From be3855a5ceb7c22b4aeb2aaca5379c676ccad16a Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov
Date: Sat, 9 Sep 2023 18:16:16 +0100
Subject: [PATCH] zdtm: enable tests with encrypted images
This patch extends ZDTM to run `criu dump` with the `--encrypt` option to test the encryption functionality of CRIU images.
Signed-off-by: Radostin Stoyanov
---
.github/workflows/encrypted-images.yml | 17 +++++++++++
scripts/ci/run-ci-tests.sh | 41 ++++++++++++++++++++++++++
test/zdtm.py | 22 ++++++++------
3 files changed, 71 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/encrypted-images.yml
diff --git a/.github/workflows/encrypted-images.yml b/.github/workflows/encrypted-images.yml
new file mode 100644
index 0000000000..3f78e8f4c0
--- /dev/null
+++ b/.github/workflows/encrypted-images.yml
@@ -0,0 +1,17 @@
+name: Encrypted Images Test
+
+on: [push, pull_request]
+
+# Cancel any preceding run on the pull request.
+concurrency:
+ group: encrypted-images-test-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/criu-dev' }}
+
+jobs:
+ build:
+ runs-on: ubuntu-22.04
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run CRIU Encrypted Images Test
+ run: sudo -E make -C scripts/ci local ENCRYPTED_IMAGES_TEST=1
diff --git a/scripts/ci/run-ci-tests.sh b/scripts/ci/run-ci-tests.sh
index 1aae555f76..3e797199f5 100755
--- a/scripts/ci/run-ci-tests.sh
+++ b/scripts/ci/run-ci-tests.sh
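Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope while it executes `sudo -E make -C scripts/ci local` on every push and pull request. A top-level `permissions:` with `contents: read` would keep the token read-only regardless of the repository default. `actions/checkout@v2` is also a mutable tag on an old major version; pinning to a current release, ideally by commit SHA, is the usual supply-chain hardening, unless the repository's other workflows stay on v2 deliberately.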
@@ -72,6 +72,42 @@ test_stream() { ./test/zdtm.py run --stream -p 2 --keep-going -a "${STREAM_TEST_EXCLUDE[@]}" "${ZDTM_OPTS[@]}" } +test_encrypted_images() { + # Running tests with encrypted images + TEST_EXCLUDE=( + -x zdtm/static/cgroup01 \ + -x zdtm/static/cgroup02 \ + -x zdtm/static/file_lease00 \ + -x zdtm/static/file_lease01 \ + -x zdtm/static/mountpoints \ + -x zdtm/static/autofs \ + -x zdtm/static/bind-mount \ + -x zdtm/static/cr_veth \ + -x zdtm/static/dumpable02 \ + -x zdtm/static/ghost_on_rofs \ + -x zdtm/static/inotify00 \ + -x zdtm/static/mntns_overmount \ + -x zdtm/static/mntns_shared_bind \ + -x zdtm/static/mntns_shared_bind02 \ + -x zdtm/static/mntns_shared_vs_private \ + -x zdtm/static/non_uniform_share_propagation \ + -x zdtm/static/overmount_sock \ + -x zdtm/static/overmount_with_shared_parent \ + -x zdtm/static/pipe01 \ + -x zdtm/static/private_bind_propagation \ + -x zdtm/static/pty00 \ + -x zdtm/static/shared_mount_propagation \ + -x zdtm/static/shared_slave_mount_children \ + -x zdtm/static/socket-tcp-reuseport \ + -x zdtm/static/tempfs \ + -x zdtm/static/tempfs_overmounted \ + -x zdtm/static/unbindable \ + -x zdtm/static/unlink_regular00 \ + -x zdtm/static/session01 \ + ) + ./test/zdtm.py run -a --keep-going --encrypt "${TEST_EXCLUDE[@]}" "${ZDTM_OPTS[@]}" +} + print_header() { echo "############### $1 ###############" } @@ -213,6 +249,11 @@ if [ "${STREAM_TEST}" = "1" ]; then exit 0 fi +if [ "${ENCRYPTED_IMAGES_TEST}" = "1" ]; then + test_encrypted_images + exit 0 +fi + ./test/zdtm.py run -a -p 2 --keep-going "${ZDTM_OPTS[@]}" if criu/criu check --feature move_mount_set_group; then ./test/zdtm.py run -a -p 2 --mntns-compat-mode --keep-going "${ZDTM_OPTS[@]}" diff --git a/test/zdtm.py b/test/zdtm.py index 7a7cdfd3b6..0630efbdf8 100755 --- a/test/zdtm.py +++ b/test/zdtm.py 
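Review bot: `test_encrypted_images` excludes 29 tests with no comment saying why, so a reader cannot tell which exclusions mark dump/restore paths that do not yet work with `--encrypt` and which are CI-environment limits. A comment above `TEST_EXCLUDE=(`, for example `# Tests not yet passing with --encrypt; remove entries as support lands`, or per-group reasons, would make the untested surface of the encryption feature explicit. Two style points in the same function: the trailing `\` on each entry is unnecessary inside a bash array literal, and `TEST_EXCLUDE` could be declared `local` so it does not leak into the rest of the script.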
@@ -1061,7 +1061,8 @@ def __init__(self, opts): self.__page_server_p = None self.__dump_process = None self.__img_streamer_process = None - self.__tls = self.__tls_options() if opts['tls'] else [] + self.__tls = ['--tls'] + self.__tls_options() if opts['tls'] else [] + self.__encrypt = ['--encrypt'] + self.__tls_options() if opts['encrypt'] else [] self.__criu_bin = opts['criu_bin'] self.__crit_bin = opts['crit_bin'] self.__pre_dump_mode = opts['pre_dump_mode'] @@ -1127,11 +1128,13 @@ def cleanup(self): def __tls_options(self): pki_dir = os.path.dirname(os.path.abspath(__file__)) + "/pki" - return [ - "--tls", "--tls-no-cn-verify", "--tls-key", pki_dir + "/key.pem", - "--tls-cert", pki_dir + "/cert.pem", "--tls-cacert", - pki_dir + "/cacert.pem" + output = [ + "--tls-no-cn-verify", + "--tls-key", pki_dir + "/key.pem", + "--tls-cert", pki_dir + "/cert.pem", + "--tls-cacert", pki_dir + "/cacert.pem" ] + return output def __ddir(self): return os.path.join(self.__dump_path, "%d" % self.__iter) @@ -1350,7 +1353,7 @@ def dump(self, action, opts=[]): os.mkdir(self.__ddir()) os.chmod(self.__ddir(), 0o777) - a_opts = ["--tree", self.__test.getpid()] + a_opts = ["--tree", self.__test.getpid()] + self.__encrypt if self.__prev_dump_iter: a_opts += [ "--prev-images-dir", @@ -1425,7 +1428,7 @@ def dump(self, action, opts=[]): raise test_fail_exc("criu page-server exited with %d" % ret) def restore(self): - r_opts = [] + r_opts = self.__encrypt if self.__restore_sibling: r_opts = ["--restore-sibling"] self.__test.auto_reap = False 
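Review bot: `self.__encrypt` in `__init__` is built from `__tls_options()`, so `--encrypt` runs receive `--tls-no-cn-verify` plus the key, certificate and CA paths under `test/pki`, yet neither the helper's name nor a comment says the TLS material doubles as the encryption key source. A one-line comment on the new assignment, e.g. `# --encrypt reuses the TLS key/cert from test/pki`, would record that. When both `opts['tls']` and `opts['encrypt']` are set, any command line that receives both lists will carry the key options twice; whether that happens depends on code outside this hunk.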
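Review bot: In `restore()`, `r_opts = self.__encrypt` is overwritten two lines later by `r_opts = ["--restore-sibling"]`, so when restore-sibling is enabled the `--encrypt` flag and its key options are dropped and an encrypted dump would be restored without them. The assignment also aliases the list held on the instance, so any in-place extension later in the function (its body continues outside the hunk) would grow `self.__encrypt` on every restore. Suggest `r_opts = list(self.__encrypt)` at the top and `r_opts.append("--restore-sibling")` inside the `if`.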
@@ -2082,8 +2085,8 @@ def run_test(self, name, desc, flavor): 'sat', 'script', 'rpc', 'criu_config', 'lazy_pages', 'join_ns', 'dedup', 'sbs', 'freezecg', 'user', 'dry_run', 'noauto_dedup', 'remote_lazy_pages', 'show_stats', 'lazy_migrate', 'stream', - 'tls', 'criu_bin', 'crit_bin', 'pre_dump_mode', 'mntns_compat_mode', - 'rootless') + 'tls', 'encrypt', 'criu_bin', 'crit_bin', 'pre_dump_mode', + 'mntns_compat_mode', 'rootless') arg = repr((name, desc, flavor, {d: self.__opts[d] for d in nd})) if self.__use_log: @@ -2764,6 +2767,7 @@ def get_cli_args(): help="simulate lazy migration", action='store_true') rp.add_argument("--tls", help="use TLS for migration", action='store_true') + rp.add_argument("--encrypt", help="encrypt images", action='store_true') rp.add_argument("--title", help="A test suite title", default="criu") rp.add_argument("--show-stats", help="Show criu statistics",