Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conflicting single_process_type and specialized_init_system checks #2038

Closed
sysarch-repo opened this issue May 17, 2024 · 1 comment
Closed

Conflicting single_process_type and specialized_init_system checks #2038

sysarch-repo opened this issue May 17, 2024 · 1 comment
Assignees
@horecoli
Labels
bug Something isn't working

Comments

@sysarch-repo
Copy link

Describe the bug
The single_process_type and specialized_init_system checks cannot be passed both in the same (e.g. cert essential) run

To Reproduce
Steps to reproduce the behavior:

$ cnf-testsuite version
CNF TestSuite version: v1.2.0

  1. Execute the cert essential tests
  2. See one of the tests failing. Examples for tiny and dumb-init:

🎬 Testing: [single_process_type]
resource: {kind: "Deployment", name: "dns-dserver", namespace: "default"}, pod dns-dserver-b447b56ff-4nmtx and container: dserver has more than one process type (/sbin/tini--/usr/local/bin/dns-app, /usr/local/bin/dns-app)
✖️ 🏆FAILED: [single_process_type] More than one process type used ⚖👀

🎬 Testing: [single_process_type]
resource: {kind: "StatefulSet", name: "dns-drouter", namespace: "default"}, pod dns-drouter-0 and container: drouter has more than one process type (/usr/local/bin/dumb-init--/usr/local/bin/dns-app, /usr/local/bin/dns-app)
✖️ 🏆FAILED: [single_process_type] More than one process type used ⚖👀

Expected behavior
The single process type check shall be made tolerant to the specialized init systems (dumb-init, tiny, s6-overlay) so that both tests can be passed in the same run.

Device (please complete the following information):
Linux ip-10-0-33-150 6.5.0-1020-aws #20 SMP Wed May 1 16:10:50 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Additional context
Note, the s6-overlay init system seems to be starting multiple processes.
@sysarch-repo sysarch-repo added the bug Something isn't working label May 17, 2024
@martin-mat
Copy link
Collaborator

There seems to be unfinished implementation in k8s_kernel_introspection's verify_single_proc_tree
https://github.com/cnf-testsuite/k8s_kernel_introspection/blob/main/src/kernel_introspection/k8s.cr#L41

         if current_pid == original_parent_pid && ppid != "" && 
            status_name != name
            # todo exclude tini, init, dumbinit?, from violations
            Log.info { "top level parent (i.e. superviser -- first parent with different name): #{status_name}" }
            verified = false

This was referenced May 23, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@horecoli horecoli

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@martin-mat @sysarch-repo @horecoli