test: Fedora 26 has branched start testing there #6294
bot: Image refresh for fedora-26 |
Building the image fails right now somewhere during kickstarting with
Let's see what the bot says, and then I'll file a bug. |
Bots don't seem to pick up fedora-26 images yet, but kickstarting started working for me again locally. |
Some of the storage tests should be fixed by PR #6293. |
Nice! I was just starting to figure out the same things. |
@petervo, could you look at the kubernetes failures? |
Cockpit expects NetworkManager 1.6.0 to have certain checkpoint bugs fixed. Looks like they might still exist. I'll check. |
Rebased after merging #6293. |
Wrt. the "internal error in login process": This is a real SELinux policy bug, not a test problem. The relevant message seems to be:
and if I add a This changed recently in Fedora 26. However, both in F25 and F26 the labels on /usr/libexec/cockpit-ssh are the same: Trying to debug this:
With I just found https://bugzilla.redhat.com/show_bug.cgi?id=1381331 which seems to be about this. We have this hack in our spec file:
But without it it doesn't work either. I followed up on the Fedora bug. So a canned fix would be this, but I don't know where to place it:

cat <<EOF > /tmp/local.te
module local 1.0;
require {
type cockpit_ws_exec_t;
type cockpit_ws_t;
class file execute_no_trans;
}
allow cockpit_ws_t cockpit_ws_exec_t:file execute_no_trans;
EOF
checkmodule -M -m -o /tmp/local.mod /tmp/local.te
semodule_package -o /tmp/local.pp -m /tmp/local.mod
semodule -i /tmp/local.pp

We could put it into the tests, but it's a fix that you really need at runtime. For that we presumably need some spec modules for compiling a SELinux policy "properly" and ship the compiled one in the package? Or do we need to wait until it goes into |
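How an AVC denial record maps onto the allow rule in the comment above, as an added example that is not part of the original thread or of Cockpit's code. The function name `avc_to_te` and the sample record are constructed for illustration; the record is an assumed shape of the denial, not the message from the PR.

```shell
#!/bin/sh
# Constructed sample record (assumed shape of the denial, not copied from the PR).
SAMPLE_AVC='type=AVC msg=audit(1491900000.123:456): avc:  denied  { execute_no_trans } for  pid=1234 comm="cockpit-ws" path="/usr/libexec/cockpit-ssh" dev="dm-0" ino=98765 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_ws_exec_t:s0 tclass=file permissive=0'

# avc_to_te NAME: read audit records on stdin, print a policy module source
# (.te) that allows exactly the denied permissions. Exits 1 if none were found.
avc_to_te() {
    awk -v module="$1" '
    /avc: +denied/ {
        # The denied permissions are the words between "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        n = split(substr($0, s + 1, e - s - 1), p, " ")
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        if (!(src in ty)) { ty[src] = 1; tlist[++nt] = src }
        if (!(tgt in ty)) { ty[tgt] = 1; tlist[++nt] = tgt }
        for (j = 1; j <= n; j++) {
            if (!((cls, p[j]) in cp)) {
                cp[cls, p[j]] = 1
                if (!(cls in cperm)) clist[++nc] = cls
                cperm[cls] = cperm[cls] " " p[j]
            }
            rule = "allow " src " " tgt ":" cls " " p[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; rlist[++nr] = rule }
        }
    }
    END {
        if (nr == 0) exit 1
        print "module " module " 1.0;"
        print "require {"
        for (i = 1; i <= nt; i++) print "    type " tlist[i] ";"
        for (i = 1; i <= nc; i++) print "    class " clist[i] " {" cperm[clist[i]] " };"
        print "}"
        for (i = 1; i <= nr; i++) print rlist[i]
    }'
}

# Review the generated rule before compiling it with checkmodule/semodule_package.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local
```

Repeated denials collapse into one rule, and records without an AVC denial produce no module at all, so the output only ever widens the policy by what was actually denied.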
Looking at the kubernetes tests, it looks like there's a bunch of adjustments necessary: First thing is
which causes
I pushed this fix. But this will require an image rebuild (I just hacked it in with After that, it fails with
This was reported in kubernetes/kubernetes#38380 and is apparently some fallout from a Go library change. There was a fix/workaround in kubernetes, but this might not yet have landed in Fedora 26? Allegedly this happens when parsing an URL without a schema, but the only two occurrences that we have do have a schema already:
So I'm not sure how we can work around that. I reproduced in a clean Fedora 26 env and reported a bug. |
The lsblk change is reported in https://bugzilla.redhat.com/show_bug.cgi?id=1441175, and they say it's a real regression. |
Re |
I pushed a ridiculously ugly hack to adjust the SELinux policy. The original plan was to only do this if the selinux-policy shipped rules don't allow this yet, but this is difficult: One needs something like that to determine this:
But that would require setools-console and setools-python3 as new dependencies, and the command also takes painfully long. I didn't find a better way to inquire the current capabilities of cockpit_ws_t, suggestions welcome. But this policy snippet should be additive, so it shouldn't collide with selinux-policy-targeted once that gets updated. If you think this is too ugly (and we most definitively should not release F26 with that!), I'm also okay with dropping that commit and adding a known issue instead. |
Can we add a big nasty error message in the %post script to highlight the SELinux fail?
tools/cockpit.spec
Outdated
@@ -358,6 +358,16 @@ Cockpit support for remoting to other servers, bastion hosts, and a basic dashbo | |||
# HACK: Until policy changes make it downstream | |||
# https://bugzilla.redhat.com/show_bug.cgi?id=1381331 | |||
test -f %{_bindir}/chcon && chcon -t cockpit_ws_exec_t %{_libexecdir}/cockpit-ssh | |||
%if 0%{?fedora} > 0 && 0%{?fedora} >= 26 | |||
if type semodule >/dev/null 2>&1; then |
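Review bot: On the added `%if 0%{?fedora} > 0 && 0%{?fedora} >= 26` line, the first comparison is redundant: `0%{?fedora}` expands to 0 when the macro is undefined, so `%if 0%{?fedora} >= 26` alone already excludes non-Fedora builds. On the `if type semodule` guard that follows, a system without semodule would skip the workaround with no trace as far as the visible lines show; consider printing a message to stderr in that case so a missing policy fix is visible in the install log. The new block also relies on the existing HACK comment for bug 1381331 above the chcon line; a short comment of its own stating what the semodule step adds would make it easier to remove once the policy is fixed.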
echo "HACK: Workaround for broken SELinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1381331" >&2
Sure! The current test finished and confirmed we are down to one failing test (selinux troubleshooter), so I pushed a fixup.
About We don't seem to get any notifications about new alerts from setroubleshootd. That's why the page stays empty. Manual reloading shows the expected alert. Once an alert is shown, getting its details fails. Setroubleshootd returns a backtrace as a D-Bus Error:
|
The reason for that also seems to be the AttributeError. The journal shows
|
Rebased, still needs a new image. I'll make it. |
That didn't work, but it might tomorrow. Let's just use what we have. |
I would squash the commits "test: Add known PCP issue also for fedora-26" and the "New" image into the first one. Otherwise this looks good to me now, thanks!
Someone else should also review though, as I meddled with this PR a lot too.
Now that Fedora 26 has branched, we won't be releasing into the main Fedora 25 channels any longer. We don't yet remove support for Fedora 24 because other pull requests are coming that migrate Avocado and Selenium stuff later. Also remove a HACK that's supposedly fixed on Fedora 26.
It conflicts with plain docker...
We need to pass extra flags to activate the fixes in NM that we need for them. Let's do that separately.
kube-apiserver.service runs with "User=kube" on Fedora 26, so make sure it can read the keys.
kubernetes is broken in Fedora 26: https://bugzilla.redhat.com/show_bug.cgi?id=1441218 See issue cockpit-project#6327
With Fedora 26's SELinux version, cockpit_ws_t needs the "execute_no_trans" capability to run cockpit-ssh. Apply a ridiculously ugly %post hack until it gets fixed properly in the policy. See <https://bugzilla.redhat.com/show_bug.cgi?id=1381331>.