From 33e1b341461c753e95062209e16a1e2a72e744a9 Mon Sep 17 00:00:00 2001
From: Claudiu Belu
Date: Thu, 17 Oct 2024 08:30:46 +0000
Subject: [PATCH] Changes rock base to bare Switching to a bare-based image will reduce the overall image size and reduces attack surface area. The image is supposed to run a script, thus we need a few packages installed. Switch the container user to root. It is supposed to have access to certain host folders through hostPath mounts, and thus, it should be able to modify them (e.g.: create /var/log/sriovdp folder). We can no longer use ensure_image_contains_paths to check if files exist in the rock images, since they are now bare-based. Instead, we can use ensure_image_contains_paths_bare, which checks the image layers instead. Because of this, we need sufficient permissions to check the /var/lib/docker folder. Adds an extra sanity check during the integration test, making sure that there is no error reported in Pebble while starting the service.
---
 3.6.2/rockcraft.yaml | 15 +++++++++++++--
 .../test_sriov_net_device_plugin.py | 19 ++++++++++++++++++-
 tests/sanity/test_sriov_net_device_plugin.py | 4 ++--
 tests/tox.ini | 4 +++-
 4 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/3.6.2/rockcraft.yaml b/3.6.2/rockcraft.yaml
index 1d74953..f481efd 100644
--- a/3.6.2/rockcraft.yaml
+++ b/3.6.2/rockcraft.yaml
@@ -11,9 +11,8 @@ description: |
 license: Apache-2.0
 version: 3.6.2
-base: ubuntu@22.04
+base: bare
 build-base: ubuntu@22.04
-run-user: _daemon_
 platforms:
 amd64:
@@ -34,6 +33,18 @@ services:
 entrypoint-service: install-cni
 parts:
+ add-base-files:
+ plugin: nil
+ stage-packages:
+ - base-files
+ - bash
+ - coreutils
+ - gawk
+ override-build: |
+ # Need to add symlink to awk.
+ mkdir -p $CRAFT_PART_INSTALL/usr/bin
+ ln -s gawk $CRAFT_PART_INSTALL/usr/bin/awk
+
 build-deps:
 plugin: nil
 build-snaps:
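Review bot: In 3.6.2/rockcraft.yaml, dropping `run-user: _daemon_` makes every process in the rock run as root, and the only record of why is the commit message. With the hostPath mounts the description mentions, a flaw in the entrypoint script or the plugin now acts with root's write access to those host directories, so the decision should be visible where the next maintainer will look. I would add a comment next to the base line, e.g. `# No run-user: the service runs as root because it must create and write host paths (e.g. /var/log/sriovdp) mounted via hostPath.` It is also worth checking that the DaemonSet mounts only the directories the script actually needs; the manifest is not part of this patch.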
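Review bot: In the new add-base-files part of 3.6.2/rockcraft.yaml, `ln -s gawk $CRAFT_PART_INSTALL/usr/bin/awk` is not idempotent and leaves the variable unquoted. If the build step is re-run against an install directory that still holds the link, `ln -s` stops with "File exists"; `ln -sf gawk "$CRAFT_PART_INSTALL/usr/bin/awk"`, with the `mkdir -p` argument quoted the same way, avoids both problems. The comment says what is done but not why. Something like `# stage-packages are unpacked without maintainer scripts, so the awk alternative is never created.` would help, assuming that is the reason. Because bash and coreutils put a shell back into an otherwise bare image, it would help to note in the part which script needs them, so they can be dropped once it no longer does.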
diff --git a/tests/integration/test_sriov_net_device_plugin.py b/tests/integration/test_sriov_net_device_plugin.py
index 398aedd..1c4a42e 100644
--- a/tests/integration/test_sriov_net_device_plugin.py
+++ b/tests/integration/test_sriov_net_device_plugin.py
@@ -7,7 +7,7 @@ from pathlib import Path
 from k8s_test_harness import harness
-from k8s_test_harness.util import env_util, k8s_util
+from k8s_test_harness.util import constants, env_util, k8s_util
 LOG = logging.getLogger(__name__)
@@ -71,3 +71,20 @@ def test_integration_sriov_ndp(tmp_path: Path, module_instance: harness.Instance
 k8s_util.wait_for_daemonset(
 module_instance, "kube-sriov-device-plugin-amd64", "kube-system"
 )
+
+ # Sanity check: make sure there isn't an error in Pebble that it couldn't start the service.
+ process = module_instance.exec(
+ [
+ "k8s",
+ "kubectl",
+ "logs",
+ "-n",
+ constants.K8S_NS_KUBE_SYSTEM,
+ "daemonset.apps/kube-sriov-device-plugin-amd64",
+ ],
+ check=True,
+ capture_output=True,
+ text=True,
+ )
+
+ assert '(Start service "install-cni") failed' not in process.stdout
diff --git a/tests/sanity/test_sriov_net_device_plugin.py b/tests/sanity/test_sriov_net_device_plugin.py
index 5c2aafe..0e30c01 100644
--- a/tests/sanity/test_sriov_net_device_plugin.py
+++ b/tests/sanity/test_sriov_net_device_plugin.py
@@ -20,7 +20,7 @@ def test_sriov_dpdk_rock():
 image = rock.image
 # check rock filesystem.
- docker_util.ensure_image_contains_paths(image, ROCK_EXPECTED_FILES)
+ docker_util.ensure_image_contains_paths_bare(image, ROCK_EXPECTED_FILES)
 # check binary.
 process = docker_util.run_in_docker(image, ["sriovdp", "--help"], False)
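Review bot: The assertion added at the end of test_integration_sriov_ndp only checks that a failure string is absent, so it also passes when `kubectl logs` returns nothing useful. In addition, `kubectl logs daemonset.apps/...` reads a single pod picked by kubectl rather than every pod of the DaemonSet. I would add a guard before it, `assert process.stdout.strip(), "no logs returned for kube-sriov-device-plugin-amd64"`, so an empty capture fails instead of passing silently. The new call uses `constants.K8S_NS_KUBE_SYSTEM` while the `wait_for_daemonset` call just above still passes the literal `"kube-system"`; using the constant in both keeps them from drifting apart. The function body starts outside this hunk.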
@@ -31,5 +31,5 @@ def test_sriov_dpdk_rock():
 assert "DDPTool version 1.0.1.12" in process.stdout
 # check /entrypoint.sh script.
- process = docker_util.run_in_docker(image, ["/entrypoint.sh"], False)
+ process = docker_util.run_in_docker(image, ["bash", "-x", "/entrypoint.sh"], False)
 assert "open /etc/pcidp/config.json: no such file or directory" in process.stderr
diff --git a/tests/tox.ini b/tests/tox.ini
index ffc76ce..a2e5fc3 100644
--- a/tests/tox.ini
+++ b/tests/tox.ini
@@ -35,8 +35,10 @@ commands =
 description = Run integration tests
 deps =
 -r {tox_root}/requirements-test.txt
+allowlist_externals =
+ sudo
 commands =
- pytest -v \
+ sudo -E {envpython} -m pytest -v \
 --maxfail 1 \
 --tb native \
 --log-cli-level DEBUG \
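Review bot: Invoking the script as `["bash", "-x", "/entrypoint.sh"]` in tests/sanity no longer exercises the script's shebang or executable bit, which the direct exec of `/entrypoint.sh` did. On a bare base that is the part most likely to break, since the interpreter path has to exist in the image. If the Pebble service runs the script directly, the test now covers a different path than the deployed container. `-x` also writes the full trace to stderr, the same stream the assertion reads. If the wrapper was added for debugging, I would restore `["/entrypoint.sh"]`; otherwise add a comment such as `# run through bash explicitly because <reason>`. The test function starts outside this hunk.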
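Review bot: In tests/tox.ini, `sudo -E {envpython} -m pytest` runs the whole pytest session as root and, through `-E`, hands the caller's full environment to that root process. The commit message ties the need for privileges to reading /var/lib/docker for the image-layer check, yet this env is described as "Run integration tests", so it is worth confirming the elevation landed in the env that needs it. I would narrow it to the variables the tests actually read, `sudo --preserve-env=<VAR1>,<VAR2> {envpython} -m pytest -v \` (placeholder names), and add a comment above `allowlist_externals` such as `# sudo: ensure_image_contains_paths_bare reads image layers under /var/lib/docker`. Root-owned cache and bytecode files left in the workspace are a likely side effect; `-p no:cacheprovider` avoids the pytest cache part of that.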