From d935d8b9b94d9c495dc3a8e4035fbc03c03115b0 Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Mon, 29 Jun 2020 18:37:08 +0200 Subject: [PATCH 01/10] tools/test-setup.sh: Add workaround for CI failures on CentOS 8.2 The libssl bundled with vagrant is not compatible with the one coming from CentOS 8.2, leading to failures like: /opt/vagrant/embedded/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require': /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b The details seems to be that CentOS has backported some newer OpenSSL functions (eg EVP_KDF_ctrl) and patched krb5 to use them. Which means that there's no way that /lib64/libk5crypto.so.3 works with vagrant bundled OpenSSL. This should be probably fixed on vagrant rpm side, but for now rebuild krb5 to workaround the issue. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index bc9e0ca..8f3b0b6 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -32,7 +32,7 @@ sudo usermod --append --groups libvirt "$(whoami)" which vagrant || \ sudo $PKG_CMD install -y vagrant-libvirt || { - sudo $PKG_CMD install -y https://releases.hashicorp.com/vagrant/2.2.7/vagrant_2.2.7_x86_64.rpm + sudo $PKG_CMD install -y https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.rpm } # https://bugzilla.redhat.com/show_bug.cgi?id=1839651 
@@ -43,6 +43,37 @@ if [ -f /etc/fedora-release ]; then fi fi +# https://github.com/hashicorp/vagrant/issues/11020 +if [ -f /etc/centos-release ]; then + grep -qi '^CentOS Linux release 8.2.*' /etc/centos-release + if [ $? -eq 0 ]; then + # https://bugs.centos.org/view.php?id=17120 + relver="$(cat /etc/centos-release | awk '{print $4}')" + sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e 's,$contentdir/,,g' + sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e "s,\$releasever,$relver,g" + + sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc + mkdir -p rpmbuild/SOURCES + cd rpmbuild/SOURCES + dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs + rpm2cpio krb5-1.17-*.src.rpm | cpio -id + # remove patch making incompatible with the openssl bundled with vagrant + sed -i ./krb5.spec -e 's,Patch.*Use-backported-version-of-OpenSSL-3-KDF-interface.patch,,' + # depends on previous patch + sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post2-DES-3DES-fixups.patch,,' + # not sure why but makes the build fail + sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch,,' + rpmbuild -bp krb5.spec --nodeps + cd ../BUILD/krb5-1.17/src + # Some flags are missing compared to the spec but theses ones seem to be enough + export CFLAGS="-I/opt/vagrant/embedded/include/ -fPIC -fno-strict-aliasing -fstack-protector-all" + export LDFLAGS=-L/opt/vagrant/embedded/lib64/ + ./configure --prefix=/opt/vagrant/embedded/ + make + sudo cp -a lib/crypto/libk5crypto.so.3* /opt/vagrant/embedded/lib64/ + fi +fi + vagrant plugin list | grep vagrant-libvirt || { export CONFIGURE_ARGS="with-libvirt-include=/usr/include/libvirt with-libvirt-lib=/usr/lib64" if [ -x /opt/vagrant/bin/vagrant ]; then From fdd702d02074911dc1b5984863ec34e3521e5beb Mon Sep 17 00:00:00 2001 
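Review bot: Every step of the krb5 rebuild in the added CentOS 8.2 block runs unchecked, yet its last line copies the result as root into `/opt/vagrant/embedded/lib64/`; whether `set -e` is active is not visible in this hunk. If it is not, a failed `cd rpmbuild/SOURCES`, `dnf download` or `make` lets the later `sed -i`, `./configure` and `sudo cp -a` run in the wrong directory or on stale output, so guard the steps, e.g. `cd rpmbuild/SOURCES || exit 1` and `make || exit 1`. The source package is also unpacked with no visible signature check; `rpm -K krb5-1.17-*.src.rpm || exit 1` before `rpm2cpio` would cover that if `dnf download` does not verify it. Because the resulting libk5crypto drops three distro patches (including the FIPS one) and uses only part of the spec's flags, a comment such as `# CI-only: unpatched krb5 crypto for vagrant's embedded OpenSSL, do not reuse outside test nodes` would help. The same unchecked `cd` and build chain is carried into the later hunks of patches 07 and 09.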
From: Arnaud Patard Date: Fri, 3 Jul 2020 10:18:53 +0200 Subject: [PATCH 02/10] tools/test-setup.sh: Try to fix dnf cache error in CI dnf download (as user) failed in zuul with error: + dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs enabling AppStream-source repository enabling extras-source repository enabling epel-modular-source repository [Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json' This more or less looks like https://bugzilla.redhat.com/show_bug.cgi?id=1636909 but modifying/changing dnf is obviously not an option so try using 'dnf makecache' to workaround the issue. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index 8f3b0b6..7278d05 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -51,6 +51,8 @@ if [ -f /etc/centos-release ]; then relver="$(cat /etc/centos-release | awk '{print $4}')" sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e 's,$contentdir/,,g' sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e "s,\$releasever,$relver,g" + # Should avoid the "error: [Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json'" + sudo dnf makecache sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc mkdir -p rpmbuild/SOURCES From c96bd2299e133843bade50753bd2af99c16755ee Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Fri, 3 Jul 2020 10:21:25 +0200 Subject: [PATCH 03/10] tools/test-setup.sh: Fix spelling error Codecheck lint check found this spelling error, so fix it. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index 7278d05..df84dbd 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh 
@@ -67,7 +67,7 @@ if [ -f /etc/centos-release ]; then sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch,,' rpmbuild -bp krb5.spec --nodeps cd ../BUILD/krb5-1.17/src - # Some flags are missing compared to the spec but theses ones seem to be enough + # Some flags are missing compared to the spec but these ones seem to be enough export CFLAGS="-I/opt/vagrant/embedded/include/ -fPIC -fno-strict-aliasing -fstack-protector-all" export LDFLAGS=-L/opt/vagrant/embedded/lib64/ ./configure --prefix=/opt/vagrant/embedded/ From cff9e2a52fc975c9ae3f7ba0c2753270ec4f8208 Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Fri, 3 Jul 2020 10:43:08 +0200 Subject: [PATCH 04/10] tools/test-setup.sh: Download krb5-libs as root Previous commit was not enough to solve the permission issue and I've yet to reproduce it with the official CentOS 8.2 vagrant libvirt box. As an other possible solution, use sudo to download the .src.rpm. It's working since the test user only needs to be able to read the .src.rpm. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index df84dbd..c768509 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -57,7 +57,7 @@ if [ -f /etc/centos-release ]; then sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc mkdir -p rpmbuild/SOURCES cd rpmbuild/SOURCES - dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs + sudo dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs rpm2cpio krb5-1.17-*.src.rpm | cpio -id # remove patch making incompatible with the openssl bundled with vagrant sed -i ./krb5.spec -e 's,Patch.*Use-backported-version-of-OpenSSL-3-KDF-interface.patch,,' From d6abc130d3cf2e1d802b2317e86f1d063fa0e32b Mon Sep 17 00:00:00 2001 
From: Arnaud Patard Date: Fri, 3 Jul 2020 17:59:30 +0200 Subject: [PATCH 05/10] bindep.txt: Fix support for dpkg platforms - remove "build-dep" dependency as it doesn't exist. Replace it with build-essential, even if the idea was probably to use "apt-get build-dep vagrant ruby-libvirt" as it the vagrant-libvirt doc - Install python3/python3-dev - Install qemu-system/qemu-utils. This has been tested on debian 10 (with Debian's official vagrant and vagrant-libvirt package) and on Xenial with hashicorp debian package and manually installed vagrant-libvirt. The only remaining possible test to do would be to try installing vagrant-libvirt manually and using the offician Debian/Ubuntu vagrant packages but I'm not sure it's a case needed for now. Signed-off-by: Arnaud Patard --- bindep.txt | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/bindep.txt b/bindep.txt index 37ca1a8..6b0b22b 100644 --- a/bindep.txt +++ b/bindep.txt @@ -1,7 +1,7 @@ # This is a cross-platform list tracking distribution packages needed by tests; # see https://docs.openstack.org/infra/bindep/ for additional information. -build-dep [platform:dpkg] +build-essential [platform:dpkg] dnsmasq-base [platform:dpkg] ebtables [platform:dpkg] gcc [test platform:rpm] 
@@ -18,13 +18,15 @@ libxml2-dev [platform:dpkg] libxslt-dev [platform:dpkg] make [platform:centos-7] pkg-config [platform:dpkg] -python3 [test platform:rpm !platform:centos-7] +python3 [test platform:dpkg platform:rpm !platform:centos-7] python3-devel [test platform:rpm !platform:centos-7] +python3-dev [test platform:dpkg] python3-libselinux [test platform:rpm !platform:centos-7] python3-libvirt [test platform:rpm !platform:centos-7 platform:dpkg] python3-netifaces [test !platform:centos-7 platform:rpm] -python36 [test !platform:centos-7 !platform:fedora-28] -qemu [platform:dpkg] +python36 [test !platform:dpkg !platform:centos-7 !platform:fedora-28] +qemu-system [platform:dpkg] +qemu-utils [platform:dpkg] qemu-kvm [platform:rpm] ruby-dev [platform:dpkg] ruby-devel [!platform:centos-7 !platform:centos-8 platform:rpm] From 1c6024e0131af62383c42d1c6eb12eff471ad674 Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Fri, 3 Jul 2020 18:07:38 +0200 Subject: [PATCH 06/10] tools/test-setup.sh: Fix on apt-get/dpkg platforms - don't use rpm on Debian distribution family - detect apt-get on Debian distribution family. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index c768509..290e4a1 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -16,7 +16,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" command -v python3 python PYTHON=$(command -v python3 python|head -n1) -PKG_CMD=$(command -v dnf yum|head -n1) +PKG_CMD=$(command -v dnf yum apt-get|head -n1) sudo $PYTHON -m pip install -U tox "zipp<0.6.0;python_version=='2.7'" 
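Review bot: Adding `apt-get` to `PKG_CMD` means the vagrant fallback shown as context elsewhere in this series, `sudo $PKG_CMD install -y https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.rpm`, now becomes an `apt-get install` of an RPM URL on Debian-family hosts whenever `vagrant-libvirt` cannot be installed. That branch should be limited to rpm platforms or pick the package format by platform. `PKG_CMD` is also empty when none of the three tools is found, and the unquoted `sudo $PKG_CMD install -y …` then degrades to `sudo install -y …`. A guard right after the assignment, `[ -n "$PKG_CMD" ] || { echo "no supported package manager found" >&2; exit 1; }`, would fail early instead.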
@@ -88,7 +88,12 @@ vagrant plugin list | grep vagrant-libvirt || { vagrant plugin install vagrant-libvirt } -rpm -qa | grep libselinux +if [ -f /etc/debian_version ]; then + dpkg -l | grep libselinux + [ -x /usr/bin/aa-enabled ] && echo "Apparmor: `/usr/bin/aa-enabled`" +else + rpm -qa | grep libselinux +fi vagrant version vagrant global-status From ca0865e4d101871e923f992a825f60c1c730208f Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Fri, 3 Jul 2020 18:09:08 +0200 Subject: [PATCH 07/10] tools/test-setup.sh: fixes for Ubuntu Xenial - the workaround for https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588004 doesn't seem to be needed anymore - Xenial has a too old version of vagrant, leading to failure with alpine boxes (missing trigger support), so remove vagrant in this case and use Hashicorp debian package. Since this commit is adding a 3rd hack for vagrant setup, I've used a 'case' relying on /etc/os-release to detect the distribution name and then detect the distribution version. Unfortunately, doesn't work with the case of centos 8.2 since the version is 8 so the test on /etc/centos-release remains. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 99 ++++++++++++++++++++++++++------------------- 1 file changed, 58 insertions(+), 41 deletions(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index 290e4a1..5d83b4b 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -21,8 +21,6 @@ PKG_CMD=$(command -v dnf yum apt-get|head -n1) sudo $PYTHON -m pip install -U tox "zipp<0.6.0;python_version=='2.7'" # === LIBVIRT SETUP === -# https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1588004 -sudo rm -f /etc/systemd/libvirtd.service /etc/systemd/system/multi-user.target.wants/libvirt-bin.service || true sudo systemctl enable --now libvirtd sudo usermod --append --groups libvirt "$(whoami)" 
@@ -35,45 +33,64 @@ which vagrant || \ sudo $PKG_CMD install -y https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.rpm } -# https://bugzilla.redhat.com/show_bug.cgi?id=1839651 -if [ -f /etc/fedora-release ]; then - grep -qi '^fedora.*31' /etc/fedora-release - if [ $? -eq 0 ]; then - sudo $PKG_CMD upgrade -y --enablerepo=updates-testing --advisory=FEDORA-2020-09c472786c - fi -fi - -# https://github.com/hashicorp/vagrant/issues/11020 -if [ -f /etc/centos-release ]; then - grep -qi '^CentOS Linux release 8.2.*' /etc/centos-release - if [ $? -eq 0 ]; then - # https://bugs.centos.org/view.php?id=17120 - relver="$(cat /etc/centos-release | awk '{print $4}')" - sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e 's,$contentdir/,,g' - sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e "s,\$releasever,$relver,g" - # Should avoid the "error: [Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json'" - sudo dnf makecache - - sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc - mkdir -p rpmbuild/SOURCES - cd rpmbuild/SOURCES - sudo dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs - rpm2cpio krb5-1.17-*.src.rpm | cpio -id - # remove patch making incompatible with the openssl bundled with vagrant - sed -i ./krb5.spec -e 's,Patch.*Use-backported-version-of-OpenSSL-3-KDF-interface.patch,,' - # depends on previous patch - sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post2-DES-3DES-fixups.patch,,' - # not sure why but makes the build fail - sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch,,' - rpmbuild -bp krb5.spec --nodeps - cd ../BUILD/krb5-1.17/src - # Some flags are missing compared to the spec but these ones seem to be enough - export CFLAGS="-I/opt/vagrant/embedded/include/ -fPIC -fno-strict-aliasing -fstack-protector-all" - export LDFLAGS=-L/opt/vagrant/embedded/lib64/ - ./configure --prefix=/opt/vagrant/embedded/ - make - sudo cp -a 
lib/crypto/libk5crypto.so.3* /opt/vagrant/embedded/lib64/ - fi +if [ -f /etc/os-release ]; then + source /etc/os-release + case "$NAME" in + Ubuntu) + case "$VERSION_ID" in + 18.04) + # ubuntu xenial vagrant is too old so it doesn't support triggers, used by the alpine box + sudo apt-get remove --purge -y vagrant + wget https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb + sudo dpkg -i vagrant_2.2.9_x86_64.deb + ;; + *) + ;; + esac + ;; + Fedora) + case "$VERSION_ID" in + 31) + # https://bugzilla.redhat.com/show_bug.cgi?id=1839651 + sudo $PKG_CMD upgrade -y --enablerepo=updates-testing --advisory=FEDORA-2020-09c472786c + ;; + *) + ;; + esac + ;; + CentOS*) + # https://github.com/hashicorp/vagrant/issues/11020 + if grep -qi '^CentOS Linux release 8.2.*' /etc/centos-release ; then + # https://bugs.centos.org/view.php?id=17120 + relver="$(cat /etc/centos-release | awk '{print $4}')" + sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e 's,$contentdir/,,g' + sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e "s,\$releasever,$relver,g" + + sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc + mkdir -p rpmbuild/SOURCES + cd rpmbuild/SOURCES + # download as root to avoid the "error: [Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json'" + sudo dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs + rpm2cpio krb5-1.17-*.src.rpm | cpio -id + # remove patch making incompatible with the openssl bundled with vagrant + sed -i ./krb5.spec -e 's,Patch.*Use-backported-version-of-OpenSSL-3-KDF-interface.patch,,' + # depends on previous patch + sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post2-DES-3DES-fixups.patch,,' + # not sure why but makes the build fail + sed -i ./krb5.spec -e 's,Patch.*krb5-1.17post6-FIPS-with-PRNG-and-RADIUS-and-MD4.patch,,' + rpmbuild -bp krb5.spec --nodeps + cd ../BUILD/krb5-1.17/src + # Some flags are missing compared to the spec but these ones seem to 
be enough + export CFLAGS="-I/opt/vagrant/embedded/include/ -fPIC -fno-strict-aliasing -fstack-protector-all" + export LDFLAGS=-L/opt/vagrant/embedded/lib64/ + ./configure --prefix=/opt/vagrant/embedded/ + make + sudo cp -a lib/crypto/libk5crypto.so.3* /opt/vagrant/embedded/lib64/ + fi + ;; + *) + ;; + esac fi vagrant plugin list | grep vagrant-libvirt || { From 85ba27dd124f9be90da403e526201a7504b9c23c Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Fri, 3 Jul 2020 18:14:11 +0200 Subject: [PATCH 08/10] tools/test-setup.sh: Fix vagrant command line The usermod command line is run on the same session as the one running vagrant. This means that the current user is not in the libvirt group when vagrant is called. It should be failing, as in Xenial, but the libvirt socket rights are 0777 on Debian buster / Centos 8 / Fedora 31 which means that the bug was not noticed before. Since I don't want to use exec -l (in order to get the "vagrant destroy -f" command), I've choosen to use "sudo su -l "$(whoami)" -c " instead. Not really nice but works. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index 5d83b4b..b4895d8 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -124,5 +124,6 @@ vagrant plugin list | tee >(grep -q "No plugins installed." && { # we will use during testing. cd $DIR -vagrant up --no-provision -vagrant destroy -f +# sudo su: dirty hack to make sure that usermod change has been taken into account +sudo su -l "$(whoami)" -c "cd $(pwd) && vagrant up --no-provision" +sudo su -l "$(whoami)" -c "cd $(pwd) && vagrant destroy -f" From e0bdc50e9ba32bc07711da73fef7fb813ca626b7 Mon Sep 17 00:00:00 2001 
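Review bot: The Ubuntu arm matches `VERSION_ID` `18.04`, but its comment and the commit message name Xenial, which is 16.04 (18.04 is Bionic), so either the pattern or the comment is wrong and it should be confirmed which release needs the replacement. In the same arm, `wget https://releases.hashicorp.com/vagrant/2.2.9/vagrant_2.2.9_x86_64.deb` followed by `sudo dpkg -i` installs a downloaded package as root with no integrity check. HashiCorp publishes a SHA256SUMS file next to each release, so the download can be checked with `sha256sum -c` against a pinned value before `dpkg -i` runs. A failed `wget` is not checked either, and `dpkg -i` would then run after vagrant has already been purged.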
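Review bot: `$(pwd)` is expanded by the outer shell and pasted unquoted into the command string that `su -l … -c` passes to a login shell, so a checkout path containing spaces or shell metacharacters is re-parsed as shell syntax there. Quote it for the inner shell, e.g. `sudo su -l "$(whoami)" -c "cd $(printf '%q' "$PWD") && vagrant up --no-provision"` (the script already depends on bash through `BASH_SOURCE`; this assumes the login shell accepts bash-style quoting), and quote the `cd $DIR` context line as well. If only the new `libvirt` group membership is needed, `sg libvirt -c 'vagrant up --no-provision'` would presumably avoid both sudo and the login shell, but that needs testing on the CI images.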
From: Arnaud Patard Date: Mon, 6 Jul 2020 10:24:29 +0200 Subject: [PATCH 09/10] tools/test-setup.sh: Make sure we're in $HOME/rpmbuild/SOURCES While the workaround for centos 8.2 issue CI is working fine locally, it fails on Zuul with: error: Bad source: /home/zuul/rpmbuild/SOURCES/krb5-1.17-pdfs.tar: No such file or directory The issue is not certain, so: - make sure we're using $HOME/rpmbuild/SOURCES to extract and build kbr5 - make cpio verbose. Signed-off-by: Arnaud Patard --- tools/test-setup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/test-setup.sh b/tools/test-setup.sh index b4895d8..08fc94f 100755 --- a/tools/test-setup.sh +++ b/tools/test-setup.sh @@ -67,11 +67,11 @@ if [ -f /etc/os-release ]; then sudo sed -i /etc/yum.repos.d/CentOS-Sources.repo -e "s,\$releasever,$relver,g" sudo dnf install -y rpm-build autoconf libselinux-devel pam-devel bison byacc - mkdir -p rpmbuild/SOURCES - cd rpmbuild/SOURCES + mkdir -p "$HOME/rpmbuild/SOURCES" + cd "$HOME/rpmbuild/SOURCES" # download as root to avoid the "error: [Errno 13] Permission denied: '/var/cache/dnf/expired_repos.json'" sudo dnf download --enablerepo=BaseOS-source --disablerepo=epel-source --disablerepo=epel --source krb5-libs - rpm2cpio krb5-1.17-*.src.rpm | cpio -id + rpm2cpio krb5-1.17-*.src.rpm | cpio -idv # remove patch making incompatible with the openssl bundled with vagrant sed -i ./krb5.spec -e 's,Patch.*Use-backported-version-of-OpenSSL-3-KDF-interface.patch,,' # depends on previous patch From f244c25e8e9a8114ee32104b24f27ec10f0936ba Mon Sep 17 00:00:00 2001 From: Arnaud Patard Date: Mon, 6 Jul 2020 10:46:58 +0200 Subject: [PATCH 10/10] bindep.txt: Install make on CentOS 8 While trying to get a test setup near to the zuul CI, it seems that make is installed here but not in Zuul, so add it to the bindep.txt file, as done for CentOS 7. Signed-off-by: Arnaud Patard --- bindep.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/bindep.txt b/bindep.txt index 6b0b22b..177de44 100644 --- a/bindep.txt +++ b/bindep.txt @@ -16,7 +16,7 @@ libvirt-dev [platform:dpkg] libvirt-devel [platform:rpm] libxml2-dev [platform:dpkg] libxslt-dev [platform:dpkg] -make [platform:centos-7] +make [platform:centos-7 platform:centos-8] pkg-config [platform:dpkg] python3 [test platform:dpkg platform:rpm !platform:centos-7] python3-devel [test platform:rpm !platform:centos-7]