Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

System tests: new system-df and passwd tests #7151

Merged
merged 1 commit into from
Jul 30, 2020
Merged

System tests: new system-df and passwd tests #7151

merged 1 commit into from
Jul 30, 2020

Conversation

edsantiago
Copy link
Member

Signed-off-by: Ed Santiago [email protected]

@edsantiago
Copy link
Member Author

Tested the modifiable-passwd test against 77fb3d2 (commit before #6991 merged); confirmed that the new test fails with:

adduser: warning: can't create backup copy '/etc/passwd-': Cross-device link
adduser: Resource busy

@edsantiago
Copy link
Member Author

I have a sinking feeling that this is related to CVE-2020-10713 and, sigh, I kind of bet all our CI is going to start failing:

[+0030s] Setting up grub-efi-amd64-signed (1.142.3+2.04-1ubuntu26.1) ...
[+0031s] mount: /var/lib/grub/esp: special device /dev/disk/by-id/google-persistent-disk-0-part15 does not exist.
[+0031s] dpkg: error processing package grub-efi-amd64-signed (--configure):
[+0031s]  installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 32
[+0031s] Processing triggers for systemd (245.4-4ubuntu3.2) ...
[+0031s] Processing triggers for man-db (2.9.1-1) ...
[+0033s] Processing triggers for install-info (6.7.0.dfsg.2-5) ...
[+0033s] Processing triggers for libc-bin (2.31-0ubuntu9) ...
[+0034s] Errors were encountered while processing:
[+0034s]  grub-efi-amd64-signed
[+0035s] E: Sub-process /usr/bin/dpkg returned an error code (1)
[+0035s] .
[+0035s] setup_environment.sh exit status: 100

@mheon
Copy link
Member

mheon commented Jul 29, 2020

LGTM

@rhatdan
Copy link
Member

rhatdan commented Jul 30, 2020

/lgtm
/hold
/approve

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 30, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 30, 2020
@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: edsantiago, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 30, 2020
@edsantiago
System tests: new system-df and passwd tests
84f4b87 
 - New test for containers#6991 - passwd file is writable even when
   run with --userns=keep-id

 - Enable another keep-id test, commented out due to containers#6593

 - New test for podman system df

Also, independently, removed this line:

   apt-get -y upgrade conmon

...because it's causing CI failures, probably because of the
boothole CVE, probably because the Ubuntu grub update was
rushed out. I believe it is safe to remove this, because
both Ubuntu 19 and 20 report:

   conmon is already the newest version (2.0.18~1).

Signed-off-by: Ed Santiago <[email protected]>
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Jul 30, 2020
@edsantiago
Copy link
Member Author

This now includes a fix for the Ubuntu upgrade problem. (Maybe "fix" is too strong a word, but anyway, CI is passing and should pass on any PRs rebased on this)

@TomSweeneyRedHat
Copy link
Member

LGTM
and happy green test buttons. @mheon, want to do the honors?

@mheon
Copy link
Member

mheon commented Jul 30, 2020

/lgtm
/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 30, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 30, 2020
@openshift-merge-robot openshift-merge-robot merged commit 05b3e0e into containers:master Jul 30, 2020
@cevich
Copy link
Member

cevich commented Jul 30, 2020

@edsantiago I think the CVE you found is a red-herring, or has since been fixed by a new package. The device not being available is odd, I'm not that worried about this because:

  1. Installing updates at runtime is generally a bad idea for runtime stability - partially remove here, fully removed in Cirrus: Add python packages to images #7138
  2. Runtime issues affecting boot will probably never impact our testing (reboots during testing unlikely to ever be supported or needed)
  3. Building new VM images in Cirrus: Add python packages to images #7138 did not hit this issue (thankfully) - The VMs are effectively rebooted between the test_build..._task and verify_test_built..._task. A partitioning/boot problem would have shown up there.

On a fresh #7138 Chewbuntu 20 VM I see the same (1.142.3+2.04-1ubuntu26.1)package is installed, but perhaps more importantly I can see the partition:

root@cevich-ubuntu-20-podman-6530021898584064:/# dpkg -l grub-efi-amd64-signed
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version                  Architecture Description
+++-=====================-========================-============-===============================================================
ii  grub-efi-amd64-signed 1.142.3+2.04-1ubuntu26.1 amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)

root@cevich-ubuntu-20-podman-6530021898584064:/# ls -la /dev/disk/by-id/google-persistent-disk-0-part15
lrwxrwxrwx 1 root root 11 Jul 30 16:03 /dev/disk/by-id/google-persistent-disk-0-part15 -> ../../sda15

So I think we'll be okay once my PR merges, but thanks for bringing the issue to me for a closer look.

@edsantiago
Copy link
Member Author

@cevich thanks, I'm not worried about this one. I have to assume that Ubuntu botched their grub CVE fix, then corrected that situation with a followup package. The fix I pushed here (removing the apt command) is just added safety.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jwhonce jwhonce Awaiting requested review from jwhonce

@umohnani8 umohnani8 Awaiting requested review from umohnani8

Assignees

@rhatdan rhatdan

@mheon mheon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@edsantiago @mheon @rhatdan @openshift-ci-robot @TomSweeneyRedHat @cevich @openshift-merge-robot