Bats 1.4.X fix: BATS_TMPDIR

[NorseGaud]

Description

While working on #2104, some of the TLS tests were locking my docker up or failing.

(The failure below is using the verbose flags that are a pending PR in bats-core)

✗ begin 186 checking tls: cipher list - rsa intermediate
   (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
    from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
    from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
    in test file test/security_tls_cipherlists.bats, line 47)
     `check_ports 'rsa' 'intermediate'' failed
   $ docker run -d --name tls_test_cipherlists --volume /Users/norsegaud/docker-mailserver/test/duplicate_configs/security_tls_cipherlists.bats/:/tmp/docker-mailserver/ --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --env DMS_DEBUG=0 --env ENABLE_POP3=1 --env SSL_TYPE=manual --env SSL_CERT_PATH=/config/ssl/cert.rsa.pem --env SSL_KEY_PATH=/config/ssl/key.rsa.pem --env TLS_LEVEL=intermediate --network test-network --network-alias example.test --hostname mail.example.test --tty mailserver-testing:ci
     f7d78f74fc3eedaa1277f63d9b7a2d06f22fbae7705f75b842b56bed71fce40b
   [ TASKLOG ]  mail.example.test is up and running
   $ docker run --rm --user 501:20 --network test-network --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --volume /var/folders/vb/pjyhgj4s491_k0t025_j56y00000gn/T//results/rsa/intermediate/:/output --workdir /output drwetter/testssl.sh:3.1dev --quiet --file /config/ssl/testssl.txt --mode parallel --overwrite --preference
     standard_init_linux.go:228: exec user process caused: permission denied
   
   -- command failed --
   status : 1
   output : standard_init_linux.go:228: exec user process caused: permission denied
   --

It turns out this is because of a change with BATS_TMPDIR. See bats-core/bats-core#410 (comment) and bats-core/bats-core#365 (comment)

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (non-breaking change that does improve existing functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (README.md or the documentation under docs/)
• If necessary I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[polarathene]

The linked discussions reference the ENV var as meant for internal usage in bats only, that remains the case for the renamed variant.

It seems advised here how to handle temporary directories with bats. I would assume /tmp is a safe location choice to write to, but not sure if that is consistent across environments, perhaps the location should be changed?

There's also some related new ENV added, that are documented here.BATS_FILE_TMPDIR may be relevant choice here (directory that persists through all tests of a bats test file), although I think automatic cleanup happens after running the test which might be an issue for inspection during failures (as in the failure can be debugged by inspecting these log files, in this case the cipher suite not matching test expectations).

---

It's unclear why your latest change is failing... upstream bats sets TMPDIR and BATS_TMPDIR here, TMPDIR is shown as being handled here along with the old BATS_TMPDIR being set: export BATS_TMPDIR="${TMPDIR:-/tmp}", yet the CI error is saying:

mkdir: cannot create directory ‘/results’: Permission denied

Which AFAIK doesn't look right, seems like it's missing /tmp prefix that should have been set earlier in the test?:

docker-mailserver/test/security_tls_cipherlists.bats

Line 135 in f333740

mkdir -p "${TLS_RESULTS_DIR}/${RESULTS_PATH}"

That seems to be missing $RESULTS_PATH suffix too..?:

docker-mailserver/test/security_tls_cipherlists.bats

Line 84 in f333740

local RESULTS_PATH="${KEY_TYPE_LABEL}/${TLS_LEVEL}"

What I do notice is that only /results is plain text, the prefix + suffix generation of the path is through vars. Are they some how all empty now? I'll try reproduce the test failure myself in a moment.

[ap-wtioit]

I also got similar errors on our CI now (for master branch, did work on Friday), that do not happen on my local dev environment

