Implemented packages metadata to the test suite #6126
Conversation
|
Changes identified: Recommended tests to execute: |
jan-cerny
changed the title
There was a problem hiding this comment.
Testing random rule:
python3 tests/test_suite.py rule --libvirt qemu:///system ssgts_rhel8 --datastream build/ssg-rhel8-ds.xml selinux_state
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2020-09-29-1257/test_suite.log
ERROR - Nothing has been tested!
Traceback (most recent call last):
File "tests/test_suite.py", line 369, in <module>
main()
File "tests/test_suite.py", line 365, in main
options.func(options)
File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 385, in perform_rule_check
checker.test_target(options.target)
File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/oscap.py", line 650, in test_target
self._test_target(target)
File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 253, in _test_target
self._prepare_environment()
File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 221, in _prepare_environment
self._ensure_package_present_for_all_scenarios()
File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 205, in _ensure_package_present_for_all_scenarios
for rule, scenarios in scenarios_by_rule.items():
NameError: name 'scenarios_by_rule' is not defined
Could you take a look into this?
| msg = "Cannot extract data tarball {0}.".format(remote_archive_file) | ||
| logging.error(msg) | ||
| raise RuntimeError(msg) | ||
| print("Setting up test setup scripts", file=log_file) |
There was a problem hiding this comment.
The unit tests on RHEL 7 fails, probably Python 2.7 doesn't know file= yet.
from ssg_test_suite import common
E File "/home/jenkins/workspace/scap-security-guide-pull-requests/label/rhel7/tests/ssg_test_suite/common.py", line 281
E print("Setting up test setup scripts", file=log_file)
E ^
E SyntaxError: invalid syntax
There was a problem hiding this comment.
It doesn't know print as a function - that's an easy fix.
| try: | ||
| run_with_stdout_logging("scp", SSH_ADDITIONAL_OPTS + (what, scp_dest), log_file) | ||
| except Exception: | ||
| logging.error(error_msg) |
There was a problem hiding this comment.
I think we can add the text of the exception (str(exc)) the same way as in execute_remote_command.
tests/ssg_test_suite/common.py
Outdated
| INSTALL_COMMANDS = dict( | ||
| fedora=("dnf", "install", "-y"), | ||
| rhel7=("yum", "install", "-y"), | ||
| rhel8=("yum", "install", "-y"), | ||
| ) |
There was a problem hiding this comment.
I'd say that the indentation of items in dict. One level of indentation looks better.
INSTALL_COMMANDS = dict(
fedora=("dnf", "install", "-y"),
rhel7=("yum", "install", "-y"),
rhel8=("yum", "install", "-y"),
)
And I don't know if the last comma is intended.
There was a problem hiding this comment.
OK, makes sense.
The comma is indented, it makes additions git-friendly.
| # platform = multi_platform_all | ||
|
|
||
| dnf install -y gdm | ||
| # packages = gdm |
| def _test_target(self, target): | ||
| def _ensure_package_present_for_all_scenarios(self): | ||
| packages_required = set() | ||
| for rule, scenarios in scenarios_by_rule.items(): |
There was a problem hiding this comment.
The scenarios_by_rule isn't defined.
matejak
force-pushed
the
tests_packages
branch
from
bb47c33
to
253780f
Compare
|
FAILURE |
matejak
force-pushed
the
tests_packages
branch
2 times, most recently
from
7daaa43
to
1ebb5ba
Compare
|
@openscap-ci test this please |
|
/test e2e-aws-rhcos4-e8 |
tests/ssg_test_suite/common.py
Outdated
| if "fedora" in cpe: | ||
| return "fedora" | ||
| if "redhat:enterprise_linux" in cpe: | ||
| version = re.match(r"enterprise_linux:(\d)+:", cpe).groups()[1] |
There was a problem hiding this comment.
This causes problems for me when running rule test scenarios against a RHEL 8 VM target.
| version = re.match(r"enterprise_linux:(\d)+:", cpe).groups()[1] | |
| version = re.search(r"enterprise_linux:(\d+)", cpe).groups()[0] |
There was a problem hiding this comment.
