Implemented packages metadata to the test suite #6126
Changes identified: Recommended tests to execute: |
Testing random rule:
python3 tests/test_suite.py rule --libvirt qemu:///system ssgts_rhel8 --datastream build/ssg-rhel8-ds.xml selinux_state
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2020-09-29-1257/test_suite.log
ERROR - Nothing has been tested!
Traceback (most recent call last):
  File "tests/test_suite.py", line 369, in <module>
    main()
  File "tests/test_suite.py", line 365, in main
    options.func(options)
  File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 385, in perform_rule_check
    checker.test_target(options.target)
  File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/oscap.py", line 650, in test_target
    self._test_target(target)
  File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 253, in _test_target
    self._prepare_environment()
  File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 221, in _prepare_environment
    self._ensure_package_present_for_all_scenarios()
  File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 205, in _ensure_package_present_for_all_scenarios
    for rule, scenarios in scenarios_by_rule.items():
NameError: name 'scenarios_by_rule' is not defined
Could you take a look into this?
msg = "Cannot extract data tarball {0}.".format(remote_archive_file) | ||
logging.error(msg) | ||
raise RuntimeError(msg) | ||
print("Setting up test setup scripts", file=log_file) |
The unit tests on RHEL 7 fail, probably Python 2.7 doesn't know file= yet.
from ssg_test_suite import common
E File "/home/jenkins/workspace/scap-security-guide-pull-requests/label/rhel7/tests/ssg_test_suite/common.py", line 281
E print("Setting up test setup scripts", file=log_file)
E ^
E SyntaxError: invalid syntax
It doesn't know print as a function - that's an easy fix.
try: | ||
run_with_stdout_logging("scp", SSH_ADDITIONAL_OPTS + (what, scp_dest), log_file) | ||
except Exception: | ||
logging.error(error_msg) |
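Review bot: The except Exception branch logs only error_msg and drops the caught exception, so the log will not say why the scp call failed. Bind it with "except Exception as exc" and append str(exc) to the logged message; if the lines after the handler do not re-raise, a failed upload would also pass silently into the test run, so confirm the error is propagated.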
I think we can add the text of the exception (str(exc)) the same way as in execute_remote_command.
tests/ssg_test_suite/common.py
Outdated
INSTALL_COMMANDS = dict( | ||
fedora=("dnf", "install", "-y"), | ||
rhel7=("yum", "install", "-y"), | ||
rhel8=("yum", "install", "-y"), | ||
) |
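Review bot: INSTALL_COMMANDS has entries only for fedora, rhel7 and rhel8, and the caller indexes it directly with INSTALL_COMMANDS[platform], so a test target on any other platform fails with a bare KeyError. Check the platform explicitly and raise an error that names the unsupported platform, or document that only these three are supported.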
coding style
What's wrong?
I'd say that the indentation of items in dict. One level of indentation looks better.
INSTALL_COMMANDS = dict(
    fedora=("dnf", "install", "-y"),
    rhel7=("yum", "install", "-y"),
    rhel8=("yum", "install", "-y"),
)
And I don't know if the last comma is intended.
OK, makes sense.
The comma is indented, it makes additions git-friendly.
# platform = multi_platform_all | ||
|
||
dnf install -y gdm | ||
# packages = gdm |
❤️
def _test_target(self, target): | ||
def _ensure_package_present_for_all_scenarios(self): | ||
packages_required = set() | ||
for rule, scenarios in scenarios_by_rule.items(): |
The scenarios_by_rule isn't defined.
bb47c33 to 253780f
FAILURE |
7daaa43 to 1ebb5ba
@openscap-ci test this please
/test e2e-aws-rhcos4-e8
tests/ssg_test_suite/common.py
Outdated
if "fedora" in cpe: | ||
return "fedora" | ||
if "redhat:enterprise_linux" in cpe: | ||
version = re.match(r"enterprise_linux:(\d)+:", cpe).groups()[1] |
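Review bot: re.match only matches at the start of the string, so on the "version = ..." line it returns None for any CPE that merely contains redhat:enterprise_linux, and .groups() then raises AttributeError; groups()[1] is also out of range for a pattern with a single group. Use re.search with (\d+), keep the match object in a variable, and raise a descriptive error when it is None.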
This causes problems for me when running rule test scenarios against a RHEL 8 VM target.
version = re.match(r"enterprise_linux:(\d)+:", cpe).groups()[1] | |
version = re.search(r"enterprise_linux:(\d+)", cpe).groups()[0] |
It turned out to be even more complicated, but thanks for the suggestion - you were right on the search part.
log_file_name = os.path.join(LogHelper.LOG_DIR, "env-preparation.log") | ||
|
||
with open(log_file_name, 'a') as log_file: | ||
print("Installing packages", file=log_file) |
There is something weird about this. When I open env-preparation.log in the run log directory, I can see the output of yum command there, and after that there is "Installing packages" and the ssh command arguments. It should be before the yum output. It might be something with locking or flushing the log file.
Yes, it was the flush.
Before each test, all scenarios are examined, and list of all packages to install is gathered. Those packages are installed to the base tests_upladed snapshot using an SSH command that is determined according to CPEs of the datastream benchmark, so Fedora ends up with dnf, while RHEL7 with yum.
1aed579 to 99814cb
It's the platform where tests are run rather than the benchmark platform which is important when determining what package manager to use.
99814cb to 55e7b0b
@@ -292,17 +324,14 @@ def _get_scenarios(self, rule_dir, scripts, scenarios_regex, benchmark_cpes): | |||
|
|||
return scenarios | |||
|
|||
def _check_rule(self, rule, remote_dir, state, remediation_available): | |||
def _check_rule(self, rule, scenarios, remote_dir, state, remediation_available): |
CombinedChecker class in ssg_test_suite/combined.py inherits from RuleChecker and uses this _check_rule method. Please, fix the method usage there.
Good catch, this is a non-trivial finding, and I have done my best to make the RuleChecker more extension-friendly, so the CombinedChecker doesn't contain duplicated code.
@@ -242,42 +245,56 @@ def create_tarball(): | |||
return fp.name | |||
|
|||
|
|||
def execute_remote_command(machine, args, log_file, error_msg=""): |
There are already similar functions to this, e.g. run_cmd_remote and _run_cmd. I haven't checked, but what do you think? Can we somehow unify them?
I would love to, but preferably not in this PR.
OK, fair enough
|
||
|
||
def cpes_to_platform(cpes): | ||
for cpe in cpes: |
Why does it eat a list? In the only usage you artificially create a list with a single item.
It used to work with a list of CPEs that were associated with a benchmark, and to basically find the OS one among them. We don't use that right now, but I think that it may come in handy.
tests/ssg_test_suite/common.py
Outdated
log_file.flush() | ||
execute_remote_command( | ||
machine, INSTALL_COMMANDS[platform] + tuple(packages), log_file, | ||
"Couldn't install required packages {packages}".format(packages=packages)) |
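Review bot: tuple(packages) is appended to the install command without any validation, and per the PR description this command is executed on the test machine over SSH; the names originate from "# packages =" comments in scenario scripts. Check each name against a conservative package-name pattern before building the command, and confirm the call is skipped when no scenario declares a package.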
too big indentation
It now moved the "Installing packages" string to the right position, but the command is still printed after it.
a3f07db to d3e2676
nitpick indentation review :)
ah, my last review didn't include these comments... sorry for that
LGTM
/test e2e-aws-rhcos4-e8
@openscap-ci test this please
def _rule_should_be_tested(self, rule, rules_to_be_tested): | ||
if rule.short_id not in rules_to_be_tested: | ||
return False | ||
return True |
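Review bot: The body of _rule_should_be_tested is an if / return False / return True wrapped around a single membership test; "return rule.short_id in rules_to_be_tested" says the same in one line. If the method exists as an extension hook for subclasses, a one-line docstring saying so would explain why it is a separate method.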
It's weird but let's not delay it.
@matejak It's great! I'm only waiting for CI.
/test e2e-aws-rhcos4-e8
This PR centralises installation of packages that are used to test scenarios.
As some checks now require packages installed in order to be applicable, it could be that if 5 scenarios required a package that was not present in the test suite image, it had to be downloaded and installed 5 times, which is wasteful and takes a long time too.
Using the new approach, all scenarios are examined prior to the test execution, and list of all packages to install is gathered.
Those packages are installed to the base tests_upladed snapshot using an SSH command that is deduced according to CPEs of the datastream benchmark, so Fedora ends up with dnf, while RHEL7 with yum.

What this PR consists of:
- send_scripts - two functions were extracted, and one of those is then reused. Similar functions already exist in the module, but I think that further refactoring in this regard is out of scope of this PR.
- data.upload.log log file has been renamed to env-preparation.log.
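The gather-then-install-once flow described above, as an added sketch that is not the PR's code: it collects "# packages =" metadata from all scenarios, validates the names, and builds a single install command for the target platform. INSTALL_COMMANDS is copied from the diff; the function names, the comma-separated list syntax and the package-name allow-list are assumptions.

```python
import re

# INSTALL_COMMANDS is copied from the diff above; all other names are hypothetical.
INSTALL_COMMANDS = dict(
    fedora=("dnf", "install", "-y"),
    rhel7=("yum", "install", "-y"),
    rhel8=("yum", "install", "-y"),
)
# Assumed metadata syntax: "# packages = a,b" (the diff only shows a single name).
PACKAGES_LINE = re.compile(r"^#[ \t]*packages[ \t]*=[ \t]*(.*)$", re.MULTILINE)
# Conservative allow-list for package names (an assumption, stricter than RPM).
SAFE_PACKAGE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def packages_of_scenario(script_text):
    """Return the set of package names declared in one scenario script."""
    found = set()
    for value in PACKAGES_LINE.findall(script_text):
        found.update(name.strip() for name in value.split(",") if name.strip())
    return found


def cpe_to_platform(cpe):
    """Map an OS CPE string to a key of INSTALL_COMMANDS, or raise ValueError."""
    if "fedora" in cpe:
        return "fedora"
    match = re.search(r"enterprise_linux:(\d+)", cpe)
    if match and "rhel" + match.group(1) in INSTALL_COMMANDS:
        return "rhel" + match.group(1)
    raise ValueError("Unsupported platform CPE: {0}".format(cpe))


def install_command(platform_cpe, scenario_texts):
    """Build one install command for all scenarios, or None if nothing is needed."""
    packages = set()
    for text in scenario_texts:
        packages |= packages_of_scenario(text)
    bad = sorted(p for p in packages if not SAFE_PACKAGE.match(p))
    if bad:
        raise ValueError("Refusing suspicious package names: {0}".format(bad))
    if not packages:
        return None
    return INSTALL_COMMANDS[cpe_to_platform(platform_cpe)] + tuple(sorted(packages))
```

The returned tuple is meant to be passed as an argument vector; names that fail the allow-list are rejected before anything is sent to the test machine.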