
Get tests running in FIPS environment #17096

Open
wants to merge 12 commits into
base: feature/fedramp-high-8.x

donoghuc
Member

@donoghuc donoghuc commented Feb 14, 2025

Release notes

[rn:skip]

What does this PR do?

This PR is broken up into commits that track the subtasks in https://github.com/elastic/ingest-dev/issues/5048. Many of the test failures in the integration test suite for running under FIPS mode are actually due to tools required by tests being missing in the runtime. Similarly, the tests assume they are not run as the root user. This PR fixes those issues by adding required packages and configuring a non-root user. By fixing those issues, some of the other more test-specific failures can be seen. By collecting the modifications in a single PR, we can show incremental progress on total test failures and eventually get to fully green.

Related issues

Closes https://github.com/elastic/ingest-dev/issues/5074
Closes https://github.com/elastic/ingest-dev/issues/5088
Closes https://github.com/elastic/ingest-dev/issues/5071
Closes https://github.com/elastic/ingest-dev/issues/5072
Closes https://github.com/elastic/ingest-dev/issues/5069
Closes https://github.com/elastic/ingest-dev/issues/5073 (fixed in e825357 by disabling debug logging)
Closes https://github.com/elastic/ingest-dev/issues/5107

@donoghuc donoghuc force-pushed the integration-tests-setup branch from 773d794 to 872cc99 Compare February 14, 2025 23:47
@donoghuc
Member Author

Need to sort out what is hanging in CI, but for FIPS part one locally on commit 71a886b I'm down to just these failures!

    Failures:

      1) Beat Input Without TLS successfully send events
         Failure/Error: @fixture = Fixture.new(__FILE__)

         RuntimeError:
           /logstash/qa/integration/services/filebeat_setup.sh FAILED with exit status pid 952 exit 127
         Shared Example Group: "send events" called from ./specs/beats_input_spec.rb:98
         # ./services/service.rb:36:in `setup'
         # ./framework/fixture.rb:82:in `block in setup_services'
         # ./framework/fixture.rb:81:in `setup_services'
         # ./framework/fixture.rb:47:in `initialize'
         # ./specs/beats_input_spec.rb:28:in `block in <main>'
         # ./rspec.rb:36:in `<main>'

      2) Beat Input With TLS Server auth successfully send events
         Failure/Error: @fixture = Fixture.new(__FILE__)

         RuntimeError:
           /logstash/qa/integration/services/filebeat_setup.sh FAILED with exit status pid 952 exit 127
         Shared Example Group: "send events" called from ./specs/beats_input_spec.rb:131
         # ./services/service.rb:36:in `setup'
         # ./framework/fixture.rb:82:in `block in setup_services'
         # ./framework/fixture.rb:81:in `setup_services'
         # ./framework/fixture.rb:47:in `initialize'
         # ./specs/beats_input_spec.rb:28:in `block in <main>'
         # ./rspec.rb:36:in `<main>'

      3) Beat Input With TLS Mutual auth successfully send events
         Failure/Error: @fixture = Fixture.new(__FILE__)

         RuntimeError:
           /logstash/qa/integration/services/filebeat_setup.sh FAILED with exit status pid 952 exit 127
         Shared Example Group: "send events" called from ./specs/beats_input_spec.rb:162
         # ./services/service.rb:36:in `setup'
         # ./framework/fixture.rb:82:in `block in setup_services'
         # ./framework/fixture.rb:81:in `setup_services'
         # ./framework/fixture.rb:47:in `initialize'
         # ./specs/beats_input_spec.rb:28:in `block in <main>'
         # ./rspec.rb:36:in `<main>'

      4) Install and run java plugin successfully runs a pipeline with an installed Java plugins
         Got 2 failures:

         4.1) Failure/Error: expect(execute.stderr_and_stdout).to match(/Installation successful/)

                expected "Using bundled JDK: /logstash/build/logstash-8.18.0-SNAPSHOT/jdk\nERROR: Something went wrong when installing logstash-input-java_input_example, message: Received fatal alert: handshake_failure\n" to match /Installation successful/
                Diff:
                @@ -1 +1,2 @@
                -/Installation successful/
                +Using bundled JDK: /logstash/build/logstash-8.18.0-SNAPSHOT/jdk
                +ERROR: Something went wrong when installing logstash-input-java_input_example, message: Received fatal alert: handshake_failure

              # ./specs/install_java_plugin_spec.rb:53:in `block in <main>'
              # /logstash/build/qa/integration/vendor/jruby/3.1.0/gems/logstash-devutils-2.6.2-java/lib/logstash/devutils/rspec/spec_helper.rb:47:in `block in <main>'
              # ./rspec.rb:36:in `<main>'

         4.2) Failure/Error: expect(removal.stderr_and_stdout).to match(/Successfully removed #{plugin_name}/)

                expected "Using bundled JDK: /logstash/build/logstash-8.18.0-SNAPSHOT/jdk\nERROR: Operation aborted, cannot remove plugin, message: This plugin has not been previously installed\n" to match /Successfully removed logstash-input-java_input_example/
                Diff:
                @@ -1 +1,2 @@
                -/Successfully removed logstash-input-java_input_example/
                +Using bundled JDK: /logstash/build/logstash-8.18.0-SNAPSHOT/jdk
                +ERROR: Operation aborted, cannot remove plugin, message: This plugin has not been previously installed

              # ./specs/install_java_plugin_spec.rb:41:in `block in <main>'
              # /logstash/build/qa/integration/vendor/jruby/3.1.0/gems/logstash-devutils-2.6.2-java/lib/logstash/devutils/rspec/spec_helper.rb:47:in `block in <main>'
              # ./rspec.rb:36:in `<main>'

    Finished in 5 minutes 12 seconds (files took 1.02 seconds to load)
    33 examples, 4 failures

    Failed examples:

    rspec './specs/beats_input_spec.rb[1:1:1]' # Beat Input Without TLS successfully send events
    rspec './specs/beats_input_spec.rb[1:2:1:1]' # Beat Input With TLS Server auth successfully send events
    rspec './specs/beats_input_spec.rb[1:2:2:1]' # Beat Input With TLS Mutual auth successfully send events
    rspec ./specs/install_java_plugin_spec.rb:50 # Install and run java plugin successfully runs a pipeline with an installed Java plugins

    Randomized with seed 48078

@donoghuc donoghuc force-pushed the integration-tests-setup branch 3 times, most recently from 143eab7 to c5c188e Compare February 27, 2025 22:04
@donoghuc donoghuc changed the title Modify FIPS test runner environment for integration tests Get tests running in FIPS environment Feb 27, 2025
@donoghuc donoghuc force-pushed the feature/fedramp-high-8.x branch from 18b3e6d to 6b8b56b Compare February 28, 2025 22:23
mergify bot commented Feb 28, 2025

This pull request is now in conflicts. Could you fix it @donoghuc? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

    git fetch upstream
    git checkout -b integration-tests-setup upstream/integration-tests-setup
    git merge upstream/feature/fedramp-high-8.x
    git push upstream integration-tests-setup

This commit makes two small changes to the dockerfile used to define the fips
test environment. Specifically it adds curl (which is required by integration
tests), make (which is required by test setup), adds a C compiler (gcc and glibc
for integration tests which compile a small C program) and turns off debug ssl
logging as it is extremely noisy in logs and breaking some assumptions in
tests about logfile content.

Closes elastic/ingest-dev#5074

The elastic stack is not meant to be run as root. This commit updates the test
environment to provision a non root user and have the container context execute
under that provisioned user.

Closes elastic/ingest-dev#5088

The `update` test setup reaches out to rubygems with net/http which is
incompatible with our use of openssl in fips mode. This commit skips those tests
when running under fips.

See elastic/ingest-dev#5071

This commit changes test setup to make chunked calls to random data generation
in order to work around a limit in fips mode.

See elastic/ingest-dev#5072 for details.

Openssl will not be used when running under FIPS mode. The test setup and tests
themselves were failing when running in FIPS mode. This commit skips the tests
that are covering behavior that will be disabled.

See elastic/ingest-dev#5069

This commit skips tests that rely on using the pluginmanager to install plugins
during tests which require reaching out to rubygems.

See elastic/ingest-dev#5108

The offline pack tests require pluginmanager to use net-http library for
resolving deps. This will not operate under fips mode. Skip when running in fips
mode.

See elastic/ingest-dev#5109

This commit modifies the generate-gems script to ensure that a `gem` executable
is on the path. If there is not one on the test runner, then use the one bundled
with vendored jruby.

@donoghuc donoghuc force-pushed the integration-tests-setup branch from 9b161d4 to ae29698 Compare February 28, 2025 23:05

This commit skips the existing webserver tests. We have some options and need to
understand some requirements for the webserver functionality for fips mode. The
elastic/ingest-dev#5110 issue has a ton of details.

This commit skips tests that are running `remove` action for the pluginmanager.
These require reaching out to rubygems which is not available in FIPS mode.
These tests were added post initial integration tests scoping work but are
clearly requiring skips for FIPS mode.

The setup script for filebeats requires an openssl executable. This commit
updates the testing container with this tool.

See elastic/ingest-dev#5107
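
The chunking workaround named in the commit message above ("make chunked calls to random data generation"), as an added Ruby example; it is not code from this PR. The 32 KiB ceiling, `LimitedRandomSource` and `chunked_random_bytes` are assumptions made for illustration, since the page does not state the actual limit or the random source the tests use.

```ruby
require "securerandom"

# Assumed per-request ceiling, for illustration only; the commit message
# does not state the real limit enforced in FIPS mode.
MAX_REQUEST_BYTES = 32_768

# Constructed stand-in for a random source that rejects oversized requests.
# It is not a real provider API; it only models "one call may not ask for
# more than `limit` bytes" and records what was asked for.
class LimitedRandomSource
  attr_reader :request_sizes

  def initialize(limit = MAX_REQUEST_BYTES)
    @limit = limit
    @request_sizes = []
  end

  def random_bytes(n)
    raise ArgumentError, "request of #{n} bytes exceeds limit #{@limit}" if n > @limit

    @request_sizes << n
    SecureRandom.random_bytes(n)
  end
end

# Build `total` random bytes out of requests that never exceed `chunk`.
# `source` is anything that responds to random_bytes(n).
def chunked_random_bytes(total, source: SecureRandom, chunk: MAX_REQUEST_BYTES)
  raise ArgumentError, "total must be >= 0" if total.negative?
  raise ArgumentError, "chunk must be > 0" unless chunk.positive?

  out = String.new(encoding: Encoding::BINARY)
  remaining = total
  while remaining.positive?
    n = [remaining, chunk].min   # last request may be shorter
    out << source.random_bytes(n)
    remaining -= n
  end
  out
end
```

A single `random_bytes(100_000)` call against the limited source raises, while `chunked_random_bytes(100_000, source: ...)` succeeds with four requests.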

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@elasticmachine
Collaborator

💛 Build succeeded, but was flaky