not ok 186 checking tls: cipher list - rsa intermediate
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
#  from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
#  in test file test/security_tls_cipherlists.bats, line 47)
#   `check_ports 'rsa' 'intermediate'' failed
# [ TASKLOG ]  mail.example.test is up and running
# 
# -- command failed --
# status : 1
# output : standard_init_linux.go:228: exec user process caused: permission denied
# --
# 
# tls_test_cipherlists
not ok 187 checking tls: cipher list - rsa modern
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
#  from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
#  in test file test/security_tls_cipherlists.bats, line 51)
#   `check_ports 'rsa' 'modern'' failed
# [ TASKLOG ]  mail.example.test is up and running
# 
# -- command failed --
# status : 1
# output : standard_init_linux.go:228: exec user process caused: permission denied
# --
# 
# tls_test_cipherlists
not ok 188 checking tls: cipher list - ecdsa intermediate
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
#  from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
#  in test file test/security_tls_cipherlists.bats, line 55)
#   `check_ports 'ecdsa' 'intermediate'' failed
# [ TASKLOG ]  mail.example.test is up and running
# 
# -- command failed --
# status : 1
# output : standard_init_linux.go:228: exec user process caused: permission denied
# --
# 
# tls_test_cipherlists
not ok 189 checking tls: cipher list - ecdsa modern
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
#  from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
#  in test file test/security_tls_cipherlists.bats, line 59)
#   `check_ports 'ecdsa' 'modern'' failed
# [ TASKLOG ]  mail.example.test is up and running
# 
# -- command failed --
# status : 1
# output : standard_init_linux.go:228: exec user process caused: permission denied
# --
# 
# tls_test_cipherlists
not ok 190 checking tls: cipher list - ecdsa intermediate, with rsa fallback
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
#  from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
#  in test file test/security_tls_cipherlists.bats, line 66)
#   `check_ports 'ecdsa' 'intermediate' 'rsa'' failed
# [ TASKLOG ]  mail.example.test is up and running
# 
# -- command failed --
# status : 1
# output : standard_init_linux.go:228: exec user process caused: permission denied
# --
# 
# tls_test_cipherlists
not ok 191 checking tls: cipher list - ecdsa modern, with rsa fallback
# (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
#  from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
#  from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
#  in test file test/security_tls_cipherlists.bats, line 70)
#   `check_ports 'ecdsa' 'modern' 'rsa'' failed
# [ TASKLOG ]  mail.example.test is up and running
# 
# -- command failed --
# status : 1
# output : standard_init_linux.go:228: exec user process caused: permission denied
# --
# 
# tls_test_cipherlists

[polarathene]

I'm unable to reproduce the issue you and the CI are facing. Tested on Fedora 34 cloning the repo and building:

git clone https://github.com/docker-mailserver/docker-mailserver.git
cd docker-mailserver
git submodule update --init --recursive
apt-get install make
make build

No failures encountered 😕

I'm wondering if it's something to do with the CI on Github. Is the output path logged actually /results or is it trying to mask that value in the log due to other parts being vars? We can try temporary changing the location, without any vars involved, it might be that some change has happened that prevents us writing to /tmp and only within the runner directory.

[ap-wtioit]

Shouldn't we put the test artifacts somewhere in the test directory and also clean them up in make clean?

    export TLS_RESULTS_DIR="$(pwd)/test/tls/results"

and

clean:
...
	-@ sudo rm -rf ... test/tls/

[polarathene]

Explicitly writing to /tmp or CI ENV ${RUNNER_TEMP} both fail. Neither are outputting the error to fail making /results, so presumably a different error. I am guessing permissions in the CI image perhaps changed preventing the --user from working? 🤷‍♂️

standard_init_linux.go:228: exec user process caused: permission denied

Will try with the local working directory now.

Shouldn't we put the test artifacts somewhere in the test directory and also clean them up in make clean?

Pretty much every other test does that. I wrote this failing test and I think I had a reason (may have just been preference) to use /tmp, I'd have to look up the PR for it but I believe I explained why I chose that.

I know that I at one point did have it clean up the contents, but that was undesirable if I wanted to inspect the file content upon a test failure for insights.

The cleanup for bats tests is handled in the teardown_file(), having make clean remove anything not cleaned up from the tests is probably a good idea though 👍 It looks like we're already doing that?:

docker-mailserver/Makefile

Lines 24 to 29 in f333740

	clean:
	# remove running and stopped test containers
	-@ [[ -d config.bak ]] && { rm -rf config ; mv config.bak config ; } || :
	-@ [[ -d testconfig.bak ]] && { sudo rm -rf test/config ; mv testconfig.bak test/config ; } || :
	-@ for container in $$(docker ps -a --filter name='^/mail$$|^ldap_for_mail$$|^mail_override_hostname$$|^open-dkim$$|^hadolint$$|^eclint$$|^shellcheck$$' | sed 1d | cut -f 1-1 -d ' '); do docker rm -f $$container; done
	-@ sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf test/config/dhparams.pem test/config/dovecot-lmtp/dh.pem test/config/relay-hosts/dovecot-quotas.cf test/config/user-patches.sh test/alias/config/postfix-virtual.cf test/quota/config/dovecot-quotas.cf test/quota/config/postfix-accounts.cf test/relay/config/postfix-relaymap.cf test/relay/config/postfix-sasl-password.cf test/duplicate_configs/

[NorseGaud]

@polarathene , thanks for the help with this!

