.04" "${cont_name}"
115
116 # wait for networking to work before pushing any files to the container
117 sudo "$LXC" exec "${cont_name}" -- /bin/bash -c 'until nslookup -timeout=1 archive.ubuntu.com; do sleep 0.1; done'
118
119 sudo "$LXC" file push review-tools.tgz "${cont_name}/root/review-tools.tgz"
120
121 sudo "$LXC" exec "${cont_name}" -- apt update
122 sudo "$LXC" exec "${cont_name}" -- apt upgrade -y
123
124 # dependencies for review-tools as per the snapcraft.yaml
125 sudo "$LXC" exec "${cont_name}" -- apt install -y binutils fakeroot file libdb5.3 libmagic1 python3-magic python3-requests python3-simplejson python3-yaml squashfs-tools
126 sudo "$LXC" exec "${cont_name}" -- apt clean
127
128 sudo "$LXC" exec "${cont_name}" -- mkdir /root/review-tools
129 sudo "$LXC" exec "${cont_name}" -- tar -C /root/review-tools --strip-components=1 -xf /root/review-tools.tgz
130done
131
132# get the full list of snaps from the tarball
133# see shellcheck 2207 for why this mapfile, etc.
134# note this only works on bash 4.x+ however
135mapfile -t all_snaps < <(tar --wildcards -tf "$TARBALL" '*.snap' | grep -Po '(.+)(?=_lzo.snap)')
136
137for sn in "${all_snaps[@]}" ; do
138 # first extract the snap file from the tarball, we do this one at a time to
139 # optimize total disk space usage during the test
140 tar -xf "$TARBALL" "${sn}_lzo.snap"
141
142 sudo echo "useless sudo to stay authenticated against sudo during loops..." > /dev/null
143
144 # step 4. run the review-tools inside the various ubuntu lxc containers to
145 # check that the snap is unsquashed and resquashed to the same blob
146 for series in 16 18 20; do
147 cont_name="review-tools-$series-04-checker"
148
149 sudo "$LXC" file push "${sn}_lzo.snap" "${cont_name}/root/${sn}_lzo.snap"
150
151 # the core* base snaps are not properly checked within the lxd container
152 # by the review-tools because they have files like /dev/* that are not
153 # properly preserved when unpacked and repacked inside the lxd container
154 # because lxd does not allow mknod, etc.
155 # as such, the check for the base snaps is somewhat artifical, but we
156 # still expect a specific message from the review-tools to ensure that
157 # something else didn't fail
158 # note that root owned files and setuid files are ok here (i.e. from the
159 # chromium and snapd snaps), because we created the squashfs files above
160 # as root for snaps that have setuid, and when unpacking within the lxd
161 # container the files are ok to be created setuid, owned as root, etc.
162 if is_core_snap "$sn"; then
163 expected="OK (check not enforced for base and os snaps)"
164 else
165 expected="OK"
166 fi
167
168 # use SNAP_ENFORCE_RESQUASHFS_COMP=0 to ensure that we don't fail on
169 # snaps that haven't been given permission to upload with lzo compression
170 # also use --json so that we can check specifically the result of the
171 # squashfs_repack_checksum test, as some snaps like chromium have been
172 # granted permission to use interfaces that normally trigger a review,
173 # but we don't have that state available to us about the interfaces and
174 # we don't really care about that the interface usage anyways
175 repack_check=$(
176 sudo "$LXC" exec \
177 --cwd /root/review-tools \
178 --env SNAP_ENFORCE_RESQUASHFS_COMP=0 \
179 --env SNAP_DEBUG_RESQUASHFS=1 \
180 --env PYTHONPATH=/root/review-tools \
181 "${cont_name}" -- \
182 /root/review-tools/bin/snap-review --json "/root/${sn}_lzo.snap" || true
183 )
184
185 if [ "$(echo "$repack_check" | jq -r '."snap.v2_security".info."security-snap-v2:squashfs_repack_checksum".text')" != "$expected" ]; then
186 echo ">>> TEST FAIL <<< snap $sn lzo compressed failed review-tools check for squashfs_repack_checksum in lxd $series.04 container"
187 exit 1
188 fi
189
190 # We're done with the lzo in the container
191 sudo "$LXC" exec "${cont_name}" -- rm -f "/root/${sn}_lzo.snap"
192
193 sudo echo "useless sudo to keep authenticated against sudo during loops..." > /dev/null
194 done
195
196 rm "${sn}_lzo.snap"
197done
198
199for series in 16 18 20; do
200 cont_name="review-tools-$series-04-checker"
201
202 sudo "$LXC" stop "${cont_name}" --force
203 sudo "$LXC" delete "${cont_name}" --force
204done
205
206popd
207
208echo "test done, results in $TARBALL"
209
210# reset the cleanup so we don't unnecessarily run it and exit with non-zero status
211trap - EXIT SIGINT SIGTERM
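Review bot: the jq version check at line 71 is fragile: `grep -Po 'version 1\.\K[0-9]'` captures only a single digit of the minor version, so a future 1.10+ release would be read as "1" and rejected as too old, and if the grep matches nothing (e.g. a jq build whose --help output does not contain that string) the empty result makes `[ "" -le "4" ]` abort under `set -e` with an integer-expression error instead of printing the intended hint; `jq --version | sed 's/^jq-//'` compared via `sort -V`, or at least a guard for the empty case, would be more robust. Two smaller points: the comment at line 110 ("this saves us networking time and ensures we") is cut off mid-sentence, and the curl at line 107 fetches a moving branch archive (`lzo-test-2.tar.gz`) from a personal fork that is then unpacked and run as root inside every container; pinning the URL to a commit and checking a known sha256 of the tarball before the `file push` would make the run reproducible and keep a force-push to that branch from silently changing what the test exercises.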
diff --git a/tests/manual-lzo.sh b/tests/manual-lzo.sh
index b21ced2..8735c2e 100755
--- a/tests/manual-lzo.sh
+++ b/tests/manual-lzo.sh
@@ -107,7 +107,7 @@ function is_core_snap {
107107
108# step 0. ensure pre-reqs are available108# step 0. ensure pre-reqs are available
109# * snap is to download the snap109# * snap is to download the snap
110# * unsquahfs is to unpack the snap110# * unsquashfs is to unpack the snap
111# * mksquashfs is to re-pack the snap111# * mksquashfs is to re-pack the snap
112# * lxc is to create a xenial/bionic container to check the re-packed snap for112# * lxc is to create a xenial/bionic container to check the re-packed snap for
113# deterministic repacking - the review-tools used in there does NOT is not113# deterministic repacking - the review-tools used in there does NOT is not
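Review bot: the context line directly below the fixed typo (line 113) still reads "the review-tools used in there does NOT is not kernel specific", and the same wording is copied verbatim into the new manual-lzo-part2.sh (lines 48-49); since this hunk already touches that comment block, dropping the stray "does NOT" in both places would finish the cleanup.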
