Configuring Fedora 18 to run VDSM functional tests

Dan Kenigsberg danken at redhat.com
Tue Mar 5 14:25:20 UTC 2013 

On Tue, Mar 05, 2013 at 02:30:05PM +0800, Zhou Zheng Sheng wrote:
> Hi all,
> 
> Recently I get a oVirt Jenkins power user account. Firstly, on my own
> machine, I have setup Jenkins in Fedora 18 to run VDSM functional tests,
> then now I would like to configure the oVirt Jenkins to run those tests.
> 
> VDSM is for managing the hosts so the tests need some root privilege.
> The system have to be properly configured to provide some dependencies.
> This can not be done solely in Jenkins. I would like to list these
> dependencies as follow and see if they can be setup with the help of the
> server admin.
> 
> Dependency packages for building VDSM:
> 
> yum -y install git autoconf automake gcc python-devel python-nose libvirt libvirt-python python-pthreading m2crypto python-pep8 pyflakes rpm-build python-rtslib
> 
> 
> Some configuration for the environment:
> 
> systemctl stop ksmtuned.service  # mom tests are conflicting with ksmtuned
> systemctl disable ksmtuned.service
> chmod a+r /boot/initramfs*
> mkdir /rhev
> restorecon -v -R /rhev
> yum -y downgrade pyflakes
> 
> 
> visudo:
> 
> jenkins ALL=    NOPASSWD: /usr/bin/make install, /usr/bin/yum, /usr/bin/systemctl, /usr/share/vdsm/tests/run_tests.sh
> jenkins ALL=    NOPASSWD: /usr/bin/rm -rf /home/jenkins/.jenkins/jobs/vdsmFunctionalTest/workspace/builder
> jenkins ALL=    NOPASSWD: /usr/bin/rm -rf /home/jenkins/.jenkins/jobs/vdsmFunctionalTest/workspace/rpmbuild
> jenkins ALL=    NOPASSWD: /usr/bin/rm -f /home/jenkins/.jenkins/jobs/vdsmFunctionalTest/workspace/nosetests.xml
> 
> On my machine, the Jenkins is run as user "jenkins". Its home is
> /home/jenkins/.jenkins and the job name is vdsmFunctionalTest. We have
> to change the sudo configuration to fit into the server.
> 
> 
> To run glusterfs storage domain related test cases, selinux must be
> turned to permissive mode, because there are some violations in the
> latest glusterfs. If we can not give up selinux for security
> considerations, I will skip those tests when configuring job in Jenkins.
> The following gluster configuration is from Deepak and it works on my
> machine.
> Turn off selinux:
> 
> vim /etc/selinux/config: SELINUX=permissive
> setenforce 0
> 
> Install glusterfs and setup the brick:
> 
> wget http://download.gluster.org/pub/gluster/glusterfs/qa-releases/3.4.0alpha/Fedora/glusterfs-alpha-fedora.repo
> yum -y install glusterfs
> systemctl start glusterd.service
> mkdir /var/lib/vdsm/myglusterbrick
> chmod 777 /var/lib/vdsm/myglusterbrick
> 
> Now start the gluster shell and issue the following commands:
> 
> gluster
> gluster> volume create testvol 192.168.X.X:/var/lib/vdsm/myglusterbrick
> gluster> volume start testvol
> gluster> volume set testvol server.allow-insecure on
> 
> vim /etc/glusterfs/glusterd.vol and enable the below option:
> 
> option rpc-auth-allow-insecure on
> 
> So glusterd.vol should look somethign like this...
> 
> volume management
>     type mgmt/glusterd
>     option working-directory /var/lib/glusterd
>     option transport-type socket,rdma
>     option transport.socket.keepalive-time 10
>     option transport.socket.keepalive-interval 2
>     option rpc-auth-allow-insecure on
> end-volume
> 
> If it's successful, we are able to see the glusterfsd process that owns
> the brick:
> 
> ps -ef| grep testvol
> root      2551     1  0 23:16 ?        00:00:00 /usr/sbin/glusterfsd -s localhost --volfile-id testvol.192.168.X.X.var-lib-vdsm-myglusterbrick -p /var/lib/glusterd/vols/testvol/run/192.168.X.X-var-lib-vdsm-myglusterbrick.pid -S /var/run/d5dd385ecebfdfc05ef54fa0b4d28960.socket --brick-name /var/lib/vdsm/myglusterbrick -l /var/log/glusterfs/bricks/var-lib-vdsm-myglusterbrick.log --xlator-option *-posix.glusterd-uuid=11bd6f47-a3ff-4969-a06b-e91e0f91a0e8 --brick-port 49152 --xlator-option testvol-server.listen-port=49152
> 
> 
> 
> I will run the following shell script as a build step in the Jenkins
> job. Though the script works fine in my Jenkins on Fedora 18, please
> give comments if you spot problems when it runs in oVirt Jenkins.
> 
> set -e
> set -v
> 
> # BUILD #
> # Make things clean.
> sudo -n rm -f "$(pwd)/nosetests.xml"
> 
> BUILDERDIR="$(pwd)/builder"
> RPMTOPDIR="$(pwd)/rpmbuild"
> 
> sudo -n rm -rf "$BUILDERDIR"
> sudo -n rm -rf "$RPMTOPDIR"
> 
> test -f Makefile && make -k distclean || :
> find . -name '*.pyc' | xargs rm -f
> find . -name '*.pyo' | xargs rm -f
> 
> ./autogen.sh --prefix="$BUILDERDIR"
> 
> # If the MAKEFLAGS envvar does not yet include a -j option,
> # add -jN where N depends on the number of processors.
> case $MAKEFLAGS in

