Enforce SELinux in acceptance tests #2187
Conversation
|
This PR has been marked as stale because it has been open for a while and has had no recent activity. If this PR is still important to you please drop a comment below and we will add this to our backlog to complete. Otherwise, it will be closed in 7 days. |
|
@ekohl Apologies for the late review. |
|
I'm unable to run tests locally, so I pushed this to see the results. They are red but rotated by now. I'll rebase to see if that's still the case. |
ekohl
force-pushed
the
fix-selinux-in-tests
branch
from
ec3cc7a
to
f6bce28
Compare
|
Hello! 👋 This pull request has been open for a while and has had no recent activity. We've labelled it with If you are waiting on a response from us we will try and address your comments on a future Community Day. Alternatively, if it is no longer relevant to you please close the PR with a comment. Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error. |
ekohl
force-pushed
the
fix-selinux-in-tests
branch
from
f6bce28
to
34facc3
Compare
|
I've rebased it and split it into two commits. First one that cleans things up (which I think should already be good to merge), then one that makes it enforcing. If the enforcing one fails and we can't quickly figure out why it fails I think we should merge the first commit for now. |
|
@ekohl Look's like your getting some failures across the Redhat OSs |
|
To properly debug this I need the logs from |
|
There's not really an easy answer for that. Since the environment is cleaned up at the end of every run, the machines and any log's are all wiped from existence. Off the top of my head, you could comment out the unnecessary test's and then add a If that doesn't work, you could disable the cleanup and I could manually retrieve the log's for you. We would need to coordinate though. |
|
Hello! 👋 This pull request has been open for a while and has had no recent activity. We've labelled it with If you are waiting on a response from us we will try and address your comments on a future Community Day. Alternatively, if it is no longer relevant to you please close the PR with a comment. Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error. |
|
I split off #2320 which at least cleans some things up. Let's try to get that merged since I don't have time to finish this for now. |
ekohl
force-pushed
the
fix-selinux-in-tests
branch
from
34facc3
to
4adb586
Compare
|
Hello! 👋 This pull request has been open for a while and has had no recent activity. We've labelled it with If you are waiting on a response from us we will try and address your comments on a future Community Day. Alternatively, if it is no longer relevant to you please close the PR with a comment. Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error. |
ekohl
force-pushed
the
fix-selinux-in-tests
branch
from
4adb586
to
f5dbd6e
Compare
|
Rebased to resolve conflicts. Includes #2320 so that should be merged first. |
ekohl
force-pushed
the
fix-selinux-in-tests
branch
from
f5dbd6e
to
0c96ba6
Compare
|
@ekohl Hey, sorry to bother but just checking in on how this is proceeding so I can update our records? |
|
@david22swan I need to do some work on this, but I really struggle to find the time for it. Luckily all the preparation work went in, so I'll rebase this to show that. |
ekohl
force-pushed
the
fix-selinux-in-tests
branch
from
0c96ba6
to
6f3b124
Compare
|
Hey @ekohl, are you still interested in working on this project? Perhaps this PR should be closed until work is resumed. Mostly to avoid stale PRs. |
|
I don't have time for it right now. Perhaps convert it to an issue so it isn't lost? |
This attempts to unify SELinux handling in the tests. It moves the package installation to the acceptance spec helper to reduce duplication. It then makes the set_apache_defaults line idempotent and restorecon_apache correctly chained. This works around PUP-10548 which is that Puppet doesn't reload file contexts within a run. That means it must first create the file(s) and then run restorecon to get correct contexts.
I'm not entirely sure if this will work.