Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test upsteam container images #429

Merged
merged 11 commits into from
Aug 24, 2023
Merged

Test upsteam container images #429

merged 11 commits into from
Aug 24, 2023

Conversation

ansasaki
Copy link
Contributor

@ansasaki ansasaki commented Aug 4, 2023
edited
Loading

  • Add a helper function to pull images from a registry.
  • Add a test plan to test upstream container images
  • Use --entrypoint to override the container entrypoint and allow passing arguments to the commands inside the container in limeconRun
  • Allow passing the agent working directory in limeconRunAgent
  • Add a Dockerfile for the revocation webhook in keylime_ipv6_multihost test
  • Avoid the need for python inside the container in keylime_ipv6_multihost by replacing python payload script with shell script

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 4, 2023
View reviewed changes
Library/test-helpers/lib.sh Fixed Show fixed Hide fixed
@ansasaki ansasaki force-pushed the test-images branch 4 times, most recently from d41e660 to 8375ac2 Compare August 9, 2023 10:12
@kkaarreell
Copy link
Collaborator

kkaarreell commented Aug 10, 2023
edited
Loading

I am wondering what's behind those test failure, seems like there was an issue with agent start. Unfortunately, logging for containers is not currently ideal.

EDIT: seems there is in fact something in logs

error: unexpected argument 'keylime_agent' found

Usage: sudo RUST_LOG=keylime_agent=trace ./target/debug/keylime_agent

For more information, try '--help'.

@ansasaki
Copy link
Contributor Author

I am wondering what's behind those test failure, seems like there was an issue with agent start. Unfortunately, logging for containers is not currently ideal.

EDIT: seems there is in fact something in logs

error: unexpected argument 'keylime_agent' found

Usage: sudo RUST_LOG=keylime_agent=trace ./target/debug/keylime_agent

For more information, try '--help'.

I already fixed this locally. For images that already have an entrypoint set, you need to override it, otherwise the trailing commands are provided as arguments.

But I hit another issue: the upstream agent container image does not create an internal keylime user, making it impossible to drop privileges. Either we run as root or we add a keylime user there.

I think it is better to add the keylime user there for now. I'll create a PR and ask for review.

@ansasaki ansasaki force-pushed the test-images branch 2 times, most recently from b3bbb62 to 1ec2ec1 Compare August 10, 2023 17:10
@ansasaki
Copy link
Contributor Author

Added the keylime user via keylime/rust-keylime#635

@ansasaki ansasaki force-pushed the test-images branch 10 times, most recently from 62f6ffa to 959f93e Compare August 15, 2023 17:15
@ansasaki ansasaki force-pushed the test-images branch 3 times, most recently from 4c159b9 to 00e0032 Compare August 16, 2023 12:59
@ansasaki ansasaki force-pushed the test-images branch 2 times, most recently from 97d014d to 5c48481 Compare August 16, 2023 14:45
@ansasaki ansasaki force-pushed the test-images branch 3 times, most recently from bcec874 to 5ba47f5 Compare August 21, 2023 12:33
@ansasaki
Copy link
Contributor Author

/packit retest

@kkaarreell
Copy link
Collaborator

kkaarreell commented Aug 21, 2023
edited
Loading

I am trying to address C9S failure in #450.
Please rebase.

kkaarreell
kkaarreell reviewed Aug 21, 2023
View reviewed changes
container/functional/keylime_agent_container-basic-attestation/test.sh
@@ -8,6 +8,8 @@

[ -n "$AGENT_DOCKERFILE" ] || AGENT_DOCKERFILE=Dockerfile.upstream.c9s

[ -n "$REGISTRY" ] || REGISTRY=quay.io
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we make images configurable through envvars as well?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now I can see we do configure it through envvars, it's just not clearly visible in the test. What about adding a comment to the top?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll try to make it clear.

kkaarreell
kkaarreell approved these changes Aug 21, 2023
View reviewed changes
Copy link
Collaborator

@kkaarreell kkaarreell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the update. Looks good, I would just consider adding a comment to a test mentioning which images can be defined using envvars from the outside.

@kkaarreell
Copy link
Collaborator

@Koncpa please take a look at it as it introduces some new functions and concepts.

@kkaarreell kkaarreell requested a review from Koncpa August 21, 2023 21:05
@Koncpa
Copy link
Collaborator

Koncpa commented Aug 22, 2023

@Koncpa please take a look at it as it introduces some new functions and concepts.

Sure, I'll take a look.

Koncpa
Koncpa reviewed Aug 22, 2023
View reviewed changes
Library/test-helpers/lib.sh Outdated Show resolved Hide resolved
@ansasaki
Use --entrypoint to override image entrypoint in podman run
27978a7 
This makes it possible to run using the same command line regardless of
the image having an entrypoint set or not.

Also, allow passing arguments to the command inside the container

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Add helper function limeconPullImage
6d42c35 
The helper function limeconPullImage will pull an image from a remote
registry and optionally tag it with a name and tag locally.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@Koncpa
Copy link
Collaborator

Koncpa commented Aug 22, 2023

Just one nitpick, but otherwise LGTM! Thank you.

@ansasaki
Test with verifier and registrar images from registry
5116eb7 
Enable container tests to run against images obtained from registries
instead of built locally.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Add plan to test upstream containers
421abe5 
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Test upstream agent image
317296f 
Modify containers test plan to test using images from upstream registry
for the verifier, registrar, and agent.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Library: Expand Dockerfile path only if not found
685e09f 
If a Dockerfile for any component is provided via environment variable,
check if it exists and, only if not found, try to find in
limeLibraryDir.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Library: Use entrypoint to chown certificate dir for agent
677e5e9 
Use --entrypoint to override the image entrypoint in case it has an
entrypoint set.

The agent needs the certificate directory to be accessible by the
internal 'keylime' user in order to drop privileges inside the
container.  For this, it is necessary for the files owner uid to match
the internal 'keylime' uid.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Library: Allow passing working directory for agent container
bb58119 
The agent will store data in /var/lib/keylime which needs to be
accessible by the unprivileged user in the container.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Avoid the need for python inside the agent container
7dc8e00 
Replace the python payload action with a shell payload action to avoid
the need for python inside the agent container.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Create container for revocation webhook.
c54cf72 
Use a separate container for the revocation webhook.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@ansasaki
Fix ShellCheck finding
d317897 
Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
@kkaarreell kkaarreell merged commit 4723530 into RedHat-SP-Security:main Aug 24, 2023
6 checks passed
@ansasaki ansasaki deleted the test-images branch August 24, 2023 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Koncpa Koncpa Koncpa left review comments

@kkaarreell kkaarreell kkaarreell approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ansasaki @kkaarreell @Koncpa