From 4423bcac998937fb1cebe32a009c8142106ebf41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?=
Date: Sat, 28 Oct 2023 00:58:31 +0200
Subject: [PATCH 1/5] fix(test): correct expected aarch64 CPU features
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In ddd98367 a mistake was introduced for `DEFAULT_G3_FEATURES_NO_SSBS_4_14`. Correct it here.
Fixes: ddd983672af7d5312f77be3e69433cdac15726a4
Signed-off-by: Pablo Barbáchano
---
 .../integration_tests/functional/test_cpu_features_aarch64.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/integration_tests/functional/test_cpu_features_aarch64.py b/tests/integration_tests/functional/test_cpu_features_aarch64.py
index 2779be98d31..11d80d2bb77 100644
--- a/tests/integration_tests/functional/test_cpu_features_aarch64.py
+++ b/tests/integration_tests/functional/test_cpu_features_aarch64.py
@@ -30,8 +30,8 @@
 "dcpodp i8mm bf16 dgh rng".split(" ")
 )
-DEFAULT_G3_FEATURES_NO_SSBS_4_14 = DEFAULT_G3_FEATURES_5_10 - {"ssbs"}
-DEFAULT_G3_FEATURES_NO_SSBS_5_10 = DEFAULT_G3_FEATURES_NO_SSBS_4_14
+DEFAULT_G3_FEATURES_NO_SSBS_4_14 = DEFAULT_G3_FEATURES_4_14 - {"ssbs"}
+DEFAULT_G3_FEATURES_NO_SSBS_5_10 = DEFAULT_G3_FEATURES_5_10 - {"ssbs"}
 DEFAULT_G3_FEATURES_WITH_SVE_AND_PAC_4_14 = DEFAULT_G3_FEATURES_4_14
 DEFAULT_G3_FEATURES_WITH_SVE_AND_PAC_5_10 = DEFAULT_G3_FEATURES_5_10 | set(
From 1232b2a83c8a3aaa4fce56726407bf097ec6b07e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?=
Date: Sat, 28 Oct 2023 00:32:49 +0200
Subject: [PATCH 2/5] fix(test): use the name of the CPU template to find exceptions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit c44b0c63 was refactored in such a way that we could not find an exception for custom CPU templates. It was probably not noticed since the it requires a specific CPU in m5d.
Fixes: c44b0c63bdaed617f1b578060f3a3da016798eda
Signed-off-by: Pablo Barbáchano
---
 tests/integration_tests/security/test_vulnerabilities.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
index a5ca3433c30..5f3949551e5 100644
--- a/tests/integration_tests/security/test_vulnerabilities.py
+++ b/tests/integration_tests/security/test_vulnerabilities.py
@@ -56,7 +56,9 @@ def configure_microvm(
 microvm.basic_config(vcpu_count=2, mem_size_mib=256, cpu_template=cpu_template)
 if custom_cpu_template:
 microvm.api.cpu_config.put(**custom_cpu_template["template"])
- microvm.cpu_template = cpu_template or custom_cpu_template
+ microvm.cpu_template = cpu_template
+ if cpu_template is None and custom_cpu_template is not None:
+ microvm.cpu_template = custom_cpu_template["name"]
 microvm.add_net_iface()
 microvm.start()
 return microvm
From 74a2b6aebf11ec882b0004b492c21c1c70473ce1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?=
Date: Sat, 28 Oct 2023 00:08:41 +0200
Subject: [PATCH 3/5] test: avoid recompiling examples for every agent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We compile the UFFD and seccomp example programs as a session fixture. If we run the tests in parallel, there is one session per worker and we end up downloading and compiling the examples for each worker (worst case). Instead, use the same approach as the Firecracker and jailer binaries.
Signed-off-by: Pablo Barbáchano
---
 tests/conftest.py | 53 ++++++++-------------------------
 tests/host_tools/cargo_build.py | 13 ++++++--
 2 files changed, 23 insertions(+), 43 deletions(-)
diff --git a/tests/conftest.py b/tests/conftest.py
index 7c0ac0b721c..904d4f6ce2d 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -24,7 +24,6 @@
 import inspect
 import os
-import platform
 import re
 import shutil
 import sys
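Review bot: In `configure_microvm` (tests/integration_tests/security/test_vulnerabilities.py) the added `custom_cpu_template is not None` check does not match the truthiness test `if custom_cpu_template:` two lines above it, so an empty dict would skip the `cpu_config.put` call and then raise `KeyError` on `custom_cpu_template["name"]`. Using the same test in both places avoids that: `if cpu_template is None and custom_cpu_template:`. When both arguments are given, the custom template is still sent to the API while `microvm.cpu_template` keeps the static name, so the exception lookup the commit message refers to would presumably key on a template that is not the one in effect; a short comment such as `# cpu_template holds the template name used to look up expected-vulnerability exceptions` would record the intent. The function's signature lies outside the hunk.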
@@ -196,8 +195,8 @@ def change_net_config_space_bin(test_fc_session_root_path):
 yield change_net_config_space_bin
-@pytest.fixture(scope="session")
-def bin_seccomp_paths(test_fc_session_root_path):
+@pytest.fixture
+def bin_seccomp_paths():
 """Build jailers and jailed binaries to test seccomp.
 They currently consist of:
@@ -206,48 +205,20 @@ def bin_seccomp_paths(test_fc_session_root_path):
 * a jailed binary that follows the seccomp rules;
 * a jailed binary that breaks the seccomp rules.
 """
- seccomp_build_path = (
- Path(test_fc_session_root_path) / build_tools.CARGO_RELEASE_REL_PATH
- )
- release_binaries_path = seccomp_build_path / build_tools.RELEASE_BINARIES_REL_PATH
-
- seccomp_examples = ["jailer", "harmless", "malicious", "panic"]
-
- demos = {}
-
- for example in seccomp_examples:
- build_tools.cargo_build(
- seccomp_build_path,
- f"--release --target {platform.machine()}-unknown-linux-musl --example seccomp_{example}",
- )
-
- demos[f"demo_{example}"] = release_binaries_path / f"examples/seccomp_{example}"
-
+ demos = {
+ f"demo_{example}": build_tools.get_example(f"seccomp_{example}")
+ for example in ["jailer", "harmless", "malicious", "panic"]
+ }
 yield demos
-@pytest.fixture(scope="session")
-def uffd_handler_paths(test_fc_session_root_path):
+@pytest.fixture
+def uffd_handler_paths():
 """Build UFFD handler binaries."""
- uffd_build_path = (
- Path(test_fc_session_root_path) / build_tools.CARGO_RELEASE_REL_PATH
- )
- release_binaries_path = uffd_build_path / build_tools.RELEASE_BINARIES_REL_PATH
-
- uffd_handlers = ["malicious", "valid"]
-
- handlers = {}
-
- for handler in uffd_handlers:
- build_tools.cargo_build(
- uffd_build_path,
- f"--release --target {platform.machine()}-unknown-linux-musl --example uffd_{handler}_handler",
- )
-
- handlers[f"{handler}_handler"] = (
- release_binaries_path / f"examples/uffd_{handler}_handler"
- )
-
+ handlers = {
+ f"{handler}_handler": build_tools.get_example(f"uffd_{handler}_handler")
+ for handler in ["malicious", "valid"]
+ }
 yield handlers
diff --git a/tests/host_tools/cargo_build.py b/tests/host_tools/cargo_build.py
index 2b3dd11c491..3dd91feac94 100644
--- a/tests/host_tools/cargo_build.py
+++ b/tests/host_tools/cargo_build.py
@@ -66,16 +66,20 @@ def cargo_test(path, extra_args=""):
 @with_filelock
-def get_binary(name, *, workspace_dir=FC_WORKSPACE_DIR):
+def get_binary(name, *, workspace_dir=FC_WORKSPACE_DIR, example=False):
 """Build a binary"""
 target = DEFAULT_BUILD_TARGET
 target_dir = workspace_dir / "build" / "cargo_target"
 bin_path = target_dir / target / "release" / name
+ cmd = f"-p {name}"
+ if example:
+ bin_path = target_dir / target / "release" / "examples" / name
+ cmd = f"--example {name}"
 if not bin_path.exists():
 env = {"RUSTFLAGS": get_rustflags()}
 cargo(
 "build",
- f"-p {name} --release --target {target}",
+ f"--release --target {target} {cmd}",
 env=env,
 cwd=workspace_dir,
 )
@@ -95,6 +99,11 @@ def get_firecracker_binaries(*, workspace_dir=FC_WORKSPACE_DIR):
 )
+def get_example(name, *args, **kwargs):
+ """Build an example binary"""
+ return get_binary(name, *args, **kwargs, example=True)
+
+
 @with_filelock
 def run_seccompiler_bin(bpf_path, json_path=defs.SECCOMP_JSON_DIR, basic=False):
 """
From 435a850d1dde9b76f95f7d0888eef192d35c49ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?=
Date: Sat, 28 Oct 2023 11:28:24 +0200
Subject: [PATCH 4/5] fix(test): test_spectre_meltdown_checker_on_host when not running on PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the test fails when running it outside of a PR, because the checker returns an exit code of 2.
Fixes: f79d301794ee33d9c75747882f71a73af7f01d44
Signed-off-by: Pablo Barbáchano
---
 tests/framework/ab_test.py | 3 ++-
 tests/integration_tests/security/test_vulnerabilities.py | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/framework/ab_test.py b/tests/framework/ab_test.py
index 6c4e2089163..fd89658c547 100644
--- a/tests/framework/ab_test.py
+++ b/tests/framework/ab_test.py
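Review bot: The `if not bin_path.exists():` guard in `get_binary` now also covers the example binaries, so a file left under `release/examples/` by an earlier build is reused without cargo ever comparing it to the current sources. For the `seccomp_*` and `uffd_*_handler` examples that conftest.py now obtains through this path, a stale binary would let the seccomp and UFFD tests pass against code that is no longer in the tree, whereas the removed fixtures called `build_tools.cargo_build` once per session. Either say so in the docstring, e.g. `"""Build a binary or example once; an existing file at bin_path is reused as-is."""`, or drop the existence check for examples and let cargo decide whether a rebuild is needed. The end of the function lies outside the hunk.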
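Review bot: `get_example` forwards `*args` to `get_binary`, whose parameters after `name` are keyword-only, so any positional argument fails one frame deeper with a `TypeError`, and a caller that passes `example=` gets a duplicate-keyword error. Spelling the signature out makes the contract visible at the call site: `def get_example(name, *, workspace_dir=FC_WORKSPACE_DIR):` with `return get_binary(name, workspace_dir=workspace_dir, example=True)`. This assumes the `with_filelock` decorator passes arguments through unchanged, which the hunk does not show.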
@@ -115,6 +115,7 @@ def git_ab_test_host_command_if_pr( command: str, *, comparator: Callable[[CommandReturn, CommandReturn], bool] = default_comparator, + **kwargs, ): """Runs the given bash command as an A/B-Test if we're in a pull request context (asserting that its stdout and stderr did not change across the PR). Otherwise runs the command, asserting it returns a zero exit code @@ -122,7 +123,7 @@ def git_ab_test_host_command_if_pr( if is_pr(): git_ab_test_host_command(command, comparator=comparator) else: - utils.run_cmd(command) + utils.run_cmd(command, **kwargs) def git_ab_test_host_command( diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py index 5f3949551e5..3d8e5178711 100644 --- a/tests/integration_tests/security/test_vulnerabilities.py +++ b/tests/integration_tests/security/test_vulnerabilities.py @@ -180,6 +180,7 @@ def test_spectre_meltdown_checker_on_host(spectre_meltdown_checker): comparator=set_did_not_grow_comparator( spectre_meltdown_reported_vulnerablities ), + ignore_return_code=True, ) From 9ebada5f272f6526dbfe00a67ff36c95a4289168 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?= Date: Sat, 28 Oct 2023 11:49:12 +0200 Subject: [PATCH 5/5] fix(test): test_cargo_audit fails on nightly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The test fails when not run as part of PR tests. The issue is that these tests behave differently when running as part of a PR or independently. This makes testing and troubleshooting more difficult. Workaround the issue by changing the directory so the command runs at the right place. Fixes: 8297c8f3a5cddc3b709f3ee26db913cf66fbcbb6 Signed-off-by: Pablo Barbáchano --- tests/framework/ab_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/framework/ab_test.py b/tests/framework/ab_test.py index fd89658c547..1e2025b13e5 100644 --- a/tests/framework/ab_test.py 
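Review bot: In tests/framework/ab_test.py the new `**kwargs` reaches only the `else` branch, so on the PR path `git_ab_test_host_command(command, comparator=comparator)` silently drops whatever the caller passed and the two modes drift further apart. The docstring kept as context in the first hunk still promises that the non-PR run is "asserting it returns a zero exit code", which is no longer true once a caller passes `ignore_return_code=True`. I would document the parameter, e.g. `**kwargs: forwarded to utils.run_cmd on the non-PR path only`, and reword the last docstring sentence to say the exit code is asserted unless the caller disables it. The function is split across the `-115` and `-122` hunks, and this note covers both.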
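Review bot: With `ignore_return_code=True` the non-PR run of `test_spectre_meltdown_checker_on_host` no longer asserts anything, because outside a PR the helper only calls `utils.run_cmd` and discards the result while the `comparator` is used on the PR path alone. A run outside a PR would therefore stay green whatever the checker reports for the host. Consider comparing the reported set against an expected baseline in the non-PR case, or at least record the limitation next to the argument: `# non-PR runs only verify that the checker executes; it exits with 2 here`. The test body begins outside the hunk.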
+++ b/tests/framework/ab_test.py
@@ -123,7 +123,7 @@ def git_ab_test_host_command_if_pr(
 if is_pr():
 git_ab_test_host_command(command, comparator=comparator)
 else:
- utils.run_cmd(command, **kwargs)
+ utils.run_cmd(command, **kwargs, cwd=Path.cwd().parent)
 def git_ab_test_host_command(
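Review bot: `cwd=Path.cwd().parent` makes the non-PR branch depend on the directory pytest was started from, so a run launched from anywhere other than a direct child of the intended directory executes the command in the wrong place. For `test_cargo_audit`, named in the subject, that presumably decides which lockfile gets audited. Because `cwd` is passed next to `**kwargs`, a caller that supplies its own `cwd` also gets a duplicate-keyword `TypeError`. Anchoring on the module is stable and lets callers override it: `kwargs.setdefault("cwd", Path(__file__).resolve().parents[2])` followed by `utils.run_cmd(command, **kwargs)`, assuming the repository root is the intended directory. The hunk does not show whether `Path` is imported in ab_test.py.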