Re-enable CI on C9S

RedHat-SP-Security · Oct 24, 2024 · f8bbfed · f8bbfed
1 parent e3117dd
commit f8bbfed
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 38 deletions.
diff --git a/.packit.yaml b/.packit.yaml
@@ -7,6 +7,7 @@ jobs:
     #- fedora-branched
     - fedora-all
     - centos-stream-10-x86_64
+    - centos-stream-9-x86_64
   skip_build: true
   tf_extra_params:
     environments:

diff --git a/functional/durable-attestion-sanity-on-localhost/test.sh b/functional/durable-attestion-sanity-on-localhost/test.sh
@@ -60,7 +60,7 @@ rlJournalStart
         rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 
         # create refstat from fake binary_bios_measurements
-        rlRun "python3 /usr/share/keylime/scripts/create_mb_refstate /var/tmp/binary_bios_measurements mb_refstate.txt"
+        rlRun "/usr/share/keylime/scripts/create_mb_refstate /var/tmp/binary_bios_measurements mb_refstate.txt"
 
         # create allowlist and excludelist
         TESTDIR=$(limeCreateTestDir)

diff --git a/functional/measured-boot-policy-sanity/test.sh b/functional/measured-boot-policy-sanity/test.sh
@@ -58,7 +58,7 @@ rlJournalStart
 
     rlPhaseStartTest "Add agent with tpm_policy generated by create_mb_refstate script"
         # use installed create_mb_refstate from /usr/share/keylime/scripts
-        rlRun "python3 /usr/share/keylime/scripts/create_mb_refstate $NO_SB_PARAM /sys/kernel/security/tpm0/binary_bios_measurements mb_refstate2.txt"
+        rlRun "/usr/share/keylime/scripts/create_mb_refstate $NO_SB_PARAM /sys/kernel/security/tpm0/binary_bios_measurements mb_refstate2.txt"
         rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb_refstate mb_refstate2.txt"
         rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
         rlRun -s "keylime_tenant -c cvlist"

diff --git a/functional/measured-boot-swtpm-sanity/test.sh b/functional/measured-boot-swtpm-sanity/test.sh
@@ -78,7 +78,7 @@ rlJournalStart
 
     rlPhaseStartTest "Add agent with tpm_policy generated by create_mb_refstate script and incorrect PCR banks"
         # use installed create_mb_refstate from /usr/share/keylime/scripts
-        rlRun "python3 /usr/share/keylime/scripts/create_mb_refstate /var/tmp/binary_bios_measurements mb_refstate2.txt"
+        rlRun "/usr/share/keylime/scripts/create_mb_refstate /var/tmp/binary_bios_measurements mb_refstate2.txt"
         #rlRun "tsseventextend -tpm -if /var/tmp/binary_bios_measurements"
         rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt" 1
         rlRun "limeWaitForAgentStatus $AGENT_ID 'Tenant Quote Failed'"

diff --git a/plans/upstream-keylime-all-tests.fmf b/plans/upstream-keylime-all-tests.fmf
@@ -46,15 +46,15 @@ adjust+:
          - rpm -Uv https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm || true
 
   # discover step adjustments
-  # disable code coverage measurement everywhere except F39 and CS9
-  - when: distro != centos-stream-9 and distro != fedora-39
+  # disable code coverage measurement everywhere except F39 and CS10
+  - when: distro != centos-stream-10 and distro != fedora-39
     discover+:
        test-:
          - /setup/enable_keylime_coverage
          - /setup/generate_coverage_report
 
-  # disable code coverage measurement everywhere except F39 and CS9
-  - when: distro != centos-stream-9 and distro != fedora-39
+  # disable code coverage measurement everywhere except F39 and CS10
+  - when: distro != centos-stream-10 and distro != fedora-39
     environment+:
        KEYLIME_RUST_CODE_COVERAGE: 0
     discover+:

diff --git a/setup/install_upstream_keylime/test.sh b/setup/install_upstream_keylime/test.sh
@@ -10,46 +10,41 @@
 rlJournalStart
 