I am guessing permissions in the CI image perhaps changed preventing the --user from working? 🤷‍♂️

That's what I'm thinking too.

[NorseGaud]

Just tested the changes in e2b3370 locally and see:

❯ test/bats/bin/bats --verbose test/security_tls_cipherlists.bats
 - first (skipped: This version natively supports setup/teardown_file)
   Error: No such container: tls_test_cipherlists
 ✗ checking tls: cipher list - rsa intermediate
   (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
    from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
    from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
    in test file test/security_tls_cipherlists.bats, line 47)
     `check_ports 'rsa' 'intermediate'' failed
   $ docker run -d --name tls_test_cipherlists --volume /Users/norsegaud/docker-mailserver/test/duplicate_configs/security_tls_cipherlists.bats/:/tmp/docker-mailserver/ --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --env DMS_DEBUG=0 --env ENABLE_POP3=1 --env SSL_TYPE=manual --env SSL_CERT_PATH=/config/ssl/cert.rsa.pem --env SSL_KEY_PATH=/config/ssl/key.rsa.pem --env TLS_LEVEL=intermediate --network test-network --network-alias example.test --hostname mail.example.test --tty mailserver-testing:ci
     6fada0a5faee525a5f23e7582b83b64cbcb42a7090c6fd8943861c0c949425b0
   [ TASKLOG ]  mail.example.test is up and running
   $ docker run --rm --user 501:20 --network test-network --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --volume /Users/norsegaud/docker-mailserver/results/rsa/intermediate/:/output --workdir /output drwetter/testssl.sh:3.1dev --quiet --file /config/ssl/testssl.txt --mode parallel --overwrite --preference
     standard_init_linux.go:228: exec user process caused: permission denied
   
   -- command failed --
   status : 1
   output : standard_init_linux.go:228: exec user process caused: permission denied
   --

I'm going to try cleaning up some of my environment and trying again

[ap-wtioit]

hm, the uid seems to be the problem.
running locally:

user@host:~$ docker run --rm drwetter/testssl.sh:3.1dev | head -n 5

     "testssl.sh [options] <URI>"    or    "testssl.sh <options>"

"testssl.sh <option>", where <option> is mostly standalone and one of:

write /dev/stdout: broken pipe
user@host:~$ docker run --user=1001:1001 --rm drwetter/testssl.sh:3.1dev | head -n 5
standard_init_linux.go:228: exec user process caused: permission denied
user@host:~$ docker run --user=1000:1000 --rm drwetter/testssl.sh:3.1dev | head -n 5

     "testssl.sh [options] <URI>"    or    "testssl.sh <options>"

"testssl.sh <option>", where <option> is mostly standalone and one of:

user@host:~$ docker run --user=999:999 --rm drwetter/testssl.sh:3.1dev | head -n 5
standard_init_linux.go:228: exec user process caused: permission denied

seems drwetter/testssl.sh:3.1dev is only able to run with uid 1000 now. maybe it includes something in $HOME/.. (that belongs to user 1000) that is not readable by other users

[NorseGaud]

@polarathene @ap-wtioit , can you please send me your docker versions? I'd like to rule that out

❯ docker --version
Docker version 20.10.7, build f0df350

[NorseGaud]

seems drwetter/testssl.sh:3.1dev is only able to run with uid 1000 now. maybe it includes something in $HOME/.. (that belongs to user 1000) that is not readable by other users

Great find! I too was poking at that earlier. I tried 3.0 of the testssl.sh project and it still failed though

[polarathene]

That's what I'm thinking too.

