QA (public) » openQA Project (public) » openQA Tests (public)

Are there any details available why it fails in QA currently? FWICT there's just a massive hack to deal with selinux relabelling which will cause major issues later:

From main_common.pm:

        # SELinux relabel reboots, so grub needs to timeout
        set_var('KEEP_GRUB_TIMEOUT', 1) if check_var('VIRSH_VMM_TYPE', 'linux') || get_var('SELINUX');

Which means that openQA currently relies on the system booting automatically after a needed autorelabel which won't work if e.g. disk encryption is enabled

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

I also noticed that it tries to relabel /.snapshots ATM which is not great (https://openqa.opensuse.org/tests/4456186#step/first_boot/4)

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

favogt wrote in #note-3:

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2

The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.

The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.

My proposal for the next steps:

1. Investigate and fix the autoyast_mini failure in Staging:D
2. Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D
3. Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
4. Add SELINUX=0 to TW upgrade tests
5. Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.
6. Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.
7. Add some tests to TW that explicitly enable AppArmor

favogt wrote in #note-4:

favogt wrote in #note-3:

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2

The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.

Got fixed.

The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.

Worked.

My proposal for the next steps:

1. Investigate and fix the autoyast_mini failure in Staging:D

Done.

1. Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D

Done.

1. Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
2. Add SELINUX=0 to TW upgrade tests

3+4 weren't necessary - with the different autorelabel design the tests don't actually need SELINUX=1, so no SELINUX=0 needed either.

1. Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.

Done: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20241008-SELinux&groupid=1.

@cahu went through the failures and added them as blockers to the tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1230118

1. Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.

Change: Maybe SELINUX=1 isn't necessary.

1. Add some tests to TW that explicitly enable AppArmor

In https://confluence.suse.com/display/~ph03nix/Tumbleweed+SELinux+migration I tried to come up with a convention, which openQA settings we should use to differentiate between Apparmor and SELinux in use as MAC.

In essence there are two settings to be used: SECURITY_MAC and SECURITY_TEST. I selected those because they are already heavily used in the SELinux context and elsewhere as well.

SECURITY_MAC defines the default Linux kernel security module and can be either selinux or apparmor. SECURITY_TEST defines which openQA test modules to load and can be (among others) also apparmor and selinux.

The Tumbleweed test runs should be prepared in such a way, that apparmor test runs would also accept SECURITY_MAC=selinux and selinux test runs would also accept SECURITY_MAC=apparmor. In the case that e.g. SECURITY_MAC=selinux but SECURITY_TEST=apparmor, the test module should disable SELinux and install AppArmor instead.

Tumbleweed Snapshot 20250210 now with enabled SELinux by default.