From 52829d7efacb8098c4a647cad72e43d1924540b1 Mon Sep 17 00:00:00 2001 From: Robie Basak Date: Fri, 14 Nov 2025 14:18:03 +0000 Subject: [PATCH 1/5] qemu_test: factor out vm fixture In a future change I want to pass around another value as well as the pexpect.spawn object, so make the fixture return a SimpleNamespace that has the spawn object under that instead of it being the direct value. Change the existing test accordingly. This should result in no functional change to the test suite. Signed-off-by: Robie Basak --- ci/qemu_test.py | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/ci/qemu_test.py b/ci/qemu_test.py index c03fbde8..89ed13a5 100644 --- a/ci/qemu_test.py +++ b/ci/qemu_test.py @@ -8,6 +8,7 @@ import subprocess import sys import tempfile +import types import pexpect import pytest @@ -33,7 +34,7 @@ def vm(): ], check=True, ) - child = pexpect.spawn( + spawn = pexpect.spawn( "qemu-system-aarch64", [ "-cpu", @@ -53,15 +54,15 @@ def vm(): "/usr/share/AAVMF/AAVMF_CODE.fd", ], ) - child.logfile = sys.stdout.buffer - yield child + spawn.logfile = sys.stdout.buffer + yield types.SimpleNamespace(spawn=spawn) # No need to be nice; that would take time - child.kill(signal.SIGKILL) + spawn.kill(signal.SIGKILL) # If this blocks then we have a problem. Better to hang than build up # excess qemu processes that won't die. - child.wait() + spawn.wait() def test_password_reset_required(vm): @@ -69,16 +70,16 @@ def test_password_reset_required(vm): # https://github.com/qualcomm-linux/qcom-deb-images/issues/69 # This takes a minute or two on a ThinkPad T14s Gen 6 Snapdragon - vm.expect_exact("debian login:", timeout=240) + vm.spawn.expect_exact("debian login:", timeout=240) - vm.send("debian\r\n") - vm.expect_exact("Password:") - vm.send("debian\r\n") - vm.expect_exact("You are required to change your password immediately") - vm.expect_exact("Current password:") - vm.send("debian\r\n") - vm.expect_exact("New password:") - vm.send("new password\r\n") - vm.expect_exact("Retype new password:") - vm.send("new password\r\n") - vm.expect_exact("debian@debian:~$") + vm.spawn.send("debian\r\n") + vm.spawn.expect_exact("Password:") + vm.spawn.send("debian\r\n") + vm.spawn.expect_exact("You are required to change your password immediately") + vm.spawn.expect_exact("Current password:") + vm.spawn.send("debian\r\n") + vm.spawn.expect_exact("New password:") + vm.spawn.send("new password\r\n") + vm.spawn.expect_exact("Retype new password:") + vm.spawn.send("new password\r\n") + vm.spawn.expect_exact("debian@debian:~$") From ba629bbc8e613a3a40069a0126d5b6e86860e4ed Mon Sep 17 00:00:00 2001 From: Robie Basak Date: Fri, 14 Nov 2025 14:22:30 +0000 Subject: [PATCH 2/5] qemu_test: re-use the same qemu vm fixture Since qemu booting is slow and we want fast developer iteration, we make the optimisation compromise that we will not reset the qemu vm test fixture from a fresh image for every test. Most tests should not collide with each other. If we think a new test will do that and we want to make the compromise of giving it an isolated environment for a slower test suite, we can deal with that then. Signed-off-by: Robie Basak --- ci/qemu_test.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ci/qemu_test.py b/ci/qemu_test.py index 89ed13a5..73ddcf49 100644 --- a/ci/qemu_test.py +++ b/ci/qemu_test.py @@ -14,10 +14,16 @@ import pytest -@pytest.fixture +@pytest.fixture(scope="module") def vm(): """A pexpect.spawn object attached to the serial console of a VM freshly booting with a CoW base of disk-ufs.img""" + # Since qemu booting is slow and we want fast developer iteration, we make the + # optimisation compromise that we will not reset the qemu test fixture from a + # fresh image for every test. Most tests should not collide with each other. If + # we think a new test will do that and we want to make the compromise of giving + # it an isolated environment for a slower test suite, we can deal with that + # then. with tempfile.TemporaryDirectory() as tmpdir: qcow_path = os.path.join(tmpdir, "disk1.qcow") subprocess.run( From 