Skip to content

Commit

Permalink
Add test case for new_PVC scenario of selinux relabeling solution (#8240
Browse files Browse the repository at this point in the history 
)

Signed-off-by: Vishakha Kathole <[email protected]>
  • Loading branch information
@vkathole
vkathole authored Jan 11, 2024
1 parent 10008ec commit b2b9bac
Show file tree
Hide file tree
Showing 3 changed files with 156 additions and 22 deletions.
25 changes: 25 additions & 0 deletions ocs_ci/helpers/helpers.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -708,6 +708,7 @@ def create_storage_class(
fs_name=None,
volume_binding_mode="Immediate",
allow_volume_expansion=True,
kernelMountOptions=None,
):
"""
Create a storage class
Expand All @@ -730,6 +731,7 @@ def create_storage_class(
volume_binding_mode (str): Can be "Immediate" or "WaitForFirstConsumer" which the PVC will be in pending till
pod attachment.
allow_volume_expansion(bool): True to create sc with volume expansion
kernelMountOptions (str): Mount option for security context
Returns:
OCS: An OCS instance for the storage class
"""
Expand Down Expand Up @@ -771,6 +773,8 @@ def create_storage_class(
if sc_name
else create_unique_resource_name(f"test-{interface}", "storageclass")
)
if kernelMountOptions:
sc_data["parameters"]["kernelMountOptions"] = kernelMountOptions
sc_data["metadata"]["namespace"] = config.ENV_DATA["cluster_namespace"]
for key in ["node-stage", "provisioner", "controller-expand"]:
sc_data["parameters"][f"csi.storage.k8s.io/{key}-secret-name"] = secret_name
Expand Down Expand Up @@ -4414,3 +4418,24 @@ def verify_pvc_size(pod_obj, expected_size):
f"Checking again."
)
return False


def check_selinux_relabeling(pod_obj):
"""
Check SeLinux Relabeling is set to false.
Args:
pod_obj (Pod object): App pod
"""
# Get the node on which pod is running
node_name = pod.get_pod_node(pod_obj=pod_obj).name

# Check SeLinux Relabeling is set to false
logger.info("checking for crictl logs")
oc_cmd = ocp.OCP(namespace=config.ENV_DATA["cluster_namespace"])
cmd1 = "crictl inspect $(crictl ps --name perf -q)"
output = oc_cmd.exec_oc_debug_cmd(node=node_name, cmd_list=[cmd1])
key = '"selinuxRelabel": false'
assert key in output, f"{key} is not present in inspect logs"
logger.info(f"{key} is present in inspect logs of application pod running node")
5 changes: 4 additions & 1 deletion tests/conftest.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -819,6 +819,7 @@ def factory(
encryption_kms_id=None,
volume_binding_mode="Immediate",
allow_volume_expansion=True,
kernelMountOptions=None,
):
"""
Args:
Expand All @@ -842,7 +843,8 @@ def factory(
csi-kms-connection-details configmap
volume_binding_mode (str): Can be "Immediate" or "WaitForFirstConsumer" which the PVC will be in pending
till pod attachment.
allow_volume_expansion (bool)= True to Allows volume expansion
allow_volume_expansion (bool): True to Allows volume expansion
kernelMountOptions (str): Mount option for security context
Returns:
object: helpers.create_storage_class instance with links to
Expand Down Expand Up @@ -880,6 +882,7 @@ def factory(
encryption_kms_id=encryption_kms_id,
volume_binding_mode=volume_binding_mode,
allow_volume_expansion=allow_volume_expansion,
kernelMountOptions=kernelMountOptions,
)
assert sc_obj, f"Failed to create {interface} storage class"
sc_obj.secret = secret
Expand Down
148 changes: 127 additions & 21 deletions tests/cross_functional/kcs/test_selinux_relabel_solution.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

from ocs_ci.framework import config
from ocs_ci.helpers import helpers
from ocs_ci.helpers.helpers import check_selinux_relabeling
from ocs_ci.ocs import ocp, constants
from ocs_ci.framework.testlib import E2ETest
from ocs_ci.ocs.exceptions import PodNotCreated, CommandFailed
Expand All @@ -26,6 +27,7 @@


@magenta_squad
@tier1
class TestSelinuxrelabel(E2ETest):
def create_deploymentconfig_pod(self, **kwargs):
"""
Expand Down Expand Up @@ -189,13 +191,36 @@ def get_pod_start_time(self, pod_name):

return None

def get_random_files(self, pod_obj):
"""
Get random files list.
Args:
pod_obj (Pod object): App pod
Returns:
list : list of random files
"""
# Get random files
data_path = f"{constants.FLEXY_MNT_CONTAINER_DIR}"
num_of_files = random.randint(3, 9)
ocp_obj = ocp.OCP(kind=constants.OPENSHIFT_STORAGE_NAMESPACE)
random_files = ocp_obj.exec_oc_cmd(
f"exec -n {constants.OPENSHIFT_STORAGE_NAMESPACE} -it {pod_obj.name} -- /bin/bash"
f' -c "find {data_path} -type f | "shuf" -n {num_of_files}"',
timeout=300,
)
random_files = random_files.split()
log.info(f"files are {random_files}")
return random_files

def teardown(self):
"""
Cleanup the test environment
"""
res_pod.delete_deploymentconfig_pods(self.pod_obj)

@tier1
@bugzilla("1988284")
@polarion_id("OCS-5132")
@pytest.mark.parametrize("copies", [5])
Expand Down Expand Up @@ -247,16 +272,7 @@ def test_selinux_relabel_for_existing_pvc(
time.sleep(120)

