🤖 test sysextension on uki #2617

Merged
merged 4 commits into from
Jun 25, 2024
2 changes: 1 addition & 1 deletion .github/workflows/reusable-uki-test.yaml
@@ -72,7 +72,7 @@ jobs:
run: |
earthly +uki-iso \
--BASE_IMAGE=ttl.sh/${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ github.head_ref || github.ref }}:24h \
--ENKI_CREATE_CI_KEYS=true
--ENKI_OVERLAY_DIR=tests/assets/sysext/ --ENKI_KEYS_DIR=tests/assets/keys/
- name: Create datasource iso 🔧
run: |
earthly +datasource-iso --CLOUD_CONFIG=tests/assets/uki-install.yaml
19 changes: 16 additions & 3 deletions Earthfile
@@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.2
# renovate: datasource=docker depName=aquasec/trivy
ARG TRIVY_VERSION=0.51.4
# renovate: datasource=github-releases depName=kairos-io/kairos-framework
ARG KAIROS_FRAMEWORK_VERSION=v2.8.4
ARG KAIROS_FRAMEWORK_VERSION=v2.8.5
ARG COSIGN_SKIP=".*quay.io/kairos/.*"
# TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name

@@ -331,15 +331,28 @@ uki-iso:
ARG ENKI_FLAGS
ARG ENKI_CREATE_CI_KEYS # If set, it will create keys for the UKI image. Good for testing
ARG ENKI_OUTPUT_TYPE=iso # Set output type, iso, container, uki file
ARG ENKI_OVERLAY_DIR # Overlay directory to be copied to the image
ARG ENKI_KEYS_DIR # Directory where the keys are stored
FROM $OSBUILDER_IMAGE
WORKDIR /build
RUN mkdir -p /keys
IF [ "$ENKI_CREATE_CI_KEYS" != "" ]
RUN enki genkey -e 7 --output /keys Test
ELSE IF [ "$ENKI_KEYS_DIR" != "" ]
COPY $ENKI_KEYS_DIR /keys
ELSE
COPY keys/ /keys
RUN echo "No keys provided, using the test ones"
COPY tests/keys/* /keys
END
RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type ${ENKI_OUTPUT_TYPE} ${ENKI_FLAGS}

IF [ "$ENKI_OVERLAY_DIR" != "" ]
COPY $ENKI_OVERLAY_DIR /overlay-iso
RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type ${ENKI_OUTPUT_TYPE} --overlay-iso /overlay-iso ${ENKI_FLAGS}
ELSE
RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type ${ENKI_OUTPUT_TYPE} ${ENKI_FLAGS}
END


IF [ "$ENKI_OUTPUT_TYPE" == "iso" ]
SAVE ARTIFACT /build/*.iso AS LOCAL build/
ELSE IF [ "$ENKI_OUTPUT_TYPE" == "container" ]
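Review bot: The final `ELSE` branch of the key selection copies `tests/keys/*`, but the key material added in this pull request lives under `tests/assets/keys/`, so unless a `tests/keys/` directory exists elsewhere in the repository the fallback `COPY` will fail, and if it does exist the build quietly signs the UKI with private keys that are published in the repository. An `echo` is easy to miss in build output; a build with neither `ENKI_CREATE_CI_KEYS` nor `ENKI_KEYS_DIR` set would be safer failing outright, e.g. `RUN echo "No keys provided: set ENKI_KEYS_DIR or ENKI_CREATE_CI_KEYS" && exit 1`, which keeps the test keys opt-in through `--ENKI_KEYS_DIR=tests/assets/keys/` as the workflow already does. A comment on the `ARG` lines should also say that `ENKI_CREATE_CI_KEYS` takes precedence over `ENKI_KEYS_DIR` when both are set. The `IF [ "$ENKI_OUTPUT_TYPE" == "iso" ]` block continues past the end of the hunk.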
Binary file added tests/assets/keys/KEK.auth
Binary file not shown.
Binary file added tests/assets/keys/KEK.der
Binary file not shown.
Binary file added tests/assets/keys/KEK.esl
Binary file not shown.
28 changes: 28 additions & 0 deletions tests/assets/keys/KEK.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
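Review bot: The private halves of the Secure Boot test hierarchy are committed in clear text here and in `PK.key`, `db.key` and `tpm2-pcr-private.pem`, with nothing in the directory saying they are test-only. Anything signed with them, including `work.sysext.raw`, verifies only on a machine that has the matching certificates enrolled, so the risk is someone reusing this directory for a real image. A short `tests/assets/keys/README.md` stating `Test keys only: the private keys are public, never enroll these certificates on a real device` would make that explicit, and the paths may need an allowlist entry if the repository runs secret scanning.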
19 changes: 19 additions & 0 deletions tests/assets/keys/KEK.pem
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Binary file added tests/assets/keys/PK.auth
Binary file not shown.
Binary file added tests/assets/keys/PK.der
Binary file not shown.
Binary file added tests/assets/keys/PK.esl
Binary file not shown.
28 changes: 28 additions & 0 deletions tests/assets/keys/PK.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
19 changes: 19 additions & 0 deletions tests/assets/keys/PK.pem
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Binary file added tests/assets/keys/db.auth
Binary file not shown.
Binary file added tests/assets/keys/db.der
Binary file not shown.
Binary file added tests/assets/keys/db.esl
Binary file not shown.
28 changes: 28 additions & 0 deletions tests/assets/keys/db.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
19 changes: 19 additions & 0 deletions tests/assets/keys/db.pem
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions tests/assets/keys/tpm2-pcr-private.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
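--- a/tests/assets/sysext/README.md
+++ b/tests/assets/sysext/README.md
@@ -0,0 +1,35 @@
+This folder contains 2 sysextensions
+
+work.raw contains a simple script called `hello.sh` that prints "Hello World" to the console.
+hello-broke.raw contains a simple script called `hello.sh` that prints "Hello World" to the console, but it is NOT signed or verity checked.
+
+Both extensions need to have a `extension-release.NAME` with `ID=_any` for it to be identified as a sysextension.
+Full path on the image should be `usr/lib/extension-release.d/extension-release.NAME`
+
+work.raw is verity+signed with the db.key and db.crt test keys found under tests/assets/keys
+
+The idea is to copy them into the Kairos iso overlay folder and test the verity+signed sysextension loading.
+
+immucore should only copy the valid ones and ignore the invalid ones. A warning should be logged in the immucore log.
+
+The test idea is as follows:
+1. Copy the sysextensions to the overlay folder on test preparation
+2. Build the uki iso with the overlay files on it and sign it with the same test keys
+3. Boot the uki iso and check if the sysextensions are loaded correctly
+4. Check if we got a warning for hello-broke.raw
+5. Check if the work.raw extension was moved onto /run/extensions and loaded correctly
+6. Check if the hello.sh script is executed correctly, as it should be loaded
+7. Check if the sysext service is running with the override from kairos with the policy
+
+
+
+The sysextensions are really stupid, its just a /usr/local/bin/ dir with a hello.sh script on them.
+work.raw was built with systemd-repart so it would be verity+signed
+```bash
+systemd-repart -S -s SOURCE_DIR OUTPUT_FILE --private-key=tests/assets/keys/db.key --certificate=tests/assets/keys/db.pem
+```
+
+The other one was built with [sysext-bakery](https://github.com/flatcar/sysext-bakery) which makes it easy to build sysextensions, but doesn't have support for signing or verity yet. So its simple to generate images with it but they wont work on UKI.
+```bash
+bake.sh SOURCE_DIR
+```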
Binary file added tests/assets/sysext/hello-broke.sysext.raw
Binary file not shown.
Binary file added tests/assets/sysext/work.sysext.raw
Binary file not shown.
57 changes: 56 additions & 1 deletion tests/uki_test.go
@@ -1,6 +1,7 @@
package mos_test

import (
"encoding/json"
"fmt"
"os"
"path/filepath"
@@ -39,7 +40,7 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
if CurrentSpecReport().Failed() {
gatherLogs(vm)
}

err := vm.Destroy(nil)
Expect(err).ToNot(HaveOccurred())
})
@@ -168,12 +169,66 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
stateContains(vm, "kairos.flavor", "alpine", "opensuse", "ubuntu", "debian", "fedora")
})

By("Checking sysext was copied during install", func() {
out, err := vm.Sudo("ls /.extra/sysext")
Expect(err).ToNot(HaveOccurred(), out)
Expect(out).To(MatchRegexp("hello-broke.sysext.raw"))
Expect(out).To(MatchRegexp("work.sysext.raw"))
})

By("Checking sysext was copied during boot", func() {
out, err := vm.Sudo("ls /run/extensions")
Expect(err).ToNot(HaveOccurred(), out)
// Should not contain hello-broke.sysext.raw as it didn't pass validation
Expect(out).ToNot(MatchRegexp("hello-broke.sysext.raw"))
// Should contain work.sysext.raw as it passed validation
Expect(out).To(MatchRegexp("work.sysext.raw"))
})

By("Checking that sysext was loaded", func() {
type sysextStatus []struct {
Hierarchy string `json:"hierarchy"`
Extensions any `json:"extensions"`
}

// when calling the status we need to set the hierarchy env variable so it can find them
env := "SYSTEMD_SYSEXT_HIERARCHIES=\"/usr/local/bin:/usr/local/sbin:/usr/local/include:/usr/local/lib:/usr/local/share:/usr/local/src:/usr/bin:/usr/share:/usr/lib:/usr/include:/usr/src:/usr/sbin\""
out, err := vm.Sudo(fmt.Sprintf("%s systemd-sysext --json=short", env))
Expect(err).ToNot(HaveOccurred(), out)
// marshall output to struct
var sysexts sysextStatus
err = json.Unmarshal([]byte(out), &sysexts)
Expect(err).ToNot(HaveOccurred())
// check if sysexts are loaded
for _, sysext := range sysexts {
if sysext.Hierarchy == "/usr" {
Expect(sysext.Extensions).To(ContainElement("work"))
}
}
})

By("Checking that we can run a command from a sysext", func() {
out, err := vm.Sudo("hello.sh")
Expect(err).ToNot(HaveOccurred(), out)
Expect(out).To(ContainSubstring("Hello world"))
})

By("rebooting to recovery")
out, err := vm.Sudo("kairos-agent bootentry --select recovery")
Expect(err).ToNot(HaveOccurred(), out)
vm.Reboot()
vm.EventuallyConnects(1200)

By("Checking the boot mode (recovery)", func() {
out, err := vm.Sudo("stat /run/cos/recovery_mode")
Expect(err).ToNot(HaveOccurred(), out)
})

By("Checking sysext was not copied during boot", func() {
out, err := vm.Sudo("stat /.extra/sysext")
Expect(err).To(HaveOccurred(), out)
})

By("resetting")
out, err = vm.Sudo("kairos-agent --debug reset --unattended")
Expect(err).ToNot(HaveOccurred(), out)
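Review bot: The `Checking that sysext was loaded` step can pass without asserting anything, because `Expect(sysext.Extensions).To(ContainElement("work"))` runs only for an entry whose hierarchy is exactly `/usr`, while the `SYSTEMD_SYSEXT_HIERARCHIES` value set just above lists sub-paths such as `/usr/local/bin` and `/usr/bin`, so such an entry may never be reported. Track the match and assert it: `found := false` before the loop, `found = true` inside the `if`, and `Expect(found).To(BeTrue(), out)` after it, or compare against the hierarchy that actually holds `hello.sh`. The README added in this pull request says the script prints "Hello World" while the next step expects `Hello world`, so one of the two is probably wrong. Its steps 4 and 7 (the immucore warning for the unsigned extension and the sysext service override) have no assertion here, and the warning for the rejected extension is the one most worth adding since it covers the verification-failure path. The enclosing spec function starts and ends outside the hunk.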