From 4d8667fe51859d67dd6f5f7154dc24eb5a4526c7 Mon Sep 17 00:00:00 2001 From: yih Date: Tue, 16 Jan 2024 15:02:33 +0800 Subject: [PATCH] edge:add iot-simplified-installer test case --- test/cases/ostree-simplified-installer.sh | 114 +++++++++++++--------- test/data/ansible/check_ostree.yaml | 71 +++++++++++++- 2 files changed, 138 insertions(+), 47 deletions(-) diff --git a/test/cases/ostree-simplified-installer.sh b/test/cases/ostree-simplified-installer.sh index c8ef49fa64..d031907115 100755 --- a/test/cases/ostree-simplified-installer.sh +++ b/test/cases/ostree-simplified-installer.sh @@ -24,13 +24,18 @@ until [ -f /etc/fdo/aio/configs/serviceinfo_api_server.yml ] do sleep 2 done -# Prepare service api server config filef +# Prepare service api server config file sudo /usr/local/bin/yq -iy '.service_info.diskencryption_clevis |= [{disk_label: "/dev/vda4", reencrypt: true, binding: {pin: "tpm2", config: "{}"}}]' /etc/fdo/aio/configs/serviceinfo_api_server.yml if [[ "$VERSION_ID" == "9.4" || "$VERSION_ID" == "9" ]]; then # Modify manufacturing server config to process fdo # guest interface during onboarding sudo sed -i 's/SerialNumber/MACAddress/g' /etc/fdo/aio/configs/manufacturing_server.yml fi +# Fedora iot-simplified-installer uses /dev/vda3, https://github.com/osbuild/osbuild-composer/issues/3527 +if [[ "${ID}" == "fedora" ]]; then + echo "Change vda4 to vda3 for fedora in serviceinfo config file" + sudo sed -i 's/vda4/vda3/' /etc/fdo/aio/configs/serviceinfo_api_server.yml +fi sudo systemctl restart fdo-aio # workaround for bug https://bugzilla.redhat.com/show_bug.cgi?id=2213660 @@ -127,8 +132,9 @@ KERNEL_RT_PKG="kernel-rt" # Set up variables. SYSROOT_RO="false" -ANSIBLE_USER="admin" +ANSIBLE_USER="simple" FDO_USER_ONBOARDING="false" +IMAGE_TYPE=redhat # Set FIPS variable default FIPS="${FIPS:-false}" 
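Review bot: In the `@@ -24,13 +24,18 @@` hunk the Fedora branch rewrites the Clevis `disk_label` with an unanchored `sudo sed -i 's/vda4/vda3/'` and never checks that anything was replaced. If the preceding `yq` call ever writes the label differently, the serviceinfo file keeps a partition that, per the comment above the branch, Fedora does not use, and nothing fails at this point. Picking the device before the `yq` call, or following the sed with `sudo grep -q '/dev/vda3' /etc/fdo/aio/configs/serviceinfo_api_server.yml || exit 1`, would surface that during setup. The playbook hunk at `@@ -997,12 +1040,33 @@` hard-codes the same `/dev/vda3`, so the two values currently have to be kept in step by hand.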
@@ -171,6 +177,18 @@ case "${ID}-${VERSION_ID}" in sudo setenforce 0 getenforce ;; + "fedora-"*) + OSTREE_REF="fedora/${VERSION_ID}/${ARCH}/iot" + PARENT_REF="fedora/${VERSION_ID}/${ARCH}/iot" + OS_VARIANT="fedora-unknown" + CONTAINER_TYPE="iot-container" + INSTALLER_TYPE="iot-simplified-installer" + REF_PREFIX="fedora-iot" + SYSROOT_RO="true" + IMAGE_TYPE="fedora" + ANSIBLE_USER=fdouser + FDO_USER_ONBOARDING="true" + ;; *) redprint "unsupported distro: ${ID}-${VERSION_ID}" exit 1;; @@ -180,10 +198,10 @@ if [[ "$FDO_USER_ONBOARDING" == "true" ]]; then # FDO user does not have password, use ssh key and no sudo password instead sudo /usr/local/bin/yq -iy ".service_info.initial_user |= {username: \"fdouser\", sshkeys: [\"${SSH_KEY_PUB}\"]}" /etc/fdo/aio/configs/serviceinfo_api_server.yml # No sudo password required by ansible - tee /tmp/fdouser > /dev/null << EOF + sudo tee /var/lib/fdo/fdouser > /dev/null << EOF fdouser ALL=(ALL) NOPASSWD: ALL EOF - sudo /usr/local/bin/yq -iy '.service_info.files |= [{path: "/etc/sudoers.d/fdouser", source_path: "/tmp/fdouser"}]' /etc/fdo/aio/configs/serviceinfo_api_server.yml + sudo /usr/local/bin/yq -iy '.service_info.files |= [{path: "/etc/sudoers.d/fdouser", source_path: "/var/lib/fdo/fdouser"}]' /etc/fdo/aio/configs/serviceinfo_api_server.yml sudo systemctl restart fdo-aio fi # Wait for fdo server to be running @@ -276,7 +294,7 @@ build_image() { # Wait for the ssh server up to be. wait_for_ssh_up () { - SSH_STATUS=$(sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@"${1}" '/bin/bash -c "echo -n READY"') + SSH_STATUS=$(sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" simple@"${1}" '/bin/bash -c "echo -n READY"') if [[ $SSH_STATUS == READY ]]; then echo 1 else 
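Review bot: In the `@@ -180,10 +198,10 @@` hunk the sudoers drop-in written to `/var/lib/fdo/fdouser` gets whatever mode `sudo tee` and the umask produce, and the `files` entry passes no mode on for `/etc/sudoers.d/fdouser`. sudo refuses a sudoers file that is not root-owned or is writable by others, so I would set the mode explicitly with `sudo chmod 0440 /var/lib/fdo/fdouser` and syntax-check the file with `sudo visudo -cf /var/lib/fdo/fdouser` before restarting fdo-aio. Whether the serviceinfo `files` schema accepts a permissions field should be confirmed against the FDO version in use; if it does, set it there as well. A comment above the heredoc such as `# test-only: gives fdouser passwordless root on the onboarded device` would record that `NOPASSWD: ALL` is deliberate.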
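Review bot: The login name `simple` is a literal in `wait_for_ssh_up` (`@@ -276,7 +294,7 @@`), and the same literal recurs in `wait_for_fdo`, the reboot and rebase/upgrade ssh calls, the inventory and both `[[customizations.user]]` blocks. This commit had to edit every one of those lines to rename the account. A single variable next to `ANSIBLE_USER`, for example `EDGE_USER="simple"` (the name is only a suggestion), used as `"${EDGE_USER}@${1}"`, would make the next rename a one-line change. A short comment there should also say that this is the blueprint-defined login and is distinct from `ANSIBLE_USER`, which becomes `fdouser` on Fedora. Both functions continue outside their hunks.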
@@ -286,7 +304,7 @@ wait_for_ssh_up () { # Wait for FDO onboarding finished. wait_for_fdo () { - SSH_STATUS=$(sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@"${1}" "id -u ${ANSIBLE_USER} > /dev/null 2>&1 && echo -n READY") + SSH_STATUS=$(sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" simple@"${1}" "id -u ${ANSIBLE_USER} > /dev/null 2>&1 && echo -n READY") if [[ $SSH_STATUS == READY ]]; then echo 1 else @@ -381,18 +399,16 @@ version = "*" [[packages]] name = "sssd" version = "*" +EOF +# Fedora does not have kernel-rt +if [[ "$ID" != "fedora" ]]; then + tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF [customizations.kernel] name = "${KERNEL_RT_PKG}" - -[[customizations.user]] -name = "admin" -description = "Administrator account" -password = "${EDGE_USER_PASSWORD_SHA512}" -key = "${SSH_KEY_PUB}" -home = "/home/admin/" -groups = ["wheel"] EOF +fi + greenprint "📄 container blueprint" cat "$BLUEPRINT_FILE" @@ -565,7 +581,7 @@ EOF # Test IoT/Edge OS sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \ - -e image_type=redhat \ + -e image_type=${IMAGE_TYPE} \ -e ostree_commit="${INSTALL_HASH}" \ -e skip_rollback_test="true" \ -e edge_type=edge-simplified-installer \ @@ -632,7 +648,6 @@ append = "enforcing=0" EOF fi - greenprint "📄 installer blueprint" cat "$BLUEPRINT_FILE" @@ -716,7 +731,7 @@ for _ in $(seq 0 30); do done # With new ostree-libs-2022.6-3, edge vm needs to reboot twice to make the /sysroot readonly -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "admin@${EDGE_GUEST_ADDRESS}" 'nohup sudo systemctl reboot &>/dev/null & exit' +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "simple@${EDGE_GUEST_ADDRESS}" 'nohup sudo systemctl reboot &>/dev/null & exit' # Sleep 10 seconds here to make sure vm restarted already sleep 10 for _ in $(seq 0 30); do 
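Review bot: `-e image_type=${IMAGE_TYPE}` in the `@@ -565,7 +581,7 @@` hunk is unquoted while the neighbouring `-e ostree_commit="${INSTALL_HASH}"` is quoted, which ShellCheck reports as SC2086. Write `-e image_type="${IMAGE_TYPE}" \` here and on the same line of the hunks at `@@ -752,7`, `@@ -938,7`, `@@ -1077,7`, `@@ -1252,7` and `@@ -1395,7`. For consistency the new assignments `IMAGE_TYPE=redhat` and `ANSIBLE_USER=fdouser` could be quoted like the variables around them.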
@@ -752,7 +767,7 @@ EOF # Test IoT/Edge OS sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \ - -e image_type=redhat \ + -e image_type=${IMAGE_TYPE} \ -e ostree_commit="${INSTALL_HASH}" \ -e skip_rollback_test="true" \ -e edge_type=edge-simplified-installer \ @@ -786,7 +801,6 @@ description = "A rhel-edge simplified-installer image" version = "0.0.1" modules = [] groups = [] - [customizations] installation_device = "/dev/vda" EOF @@ -798,6 +812,14 @@ EOF fi tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF +[[customizations.user]] +name = "simple" +description = "Administrator account" +password = "${EDGE_USER_PASSWORD_SHA512}" +key = "${SSH_KEY_PUB}" +home = "/home/simple/" +groups = ["wheel"] + [customizations.fdo] manufacturing_server_url="http://${FDO_SERVER_ADDRESS}:8080" diun_pub_key_hash="${DIUN_PUB_KEY_HASH}" @@ -898,7 +920,7 @@ if [[ "${ANSIBLE_USER}" == "fdouser" ]]; then fi # With new ostree-libs-2022.6-3, edge vm needs to reboot twice to make the /sysroot readonly -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "admin@${EDGE_GUEST_ADDRESS}" 'nohup sudo systemctl reboot &>/dev/null & exit' +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "simple@${EDGE_GUEST_ADDRESS}" 'nohup sudo systemctl reboot &>/dev/null & exit' # Sleep 10 seconds here to make sure vm restarted already sleep 10 for _ in $(seq 0 30); do @@ -938,7 +960,7 @@ fi # Test IoT/Edge OS sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \ - -e image_type=redhat \ + -e image_type=${IMAGE_TYPE} \ -e ostree_commit="${INSTALL_HASH}" \ -e skip_rollback_test="true" \ -e edge_type=edge-simplified-installer \ 
@@ -972,17 +994,15 @@ version = "*" [[packages]] name = "wget" version = "*" +EOF +# Fedora does not have kernel-rt +if [[ "$ID" != "fedora" ]]; then + tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF [customizations.kernel] name = "${KERNEL_RT_PKG}" - -[[customizations.user]] -name = "admin" -description = "Administrator account" -password = "${EDGE_USER_PASSWORD_SHA512}" -home = "/home/admin/" -groups = ["wheel"] EOF +fi greenprint "📄 rebase blueprint" cat "$BLUEPRINT_FILE" @@ -1039,8 +1059,8 @@ sudo composer-cli compose delete "${COMPOSE_ID}" > /dev/null sudo composer-cli blueprints delete rebase > /dev/null greenprint "🗳 Rebase ostree image/commit" -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}" -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit" +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" simple@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}" +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" simple@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit" # Sleep 10 seconds here to make sure vm restarted already sleep 10 @@ -1077,7 +1097,7 @@ EOF # Test IoT/Edge OS sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \ - -e image_type=redhat \ + -e image_type=${IMAGE_TYPE} \ -e ostree_commit="${REBASE_HASH}" \ -e skip_rollback_test="true" \ -e edge_type=edge-simplified-installer \ @@ -1121,6 +1141,14 @@ groups = [] [customizations] installation_device = "/dev/vda" + +[[customizations.user]] +name = "simple" +description = "Administrator account" +password = "${EDGE_USER_PASSWORD_SHA512}" +key = "${SSH_KEY_PUB}" +home = "/home/simple/" +groups = ["wheel"] EOF if [ "${FIPS}" == "true" ]; then 
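Review bot: The two ssh lines in the `@@ -1039,8 +1059,8 @@` hunk expand `${EDGE_USER_PASSWORD}` into the remote command string, so the password shows up in the argument list of the local `ssh` process and of the remote shell, and a single quote in the password would break the command. For the rebase call the password can travel on stdin, assuming the local `sudo` is passwordless as the rest of the script implies: `printf '%s\n' "${EDGE_USER_PASSWORD}" | sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "simple@${EDGE_GUEST_ADDRESS}" "sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}"`. The backgrounded reboot line needs separate handling, because a background job in a non-interactive shell does not read that stdin by default. The ssh target `simple@${EDGE_GUEST_ADDRESS}` is also unquoted on these lines, unlike the reboot calls elsewhere in the file. The upgrade lines in the `@@ -1357,8 +1383,8 @@` hunk have the same issues.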
@@ -1217,7 +1245,7 @@ for _ in $(seq 0 30); do done # With new ostree-libs-2022.6-3, edge vm needs to reboot twice to make the /sysroot readonly -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "admin@${EDGE_GUEST_ADDRESS}" 'nohup sudo systemctl reboot &>/dev/null & exit' +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "simple@${EDGE_GUEST_ADDRESS}" 'nohup sudo systemctl reboot &>/dev/null & exit' # Sleep 10 seconds here to make sure vm restarted already sleep 10 for _ in $(seq 0 30); do @@ -1242,7 +1270,7 @@ ${EDGE_GUEST_ADDRESS} [ostree_guest:vars] ansible_python_interpreter=/usr/bin/python3 -ansible_user=admin +ansible_user=simple ansible_private_key_file=${SSH_KEY} ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" ansible_become=yes @@ -1252,7 +1280,7 @@ EOF # Test IoT/Edge OS sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \ - -e image_type=redhat \ + -e image_type=${IMAGE_TYPE} \ -e ostree_commit="${INSTALL_HASH}" \ -e skip_rollback_test="true" \ -e edge_type=edge-simplified-installer \ @@ -1289,17 +1317,15 @@ version = "*" [[packages]] name = "wget" version = "*" +EOF +# Fedora does not have kernel-rt +if [[ "$ID" != "fedora" ]]; then + tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF [customizations.kernel] name = "${KERNEL_RT_PKG}" - -[[customizations.user]] -name = "admin" -description = "Administrator account" -password = "${EDGE_USER_PASSWORD_SHA512}" -home = "/home/admin/" -groups = ["wheel"] EOF +fi greenprint "📄 upgrade blueprint" cat "$BLUEPRINT_FILE" 
@@ -1357,8 +1383,8 @@ sudo composer-cli compose delete "${COMPOSE_ID}" > /dev/null sudo composer-cli blueprints delete upgrade > /dev/null greenprint "🗳 Upgrade ostree image/commit" -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree upgrade" -sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit" +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" simple@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree upgrade" +sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" simple@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit" # Sleep 10 seconds here to make sure vm restarted already sleep 10 @@ -1395,7 +1421,7 @@ EOF # Test IoT/Edge OS sudo ansible-playbook -v -i "${TEMPDIR}"/inventory \ - -e image_type=redhat \ + -e image_type=${IMAGE_TYPE} \ -e ostree_commit="${UPGRADE_HASH}" \ -e skip_rollback_test="true" \ -e edge_type=edge-simplified-installer \ diff --git a/test/data/ansible/check_ostree.yaml b/test/data/ansible/check_ostree.yaml index db3b4c5e8f..15d9173f0d 100644 --- a/test/data/ansible/check_ostree.yaml +++ b/test/data/ansible/check_ostree.yaml @@ -14,6 +14,7 @@ test_custom_dirs_files: "false" sysroot_ro: "false" fips: "false" + image_type: "none" tasks: # current target host's IP address 
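Review bot: With the new default `image_type: "none"` in the `@@ -14,6 +14,7 @@` hunk, a run that omits `-e image_type=...` matches neither `image_type == "redhat"` nor `image_type == "fedora"`, so the pv-size, lv-size and FDO tasks gated on it are skipped and neither counter moves. Those tasks had no such condition before this change, so any caller of the playbook that is not updated loses that coverage without a failure. An early task such as `- assert: { that: "image_type in ['redhat', 'fedora']" }` would turn the omission into a visible error, or the default could be `"redhat"` to keep the previous behaviour. A comment on the variable listing the accepted values would help as well.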
@@ -284,6 +285,27 @@ when: - "'/dev/mapper/rootvg-rootlv' in result_sysroot_source.stdout" - fdo_credential == "true" + - image_type == "redhat" + + # on fedora, it grows to 18.49G + - name: "pv size should bigger than 18G for simplified installer" + block: + - assert: + that: + - "'18' in result_pv_size.stdout" + fail_msg: "pv size is not bigger than 18G" + success_msg: "pv size is bigger than 18G" + always: + - set_fact: + total_counter: "{{ total_counter | int + 1 }}" + rescue: + - name: failed count + 1 + set_fact: + failed_counter: "{{ failed_counter | int + 1 }}" + when: + - "'/dev/mapper/rootvg-rootlv' in result_sysroot_source.stdout" + - fdo_credential == "true" + - image_type == "fedora" # raw image does not have coreos-installer to grow fs to 19G - name: "pv size should keep at 9G for raw image" @@ -324,7 +346,28 @@ - name: failed count + 1 set_fact: failed_counter: "{{ failed_counter | int + 1 }}" - when: "'/dev/mapper/rootvg-rootlv' in result_sysroot_source.stdout" + when: + - "'/dev/mapper/rootvg-rootlv' in result_sysroot_source.stdout" + - image_type == "redhat" + + # lv size on fedora is 7.8G, https://github.com/osbuild/osbuild-composer/issues/3529 + - name: "/sysroot lv size should be 7.8G on fedora" + block: + - assert: + that: + - "'7.8G' in result_sysroot_lv_size.stdout" + fail_msg: "lv size is not 7.8G" + success_msg: "lv size is 7.8G" + always: + - set_fact: + total_counter: "{{ total_counter | int + 1 }}" + rescue: + - name: failed count + 1 + set_fact: + failed_counter: "{{ failed_counter | int + 1 }}" + when: + - "'/dev/mapper/rootvg-rootlv' in result_sysroot_source.stdout" + - image_type == "fedora" # case: check /sysroot mount status - name: check /sysroot mount status 
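Review bot: The Fedora assertion `'18' in result_pv_size.stdout` in the `@@ -284,6 +285,27 @@` hunk is a bare substring test, so it also passes for any size that merely contains those digits, for example 1.18G or 118G (constructed values), and it fails once the size reaches 19G even though the task name says "bigger than 18G". Since the comment gives 18.49G as the expected value, matching the leading digits is tighter, for example `- "result_pv_size.stdout is search('(^|[^0-9.])18(\\.[0-9]+)?[gG]')"`. That pattern assumes the size is printed with a unit suffix, which cannot be confirmed here because the task that registers `result_pv_size` is outside the hunk. The `'7.8G'` check in the `@@ -324,7 +346,28 @@` hunk is already specific enough.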
@@ -997,12 +1040,33 @@ - name: failed count + 1 set_fact: failed_counter: "{{ failed_counter | int + 1 }}" - when: fdo_credential == "true" + when: + - fdo_credential == "true" + - image_type == "redhat" - name: check fdo-client-linuxapp logs command: journalctl -u fdo-client-linuxapp register: result_fdo_client_linuxapp_journalctl - when: fdo_credential == "true" + when: + - fdo_credential == "true" + + - name: wait for FDO re-encryption + block: + - shell: cryptsetup luksDump /dev/vda3 + register: result + until: not result.stdout_lines is search("cipher_null-ecb") + retries: 30 + delay: 60 + always: + - set_fact: + total_counter: "{{ total_counter | int + 1 }}" + rescue: + - name: failed count + 1 + set_fact: + failed_counter: "{{ failed_counter | int + 1 }}" + when: + - fdo_credential == "true" + - image_type == "fedora" - debug: var: result_fdo_client_linuxapp_journalctl @@ -1030,6 +1094,7 @@ failed_counter: "{{ failed_counter | int + 1 }}" when: - fdo_credential == "true" + - image_type == "redhat" - (ansible_facts['distribution_version'] is version('9.4', '>=')) or (ansible_facts['distribution_version'] is version('9', '==')) # case: checking firewall customizations
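Review bot: The `wait for FDO re-encryption` task in the `@@ -997,12 +1040,33 @@` hunk treats re-encryption as finished as soon as `cipher_null-ecb` is absent from the `luksDump` output, which an empty or failed dump satisfies just as well as a re-encrypted volume. I would write the condition as `until: result.rc == 0 and result.stdout is not search("cipher_null-ecb")` so that only a successful dump can end the loop. `result.stdout` is also the better operand than `result.stdout_lines`, which is a list and is matched only through its string form, and `command:` is sufficient because no shell feature is used. The device `/dev/vda3` repeats the label the shell script sets, so passing it in with `-e` would keep the two together.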