The only recent commit in default branch that would have run the failing test workflow is your bats update from 8 days ago. It just so happens the Ubuntu 20.04 image was updated 7 days ago. Nothing stands out as a culprit though :/

Just tested the changes in e2b3370 locally and see

Is this local environment macOS? Just curious about your uid:gid mapping.

seems drwetter/testssl.sh:3.1dev is only able to run with uid 1000 now

Oh great catch!

can you please send me your docker versions?

docker --version
Docker version 20.10.7, build f0df350

[NorseGaud]

Is this local environment macOS? Just curious about your uid:gid mapping.

Correct :) I run

docker run --rm --user $(id -u):$(id -g) --network test-network --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --volume /Users/norsegaud/docker-mailserver/results/rsa/intermediate/:/output --workdir /output drwetter/testssl.sh:3.1dev --quiet --file /config/ssl/testssl.txt --mode parallel --overwrite --preference

standard_init_linux.go:228: exec user process caused: permission denied

[ap-wtioit]

I tested with a local Dockerfile and patched

FROM drwetter/testssl.sh:3.1dev
RUN chmod o+rx /home/testssl/testssl.sh

docker build -t drwetter/testssl.sh:3.1dev-fixed .
docker run --rm --user=1001:1001 drwetter/testssl.sh:3.1dev-fixed | head -n 5

now it works also with non 1000 users. I'll create a merge request for drwetter/testssl.sh

[NorseGaud]

I tested with a local Dockerfile and patched

FROM drwetter/testssl.sh:3.1dev
RUN chmod o+rx /home/testssl/testssl.sh

docker build -t drwetter/testssl.sh:3.1dev-fixed .
docker run --rm --user=1001:1001 drwetter/testssl.sh:3.1dev-fixed | head -n 5

now it works also with non 1000 users. I'll create a merge request for drwetter/testssl.sh

Not 100% that solves it for me. Built using your Dockerfile, updated the tests to target the new tag name, and see:

❯ test/bats/bin/bats --verbose test/security_tls_cipherlists.bats - first (skipped: This version natively supports setup/teardown_file)   Error: No such container: tls_test_cipherlists ✗ checking tls: cipher list - rsa intermediate   (from function `assert_success' in file test/test_helper/bats-assert/src/assert.bash, line 114,
    from function `collect_cipherlist_data' in file test/security_tls_cipherlists.bats, line 154,
    from function `check_ports' in file test/security_tls_cipherlists.bats, line 86,
    in test file test/security_tls_cipherlists.bats, line 47)
     `check_ports 'rsa' 'intermediate'' failed
   $ docker run -d --name tls_test_cipherlists --volume /Users/norsegaud/docker-mailserver/test/duplicate_configs/security_tls_cipherlists.bats/:/tmp/docker-mailserver/ --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --env DMS_DEBUG=0 --env ENABLE_POP3=1 --env SSL_TYPE=manual --env SSL_CERT_PATH=/config/ssl/cert.rsa.pem --env SSL_KEY_PATH=/config/ssl/key.rsa.pem --env TLS_LEVEL=intermediate --network test-network --network-alias example.test --hostname mail.example.test --tty mailserver-testing:ci
     04a0fcb1b743ae6633cbc1cb085a2fd48f243fc9d6d3670442d91412dbc925d9
   [ TASKLOG ]  mail.example.test is up and running
   $ docker run --rm --user 501:20 --network test-network --volume /Users/norsegaud/docker-mailserver/test/test-files/ssl/example.test/:/config/ssl/:ro --volume /Users/norsegaud/docker-mailserver/results/rsa/intermediate/:/output --workdir /output drwetter/testssl.sh:3.1dev2 --quiet --file /config/ssl/testssl.txt --mode parallel --overwrite --preference
     
     ATTENTION: No cipher mapping file found!
     Please note from 2.9 on testssl.sh needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.
   
   -- command failed --
   status : 244
   output (3 lines):
     
     ATTENTION: No cipher mapping file found!
     Please note from 2.9 on testssl.sh needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.
   --

To be fair, it did fix the permissions issue. Maybe we need to add something now to the tests to get this to work?