# Get the md5sum of some random files
data_path = f"{constants.FLEXY_MNT_CONTAINER_DIR}"
num_of_files = random.randint(3, 9)
pod = ocp.OCP(kind="pod", namespace=config.ENV_DATA["cluster_namespace"])
random_files = pod.exec_oc_cmd(
f"exec -it {self.pod_obj.name} -- /bin/bash"
f' -c "find {data_path} -type f | "shuf" -n {num_of_files}"',
timeout=300,
)
random_files = random_files.split()
log.info(f"files are {random_files}")
random_files = self.get_random_files(self.pod_obj)
initial_md5sum = []
for file_path in random_files:
md5sum = res_pod.cal_md5sum(
Expand Down Expand Up @@ -291,17 +307,8 @@ def test_selinux_relabel_for_existing_pvc(
pod_names=[self.pod_obj.name], timeout=600, sleep=15
), f"Pod {self.pod_obj.name} didn't reach to running state"

# Get the node of cephfs pod
self.pod_obj = self.get_app_pod_obj()
node_name = res_pod.get_pod_node(pod_obj=self.pod_obj).name

# Check SeLinux Relabeling is set to false
oc_cmd = ocp.OCP(namespace=config.ENV_DATA["cluster_namespace"])
cmd1 = "crictl inspect $(crictl ps --name perf -q)"
output = oc_cmd.exec_oc_debug_cmd(node=node_name, cmd_list=[cmd1])
key = '"selinuxRelabel": false'
assert key in output, f"{key} is not present in inspect logs"
log.info(f"{key} is present in inspect logs of application pod running node")
check_selinux_relabeling(pod_obj=self.pod_obj)
log.info(f"SeLinux Relabeling is not happening for the pvc {self.pvc_obj.name}")

# Restart pod after applying fix
Expand Down Expand Up @@ -332,3 +339,102 @@ def test_selinux_relabel_for_existing_pvc(
assert (
pod_restart_time_before_fix > pod_restart_time_after_fix
), "Time taken for pod restart after fix is more than before fix."

@polarion_id("OCS-5163")
@pytest.mark.parametrize("copies", [5])
def test_selinux_relabel_for_new_pvc(
self,
pvc_factory,
service_account_factory,
storageclass_factory,
copies,
teardown_factory,
):
"""
Steps:
1. Create storageclass with security context set.
2. Create cephfs pvcs and attach pod with more than 100K files across multiple nested directories
3. Take md5sum for them some random files and get pod restart time
4. Restart the pod which is hosting cephfs files in large numbers.
5. Check data integrity.
6. Check for relabeling - this should not be happening.
Args:
pvc_factory (function): A call to pvc_factory function
service_account_factory (function): A call to service_account_factory function
storageclass_factory ((function): A call to storageclass_factory function
copies (int): number of copies to write kernel files in pod
"""
# Create storageclass with security context
sc_name = "ocs-storagecluster-cephfs-selinux-relabel"
self.storage_class = storageclass_factory(
sc_name=sc_name,
interface=constants.CEPHFILESYSTEM,
kernelMountOptions='context="system_u:object_r:container_file_t:s0"',
)

# Create PVC using new storageclass
self.ocp_project = ocp.OCP(
kind=constants.NAMESPACE, namespace=config.ENV_DATA["cluster_namespace"]
)
self.pvc_obj = pvc_factory(
project=self.ocp_project,
storageclass=self.storage_class,
size="20",
)
log.info(f"PVC {self.pvc_obj.name} created")
teardown_factory(self.pvc_obj)

# Create service_account to get privilege for deployment pods
self.service_account_obj = service_account_factory(
project=self.ocp_project,
)

# Create deployment pod
self.pod_obj = self.create_deploymentconfig_pod(
command=["/opt/multiple_files.sh"],
command_args=[f"{copies}", "/mnt"],
)

log.info(f"pod {self.pod_obj.name} created")
self.pod_selector = self.pod_obj.labels.get(constants.DEPLOYMENTCONFIG)

# Get the md5sum of some random files
random_files = self.get_random_files(self.pod_obj)
initial_md5sum = []
for file_path in random_files:
md5sum = res_pod.cal_md5sum(
pod_obj=self.pod_obj,
file_name=file_path,
)
initial_md5sum.append(md5sum)

# Delete app pod and measure pod restart time
self.pod_obj.delete(wait=True)
self.pod_obj = self.get_app_pod_obj()
try:
wait_for_pods_to_be_running(
pod_names=[self.pod_obj.name], timeout=600, sleep=15
)
except CommandFailed:
log.exception(f"Pod {self.pod_obj.name} didn't reach to running state")

pod_restart_time_after_fix = self.get_pod_start_time(pod_name=self.pod_obj.name)
log.info(f"Time taken by pod to restart is {pod_restart_time_after_fix}")

# Check Data integrity
final_md5sum = []
for file_path in random_files:
md5sum = res_pod.cal_md5sum(
pod_obj=self.pod_obj,
file_name=file_path,
)
final_md5sum.append(md5sum)
assert (
initial_md5sum == final_md5sum
), f"Data integrity failed after for PVC: {self.pvc_obj.name}"

# Check SeLinux Relabeling is set to false
check_selinux_relabeling(pod_obj=self.pod_obj)
log.info(f"SeLinux Relabeling is skipped for the pvc {self.pvc_obj.name}")

0 comments on commit b2b9bac

Please sign in to comment.