From 515c3a2f2441e101f8b5928a062de84cd8fc6074 Mon Sep 17 00:00:00 2001
From: apatard <apatard@hupstream.com>
Date: Wed, 22 Jul 2020 07:12:35 +0200
Subject: [PATCH] tools/test-setup.sh: Add workaround for CI failures on CentOS
 and fix Ubuntu support (#39)

* tools/test-setup.sh: Add workaround for CI failures on CentOS 8.2

The libssl bundled with vagrant is not compatible with the one coming
from CentOS 8.2, leading to failures like:

/opt/vagrant/embedded/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require': /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b

The details seems to be that CentOS has backported some newer OpenSSL functions
(eg EVP_KDF_ctrl) and patched krb5 to use them. Which means that there's no
way that /lib64/libk5crypto.so.3 works with vagrant bundled OpenSSL.

This should be probably fixed on vagrant rpm side, but for now rebuild krb5
to workaround the issue.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: Try to fix dnf cache error in CI

dnf download (as user) failed in zuul with error:
+ dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs
enabling AppStream-source repository
enabling extras-source repository
enabling epel-modular-source repository
[Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json'

This more or less looks like https://bugzilla.redhat.com/show_bug.cgi?id=1636909 but modifying/changing
dnf is obviously not an option so try using 'dnf makecache' to workaround the issue.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: Fix spelling error

Codecheck lint check found this spelling error, so fix it.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: Download krb5-libs as root

Previous commit was not enough to solve the permission issue and
I've yet to reproduce it with the official CentOS 8.2 vagrant libvirt
box. As an other possible solution, use sudo to download the .src.rpm.
It's working since the test user only needs to be able to read the
.src.rpm.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* bindep.txt: Fix support for dpkg platforms

- remove "build-dep" dependency as it doesn't exist.
  Replace it with build-essential, even if the idea was probably to
  use "apt-get build-dep vagrant ruby-libvirt" as it the vagrant-libvirt doc
- Install python3/python3-dev
- Install qemu-system/qemu-utils.

This has been tested on debian 10 (with Debian's official vagrant
and vagrant-libvirt package) and on Xenial with hashicorp debian
package and manually installed vagrant-libvirt.

The only remaining possible test to do would be to try installing
vagrant-libvirt manually and using the offician Debian/Ubuntu vagrant
packages but I'm not sure it's a case needed for now.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: Fix on apt-get/dpkg platforms

- don't use rpm on Debian distribution family
- detect apt-get on Debian distribution family.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: fixes for Ubuntu Xenial

- the workaround for https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588004
doesn't seem to be needed anymore
- Xenial has a too old version of vagrant, leading to failure with alpine
  boxes (missing trigger support), so remove vagrant in this case and use Hashicorp
  debian package.

Since this commit is adding a 3rd hack for vagrant setup, I've used a 'case'
relying on /etc/os-release to detect the distribution name and then detect the
distribution version. Unfortunately, doesn't work with the case of centos 8.2
since the version is 8 so the test on /etc/centos-release remains.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: Fix vagrant command line

The usermod command line is run on the same session as the one running
vagrant. This means that the current user is not in the libvirt group
when vagrant is called. It should be failing, as in Xenial, but the
libvirt socket rights are 0777 on Debian buster / Centos 8 / Fedora 31
which means that the bug was not noticed before.

Since I don't want to use exec -l (in order to get the "vagrant destroy -f"
command), I've choosen to use "sudo su -l "$(whoami)" -c " instead. Not
really nice but works.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* tools/test-setup.sh: Make sure we're in $HOME/rpmbuild/SOURCES

While the workaround for centos 8.2 issue CI is working fine locally,
it fails on Zuul with:
error: Bad source: /home/zuul/rpmbuild/SOURCES/krb5-1.17-pdfs.tar: No such file or directory

The issue is not certain, so:
- make sure we're using $HOME/rpmbuild/SOURCES to extract and build kbr5
- make cpio verbose.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>

* bindep.txt: Install make on CentOS 8

While trying to get a test setup near to the zuul CI, it seems that
make is installed here but not in Zuul, so add it to the bindep.txt
file, as done for CentOS 7.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>
---
 bindep.txt          | 12 ++++---
 tools/test-setup.sh | 82 ++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 76 insertions(+), 18 deletions(-)

diff --git a/bindep.txt b/bindep.txt
index 37ca1a8..177de44 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -1,7 +1,7 @@
 # This is a cross-platform list tracking distribution packages needed by tests;
 # see https://docs.openstack.org/infra/bindep/ for additional information.
 
-build-dep [platform:dpkg]
+build-essential [platform:dpkg]
 dnsmasq-base [platform:dpkg]
 ebtables [platform:dpkg]
 gcc [test platform:rpm]
@@ -16,15 +16,17 @@ libvirt-dev [platform:dpkg]
 libvirt-devel [platform:rpm]
 libxml2-dev [platform:dpkg]
 libxslt-dev [platform:dpkg]
-make [platform:centos-7]
+make [platform:centos-7 platform:centos-8]
 pkg-config [platform:dpkg]
-python3 [test platform:rpm !platform:centos-7]
+python3 [test platform:dpkg platform:rpm !platform:centos-7]
 python3-devel [test platform:rpm !platform:centos-7]
+python3-dev [test platform:dpkg]
 python3-libselinux [test platform:rpm !platform:centos-7]
 python3-libvirt [test platform:rpm !platform:centos-7 platform:dpkg]
 python3-netifaces [test !platform:centos-7 platform:rpm]
-python36 [test !platform:centos-7 !platform:fedora-28]
-qemu [platform:dpkg]
+python36 [test !platform:dpkg !platform:centos-7 !platform:fedora-28]
+qemu-system [platform:dpkg]
+qemu-utils [platform:dpkg]
 qemu-kvm [platform:rpm]
 ruby-dev [platform:dpkg]
 ruby-devel [!platform:centos-7 !platform:centos-8 platform:rpm]
diff --git a/tools/test-setup.sh b/tools/test-setup.sh
index bc9e0ca..08fc94f 100755
--- a/tools/test-setup.sh
+++ b/tools/test-setup.sh
@@ -16,13 +16,11 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 command -v python3 python
 
