Merge ~cjwatson/launchpad-buildd:clamav-database-url into launchpad-buildd:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: aa7940302c7b74eb75c679aae17d4ebdaa3dfc44
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/launchpad-buildd:clamav-database-url
Merge into: launchpad-buildd:master
Diff against target: 140 lines (+77/-0)
5 files modified
debian/changelog (+6/-0)
lpbuildd/ci.py (+11/-0)
lpbuildd/target/run_ci.py (+16/-0)
lpbuildd/target/tests/test_run_ci.py (+24/-0)
lpbuildd/tests/test_ci.py (+20/-0)
Reviewer Review Type Date Requested Status
Andrey Fedoseev (community) Approve
Review via email: mp+432172@code.launchpad.net

Commit message

Allow configuring builders to use a different ClamAV database URL

Description of the change

This is a property of the environment rather than of the build, so we put it in the builder's configuration file.

Andrey Fedoseev (andrey-fedoseev) :
review: Approve
Colin Watson (cjwatson) :
Andrey Fedoseev (andrey-fedoseev) :
Colin Watson (cjwatson) :
Andrey Fedoseev (andrey-fedoseev) :

Preview Diff

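--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+launchpad-buildd (224) UNRELEASED; urgency=medium
+
+ * Allow configuring builders to use a different ClamAV database URL.
+
+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 26 Oct 2022 08:55:39 +0200
+
 launchpad-buildd (223) focal; urgency=medium
 
 * Add optional malware scanning at the end of CI build jobs, currently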
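--- a/lpbuildd/ci.py
+++ b/lpbuildd/ci.py
@@ -86,6 +86,17 @@ class CIBuildManager(BuildManagerProxyMixin, DebianBuildManager):
 if self.scan_malware:
 args.append("--scan-malware")
 try:
+ # Not precisely a proxy, but it's similar in the sense of
+ # providing additional network endpoints that we use instead of
+ # the default behaviour, and using a section that doesn't exist
+ # in the default configuration is convenient for our production
+ # deployments.
+ clamav_database_url = self._builder._config.get(
+ "proxy", "clamavdatabase")
+ args.extend(["--clamav-database-url", clamav_database_url])
+ except (NoSectionError, NoOptionError):
+ pass
+ try:
 snap_store_proxy_url = self._builder._config.get(
 "proxy", "snapstore")
 args.extend(["--snap-store-proxy-url", snap_store_proxy_url])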
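Review bot: The new `proxy.clamavdatabase` key is explained only by the comment above the lookup, and that comment covers why the `proxy` section is reused but not what the value must look like. Since lpbuildd/target/run_ci.py in this same change writes the value verbatim into the container's freshclam.conf, it is worth stating the expectation where the key is read, for example `# Expected to be a single http(s) URL of a trusted ClamAV mirror; it is written as-is into freshclam.conf in the build container.` The indentation is lost on this page, so it is not visible whether the lookup sits under `if self.scan_malware:`; if it does not, the option would also be passed for builds that never install ClamAV. The enclosing method starts and ends outside the hunk.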
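--- a/lpbuildd/target/run_ci.py
+++ b/lpbuildd/target/run_ci.py
@@ -3,6 +3,7 @@
 
 import logging
 import os
+import tempfile
 
 from lpbuildd.target.build_snap import SnapChannelsAction
 from lpbuildd.target.operation import Operation
@@ -37,6 +38,10 @@ class RunCIPrepare(BuilderProxyOperationMixin, VCSOperationMixin,
 default=False,
 help="perform malware scans on output files",
 )
+ parser.add_argument(
+ "--clamav-database-url",
+ help="override default ClamAV database URL",
+ )
 
 def install(self):
 logger.info("Running install phase...")
@@ -71,6 +76,17 @@ class RunCIPrepare(BuilderProxyOperationMixin, VCSOperationMixin,
 # lpbuildd.target.lxd configures the container not to run most
 # services, which is convenient since it allows us to ensure
 # that ClamAV's database is up to date before proceeding.
+ if self.args.clamav_database_url:
+ freshclam_path = "/etc/clamav/freshclam.conf"
+ with tempfile.NamedTemporaryFile(mode="w+") as freshclam_file:
+ self.backend.copy_out(freshclam_path, freshclam_file.name)
+ freshclam_file.seek(0, os.SEEK_END)
+ print(
+ f"PrivateMirror {self.args.clamav_database_url}",
+ file=freshclam_file,
+ )
+ freshclam_file.flush()
+ self.backend.copy_in(freshclam_file.name, freshclam_path)
 kwargs = {}
 env = self.build_proxy_environment(proxy_url=self.args.proxy_url)
 if env: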
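Review bot: `self.args.clamav_database_url` is interpolated straight into the `PrivateMirror` line appended to `/etc/clamav/freshclam.conf`, so a value containing whitespace or a line break would put unintended directives into the updater's configuration. The value comes from builder configuration (lpbuildd/ci.py in this same change), which limits the exposure, but a cheap check before the write keeps the file well-formed, for example `if any(c.isspace() for c in self.args.clamav_database_url): raise ValueError("invalid ClamAV database URL")`; restricting the scheme to http/https would be a further option. Appending after `seek(0, os.SEEK_END)` also assumes the copied file already ends with a newline; if it does not, the directive is joined to the previous line. The new test in lpbuildd/target/tests/test_run_ci.py covers only a well-formed URL and a newline-terminated file, so neither case is exercised. install() continues beyond this hunk.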
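--- a/lpbuildd/target/tests/test_run_ci.py
+++ b/lpbuildd/target/tests/test_run_ci.py
@@ -188,6 +188,30 @@ class TestRunCIPrepare(TestCase):
 RanCommand(["freshclam", "--quiet"], **env),
 ]))
 
+ def test_install_scan_malware_with_clamav_database_url(self):
+ args = [
+ "run-ci-prepare",
+ "--backend=fake", "--series=focal", "--arch=amd64", "1",
+ "--git-repository", "lp:foo",
+ "--scan-malware",
+ "--clamav-database-url", "http://clamav.example/",
+ ]
+ run_ci_prepare = parse_args(args=args).operation
+ run_ci_prepare.backend.add_file(
+ "/etc/clamav/freshclam.conf", b"Test line\n")
+ run_ci_prepare.install()
+ self.assertThat(run_ci_prepare.backend.run.calls, MatchesListwise([
+ RanAptGet("install", "git", "clamav"),
+ RanSnap("install", "lxd"),
+ RanSnap("install", "--classic", "lpcraft"),
+ RanCommand(["lxd", "init", "--auto"]),
+ RanCommand(["freshclam", "--quiet"]),
+ ]))
+ self.assertEqual(
+ (b"Test line\nPrivateMirror http://clamav.example/\n",
+ stat.S_IFREG | 0o644),
+ run_ci_prepare.backend.backend_fs["/etc/clamav/freshclam.conf"])
+
 def test_repo_git(self):
 args = [
 "run-ci-prepare",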
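--- a/lpbuildd/tests/test_ci.py
+++ b/lpbuildd/tests/test_ci.py
@@ -379,3 +379,23 @@ class TestCIBuildManagerIteration(TestCase):
 shutil.rmtree(get_build_path(
 self.buildmanager.home, self.buildmanager._buildid))
 self.assertIn("jobs", self.buildmanager.status())
+
+ @defer.inlineCallbacks
+ def test_iterate_with_clamav_database_url(self):
+ # If proxy.clamavdatabase is set, the build manager passes it via
+ # the --clamav-database-url option.
+ self.builder._config.set(
+ "proxy", "clamavdatabase", "http://clamav.example/")
+ args = {
+ "git_repository": "https://git.launchpad.test/~example/+git/ci",
+ "git_path": "main",
+ "jobs": [[("build", "0")], [("test", "0")]],
+ "scan_malware": True,
+ }
+ expected_prepare_options = [
+ "--git-repository", "https://git.launchpad.test/~example/+git/ci",
+ "--git-path", "main",
+ "--scan-malware",
+ "--clamav-database-url", "http://clamav.example/",
+ ]
+ yield self.startBuild(args, expected_prepare_options)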