     rlPhaseStartTest "Install keylime and its dependencies"
-        # remove all install keylime packages
-        rlRun "yum remove -y --noautoremove python3-keylime\* keylime\*"
-        # build and install keylime-99 dummy RPM
-        rlRun -s "rpmbuild -bb keylime.spec"
-        RPMPKG=$( awk '/Wrote:/ { print $2 }' $rlRun_LOG )
-        # replace installed keylime with our newly built dummy package
-        rlRun "rpm -Uvh $RPMPKG"
-        EXTRA_PKGS="python3-lark-parser python3-packaging"
-        # for RHEL8 and CentOS Stream8 configure Sergio's copr repo providing necessary dependencies
-        if rlIsRHEL 8 || rlIsCentOS 8; then
-            rlRun 'cat > /etc/yum.repos.d/keylime.repo <<_EOF
-[copr:copr.fedorainfracloud.org:scorreia:keylime]
-name=Copr repo for keylime owned by scorreia
-baseurl=https://download.copr.fedorainfracloud.org/results/scorreia/keylime/centos-stream-\$releasever-\$basearch/
-type=rpm-md
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://download.copr.fedorainfracloud.org/results/scorreia/keylime/pubkey.gpg
-repo_gpgcheck=0
-enabled=1
-enabled_metadata=1
-priority=999
-_EOF'
-            EXTRA_PKGS="python3-pip"
-            rlIsRHEL '<10' && EXTRA_DNF_ARGS="--enablerepo epel" || EXTRA_DNF_ARGS=""
-            EXTRA_PIP_PKGS="packaging lark-parser typing_extensions"
-        elif rlIsRHEL 9 || rlIsCentOS 9; then
-            EXTRA_PKGS+=" python3-typing-extensions"
+        EXTRA_PKGS="git-core libselinux-python3 patch procps-ng tpm2-abrmd tpm2-tss tpm2-tools rpm-build"
+        PYTHON_PKGS="python3-alembic python3-cryptography python3-gpg python3-jinja2 python3-jsonschema python3-pip python3-psutil python3-pyasn1 python3-pyasn1-modules python3-pyyaml python3-requests python3-sqlalchemy python3-tornado python3-lark-parser python3-packaging"
+        if rlIsRHELLike 9; then
+            EXTRA_PKGS+=" gpgme gcc python3.12-devel libpq-devel"
+            PYTHON_PKGS="python3.12 python3.12-setuptools python3.12-pip python3.12-requests python3.12-pyyaml python3.12-wheel python3-gpg"
+            EXTRA_PIP_PKGS="typing-extensions cryptography packaging pyasn1 pyasn1-modules jinja2 lark jsonschema tornado sqlalchemy psutil alembic pymysql psycopg2"
         elif rlIsFedora 36; then
             EXTRA_PKGS+=" python3-pip"
             EXTRA_PIP_PKGS="typing_extensions"
         fi
-        rlRun "yum -y install git-core libselinux-python3 patch procps-ng python3-alembic python3-cryptography python3-gpg python3-jinja2 python3-jsonschema python3-pip python3-psutil python3-pyasn1 python3-pyasn1-modules python3-pyyaml python3-requests python3-sqlalchemy python3-tornado tpm2-abrmd tpm2-tss tpm2-tools ${EXTRA_PKGS} ${EXTRA_DNF_ARGS}"
+        rlRun "yum -y install ${EXTRA_PKGS} ${PYTHON_PKGS} ${EXTRA_DNF_ARGS}"
         if [ -z "$KEYLIME_TEST_DISABLE_REVOCATION" ] && rlIsFedora; then
             rlRun "yum -y install python3-zmq"
         fi
         # need to install few more pgs from pip
         if [ -n "$EXTRA_PIP_PKGS" ]; then
-            rlRun "pip3 install $EXTRA_PIP_PKGS"
+	    if rlIsRHELLike 9; then
+                rlRun "pip3.12 install $EXTRA_PIP_PKGS"
+	    else
+                rlRun "pip3 install $EXTRA_PIP_PKGS"
+	    fi
         fi
+	# need to fake python3.12-gpg since it cannot be installed
+	if rlIsRHELLike 9; then
+            rlRun "cp -r /usr/lib64/python3.9/site-packages/gpg /usr/lib64/python3.12/site-packages/"
+	    rlRun "find /usr/lib64/python3.12/site-packages/gpg -name __pycache__ -exec rm -rf {} \\;" 0,1
+	    rlRun "mv /usr/lib64/python3.12/site-packages/gpg/_gpgme.cpython-39-x86_64-linux-gnu.so /usr/lib64/python3.12/site-packages/gpg/_gpgme.cpython-312-x86_64-linux-gnu.so"
+	fi
+        # remove all install keylime packages
+        rlRun "yum remove -y --noautoremove python3-keylime\* keylime\*"
+        # build and install keylime-99 dummy RPM
+        rlRun -s "rpmbuild -bb keylime.spec"
+        RPMPKG=$( awk '/Wrote:/ { print $2 }' $rlRun_LOG )
+        # replace installed keylime with our newly built dummy package
+        rlRun "rpm -Uvh $RPMPKG"
         if [ -d /var/tmp/keylime_sources ]; then
             rlLogInfo "Installing keylime from /var/tmp/keylime_sources"
         else
@@ -71,7 +66,11 @@ _EOF'
         [ -d /usr/local/lib/python*/site-packages/keylime-*/keylime/migrations ] && rlRun "rm -rf /usr/local/lib/python*/site-packages/keylime-*/keylime/migrations"
         [ -d /etc/keylime ] && rlRun "mv /etc/keylime /etc/keylime.backup$$" && "rm -rf /etc/keylime"
         rlRun "mkdir -p /etc/keylime && chmod 700 /etc/keylime"
-        rlRun "python3 setup.py install"
+        if rlIsRHELLike 9; then
+            rlRun "python3.12 setup.py install"
+        else
+            rlRun "python3 setup.py install"
+        fi
 
         # create directory structure in /etc/keylime and copy config files there
         for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
@@ -82,6 +81,12 @@ _EOF'
         # install scripts to /usr/share/keylime
         rlRun "mkdir -p /usr/share/keylime"
         rlRun "cp -r scripts /usr/share/keylime/"
+        # update Python version for Python scripts
+        if rlIsRHELLike 9; then
+            for F in $( find /usr/share/keylime/scripts -type f ); do
+                file $F | grep -qi 'python' && rlRun "sed -i '1 s/python3/python3.12/' $F"
+	    done
+        fi
 
         if $INSTALL_SERVICE_FILES; then
             rlRun "cd services; bash installer.sh"