Page MenuHomeFreeBSD

tests: Switch sys/kern/sysctl_security_jail_children to execenv=jail
ClosedPublic

Authored by igoro on Oct 14 2024, 1:43 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 15, 1:56 PM
Unknown Object (File)
Wed, Nov 13, 12:18 AM
Unknown Object (File)
Sat, Nov 9, 9:59 PM
Unknown Object (File)
Thu, Nov 7, 2:27 AM
Unknown Object (File)
Wed, Nov 6, 10:35 PM
Unknown Object (File)
Wed, Nov 6, 4:37 PM
Unknown Object (File)
Wed, Nov 6, 4:35 PM
Unknown Object (File)
Wed, Nov 6, 4:29 PM
Subscribers

Details

Summary
Kyua skips tests based on the jail execution environment if a system is
built WITHOUT_JAIL. Thus, the test case does not need to handle it.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

igoro requested review of this revision.Oct 14 2024, 1:43 PM

@olivier , I remember this test was like a stumbling block for you in the past. I hope this patch does not impact your workflow. It's already based on jail usage and it seems logical to make it being jailed to avoid adding another exclusive test and not to do manual check & skip for the jail feature.

More patches like this may appear in the future with migration of jail-based tests to execenv=jail.

Why exactly did this test need to be run in exclusive mode before? Some comments would be more useful.

I wonder if it's possible to select the execenv in the test header, rather than having it in the makefile? Here it seems a bit cleaner if we can keep all of the test metadata in one file.

tests/sys/kern/sysctl_security_jail_children.sh
41

Isn't this check still needed? The test uses jail(8).

Why exactly did this test need to be run in exclusive mode before? Some comments would be more useful.

Thanks for raising this. It seems I made it exclusive due to it counts number of jails and it will easily fail if another test is spawning jails in parallel, because of they share the same "origin" parent jail (the name from this test), which is the prison0 typically. This reasoning is kind of documented, but it's not very explicit and is within the test code, actually it covers another aspect -- that it still can fail if something else spawns jails during the test run. This is really a good idea to make it explicit and provide the comment along with the metadata property itself.

It's expected to be truly isolated if that "origin" parent jail is tests's personal temporary jail, which can be provided by execenv=jail.

I wonder if it's possible to select the execenv in the test header, rather than having it in the makefile? Here it seems a bit cleaner if we can keep all of the test metadata in one file.

Indeed. And it will be inlaid with the explicit explanation why.

tests/sys/kern/sysctl_security_jail_children.sh
41

The execenv=jail feature works such way that a test case will be skipped with the respective message if the OS instance is built WITHOUT_JAIL. Thus, we already have a mechanism for this and a test case based on execenv=jail does not need to handle it manually.

igoro marked an inline comment as done.

Move metadata from Kyuafile to the test itself

Now it looks like it does not require an extra comment, it runs in a jail to isolate from others and that's it. What do you think?

This looks ok to me. Approved.

In the commit log message, please explain why we're removing the test -s jail check, as it's not very obvious.

This revision is now accepted and ready to land.Oct 17 2024, 3:05 PM
This revision now requires review to proceed.Oct 18 2024, 7:17 PM
This revision is now accepted and ready to land.Oct 19 2024, 12:48 PM