[ap-wtioit]

@NorseGaud i will run a "full" test on our CI now, my guess is that we need to patch some more (e.g. permissions for /home/testssl/etc)

[ap-wtioit]

new Dockerfile:

FROM drwetter/testssl.sh:3.1dev
RUN chmod o+rx /home/testssl/testssl.sh \
    && chmod o+r /home/testssl/etc/* \
    && chmod o+r /home/testssl/bin/* \
    && chmod o+x /home/testssl/bin/openssl.Linux.*

now the tests on our CI pass (we usually build and version used images daily (in case someone changes something and we are not able to fix it fast))
on our version i

• added the Dockerfile in test/testssl/Dockerfile
• changed test/security_tls_cipherlists.bats to use docker build instead of pull

  docker build -t drwetter/testssl.sh:3.1dev-patched "$(pwd)/test/testssl/"
  

• and use the image in docker run

      run docker run --rm \
        --user "$(id -u):$(id -g)" \
        --network "${NETWORK}" \
        --volume "${TLS_CONFIG_VOLUME}" \
        --volume "${TLS_RESULTS_DIR}/${RESULTS_PATH}/:/output" \
        --workdir "/output" \
        drwetter/testssl.sh:3.1dev-patched "${TESTSSL_CMD[@]}"
  

[NorseGaud]

I guess the question is: Do we update the CI to perform the steps provided by @ap-wtioit , or just wait for test-ssl.sh to release something with fixes?

[ap-wtioit]

@NorseGaud i'm not sure if it's needed in the short term. Long term should be the fix in drwetter/testssl.sh.

But as i already enabled the patches on our CI i could easily create another pull request so you could use it if you need to.

[polarathene]

Do we update the CI to perform the steps

I'm confused why CI broke. There aren't any notes about uid or gid changing, the fix doesn't seem like it'd have been an issue for the CI thus far unless some recent push to DockerHub for testssl image introduced something that broke that.

Do we have information on what version of Docker the CI is running? I'm curious if the upgrade to Alpine 3.13 for testssl had anything to do with it, it fits into the time window since the last passing test.

---

EDIT:

Tried out my suspicion with the CI and the testssl alpine update based on another user noting the issue recently, but doesn't seem to be related 😅 Ubuntu 20.04 environment for the CI has packages and versions here(links PR for recent update diff).

[ap-wtioit]

@polarathene my guess would be that the image before upgrading to 3.12 took the permissions from the build directory of whoever buildt the image. And either alpine:3.13 became stricter when copying files or the person/system that built the newer image changed the permissions in their build directory. But as i don't have an old version of drwetter/testssl.sh:3.1dev i cannot check if that's the real reason.

[polarathene]

now the tests on our CI pass

Can you confirm that your CI is same as ours with Github Workflow and Ubuntu 20.04 environment?

I was thinking of signing up to Azure to create a VHD of the previous Ubunutu 20.04 environment as documented here, but I'm not sure if it's worth the time, especially if your CI is the same environment we have failing atm.

If your CI environment is the same as ours and now passes, then I think it's safe to assume that the likely cause for failure was some change in how the testssl image was built (where permissions for whatever reason changed as you mentioned). Since we can't easily access prior image releases due to testssl release management, I can't reliably bisect the cause I think?

[NorseGaud]

now the tests on our CI pass

Can you confirm that your CI is same as ours with Github Workflow and Ubuntu 20.04 environment?

I was thinking of signing up to Azure to create a VHD of the previous Ubunutu 20.04 environment as documented here, but I'm not sure if it's worth the time, especially if your CI is the same environment we have failing atm.

If your CI environment is the same as ours and now passes, then I think it's safe to assume that the likely cause for failure was some change in how the testssl image was built (where permissions for whatever reason changed as you mentioned). Since we can't easily access prior image releases due to testssl release management, I can't reliably bisect the cause I think?

Not sure if it helps but I manually built back a month or so of commits for the 3.1dev branch and the tests kept failing

[ap-wtioit]

@NorseGaud i added a bit more explanation on what i think happened here: drwetter/testssl.sh#1955

Basically i think the author / maintainer / build person for drwetter/testssl.sh changed the system the image was built on removing the permissions for others on testssl.sh, bin and etc locally, then building those permissions into the image and publishing it without permissions for others.

Ubuntu 18.04 LTS with git clone checks out everything with permissions for others. I know that not all systems are set up this way (many removing permissions for others either by UMASK or ACLs on the home directories)

[NorseGaud]

It's working now that drwtter has updated dockerhub. Thanks for the help y'all!