8ec93a664f976a0124ec0202ee5821351cf701ff Mon Sep 17 00:00:00 2001 From: Robie Basak Date: Fri, 14 Nov 2025 14:28:01 +0000 Subject: [PATCH 3/5] ci: add and integrate qemu_guest_test.py This allows us to write tests that run natively on the guest, and qemu_test.py will invoke them using qemu. Signed-off-by: Robie Basak --- ci/qemu_guest_test.py | 22 +++++++++++++++++++ ci/qemu_test.py | 51 ++++++++++++++++++++++++++++++++++++++++++- pyproject.toml | 7 ++++++ 3 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 ci/qemu_guest_test.py create mode 100644 pyproject.toml diff --git a/ci/qemu_guest_test.py b/ci/qemu_guest_test.py new file mode 100644 index 00000000..c1928722 --- /dev/null +++ b/ci/qemu_guest_test.py @@ -0,0 +1,22 @@ +"""qemu-based tests that are copied into the guest and run there""" + +# Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. +# SPDX-License-Identifier: BSD-3-Clause + +# These tests are run inside the qemu guest as root using its own pytest runner +# invocation. + +import pytest + +# Mark this module so that the main test runner can skip it when running from +# the host. However, the guest test runner does not use this mark but instead +# explicitly calls this file. Marks require test collection, and the guest test +# runner isn't going to have dependencies installed that are only needed for +# host tests, causing guest test collection to fail otherwise. +pytestmark = pytest.mark.guest + + +def test_empty(): + # The empty test. This is nevertheless useful as its presence ensures that + # the host is calling the guest test suite in this module correctly. + pass diff --git a/ci/qemu_test.py b/ci/qemu_test.py index 73ddcf49..7df77c21 100644 --- a/ci/qemu_test.py +++ b/ci/qemu_test.py @@ -13,6 +13,12 @@ import pexpect import pytest +# Since the first test checks for the mandatory password reset functionality +# that also prepares the VM for shell-based access, we make the additional +# optimisation that the fixture for a logged in VM re-uses that VM, so the +# ordering of [plain VM fixture, password reset test, logged-in VM fixture] +# matters here. + @pytest.fixture(scope="module") def vm(): @@ -58,10 +64,14 @@ def vm(): "-nographic", "-bios", "/usr/share/AAVMF/AAVMF_CODE.fd", + "-fsdev", + f"local,id=fsdev0,path={os.getcwd()},security_model=none", + "-device", + "virtio-9p-pci,fsdev=fsdev0,mount_tag=qcom-deb-images", ], ) spawn.logfile = sys.stdout.buffer - yield types.SimpleNamespace(spawn=spawn) + yield types.SimpleNamespace(spawn=spawn, logged_in=False) # No need to be nice; that would take time spawn.kill(signal.SIGKILL) @@ -89,3 +99,42 @@ def test_password_reset_required(vm): vm.spawn.expect_exact("Retype new password:") vm.spawn.send("new password\r\n") vm.spawn.expect_exact("debian@debian:~$") + + vm.logged_in = True + + +@pytest.fixture(scope="module") +def logged_in_vm(vm): + if not vm.logged_in: + pytest.skip("Password reset test did not run or failed") + return vm + + +def test_using_guest_tests(logged_in_vm): + """Run the tests in qemu_guest_test.py inside the qemu guest""" + # Statement of test success and failure that are unlikely to appear by + # accident + SUCCESS_NOTICE = "All ci/qemu_guest_test.py tests passed" + FAILURE_NOTICE = "Some ci/qemu_guest_test.py tests failed" + # We use apt-get -U here and the apt_dependencies fixture in + # qemu_guest_test.py relies on this. + SCRIPT = f"""sudo -i sh < Date: Fri, 14 Nov 2025 14:31:02 +0000 Subject: [PATCH 4/5] qemu_guest_test: add test for sudo fqdn issue If DNS is misconfigured in the deployment environment, sudo may hang while it times out on DNS requests, which is not desirable for the majority of our users. Add a test that identifies if sudo is using DNS. See: https://github.com/qualcomm-linux/qcom-deb-images/issues/193 There isn't an easy and obvious method of testing "did sudo use DNS" that (ideally) is independent of the DNS configuration in the test environment. This is hopefully unintrusive and reasonably flexible. The catch is that if we use sudo-rs in the future then it might stop