runtime: Fix TestCheckHostIsVMContainerCapable unstablity issue #8389
lgtm, thanks @justxuewei!
LGTM
/test
Blocking this temporarily as it already has two approvals.
@@ -322,6 +325,30 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) { | |||
err = hostIsVMContainerCapable(details) | |||
assert.Nil(err) | |||
|
|||
// Remove required kernel modules and add them to denylist |
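Review bot: the step announced by "// Remove required kernel modules and add them to denylist" changes state on the machine that runs the test, and it is placed directly after the success-path `assert.Nil(err)`. Register the undo with `t.Cleanup` (or `defer`) at the point where the denylist is modified, so that an assertion failing later in the test cannot leave those modules denied on the host.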
I have two remarks here:
- the "failure" test already removes the files on disk. This means they won't be loadable anymore and that we don't need to bother with a deny list,
- making sure that the modules are unloaded from memory is rather a requirement of the "failure" test. For clarity, I'd move this block under the `// remove the modules to force a failure` comment.
Removing those simulated module files is not enough for passing the "failure" test. Let me give more details about that:

- `sysModuleDir` is replaced with a temp dir, e.g. "/tmp/tmp.xxGmSePqj2".
- Call `createModules()`. The function just creates regular files to simulate system modules.

  kata-containers/src/runtime/cmd/kata-runtime/kata-check_test.go, lines 68 to 71 in 3b2fb6a:

  ```go
  if !d.isDir {
  	err = createFile(d.path, d.contents)
  	assert.NoError(err)
  }
  ```
- Remove `sysModuleDir` under the "// remove the modules to force a failure" comment.
- Call `haveKernelModule()`. This function checks the existence of a kernel module. Three steps are involved:
  - If a kernel module exists at `sysModuleDir`, return true. In this case, it won't return as the dir was removed.

    kata-containers/src/runtime/cmd/kata-runtime/kata-check.go, lines 139 to 142 in 3b2fb6a:

    ```go
    path := filepath.Join(sysModuleDir, module)
    if katautils.FileExists(path) {
    	return true
    }
    ```
  - Check if the current user is root. (Our test is started with `sudo`, it won't return here.)
  - Try to load the module. Returns false if it fails. Please note that if a module was loaded in memory or wasn't added to the blacklist, loading the module will succeed.

    kata-containers/src/runtime/cmd/kata-runtime/kata-check.go, lines 152 to 156 in 3b2fb6a:

    ```go
    cmd := exec.Command(modProbeCmd, module)
    if output, err := cmd.CombinedOutput(); err != nil {
    	kmodLog.WithError(err).WithField("output", string(output)).Warnf("modprobe insert module failed")
    	return false
    }
    ```
  - Return true.

I admit this patch introduces dirty work. But I have no idea how to pass the test without this. Wdyt? @gkurz
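The flow described in the comment above, modelled as an added example (not code from this PR or from kata-containers). The function fields of `moduleProbe` and the helper `emptyDirResult` are hypothetical, and the non-root branch returning false is an assumption, since the thread does not show that branch. It shows why removing `sysModuleDir` alone does not force a failure when the test runs as root on a host where modprobe can still load the module.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// moduleProbe models the check described in the thread. The function fields
// are hypothetical seams that replace the filesystem, the uid check and modprobe.
type moduleProbe struct {
	sysModuleDir string
	fileExists   func(path string) bool
	isRoot       func() bool
	modprobe     func(module string) error
}

func (p moduleProbe) haveKernelModule(module string) bool {
	// Step 1: a module listed under sysModuleDir counts as present.
	if p.fileExists(filepath.Join(p.sysModuleDir, module)) {
		return true
	}
	// Step 2 (assumption): a non-root caller cannot load modules, so false.
	if !p.isRoot() {
		return false
	}
	// Step 3: try to load the module; only a modprobe error means "missing".
	return p.modprobe(module) == nil
}

// emptyDirResult reports the outcome for a module absent from sysModuleDir,
// the state the "failure" test creates by removing the directory.
func emptyDirResult(root bool, modprobeErr error) bool {
	p := moduleProbe{
		sysModuleDir: "/tmp/constructed-sys-module", // constructed path
		fileExists:   func(string) bool { return false },
		isRoot:       func() bool { return root },
		modprobe:     func(string) error { return modprobeErr },
	}
	return p.haveKernelModule("kvm") // "kvm" is a constructed sample name
}

func main() {
	denied := errors.New("modprobe: module is denylisted") // constructed error
	fmt.Println("root, host can load module:", emptyDirResult(true, nil))
	fmt.Println("root, load denied:         ", emptyDirResult(true, denied))
	fmt.Println("non-root:                  ", emptyDirResult(false, nil))
}
```

Only the first case returns true, which is the case where the "failure" test would not fail.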
Plus, the blacklist file is restored after the function is completed. It won't poison the environment.
@justxuewei any idea how this test can even pass without your fix?
Things are getting complicated now. Commit dd530ba removes the failure test. Runtime's CI tests,
Folks, right now we have all the PRs being blocked on this issue.
I'm fine with both options, but I'd like to unblock
Sorry for the delay. @justxuewei's clarifications are enough for now. Let's go with option 1 for the sake of unblocking everyone, but I really want this to be reworked again afterwards.
Thanks for unblocking the CI @justxuewei !
/test
TestCheckHostIsVMContainerCapable removes sysModuleDir to simulate a case that the kernel modules are not loaded. However, checkKernelModules() executes modprobe <module> if a module not found in that directory. Loading those modules is required to be denied temporarily.

Fixes: kata-containers#8390

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
/test