runtime: Fix TestCheckHostIsVMContainerCapable unstablity issue #8389
Conversation
justxuewei
force-pushed
the
vm-capable-test
branch
3 times, most recently
from
2f2709d
to
558780d
Compare
justxuewei
changed the title
justxuewei
force-pushed
the
vm-capable-test
branch
from
558780d
to
3ff16a4
Compare
justxuewei
force-pushed
the
vm-capable-test
branch
from
3ff16a4
to
3d7ec4b
Compare
justxuewei
force-pushed
the
vm-capable-test
branch
from
3d7ec4b
to
0712455
Compare
|
/test |
| @@ -322,6 +325,30 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) { | |||
| err = hostIsVMContainerCapable(details) | |||
| assert.Nil(err) | |||
|
|
|||
| // Remove required kernel modules and add them to denylist | |||
There was a problem hiding this comment.
I have two remarks here :
- the "failure" test already removes the files on disk. This means they won't be loadable anymore and that we don't need to bother with a deny list,
- making sure that the modules are unloaded from memory is rather a requirement of the "failure" test. For clarity, I'd move this block under the
// remove the modules to force a failurecomment.
There was a problem hiding this comment.
Removing those simulated module files is not enough for passing the "failure" test. Let me give a more details about that:
sysModuleDiris replaced with a temp dir, e.g. "/tmp/tmp.xxGmSePqj2".- Call
createModules(). The function just creates regular files to simulate system modules.kata-containers/src/runtime/cmd/kata-runtime/kata-check_test.go
Lines 68 to 71 in 3b2fb6a
- Remove
sysModuleDirunder the "// remove the modules to force a failure" comment. - Call
haveKernelModule(). This function checks existence of a kernel module. Three steps are involved:- If a kernel module exists at
sysModuleDir, return true. In this case, it won't return as the dir was removed.kata-containers/src/runtime/cmd/kata-runtime/kata-check.go
Lines 139 to 142 in 3b2fb6a
- Check if the current user is root. (Our test is started with
sudo, it won't return here.) - Try to load the module. Returns false if it fails. Please note that if a module was loaded in the memory or wasn't added to blacklist, loading module will be succeed.
kata-containers/src/runtime/cmd/kata-runtime/kata-check.go
Lines 152 to 156 in 3b2fb6a
- Return true.
- If a kernel module exists at
I admit this patch introduces dirty works. But I have no idea how to pass the test without this. Wdyt? @gkurz
There was a problem hiding this comment.
Plus, the blacklist file is restored after the function is completed. It won't poison environment.
|
@justxuewei any idea how this test can even pass without your fix ? |
|
Things are getting complicated now. Commit dd530ba removes the failure test. Runtime's CI tests, |
justxuewei
force-pushed
the
vm-capable-test
branch
from
0712455
to
57a55ec
Compare
|
Folks, right now we have all the PRs being blocked on this issue.
I'm fine with both options, but I'd like to unblock |
Sorry for the delay. @justxuewei's clarifications are enough for now. Let's go with option 1 for the sake of unblocking everyone, but I really want this to be reworked again afterwards. |
|
/test |
TestCheckHostIsVMContainerCapable removes sysModuleDir to simulate a case that the kernel modules are not loaded. However, checkKernelModules() executes modprobe <module> if a module not found in that directory. Loading those modules is required to be denied temporarily. Fixes: kata-containers#8390 Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
justxuewei
force-pushed
the
vm-capable-test
branch
from
57a55ec
to
acd9057
Compare
|
/test |
TestCheckHostIsVMContainerCapableremovessysModuleDirto simulate acase that the kernel modules are not loaded. However,
checkKernelModules()executesmodprobe <module>if a module notfound in that directory. Loading those modules is required to be denied
temporarily.
Fixes: #8390
Signed-off-by: Xuewei Niu niuxuewei.nxw@antgroup.com