check /sysroot permission
yih-redhat authored and runcom committed Oct 17, 2022
1 parent 8eb80e1 commit 3c8ae48
Showing 3 changed files with 34 additions and 13 deletions.
6 changes: 3 additions & 3 deletions test/cases/ostree-raw-image.sh
@@ -489,7 +489,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type="${OSTREE_OSNAME}" -e ostree_commit="${INSTALL_HASH}" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type="${OSTREE_OSNAME}" -e edge_type=edge-raw-image -e ostree_commit="${INSTALL_HASH}" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

# Clean up BIOS VM
@@ -572,7 +572,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type="${OSTREE_OSNAME}" -e ostree_commit="${INSTALL_HASH}" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type="${OSTREE_OSNAME}" -e edge_type=edge-raw-image -e ostree_commit="${INSTALL_HASH}" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

##################################################################
@@ -726,7 +726,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type="${OSTREE_OSNAME}" -e ostree_commit="${UPGRADE_HASH}" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type="${OSTREE_OSNAME}" -e edge_type=edge-raw-image -e ostree_commit="${UPGRADE_HASH}" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

# Final success clean up
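Review bot: The literal `edge-raw-image` is repeated in all three `ansible-playbook` calls in this file (and `edge-simplified-installer` in four calls in test/cases/ostree-simplified-installer.sh), while check_ostree.yaml compares it as an exact string. Setting it once near the top of the script, e.g. `EDGE_TYPE=edge-raw-image`, and passing `-e edge_type="${EDGE_TYPE}"` would keep the call sites from drifting apart, and it matches the quoting already used for the other `-e` values on the same line. The surrounding script sections start and end outside these hunks.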
8 changes: 4 additions & 4 deletions test/cases/ostree-simplified-installer.sh
@@ -510,7 +510,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${INSTALL_HASH}" -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${INSTALL_HASH}" -e edge_type=edge-simplified-installer -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

# Clean up BIOS VM
@@ -630,7 +630,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${INSTALL_HASH}" -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${INSTALL_HASH}" -e edge_type=edge-simplified-installer -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

# Clean up BIOS VM
@@ -751,7 +751,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${INSTALL_HASH}" -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${INSTALL_HASH}" -e edge_type=edge-simplified-installer -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

########################
@@ -885,7 +885,7 @@ ansible_become_pass=${EDGE_USER_PASSWORD}
EOF

# Test IoT/Edge OS
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${UPGRADE_HASH}" -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
sudo ansible-playbook -v -i "${TEMPDIR}"/inventory -e image_type=redhat -e ostree_commit="${UPGRADE_HASH}" -e edge_type=edge-simplified-installer -e fdo_credential="true" /usr/share/tests/osbuild-composer/ansible/check_ostree.yaml || RESULTS=0
check_result

# Final success clean up
33 changes: 27 additions & 6 deletions test/data/ansible/check_ostree.yaml
@@ -5,6 +5,7 @@
workspace: "{{ lookup('env', 'WORKSPACE') }}"
skip_rollback_test: "false"
fdo_credential: "false"
edge_type: "none"
embeded_container: "false"
total_counter: "0"
failed_counter: "0"
@@ -236,7 +237,28 @@
shell: findmnt -r -o OPTIONS -n /sysroot | awk -F "," '{print $1}'
register: result_sysroot_mount_status

- name: /sysroot should be mount with rw permission
# https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
# There are three checks here for /sysroot permission based on pr https://github.com/osbuild/osbuild-composer/pull/3053
# 1. for edge-commit and edge-installer, check ro when fedora >= 37
# 2. for edge-commit and edge-installer, check rw for other os.
# 3. for edge-simplified-installer and edge-raw-image, check ro for all os.
- name: /sysroot should be mount with ro permission for edge-commit and edge-installer on Fedora >= 37
block:
- assert:
that:
- result_sysroot_mount_status.stdout == "ro"
fail_msg: "/sysroot is not mounted with ro permission"
success_msg: "/sysroot is mounted with ro permission"
always:
- set_fact:
total_counter: "{{ total_counter | int + 1 }}"
rescue:
- name: failed count + 1
set_fact:
failed_counter: "{{ failed_counter | int + 1 }}"
when: (edge_type == "none") and (ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '>='))

- name: /sysroot should be mount with rw permission for edge-commit and edge-installer on all OS except Fedora >= 37
block:
- assert:
that:
@@ -250,11 +272,10 @@
- name: failed count + 1
set_fact:
failed_counter: "{{ failed_counter | int + 1 }}"
when: (ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
(ansible_facts['distribution'] == 'CentOS') or (ansible_facts['distribution'] == 'RedHat')
when: (edge_type == "none") and ((ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
(ansible_facts['distribution'] == 'CentOS') or (ansible_facts['distribution'] == 'RedHat'))

# https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
- name: /sysroot should be mount with ro permission since Fedora 37
- name: /sysroot should be mount with ro permission for edge-simplified-installer and edge-raw-image
block:
- assert:
that:
@@ -268,7 +289,7 @@
- name: failed count + 1
set_fact:
failed_counter: "{{ failed_counter | int + 1 }}"
when: ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '>=')
when: edge_type == "edge-simplified-installer" or edge_type == "edge-raw-image"

# case: check /var mount point
- name: check /var mount point
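Review bot: An `edge_type` value other than `none`, `edge-simplified-installer` or `edge-raw-image` matches none of the three `when:` conditions on the /sysroot blocks, so the mount check appears to be skipped without changing `total_counter` or `failed_counter`, and the run would look the same as a pass. Because the value arrives as a free-form `-e edge_type=...` string from the shell callers, a typo there would quietly drop the read-only /sysroot verification. I would add a guard task before these blocks, `- assert: { that: "edge_type in ['none', 'edge-simplified-installer', 'edge-raw-image']", fail_msg: "unknown edge_type" }`, and a comment on the new default, `# "none" = edge-commit / edge-installer callers that do not pass edge_type`. The rw block and the final ro block continue in lines collapsed out of this view, so their assertions were not checked here.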
