tree: import changes from testing-devel at 65f9b7d63c

tests/kola/files/alternatives

@@ -0,0 +1,89 @@
+#!/bin/bash
+## kola:
+##   description: Verify that the alternatives config is properly migrated and test the migration
+##   distros: fcos
+# See
+# - https://github.com/coreos/fedora-coreos-tracker/issues/1818
+
+set -xeuo pipefail
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+
+# This test is only valid in version 43 or later
+if [ "$(get_fedora_ver)" -le 43 ]; then
+    ok "Skipping test for versions before 43"
+    exit 0
+fi
+
+if [[ -e "/var/lib/alternatives" ]]; then
+    ls -al "/var/lib/alternatives"
+    fatal "Error: Found '/var/lib/alternatives' which should not exist"
+fi
+if [[ ! -d "/etc/alternatives" ]]; then
+    fatal "Error: '/etc/alternatives' is missing"
+fi
+if [[ ! -d "/etc/alternatives-admindir" ]]; then
+    fatal "Error: '/etc/alternatives-admindir' is missing"
+fi
+
+# To test the migration we will re-create the setup from an older FCOS node
+
+# We need to overlay iptables-legacy as it is not included in the base image
+# since 43.
+rpm-ostree install --apply-live iptables-legacy
+
+# First, reset iptables to the legacy backend
+alternatives --set iptables /usr/bin/iptables-legacy
+if [[ $(alternatives --display iptables | grep -c "link currently points to /usr/bin/iptables-legacy") != "1" ]]; then
+    fatal "Could not set iptables to legacy backend for testing"
+fi
+if [[ $(iptables --version | grep -c "legacy") != "1" ]]; then
+    fatal "Could not set iptables to legacy backend for testing"
+fi
+
+# Then re-create the broken alternatives folder in /var
+install -dm0755 /var/lib/alternatives
+
+# Do the migration
+/usr/libexec/coreos-alternatives-migration
+
+if [[ $(alternatives --admindir /etc/alternatives-admindir --display iptables | grep -c -E 'link currently points to /usr/(bin|sbin)/iptables-nft' ) != "1" ]]; then
+    fatal "Error: migration did not set iptables to nft backend"
+fi
+if [[ $(iptables --version | grep -c "nf_tables") != "1" ]]; then
+    fatal "Error: iptables not reset to nftables backend"
+fi
+if [[ -d "/var/lib/alternatives" ]]; then
+    fatal "Error: /var/lib/alternatives should not exist anymore"
+fi
+
+# Second case, if an admin set some config up for alternatives
+
+# First, reset iptables to the legacy backend
+alternatives --set iptables /usr/bin/iptables-legacy
+if [[ $(alternatives --display iptables | grep -c "link currently points to /usr/bin/iptables-legacy") != "1" ]]; then
+    fatal "Could not set iptables to legacy backend for testing"
+fi
+if [[ $(iptables --version | grep -c "legacy") != "1" ]]; then
+    fatal "Could not set iptables to legacy backend for testing"
+fi
+
+# Then re-create the broken alternatives folder in /var
+install -dm0755 /var/lib/alternatives
+
+# And add some fake config
+touch /var/lib/alternatives/foo
+
+# Do the migration
+/usr/libexec/coreos-alternatives-migration
+
+if [[ $(alternatives --admindir /etc/alternatives-admindir --display iptables | grep -c -E 'link currently points to /usr/(bin|sbin)/iptables-nft') != "1" ]]; then
+    fatal "Error: migration did not set iptables to nft backend"
+fi
+if [[ $(iptables --version | grep -c "nf_tables") != "1" ]]; then
+    fatal "Error: iptables not reset to nftables backend"
+fi
+if [[ ! -d "/var/lib/alternatives" ]]; then
+    fatal "Error: /var/lib/alternatives should still exist"
+fi

tests/kola/firewall/iptables-legacy/config.bu

@@ -1,28 +0,0 @@
-variant: fcos
-version: 1.4.0
-storage:
-  links:
-    - path: /etc/alternatives/iptables
-      target: /usr/sbin/iptables-legacy
-      overwrite: true
-      hard: false
-    - path: /etc/alternatives/iptables-restore
-      target: /usr/sbin/iptables-legacy-restore
-      overwrite: true
-      hard: false
-    - path: /etc/alternatives/iptables-save
-      target: /usr/sbin/iptables-legacy-save
-      overwrite: true
-      hard: false
-    - path: /etc/alternatives/ip6tables
-      target: /usr/sbin/ip6tables-legacy
-      overwrite: true
-      hard: false
-    - path: /etc/alternatives/ip6tables-restore
-      target: /usr/sbin/ip6tables-legacy-restore
-      overwrite: true
-      hard: false
-    - path: /etc/alternatives/ip6tables-save
-      target: /usr/sbin/ip6tables-legacy-save
-      overwrite: true
-      hard: false

tests/kola/firewall/iptables-legacy/data/commonlib.sh

@@ -1 +0,0 @@
-../../../data/commonlib.sh

tests/kola/firewall/iptables-legacy/test.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-## kola:
-##   distros: fcos
-##   exclusive: true
-##   description: Verify that one can configure a node to use the legacy
-##     iptables backend.
-
-# It is scoped to only FCOS because RHCOS only supports nft.
-
-set -xeuo pipefail
-
-# shellcheck disable=SC1091
-. "$KOLA_EXT_DATA/commonlib.sh"
-
-# Make sure we're on legacy iptables
-if ! iptables --version | grep legacy; then
-    iptables --version # output for logs
-    fatal "iptables version is not legacy"
-fi
-ok "iptables in legacy mode"

tests/kola/upgrade/extended/test.sh

@@ -244,6 +244,29 @@ selinux-sanity-check() {
 
 ok "Reached version: $version"
 
+verify-alternatives-migration() {
+    # Do verification only if version is 43 or later.
+    if [ "$(get_fedora_ver)" -le 43 ]; then
+        ok "Skipping alternatives migration verfication for versions before 43"
+        return 0
+    fi
+
+    # Verify /var/lib/alternatives dir is removed
+    if [[ -e /var/lib/alternatives ]]; then
+        fatal "Error: migration didn't remove /var/lib/alternatives"
+    fi
+
+    # Verify iptables migration
+    if [[ $(alternatives --display iptables | grep -c -E 'link currently points to /usr/(bin|sbin)/iptables-nft') != "1" ]]; then
+        fatal "Error: migration did not set iptables to nft backend"
+    fi
+    if [[ $(iptables --version | grep -c "nf_tables") != "1" ]]; then
+        fatal "Error: iptables not reset to nftables backend"
+    fi
+
+    ok "alternatives migration verification passed."
+}
+
 # Are we all the way at the desired target version?
 # If so then we can exit with success!
 if vereq $version $target_version; then
@@ -256,6 +279,8 @@ if vereq $version $target_version; then
     fi
     # One last check!
     selinux-sanity-check
+    # One more last check
+    verify-alternatives-migration
     exit 0
 fi