[runtime-security] Execute runtime security functional tests using Kitchen #6328
Conversation
There was a problem hiding this comment.
LGTM assuming ^TestMkdir$ does what it seems it does and all paths are correct.
Note that until now on kitchen tests we only cared about the OS they ran on, and not the kernel version. If you want to test the EBPF code against several kernels, you might want to use something more specific than .kitchen_os_centos, .kitchen_os_ubuntu, etc.
But that can be a second iteration, this is much better already than where we were before :D
Edit: +1 to Kylian's comments above ^
...test/integration/dd-agent-runtime-security-test/rspec/dd-agent-runtime-security-test_spec.rb
Outdated
Show resolved
Hide resolved
lebauce
force-pushed
the
lebauce/kitchen-functional-tests
branch
from
c8cceb8
to
568a030
Compare
lebauce
force-pushed
the
lebauce/kitchen-functional-tests
branch
9 times, most recently
from
9173989
to
2a180b6
Compare
lebauce
force-pushed
the
lebauce/kitchen-functional-tests
branch
7 times, most recently
from
034e840
to
222f3ef
Compare
lebauce
force-pushed
the
lebauce/kitchen-functional-tests
branch
3 times, most recently
from
3ab077e
to
7c37116
Compare
| for i := 0; i != maxEnableRetry; i++ { | ||
| if err = m.EnableKprobe(secName, 512); err == nil { | ||
| break | ||
| func (m *Module) tryEnableKprobe(secName string) error { |
There was a problem hiding this comment.
Shall we have a metric associated to retries to ease debugging?
There was a problem hiding this comment.
We can discuss it with the team but I don't think this should be part of the PR
| package_name 'glibc.i686' | ||
| when 'ubuntu', 'debian' | ||
| package_name 'libc6-i386' | ||
| # when 'suse' |
There was a problem hiding this comment.
Is there a reason why this is commented?
There was a problem hiding this comment.
Yes, to not forget to do it when we'll be able to install packages on SUSE
| it 'displays PASS and returns 0' do | ||
| output = `sudo /tmp/security-agent/testsuite -test.v 1>&2` | ||
| retval = $? | ||
| expect(retval).to eq(0) |
There was a problem hiding this comment.
Do you want to also add expect(output).not_to include("FAIL") like in the following describe ?
There was a problem hiding this comment.
I don't think this is useful. If one test fails, it will return something different from 0
lebauce
force-pushed
the
lebauce/kitchen-functional-tests
branch
from
7c37116
to
ecaab51
Compare
.gitlab-ci.yml
Outdated
| @@ -143,6 +145,9 @@ variables: | |||
| .if_not_test_kitchen_deploy: &if_not_test_kitchen_deploy | |||
| if: $CI_COMMIT_BRANCH != "master" && $CI_COMMIT_TAG == null && $DEPLOY_AGENT != "true" && $CI_PIPELINE_SOURCE != "web" && $CI_PIPELINE_SOURCE != "api" | |||
|
|
|||
| .if_test_kitchen_security_agent: &if_test_kitchen_security_agent | |||
There was a problem hiding this comment.
Maybe if_agent_security_team_label would be more descriptive.
There was a problem hiding this comment.
It is not used any more (I wanted to trigger the kitchen tests based on labels on the PR but they are not available). Removed
lebauce
force-pushed
the
lebauce/kitchen-functional-tests
branch
from
ecaab51
to
4ef191d
Compare
What does this PR do?
Execute the runtime security agent functional tests using Kitchen
Motivation
Test the runtime security agent on multiple OS / kernel versions