It turned out to be even more complicated, but thanks for the suggestion - you were right on the search part.
| log_file_name = os.path.join(LogHelper.LOG_DIR, "env-preparation.log") | ||
|
|
||
| with open(log_file_name, 'a') as log_file: | ||
| print("Installing packages", file=log_file) |
There was a problem hiding this comment.
There is something weird about this. When I open env-preparation.log in the run log directory, I can see the output of yum command there, and after that there is "Installing packages" and the ssh command arguments. It should be before the yum output. It might be something with locking or flushing the log file.
Before each test, all scenarios are examined, and list of all packages to install is gathered. Those packages are installed to the base tests_upladed snapshot using an SSH command that is determined according to CPEs of the datastream benchmark, so Fedora ends up with dnf, while RHEL7 with yum.
matejak
force-pushed
the
tests_packages
branch
2 times, most recently
from
1aed579
to
99814cb
Compare
It's the platform where tests are run rather than the benchmark platform which is important when determining what package manager to use.
matejak
force-pushed
the
tests_packages
branch
from
99814cb
to
55e7b0b
Compare
| @@ -292,17 +324,14 @@ def _get_scenarios(self, rule_dir, scripts, scenarios_regex, benchmark_cpes): | |||
|
|
|||
| return scenarios | |||
|
|
|||
| def _check_rule(self, rule, remote_dir, state, remediation_available): | |||
| def _check_rule(self, rule, scenarios, remote_dir, state, remediation_available): | |||
There was a problem hiding this comment.
CombinedChecker class in ssg_test_suite/combined.py inherits from RuleChecker and uses this _check_rule method. Please, fix the method usage there.
There was a problem hiding this comment.
Good catch, this is a non-trivial finding, and I have done my best to make the RuleChecker more extension-friendly, so the CombinedChecker doesn't contain duplicated code.
| @@ -242,42 +245,56 @@ def create_tarball(): | |||
| return fp.name | |||
|
|
|||
|
|
|||
| def execute_remote_command(machine, args, log_file, error_msg=""): | |||
There was a problem hiding this comment.
There are already similar functions to this, eg. run_cmd_remote and _run_cmd. I haven't checked, but what do you think? Can we somehow unify them?
There was a problem hiding this comment.
I would love to, but preferably not in this PR.
|
|
||
|
|
||
| def cpes_to_platform(cpes): | ||
| for cpe in cpes: |
There was a problem hiding this comment.
Why does it eat a list? In the only usage you artifically create a list with a single item.
There was a problem hiding this comment.
It used to work with a list of CPEs that were associated with a benchmark, and to basically find the OS one among them. We don't use that right now, but I think that it may come in handy.
tests/ssg_test_suite/common.py
Outdated
| log_file.flush() | ||
| execute_remote_command( | ||
| machine, INSTALL_COMMANDS[platform] + tuple(packages), log_file, | ||
| "Couldn't install required packages {packages}".format(packages=packages)) |
It now moved the "Installing pcakges" string to the right position, but the command is still printed after it. |
matejak
force-pushed
the
tests_packages
branch
from
a3f07db
to
d3e2676
Compare
|
LGTM |
|
/test e2e-aws-rhcos4-e8 |
|
@openscap-ci test this please |
| def _rule_should_be_tested(self, rule, rules_to_be_tested): | ||
| if rule.short_id not in rules_to_be_tested: | ||
| return False | ||
| return True |
There was a problem hiding this comment.
It's weird but let's not delay it.
|
@matejak It's great! I'm only waiting for CI. |
|
/test e2e-aws-rhcos4-e8 |
This PR centralises installation of packages that are used to test scenarios.
As some checks now require packages installed in order to be applicable, it could be that if 5 scenarios required a package that was not present in the test suite image, it had to be downloaded and installed 5 times, which is wasteful and takes a long time too.
Using the new approach, all scenarios are examined prior to the test execution, and list of all packages to install is gathered.
Those packages are installed to the base
tests_upladedsnapshot using an SSH command that is deduced according to CPEs of the datastream benchmark, so Fedora ends up with dnf, while RHEL7 with yum.What this PR consists of:
send_scripts- two functions were extracted, and one of those is then reused. Similar functions already exist in the module, but I think that further refactoring in this regard is out of scope of this PR.data.upload.loglog file has been renamed toenv-preparation.log.