You know what I feel about unquoted shell variables..

>   *-j*) ;;
>   *) n=$(getconf _NPROCESSORS_ONLN 2> /dev/null)
>     test "$n" -gt 0 || n=1
>     n=$(expr $n + 1)
>     MAKEFLAGS="$MAKEFLAGS -j$n"
>     export MAKEFLAGS
>     ;;
> esac
> 
> make
> sudo -n make install
> 
> rm -f *.tar.gz
> make dist
> 
> if [ -n "$AUTOBUILD_COUNTER" ]; then
>   EXTRA_RELEASE=".auto$AUTOBUILD_COUNTER"
> else
>   NOW=`date +"%s"`
>   EXTRA_RELEASE=".$USER$NOW"
> fi
> 
> NOSE_EXCLUDE=.* rpmbuild --nodeps \
>    --define "extra_release $EXTRA_RELEASE" \
>    --define "_sourcedir `pwd`" \
>    --define "_topdir $RPMTOPDIR" \
>    -ba --clean vdsm.spec
> 
> 
> # INSTALL #
> joinlines() {
>     local lines="$1"
>     local line=""
>     local sep="$2"
>     local joined=""
>     for line in "$lines"; do
>         joined="${joined}${sep}${line}"
>     done
>     printf "$joined"
> }
> 
> ( cd "$RPMTOPDIR"
> packages=$(find . -name "*.rpm" | grep -v "\.src\.rpm")
> sudo -n yum -y remove "vdsm*"
> sudo -n yum -y localinstall $(joinlines "$packages" " ") )

is "joinlines"" really needed? I think $() does this on its own.

> 
> 
> # START SERVICE #
> sudo -n systemctl start vdsmd.service
> sleep 20
> sudo -n systemctl status vdsmd.service
> 
> 
> # RUN TESTS #
> OLDDIR="$(pwd)"
> ( cd /usr/share/vdsm/tests
> sudo -n ./run_tests.sh --with-xunit --xunit-file "$OLDDIR/nosetests.xml" functional/*.py )
> 
> 
> # STOP SERVICE #
> sudo -n systemctl stop vdsmd.service
> 
> 
> 
> The above setup may not be acceptable for security concerns. So I have
> another setup plan.

yes, this is quite frightening.  `sudo make install` is just begging for
an exploit by a lazy attacker.

> 
> I setup a virtual machine running in QEMU snapshot mode. Then add it to
> Jenkins as a slave. There is a plugin for Jenkins to start and stop
> slave using libvirt. So I configure Jenkins to start the VM slave to
> build, install and run VDSM tests, then shutdown. Jenkins slave gets the
> root privileges of the guest OS and do whatever it needs to. Since the
> VM slave is in snapshot mode, it restores the original state after
> shutdown. I also make a small script to switch snapshot mode on/off when
> I needs to manage the configuration and packages for the guest OS.

This approach would make it easier to clean after a botched test (say, a
vdsm version with a broken /etc/sudoers.d/vdsm, which renders "sudo"
useless).

> 
> Which plan do you prefer? Could someone help me setup this environment?
> (I only get access to Jenkins.)
> 

I vote for the virtualized approach.

More information about the Infra mailing list