author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-01-18 13:50:14 +0300 |
---|---|---|
committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-01-18 13:50:14 +0300 |
commit | 7cd8ef212eccee3ffd388f1b88ccdeca15971435 (patch) | |
tree | 52bdc0456fa4cb99f7d8ebe9412aa5072e9d5391 | |
parent | c275ce42bff89cf6930e603aa2cc9f75e1b0d309 (diff) | |
parent | 10a89fc4cfa5e1601276e7fe31aa3155953dd24b (diff) |
Merge branch 'pks-ci-run-tests-unprivileged' into 'master'
ci: Run tests as unprivileged user
See merge request gitlab-org/gitaly!4254
-rw-r--r-- | .gitlab-ci.yml | 17 | ||||
-rw-r--r-- | Makefile | 12 | ||||
-rw-r--r-- | internal/git/command_factory_cgroup_test.go | 2 |
3 files changed, 21 insertions, 10 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b996c16dd..38a6a4133 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -75,6 +75,7 @@ include: PGUSER: postgres POSTGRES_DB: praefect_test POSTGRES_HOST_AUTH_METHOD: trust + TEST_REPORT: /tmp/go-tests-report.xml before_script: &test_before_script - go version - while ! psql -h $PGHOST -U $PGUSER -c 'SELECT 1' > /dev/null; do echo "awaiting Postgres service to be ready..." && sleep 1 ; done && echo "Postgres service is ready!" @@ -82,7 +83,7 @@ include: paths: - ruby/tmp/gitaly-rspec-test.log reports: - junit: _build/reports/go-tests-report.xml + junit: ${TEST_REPORT} when: on_failure expire_in: 1 week @@ -156,16 +157,17 @@ build:binaries: test: <<: *test_definition script: - # This command will make all directories except of our build directory and Ruby code unwritable. - # The purpose is to verify that there is no test which writes into those directories anymore, as - # they should all instead use a temporary directory for runtime data. - - find . -type d \( -path ./_build -o -path ./ruby \) -prune -o -type d -exec chmod a-w {} \; # If we're testing with bundled Git, then we don't want to have the Git # installation around. Otherwise, Git would be able to resolve its binaries # by just looking at its own GIT_PREFIX and then pick binaries from that # installation directory. - if test -n "${WITH_BUNDLED_GIT}"; then rm -rf _build/deps/git/install; fi - - make ${TARGET} + # We need to prepare test dependencies as privileged user. + - make build prepare-tests + # But the actual tests should run unprivileged. This assures that we pay + # proper attention to permission bits and that we don't modify the source + # directory. + - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease parallel: matrix: # These definitions are for the non-default Git versions. 
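Review bot: In the `@@ -82,7 +83,7 @@` hunk, `junit: ${TEST_REPORT}` now resolves to `/tmp/go-tests-report.xml` (set in the `@@ -75,6 +75,7 @@` hunk), which lies outside the checkout. GitLab documents artifact paths as relative to the project directory, so the report may silently stop being collected; this is worth confirming on a failing pipeline. If it is not picked up, either copy the file back into the project directory in an `after_script`, or point `TEST_REPORT` at a location under `${CI_PROJECT_DIR}` that uid 9999 may write. The `artifacts:` block starts above the hunk.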
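Review bot: In the `test:` script (`@@ -156,16 +157,17 @@`), removing the `find … -exec chmod a-w {} \;` step leaves the "we don't modify the source directory" guarantee resting entirely on the mode bits the runner gave the checkout. Uid 9999 is only blocked if the tree was not created group- or world-writable, and some runner configurations clone with a permissive umask, in which case nothing here would notice a test writing into the source tree. Consider asserting the assumption before the tests, e.g. `- setpriv --reuid=9999 --regid=9999 --clear-groups test ! -w .`, or keeping the chmod step ahead of the `setpriv` call. The same applies to `test:nightly` in the `@@ -233,7 +235,8 @@` hunk.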
@@ -233,7 +235,8 @@ test:nightly: <<: *test_definition script: - go version - - make all ${TARGET} + - make build prepare-tests + - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease parallel: matrix: - GIT_VERSION: [ "master", "next" ] @@ -356,7 +356,7 @@ prepare-test-repos: ${TEST_REPO} ${TEST_REPO_GIT} test: test-go test-ruby .PHONY: test-ruby -test-ruby: prepare-tests rspec +test-ruby: rspec .PHONY: test-go ## Run Go tests. @@ -391,9 +391,17 @@ race-go: test-go .PHONY: rspec ## Run Ruby tests. -rspec: build prepare-tests +rspec: prepare-tests ${Q}cd ${GITALY_RUBY_DIR} && PATH='${SOURCE_DIR}/internal/testhelper/testdata/home/bin:${PATH}' bundle exec rspec +# This is a workaround for our unprivileged CI builds. We manually execute the +# build target as privileged user, but then run the rspec target unprivileged. +# We thus cannot rebuild binaries there given that we have no permissions to +# write into the build directory. +ifndef SKIP_RSPEC_BUILD +rspec: build +endif + .PHONY: verify ## Verify that various files conform to our expectations. verify: check-mod-tidy notice-up-to-date check-proto rubocop lint diff --git a/internal/git/command_factory_cgroup_test.go b/internal/git/command_factory_cgroup_test.go index dec22243f..fb470421d 100644 --- a/internal/git/command_factory_cgroup_test.go +++ b/internal/git/command_factory_cgroup_test.go @@ -50,7 +50,7 @@ func TestNewCommandAddsToCgroup(t *testing.T) { BinDir: filepath.Join(root, "bin.d"), } - require.NoError(t, os.MkdirAll(cfg.BinDir, 0o644)) + require.NoError(t, os.MkdirAll(cfg.BinDir, 0o755)) require.NoError(t, cfg.SetGitPath()) gitCmdFactory := newCommandFactory(t, cfg, WithSkipHooks()) |
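Review bot: The `setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease` line in `test:nightly` (`@@ -233,7 +235,8 @@`) is a verbatim copy of the one in `test:`, without the comments that explain it there. A later hardening change (a different uid, an extra flag) would have to be made in both jobs and could easily drift. Defining the uid once as a job variable in the shared test definition, or sharing the two script lines through a YAML anchor, would keep them in sync. If the duplication stays, repeat the comment here, e.g. `# Dependencies are prepared as root above; the tests themselves run unprivileged.`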
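Review bot: In the Makefile hunk at `@@ -391,9 +391,17 @@`, splitting `build` into a second `rspec:` rule changes the prerequisite order from `build prepare-tests` to `prepare-tests build`, so a serial `make rspec` now starts `prepare-tests` before `build`. Whether that matters depends on `prepare-tests`, whose definition is outside the hunk. A single rule keeps the old order and the same switch: `rspec: $(if ${SKIP_RSPEC_BUILD},,build) prepare-tests`. It would also help to state in the comment that with `SKIP_RSPEC_BUILD` set the target runs against whatever binaries already exist, and that `ifndef` treats an empty value as unset.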