 PYTHON=$(command -v python3 python|head -n1)
-PKG_CMD=$(command -v dnf yum|head -n1)
+PKG_CMD=$(command -v dnf yum apt-get|head -n1)
 
 sudo $PYTHON -m pip install -U tox "zipp<0.6.0;python_version=='2.7'"
 
 # === LIBVIRT SETUP ===
-# https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588004
-sudo rm -f /etc/systemd/libvirtd.service /etc/systemd/system/multi-user.target.wants/libvirt-bin.service || true
 sudo systemctl enable --now libvirtd
 sudo usermod --append --groups libvirt "$(whoami)"
 
@@ -32,15 +30,67 @@ sudo usermod --append --groups libvirt "$(whoami)"
 
 which vagrant || \
     sudo $PKG_CMD install -y vagrant-libvirt || {
-        sudo $PKG_CMD install -y https://releases.hashicorp.com/vagrant/2.2.7/vagrant_2.2.7_x86_64.rpm
+        sudo $PKG_CMD install -y https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.rpm
     }
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1839651
-if [ -f /etc/fedora-release ]; then
-    grep -qi '^fedora.*31' /etc/fedora-release
-    if [ $? -eq 0 ]; then
-        sudo $PKG_CMD upgrade -y --enablerepo=updates-testing --advisory=FEDORA-2020-09c472786c
-    fi
+if [ -f /etc/os-release ]; then
+    source /etc/os-release
+    case "$NAME" in
+        Ubuntu)
+            case "$VERSION_ID" in
+                18.04)
+                    # ubuntu xenial vagrant is too old so it doesn't support triggers, used by the alpine box
+                    sudo apt-get remove --purge -y vagrant
+                    wget https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb
+                    sudo dpkg -i vagrant_2.2.9_x86_64.deb
+                    ;;
+                *)
+                    ;;
+            esac
+            ;;
+        Fedora)
+            case "$VERSION_ID" in
+                31)
+                    # https://bugzilla.redhat.com/show_bug.cgi?id=1839651
+                    sudo $PKG_CMD upgrade -y --enablerepo=updates-testing --advisory=FEDORA-2020-09c472786c
+                    ;;
+                *)
+                    ;;
+            esac
+            ;;
+        CentOS*)
+            # https://github.com/hashicorp/vagrant/issues/11020
+            if grep -qi '^CentOS Linux release 8.2.*' /etc/centos-release ; then
+                # https://bugs.centos.org/view.php?id=17120
+                relver="$(cat /etc/centos-release | awk '{print $4}')"
+                sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e 's,$contentdir/,,g'
+                sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e "s,\$releasever,$relver,g"
+
+                sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc
+                mkdir -p "$HOME/rpmbuild/SOURCES"
+                cd "$HOME/rpmbuild/SOURCES"
+                # download as root to avoid the "error: [Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json'"
+                sudo dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs
+                rpm2cpio krb5-1.17-*.src.rpm | cpio -idv
+                # remove patch making incompatible with the openssl bundled with vagrant
+                sed -i ./krb5.spec -e 's,Patch.*Use-backported-version-of-OpenSSL-3-KDF-interface.patch,,'
+                # depends on previous patch
+                sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post2-DES-3DES-fixups.patch,,'
+                # not sure why but makes the build fail
+                sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch,,'
+                rpmbuild -bp krb5.spec --nodeps
+                cd ../BUILD/krb5-1.17/src
+                # Some flags are missing compared to the spec but these ones seem to be enough
+                export CFLAGS="-I/opt/vagrant/embedded/include/ -fPIC -fno-strict-aliasing -fstack-protector-all"
+                export LDFLAGS=-L/opt/vagrant/embedded/lib64/
+                ./configure --prefix=/opt/vagrant/embedded/
+                make
+                sudo cp -a lib/crypto/libk5crypto.so.3* /opt/vagrant/embedded/lib64/
+            fi
+            ;;
+        *)
+            ;;
+    esac
 fi
 
 vagrant plugin list | grep vagrant-libvirt || {
@@ -55,7 +105,12 @@ vagrant plugin list | grep vagrant-libvirt || {
     vagrant plugin install vagrant-libvirt
 }
 
-rpm -qa | grep libselinux
+if [ -f /etc/debian_version ]; then
+    dpkg -l | grep libselinux
+    [ -x /usr/bin/aa-enabled ] && echo "Apparmor: `/usr/bin/aa-enabled`"
+else
+    rpm -qa | grep libselinux
+fi
 
 vagrant version
 vagrant global-status
@@ -69,5 +124,6 @@ vagrant plugin list | tee >(grep -q "No plugins installed." && {
 # we will use during testing.
 cd $DIR
 
-vagrant up --no-provision
-vagrant destroy -f
+# sudo su: dirty hack to make sure that usermod change has been taken into account
+sudo su -l "$(whoami)" -c "cd $(pwd) && vagrant up --no-provision"
+sudo su -l "$(whoami)" -c "cd $(pwd) && vagrant destroy -f"