Minimize test images customization #403
Conversation
|
@ansasaki Just FYI for running in CI, probably need to use Dockerfile.upstream.c9s. |
ansasaki
force-pushed
the
generic_container
branch
8 times, most recently
from
8c68425
to
e4bc67b
Compare
container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
Outdated
Show resolved
Hide resolved
ansasaki
force-pushed
the
generic_container
branch
from
e4bc67b
to
772b353
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
Fixed
Show fixed
Hide fixed
container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
Fixed
Show fixed
Hide fixed
container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
Fixed
Show fixed
Hide fixed
container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
Fixed
Show fixed
Hide fixed
ansasaki
force-pushed
the
generic_container
branch
7 times, most recently
from
45cd75c
to
6ae3f5b
Compare
ansasaki
force-pushed
the
generic_container
branch
4 times, most recently
from
9bf261c
to
90a4a58
Compare
ansasaki
changed the title
|
@kkaarreell @Koncpa I think this is ready for review. I removed most of the customization done to the images. The only remaining workaround left was for the issue with the permissions: the agent container is executed by root, and will drop privileges to the internal This workaround is applied to the built image, not on the Dockerfile. Theoretically, we could test the upstream Dockerfiles instead of the ones we created. I'll start working on the other part, where we fetch built images from a registry instead of building from the Dockerfile. |
|
@ansasaki I'm not sure, if won't be needed provide additional changes in keylime server role test repo and also rework your PR. There is used ssh access to container for conecting ansible for preparing keylime roles. It seems that in your PR try to remove all container customization related to ssh. Please correct me if I'm wrong. |
| @@ -2006,12 +2005,7 @@ limeconPrepareImage() { | |||
| ARGS="--volume /var/tmp/keylime_sources:/mnt/keylime_sources:z" | |||
| fi | |||
|
|
|||
| #set up for ssh access | |||
There was a problem hiding this comment.
Probably that should be keep it there regarding to containers for keylime ansible roles testing or rework it.
Yes, I'm trying to remove all customization, including the SSH setup from the test image, because the keylime images won't have that. This way we can use the same tests for the images we build as part of the test (from the dockerfiles) as well as for the images we obtain directly from the registry. If we rely on special setup (e.g. to add SSH access), then it would be difficult to reuse the tests for the images obtained from the registry. If the SSH access is strictly necessary, then we could create an image by adding the SSH setup on a layer on top of the tested image (used as a base image) for the test cases that need SSH. It is not ideal, but at least we could use the keylime images obtained from the registry as well as the test images built as part of the tests. |
|
Understand..Hm for rest of the test images is not necessary to have ssh access, just for systemd image which is use for keylime ansible role tests. Systemd image should have all necessary ssh setup in docker file, but we need somewhere else generate ssh keys which are essential for access and for now it's directly generate in func limeconPrepareImage. There are two options: create new function in lib for generating ssh keys or in every ansible role test generate ssh keys. Probably it would be better to have function for generating ssh keys...WDYT?? @kkaarreell |
|
I think this is fine. As you said, ordinary images do not need ssh access and for the systemd container (that we use for system roles testing) the ssh setup remains in place. So I believe nothing should be missing. We could possibly run system roles tests against Anderson's branch to double check. |
I just realized it won't be possible until we rebase keylime in RHEL since here we are targeting upstream while keylime_server role is for RHEL, i.e. the test code is currently not compatible. |
@kkaarreell But part of the ssh setup on host is removed in this PR, so we neeed to update it. |
I can put back the key generation part, but I think it would be better if either it is conditional, controlled by some environment variable, or in a separate helper function. Otherwise new keys would be generated for each built image, even though they are not used in most of them. |
|
I think that piece can be put into the respective test. |
Minimize test images customization to make possible to easily test other images. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
ansasaki
force-pushed
the
generic_container
branch
from
90a4a58
to
acab93d
Compare
|
Hi @ansasaki , do you plan further updates or can we merge it? |
I think we can merge this. I'll open a separate PR for next changes |
Minimize test images customization to make possible to easily test other images.