tests/sysexts: Rework to build sysext locally #3966
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request reworks the systemd sysext test to build the extension from RPMs locally, rather than downloading pre-built ones. This is a great improvement for test reliability and independence. My review includes several suggestions to enhance the robustness, security, and efficiency of the new build script. Key areas for improvement include proper temporary directory management, safer package repository handling, correct version sorting, and more robust file operations.
| dnf download --resolve --arch=noarch --arch="$(arch)" "${rpm}" | ||
|
|
||
| # Figure out version to use | ||
| pkg="$(ls ${rpm}-*.rpm | sort -h | head -1)" |
There was a problem hiding this comment.
The sort -h command is for sorting human-readable numbers (e.g., 2K, 1G), not version strings. For correct version sorting, you should use sort -V. To get the latest version, you should select the last item after sorting, not the first. Using ls -1 is also recommended in scripts to ensure one file per line.
| pkg="$(ls ${rpm}-*.rpm | sort -h | head -1)" | |
| pkg="$(ls -1 ${rpm}-*.rpm | sort -V | tail -n 1)" |
| tmpdir="/tmp/sysext-${rpm}" | ||
| mkdir "${tmpdir}" |
There was a problem hiding this comment.
Using a fixed temporary directory name can lead to conflicts and is a security risk. It's better to use mktemp -d to create a unique and secure temporary directory.
| tmpdir="/tmp/sysext-${rpm}" | |
| mkdir "${tmpdir}" | |
| tmpdir=$(mktemp -d "/tmp/sysext-${rpm}.XXXXXX") |
| mkfs.erofs -zlz4 "${name}" rootfs | ||
| mv "${name}" /tmp | ||
|
|
||
| popd > /dev/null |
There was a problem hiding this comment.
The temporary directory created for the build is not removed, which will leave files in /tmp. It's important to clean up this directory after it's no longer needed.
| popd > /dev/null | |
| popd > /dev/null | |
| rm -rf "${tmpdir}" |
| mv "/tmp/${name}"*".raw" "/var/lib/extensions.d" | ||
| ln -snf "/var/lib/extensions.d/${name}"*".raw" "/var/lib/extensions/${name}.raw" |
There was a problem hiding this comment.
Using globs (*) with mv and ln can be risky. If the glob expands to zero, or more than one file, these commands can fail or have unintended consequences. It's safer to verify that the glob matches exactly one file before proceeding.
For example:
local files=(/path/to/"${name}"*.raw)
if [ "${#files[@]}" -ne 1 ]; then
fatal "Expected 1 file, found ${#files[@]}"
fi
# Now use "${files[0]}"
safelyPlease apply this pattern to both the mv and ln commands.
| # Create the EROFS image | ||
| name="${rpm}-${version}-${version_id}-${arch}.raw" | ||
| mkfs.erofs -zlz4 "${name}" rootfs | ||
| mv "${name}" /tmp |
There was a problem hiding this comment.
I think you don't have to make it a .raw image (it can just be a directory/fs tree of files.
I think you know this and your intent here was to test the .raw because that's more like what users are going to be using (i.e. downloading a .raw and using that extension), but just in case wanted to point it out that this step may not be needed if you didn't have testing that use case specifically in mind.
There was a problem hiding this comment.
Good point. Maybe I should test both. I'll do that in a followup.
Build the sysext from Fedora RPMs and from scratch as part of the test to make this work on all releases and independently of the unofficial sysext project. Only test on x86_64 & aarch64 for now.
travier
force-pushed
the
testing-devel-sysexts-fix
branch
from
fdb8add to
1705544
Compare
| --resolve \ | ||
| --arch="noarch" \ | ||
| --arch="$(arch)" \ | ||
| -disablerepo=fedora-cisco-openh264 \ |
There was a problem hiding this comment.
| -disablerepo=fedora-cisco-openh264 \ | |
| --disablerepo=fedora-cisco-openh264 \ |
|
as part of this PR you should drop the denylist entry added in 5d5b319 |
2 participants
Build the sysext from Fedora RPMs and from scratch as part of the test to make this work on all releases and independently of the unofficial sysext project.
Only test on x86_64 & aarch64 for now.
Fixes: coreos/fedora-coreos-tracker#1940