CVM: Add boot/reboot tests #3624
Conversation
trungams
force-pushed
the
tvuong/azl-cvm-boot-test
branch
from
39b6e6c to
b900463
Compare
|
@LiliDeng @squirrelsc - This PR is ready to review. Could you help me review it when you have time? Thank you. The |
|
could you provide the full cvm mariner image name? like this format: microsoftcblmariner azure-linux-3 azure-linux-3-gen2 latest |
| component is upgraded. | ||
| Steps: | ||
| 1. On first boot, check current PCR values for PCR4 and PCR7 |
There was a problem hiding this comment.
Add requirements on new environment, if it's needed.
There was a problem hiding this comment.
I have defined requirement for this test case below (CvmEnabled, AZURE). Does this suffice?
There was a problem hiding this comment.
Because the steps writes "on first boot". If some test coverage needs a fresh new environment, it needs a flag to make sure the test case runs first on a new deployed environment.
There was a problem hiding this comment.
I see. It looks like a new feature to add to Lisa. I was only thinking of controlling it inside a runbook via keep_environment = false. Do you have any suggestions on how I should approach it?
There was a problem hiding this comment.
I think it should be this one
https://github.com/microsoft/lisa/blob/main/microsoft/testsuites/core/azure_image_standard.py#L887
|
@LiliDeng The image I used to test this change is |
| security_profile_settings = cast( | ||
| SecurityProfileSettings, node.features[SecurityProfile].get_settings() | ||
| ) | ||
| if not security_profile_settings.encrypt_disk: |
There was a problem hiding this comment.
@squirrelsc @LiliDeng Ideally I want to be able to detect this setting earlier and specify it in the requirement above. I tried adding a function to lisa/features/security_profile.py as below:
DiskEncryptionEnabled = partial(
SecurityProfileSettings,
encrypt_disk=True
)and then use it similarly to how CvmEnabled is used. But it doesn't skip this test case if encrypt_disk is set to false in the runbook. Rather, it turns on that value for the running VM. That's why I had to resort to VM runtime check like this. Do you know how I can implement that kind of check to add to simple_requirement?
There was a problem hiding this comment.
I didn't think about this scenario. When is it needed? If a vm size supports CVM, and the test case need CVM enabled, it shouldn't be controlled by runbook. If you need to verify the CVM image on a non-CVM scenario, it needs another test case.
There was a problem hiding this comment.
I mean CVM can be deployed with different os disk encryption settings:
- VMGuestStateOnly: root partition is not encrypted, this equals encrypt_disk: false in runbook and is the default setting if not specified.
- DiskWithVMGuestState: root partition is encrypted, this equals encrypt_disk: true in runbook.
In my test, I want to skip this test case if encrypt_disk is false. I tried to define a new function DiskEncryptionEnabled as described above and pass it to simple_requirement.supported_features but it didn't work as I expected. Rather, it just turns on disk encryption for the deployed VM even though it has been explicitly set to false in my runbook.
There was a problem hiding this comment.
I'm not sure fully understand it. Please describe in below format, don't mix with other settings.
- What's the settings
- Expected behavior
- Actual behavior
- Why you think the expected behavior is right
There was a problem hiding this comment.
The scenario: I want to skip a test against CVM image if the CVM is not deployed with disk encryption enabled.
In lisa/features/security_profile.py. I add the following function:
DiskEncryptionEnabled = partial(
SecurityProfileSettings,
encrypt_disk=True
)- What's the settings:
- Test case:
requirement=simple_requirement(supported_features[CvmEnabled(), DiskEncryptionEnabled()]) - Runbook:
encrypt_disk: false
- Test case:
- Expected behaviour: Since
encrypt_diskis set to false in my runbook. I expect the CVM to be deployed without disk encryption, and the test case will then be skipped. - Actual behaviour: The CVM was deployed with disk encryption, and the test case still ran.
- Why you think the expected behaviour is right: That's my understanding of
requirementin Lisa - it should not alter a VM's deployment settings. A VM deployment settings should match what is specified in the runbook (or take default values if nothing is specified)
There was a problem hiding this comment.
I see. Please fix it in another PR, because this one is already big enough.
It caused by the encrypt_disk is a bool, not a SetSpace. And the current logic is to set it to true, if true and false meet.
- The definition should be SetSpace([True, False]). https://github.com/trungams/lisa/blob/83004c9fc5dcd09cafaa7a343c714dca13927e06/lisa/features/security_profile.py#L61
- The logic should be merge SetSpace. After that, this test case should be skipped, because it selects nothing. https://github.com/trungams/lisa/blob/83004c9fc5dcd09cafaa7a343c714dca13927e06/lisa/features/security_profile.py#L80
| def _get_version_info_from_named_regex_match( | ||
| self, package_name: str, named_matches: Match[str] | ||
| ) -> VersionInfo: | ||
| def _get_version_info_from_regex( |
There was a problem hiding this comment.
What's the new method is for? The package_name should be the same meaning for raw_version, and the package_name is not used.
There was a problem hiding this comment.
Just trying to extract similar code to a separate function, each os' _get_package_information was using similar logic, with only the regex being different
| @@ -1487,7 +1475,6 @@ class RPMDistro(Linux): | |||
|
|
|||
| # ex: dpdk-20.11-3.el8.x86_64 or dpdk-18.11.8-1.el7_8.x86_64 | |||
| _rpm_version_splitter_regex = re.compile( | |||
| r"(?P<package_name>[a-zA-Z0-9\-_]+)-" | |||
There was a problem hiding this comment.
The new rpm query being used will no longer return package name in the result, but I agree that refactor can get a bit risky. Do you think it's possible to trigger test cases that are affected by this change to catch errors?
There was a problem hiding this comment.
This it needs to be compatible with different distro versions from AzureLinux 2.0 to other RPM based Linux. So it needs to keep for old versions.
lisa/operating_system.py
Outdated
| ) -> LisaVersionInfo: | ||
| matches = regex.search(raw_version) | ||
| if not matches: | ||
| self._node.log.warning("") |
There was a problem hiding this comment.
Don't use warning log in LISA, it's not recommended.
tpm2-tools package provides the toolset to interact with TPM devices Signed-off-by: Thien Trung Vuong <[email protected]>
Signed-off-by: Thien Trung Vuong <[email protected]>
- Introduce LisaVersionInfo to wrap semver.VersionInfo - Update os._get_package_information to use distro's package manager to query a package version string directly, rather than using regex to extract version string from query output - Include the raw version string by default when getting a package version, resolves parsing error when the package does not follow semantic versioning, e.g. systemd Signed-off-by: Thien Trung Vuong <[email protected]>
Implement 2 new test cases: - verify_encrypted_root_partition: check that the root partition on an Azure Linux CVM is encrypted when deployed with "DiskWithVMGuestState" encryption setting - verify_boot_success_after_component_upgrade: check that a CVM can reboot after a boot component is upgraded, and PCR values are updated correctly Signed-off-by: Thien Trung Vuong <[email protected]>
trungams
force-pushed
the
tvuong/azl-cvm-boot-test
branch
from
5a3678c to
83004c9
Compare
| pcrs_after_reboot[4], | ||
| "PCR4 value is still the same even though a boot component changed", | ||
| ).is_not_equal_to(pcrs_before_reboot[4]) | ||
| assert_warn( |
There was a problem hiding this comment.
Why is it a warning? The warning means it's not important and should be an info level bug. If it's important, make the test case fail. The middle area is not a good practice.
DiskWithVMGuestStateencryption setting.