working if Rust doesn't use libc. But this seems better than nothing. To make it easier to ensure that this test is correctly testing what we need, I've separated the test from the fix using xfail. This way, before the issue is fixed, the test suite passing means that the test is correctly detecting the issue. I'll then introduce the fix in the next change. Signed-off-by: Robie Basak --- ci/qemu_guest_test.py | 69 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/ci/qemu_guest_test.py b/ci/qemu_guest_test.py index c1928722..dde66847 100644 --- a/ci/qemu_guest_test.py +++ b/ci/qemu_guest_test.py @@ -6,6 +6,9 @@ # These tests are run inside the qemu guest as root using its own pytest runner # invocation. +import subprocess +import tempfile + import pytest # Mark this module so that the main test runner can skip it when running from @@ -20,3 +23,69 @@ def test_empty(): # The empty test. This is nevertheless useful as its presence ensures that # the host is calling the guest test suite in this module correctly. pass + + +# To keep tests fast for developer iteration, just install all the test +# dependencies together once for all tests defined here. It is likely that our +# tests here are not going to interact. If they do, then we can decide whether +# to compromise on this at that time. +@pytest.fixture(scope="module") +def apt_dependencies(): + # To speed things up, we deliberately skip the apt-get update here on the + # assumption that it was arranged by whatever is running the test. This is + # arranged from qemu_test.py::test_using_guest_tests() instead. + subprocess.run( + ["apt-get", "install", "-y", "--no-install-recommends", "sudo", "gdb"], + check=True, + ) + + +@pytest.mark.xfail( + reason="https://github.com/qualcomm-linux/qcom-deb-images/issues/193", + strict=True, +) +def test_sudo_no_fqdn(apt_dependencies): + """sudo should not call FQDN lookup functions + + See: https://github.com/qualcomm-linux/qcom-deb-images/issues/193 + """ + with tempfile.NamedTemporaryFile( + mode="w", delete_on_close=False + ) as gdb_commands_file: + print( + "catch load", + "run", + "del 1", + sep="\n", + file=gdb_commands_file, + ) + for fn_name in [ + "gethostbyaddr", + "getnameinfo", + "getaddrinfo", + "gethostbyname", + ]: + print( + f"break {fn_name}", + f"commands", + f' print "{fn_name} called\\n"', + f" quit 1", + f"end", + sep="\n", + file=gdb_commands_file, + ) + print("continue", file=gdb_commands_file) + gdb_commands_file.close() + + subprocess.run( + [ + "gdb", + "--batch", + "-x", + gdb_commands_file.name, + "--args", + "sudo", + "true", + ], + check=True, + ) From deddc35c4ed37e270e6ba6b950b24b8654b7a5f8 Mon Sep 17 00:00:00 2001 From: Robie Basak Date: Fri, 14 Nov 2025 14:32:26 +0000 Subject: [PATCH 5/5] Do not use sudo FQDN lookups Fixes: #193 Signed-off-by: Robie Basak --- ci/qemu_guest_test.py | 4 ---- debos-recipes/qualcomm-linux-debian-rootfs.yaml | 7 +++++++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ci/qemu_guest_test.py b/ci/qemu_guest_test.py index dde66847..7720873c 100644 --- a/ci/qemu_guest_test.py +++ b/ci/qemu_guest_test.py @@ -40,10 +40,6 @@ def apt_dependencies(): ) -@pytest.mark.xfail( - reason="https://github.com/qualcomm-linux/qcom-deb-images/issues/193", - strict=True, -) def test_sudo_no_fqdn(apt_dependencies): """sudo should not call FQDN lookup functions diff --git a/debos-recipes/qualcomm-linux-debian-rootfs.yaml b/debos-recipes/qualcomm-linux-debian-rootfs.yaml index 910f34be..601d32b5 100644 --- a/debos-recipes/qualcomm-linux-debian-rootfs.yaml +++ b/debos-recipes/qualcomm-linux-debian-rootfs.yaml @@ -146,6 +146,13 @@ actions: echo "debian ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/90-debos ) + # See: https://github.com/qualcomm-linux/qcom-deb-images/issues/193 + - action: run + description: Configure sudo to use !fqdn + command: | + set -eux + echo "Defaults !fqdn" > ${ROOTDIR}/etc/sudoers.d/disable-fqdn + # NB: Recommends pull in way too many packages, and we don't need to follow # Recommends reaching outside of this Priority level - action: apt