action #124251
[qe-core] Implement userspace livepatching tests for openssl
0%
Description
- Adapt existing
openssltests for livepatching - Bot has to be updated to schedule
SLE-Module-Live-Patching:15-SP4 - It needs to run tests with "older openssl" packages
LD_PRELOAD=libpulp.soneeds to injected into the tested packages, otherwise livepatching does not get activetests/kernel/ulp_openposix.pmhas quite some wrapper baseline code already for glibc, but similar can be done for openssl
Related ticket: https://progress.opensuse.org/issues/112004 (ULP tests implemented by mdoucha for glibc-livepatches and libpulp0)
History
Updated by #2
Updated by msmeissn 4 months ago
Sample manual testprocedure:
- install all updates
- configure apache2 for SSL support
- configure apache2 for livepatch support, add in the [Service] section:
Environment="LD_PRELOAD=libpulp.so.0"
- start apache2 and verify SSL access works.
- verify libpulp.so is loaded in httpd using "lsof"
lsof |grep http.*pulp
Then we need to test all variants that get livepatched:
LOOP over all released openssl-1_1 versions (GA, 1st Update, 2nd Update, ... last update)
- install the selected libopenssl1_1 version
- restart apache2 to use this version
- test https access to the apache2 server
- apply the openssl-livepatches RPM. it SHOULD report something like:
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22685): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22691): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22692): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22693): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22694): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: patches reverse-all failed in libpulp.so: Target library not loaded
httpd-prefork (pid: 22695): SUCCESS /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
ulp: Processes patched: 0, Skipped: 6, Failed: 0.
(output is weird ... not sure if this is 100% ok)
- test https access to the apache2 server again , if not FAIL
- test if lp is really loaded ( it loads the shared module from the package), if not FAIL lsof |grep http.*livepatches httpd-pre 22685 root mem REG 253,2 6760 242393 /usr/lib64/openssl-1_1-livepatches/0.1/libcrypto_1.1.1l-150400.7.10.5_livepatch1.so
Updated by 
Updated by #5
Updated by pluskalm 3 months ago
- Assignee deleted (
dzedro) - Target version deleted (
QE-Core: Ready)
See also https://qam.suse.de/reports/SUSE:Maintenance:27706:289566/log for ssh used for testing
Updated by