Add mariner 1.0 to DCR v2 #2517
Conversation
kevinclark19a
requested review from
narrieta,
larohra,
ZhidongPeng,
dhivyaganesan and
nagworld9
as code owners
| # The firewall is enabled by default. | ||
| return True | ||
| # The firewall is disabled by default. | ||
| return False |
There was a problem hiding this comment.
As seen with mariner 1.0, when there is no entry in the config file, the agent disables the firewall.
| @@ -48,7 +48,7 @@ def check_root_login(): | |||
| print(root_passwd_line) | |||
| root_passwd = root_passwd_line.split(":")[1] | |||
|
|
|||
| if "!" in root_passwd or "*" in root_passwd: | |||
| if any(val in root_passwd for val in ("!", "*", "x")): | |||
There was a problem hiding this comment.
Mariner 1.0 uses a different syntax to mean the same thing; x is not the result of a hash and therefore root password is disabled. Maybe we want to have a less explicit check here, so that we don't need to keep updating this code? Something to the effect of checking the length of the entry might work (i.e. anything a single character long is not a hash), but I'm not sure. Thoughts?
There was a problem hiding this comment.
why do we need this test at all? what is its equivalent in DCR v1?
There was a problem hiding this comment.
There was a problem hiding this comment.
My first impression is that we can drop this test. Before doing so, though, could you check if the agent disables root login (maybe during provisioning)?
There was a problem hiding this comment.
Sure, will do
Codecov Report
@@ Coverage Diff @@
## develop #2517 +/- ##
===========================================
+ Coverage 71.91% 71.94% +0.03%
===========================================
Files 101 101
Lines 15147 15147
Branches 2401 2401
===========================================
+ Hits 10893 10898 +5
+ Misses 3773 3771 -2
+ Partials 481 478 -3
Continue to review full report at Codecov.
|
| @@ -234,7 +234,8 @@ | |||
| "createOption": "FromImage", | |||
| "managedDisk": { | |||
| "storageAccountType": "[variables('osDiskType')]" | |||
| } | |||
| }, | |||
| "diskSizeGB": 32 | |||
There was a problem hiding this comment.
Mariner 1.0 specifies a minimum OS disk as 1GB, which causes our testing to crash with "no space left on disk" if we leave this property blank. This approach does lock in all other distros to the same size; i.e., I believe ubuntu lets you create an 16GB OS disk, so we'd be doubling that size with this. 32GB is the largest minimum of the distros we test, so I went with that.
dcr/scripts/test-vm/harvest.sh
Outdated
| @@ -11,6 +11,8 @@ | |||
| set -euxo pipefail | |||
|
|
|||
| ssh -o "StrictHostKeyChecking no" "$1"@"$2" "sudo tar --exclude='journal/*' --exclude='omsbundle' --exclude='omsagent' --exclude='mdsd' --exclude='scx*' --exclude='*.so' --exclude='*__LinuxDiagnostic__*' --exclude='*.zip' --exclude='*.deb' --exclude='*.rpm' -czf logs-$2.tgz /var/log /var/lib/waagent/ /etc/waagent.conf" | |||
| # Some distros do not have "other" permissions (e.g., mariner1.0), add them here. | |||
| ssh -o "StrictHostKeyChecking no" "$1"@"$2" "sudo chmod o+rwx logs-$2.tgz" | |||
There was a problem hiding this comment.
why do we need the "other" permission?
There was a problem hiding this comment.
The harvest scripts fail without them on mariner; I assume we're using a different user for harvest, but I'm not sure; I'll check and update here.
There was a problem hiding this comment.
we are creating the file using sudo, so the owner would be root... what user is harvest running under? "edp"?
if that is the case, i would just update the comment on line 14 to mention that (or, maybe better, chown the file)
There was a problem hiding this comment.
Yep, I think you're right; the difference is that mariner defaults new files to more restrictive permissions than other distros. (The call to copy the tar over is the last line of this file).
The equivalent of adding sudo to the harvest command would be using root as the user instead of dcr in the scp command. I think using the root user directly would be less ideal than this chmod, though.
There was a problem hiding this comment.
ah, ok, then $1 is the user... yes, probably the chown would be slightly better than a blanket all permissions to all users
|
@kevinclark19a can you post a link to a sample run? |
|
@narrieta, here's the sample run. It has the ETP failures that are on develop. |
|
@kevinclark19a run looks good, thanks |
| @@ -12,7 +12,7 @@ set -euxo pipefail | |||
|
|
|||
| ssh -o "StrictHostKeyChecking no" "$1"@"$2" "sudo tar --exclude='journal/*' --exclude='omsbundle' --exclude='omsagent' --exclude='mdsd' --exclude='scx*' --exclude='*.so' --exclude='*__LinuxDiagnostic__*' --exclude='*.zip' --exclude='*.deb' --exclude='*.rpm' -czf logs-$2.tgz /var/log /var/lib/waagent/ /etc/waagent.conf" | |||
| # Some distros do not have "other" permissions (e.g., mariner1.0), add them here. | |||
| ssh -o "StrictHostKeyChecking no" "$1"@"$2" "sudo chmod o+rwx logs-$2.tgz" | |||
| ssh -o "StrictHostKeyChecking no" "$1"@"$2" "sudo chown $1 logs-$2.tgz" | |||
There was a problem hiding this comment.
comment on previous line needs updating
Description
This PR adds end-to-end testing for the mariner 1.0 image on the marketplace.
PR information
Quality of Code and Contribution Guidelines