From 3f43be72e6aa5386163e89c9be5d1b58274a3145 Mon Sep 17 00:00:00 2001
From: robin2008
Date: Fri, 22 Jun 2018 15:24:41 +0800
Subject: [PATCH 1/2] UT testcase for secureroot
---
 xCAT-test/autotest/testcase/nodeset/cases0 | 12 ++++++
 .../testcase/packimg/cases_secure_protect | 42 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 xCAT-test/autotest/testcase/packimg/cases_secure_protect
diff --git a/xCAT-test/autotest/testcase/nodeset/cases0 b/xCAT-test/autotest/testcase/nodeset/cases0
index c95fbec9c..62d53b4e4 100644
--- a/xCAT-test/autotest/testcase/nodeset/cases0
+++ b/xCAT-test/autotest/testcase/nodeset/cases0
@@ -473,3 +473,15 @@ check:output=~$$CN:\s*install
 cmd:imagename=`cat /tmp/imagename`;osversion=`lsdef -t osimage -o $imagename |grep osvers|awk -F= '{print $2}'`;versionnum=`echo $osversion |sed 's:[a-zA-Z]::g'`;grep -w -A10 "$$CN" /var/lib/dhcpd/dhcpd.leases | grep "/install/$osversion/armel/cumulus-linux-$versionnum-bcm-armel.bin"
 check:rc==0
 end
+
+start:nodeset_secureroot
+os: rhels
+description: Test nodeset could generate right installation files when site.secureroot=1
+label: others,security
+cmd: chdef -t site secureroot=1
+cmd: nodeset $$CN osimage=__GETNODEATTR($$CN,os)__-__GETNODEATTR($$CN,arch)__-install-compute
+check:rc==0
+cmd: cat /install/autoinst/$$CN | grep '^rootpw --iscrypted \*' > /dev/null
+check:rc==0
+cmd: chdef -t site secureroot=
+end
diff --git a/xCAT-test/autotest/testcase/packimg/cases_secure_protect b/xCAT-test/autotest/testcase/packimg/cases_secure_protect
new file mode 100644
index 000000000..0b4bd2c8d
--- /dev/null
+++ b/xCAT-test/autotest/testcase/packimg/cases_secure_protect
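Review bot: The cleanup step `cmd: chdef -t site secureroot=` in nodeset_secureroot (nodeset/cases0) clears the site attribute instead of putting back the value it had before the case ran, so a management node that already had secureroot=1 leaves this test with the hardening switched off. The same unconditional clear ends packimage_secureroot in cases_secure_protect, and PATCH 2/2 keeps it here. Record the prior value first and write it back last, for example `cmd: lsdef -t site -o clustersite -i secureroot | awk -F= '/secureroot/{print $2}' > <saved-value-file>` before the first chdef and `cmd: chdef -t site secureroot="$(cat <saved-value-file>)"` as the final step, with the placeholder pointing at a root-only location. Whether the trailing cmd: lines still run after a failed check is not visible on this page; if they do not, a failing run also leaves the site setting changed.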
@@ -0,0 +1,42 @@
+start:packimage_nosyncfiles
+os:Linux
+description: Test packimage with --nosyncfiles
+label: others,security
+cmd: myimage=$$OSIMAGE
+lsdef -t osimage -o $myimage -z > /tmp/packimage_nosyncfiles.osimage && \
+chdef -t osimage -o "$myimage" rootimgdir=/tmp/packimage_nosyncfiles/rootimgdir && \
+chdef -t osimage -o "$myimage" synclists=/tmp/packimage_nosyncfiles.sensitive.$$ && \
+touch /tmp/packimage_nosyncfiles.sensitive && \
+echo "/tmp/packimage_nosyncfiles.sensitive -> /etc/sensitive.xcattesting" > /tmp/packimage_nosyncfiles.sensitive.$$ && \
+genimage "$myimage" && \
+packimage "$myimage" --nosyncfiles
+if [ $? = 0 ]; then
+ test ! -e /tmp/packimage_nosyncfiles/rootimgdir/rootimg/etc/sensitive.xcattesting
+else
+ false
+fi
+check:rc==0
+cmd: test -e /tmp/packimage_nosyncfiles.osimage && cat /tmp/packimage_nosyncfiles.osimage | mkdef -t osimage $$OSIMAGE -f
+cmd: rm -rf /tmp/packimage_nosyncfiles*
+end
+
+start:packimage_secureroot
+os:Linux
+description: Test packimage with site.secureroot=1
+label: others,security
+cmd: chdef -t site secureroot=1
+cmd: myimage=$$OSIMAGE
+lsdef -t osimage $myimage -z > /tmp/packimage_secureroot.osimage && \
+chdef -t osimage -o "$myimage" rootimgdir=/tmp/packimage_secureroot/rootimgdir && \
+genimage "$myimage" && \
+packimage "$myimage" --nosyncfiles
+if [ $? = 0 ]; then
+ grep '^root\:\*\:' /tmp/packimage_secureroot/rootimgdir/rootimg/etc/shadow
+else
+ false
+fi
+check:rc==0
+cmd: test -e /tmp/packimage_secureroot.osimage && cat /tmp/packimage_secureroot.osimage | mkdef -t osimage $$OSIMAGE -f
+cmd: rm -rf /tmp/packimage_secureroot*
+cmd: chdef -t site secureroot=
+end
From f2c0727bcf16e2997b05b334089a70a4bd71ad27 Mon Sep 17 00:00:00 2001
From: robin2008
Date: Mon, 25 Jun 2018 22:18:04 +0800
Subject: [PATCH 2/2] backup/recover the osimage for node in nodeset_secureroot
---
 xCAT-test/autotest/testcase/nodeset/cases0 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
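Review bot: packimage_nosyncfiles in cases_secure_protect asserts only that `/etc/sensitive.xcattesting` is absent from rootimg, so it also passes when the synclist is never applied for an unrelated reason (wrong path, malformed entry) and cannot show that `--nosyncfiles` is what kept the file out. Assuming a plain packimage applies the synclist to rootimg, a control step ahead of the `--nosyncfiles` run closes the gap: `packimage "$myimage" && test -e /tmp/packimage_nosyncfiles/rootimgdir/rootimg/etc/sensitive.xcattesting && \` followed by `rm -f /tmp/packimage_nosyncfiles/rootimgdir/rootimg/etc/sensitive.xcattesting && \`. Both cases in this file also write the saved osimage definition and the root image tree to fixed names under /tmp and later feed the saved file to `mkdef -f`; a working directory that only root can write would keep another local user from pre-creating those paths.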
diff --git a/xCAT-test/autotest/testcase/nodeset/cases0 b/xCAT-test/autotest/testcase/nodeset/cases0
index 62d53b4e4..ae13c016f 100644
--- a/xCAT-test/autotest/testcase/nodeset/cases0
+++ b/xCAT-test/autotest/testcase/nodeset/cases0
@@ -479,9 +479,15 @@ os: rhels
 description: Test nodeset could generate right installation files when site.secureroot=1
 label: others,security
 cmd: chdef -t site secureroot=1
-cmd: nodeset $$CN osimage=__GETNODEATTR($$CN,os)__-__GETNODEATTR($$CN,arch)__-install-compute
+cmd: myimage=__GETNODEATTR($$CN,provmethod)__; osimage=__GETNODEATTR($$CN,os)__-__GETNODEATTR($$CN,arch)__-install-compute; cn=$$CN
+test -f /install/autoinst/$cn && mv -f /install/autoinst/$cn /install/autoinst/$cn.secureroot
+nodeset $cn osimage=$osimage
+myresult=$?
+chdef $cn provmethod=$myimage
+test $myresult -eq 0
 check:rc==0
 cmd: cat /install/autoinst/$$CN | grep '^rootpw --iscrypted \*' > /dev/null
 check:rc==0
 cmd: chdef -t site secureroot=
+cmd: test -f /install/autoinst/$$CN.secureroot && mv -f /install/autoinst/$$CN.secureroot /install/autoinst/$$CN
 end
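Review bot: The last added line restores the original kickstart only when a backup was taken; when the node had no `/install/autoinst/$$CN` beforehand, the file generated for the install-compute image stays in place although provmethod has already been set back to its old value. An explicit else branch keeps the two in step: `cmd: if test -f /install/autoinst/$$CN.secureroot; then mv -f /install/autoinst/$$CN.secureroot /install/autoinst/$$CN; else rm -f /install/autoinst/$$CN; fi`. In the multi-line cmd the expansions are unquoted; `nodeset "$cn" osimage="$osimage"` and `chdef "$cn" provmethod="$myimage"` behave the same for ordinary values and do not word-split on unexpected ones. The nodeset_secureroot case starts above this hunk.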