self
ec044f24a3
Use wget's giga dot progress style for the kexec installer download fallback so SSH streaming logs stay compact. Update the deployment script unit assertion to match.
283 lines
13 KiB
TypeScript
283 lines
13 KiB
TypeScript
import assert from "node:assert/strict"
|
|
import { spawnSync } from "node:child_process"
|
|
import test from "node:test"
|
|
|
|
import {
|
|
buildRemoteKexecRunnerScript,
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
REMOTE_NBDE_SYNC_SCRIPT,
|
|
REMOTE_TRIBES_ADMIN_SCRIPT,
|
|
REMOTE_TRIBES_CERTIFICATE_SCRIPT
|
|
} from "../../src/main/deployment/scripts"
|
|
|
|
test("buildRemoteKexecRunnerScript can download and verify a pinned image URL", () => {
|
|
const script = buildRemoteKexecRunnerScript({
|
|
authorizedKey: "ssh-ed25519 AAAA test@example",
|
|
imageUrl: "https://mirror.tribe-one.org/tribes-1/guix-kexec-installer-x86_64-linux-pin.tar.gz",
|
|
imageSha256: "a".repeat(64)
|
|
})
|
|
|
|
assert.match(script, /kexec installer image source: download \$image_url/)
|
|
assert.match(script, /download_installer\(\) \{/)
|
|
assert.match(
|
|
script,
|
|
/curl --retry 10 --retry-delay 10 --retry-connrefused --retry-all-errors -fL --connect-timeout 20 -o guix-kexec-installer\.tar\.gz "\$image_url"/
|
|
)
|
|
assert.match(script, /wget --progress=dot:giga -O guix-kexec-installer\.tar\.gz "\$image_url"/)
|
|
assert.match(script, /kexec installer download requires curl or wget/)
|
|
assert.match(
|
|
script,
|
|
/printf '%s {2}%s\\n' "\$image_sha256" guix-kexec-installer\.tar\.gz \| sha256sum -c -/
|
|
)
|
|
assert.match(script, /kexec installer sha256 checksum: matches Legion pin/)
|
|
assert.match(script, /tar -xzf guix-kexec-installer\.tar\.gz/)
|
|
})
|
|
|
|
test("REMOTE_GUIX_INSTALL_SCRIPT builds the installed system from stable runtime inputs", () => {
|
|
assert.doesNotMatch(REMOTE_GUIX_INSTALL_SCRIPT, /'"'"'/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/runtime_system_facts="\$installer_tribes_dir\/system-facts\.json"/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/install -m 600 \/root\/.ssh\/authorized_keys "\$runtime_authorized_keys"/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /"bootloaderTargets": \["\$bootloader_target"\]/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /sort -k1,1rn -k2,2/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /prefer_efi_boot_entry\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /"\$efibootmgr_bin" -n "\$entry"/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /boot_mode="\$\{LEGION_BOOT_MODE:-auto\}"/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\[ "\$boot_mode" = auto \]/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\[ -d \/sys\/firmware\/efi \]/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /"rootLuksUuid": "\$luks_uuid"/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /LEGION_NBDE_TANG_THRESHOLD/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /clevis luks bind -f -k - -d "\$device" sss/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\(use-modules \(guix gexp\)/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\(gnu system\)/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /%legion-initrd-network-modules/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /"ixgbe"/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /"i40e"/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\(with-extensions \(list guile-json-4\)/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\(use-modules \(tribes system materialize\)\)/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/\(tribes-operating-system-from-json-files\s+#:host-config-file "\$runtime_host_config"\s+#:system-facts-file "\$runtime_system_facts"\)/s
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\(operating-system\s+\(inherit base-system\)/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/\(append %legion-initrd-network-modules\s+\(operating-system-initrd-modules base-system\)\)/s
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/install -m 600 "\$runtime_system_facts" "\$target_tribes_dir\/system-facts\.json"/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/install -m 600 "\$runtime_authorized_keys" "\$target_tribes_dir\/root-authorized_keys"/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /Guix channel seed: pinned commit=/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/LEGION_GUIX_MIRROR_URL:-https:\/\/mirror\.tribe-one\.org\/tribes-1/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /guix-channel-\$\{guix_pin_commit\}\.tar\.zst/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /guix-channel-latest\.tar\.zst/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/Guix channel seed: existing checkout cache at \$guix_cache_dir; skipping snapshot/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/Guix channel seed: probing commit snapshot \$snapshot_url/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/Guix channel seed: probing chosen snapshot \$snapshot_url/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /Guix channel seed: probe error: /)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/Guix channel seed: no usable mirror snapshot found; falling back to direct channel fetch/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /describe_guix_checkout_cache\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /repo=\$\{repo%\.git\}/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/"\$guix_daemon" --discover=no --disable-chroot --build-users-group=guixbuild/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/install_log="\$\{LEGION_INSTALL_LOG:-\/root\/legion\/guix-install\.log\}"/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /start_install_log\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /tee -a "\$install_log" <"\$fifo" >&2 &/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /legion_status\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /@LEGION_STATUS v=1 phase=%s step=%s state=%s/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /legion_failed_status\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /@LEGION_STATUS v=1 phase=%s step=%s state=failed/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /retry_command\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /curl_retry\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /curl_retry_probe\(\) \{/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/curl --retry 10 --retry-delay 10 --retry-connrefused --retry-all-errors "\$@"/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/curl --retry 3 --retry-delay 2 --retry-connrefused --retry-all-errors "\$@"/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /LEGION_GUIX_TIME_MACHINE_ATTEMPTS:-5/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /LEGION_GUIX_TIME_MACHINE_RETRY_DELAY:-20/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /\$description failed on attempt \$attempt\/\$attempts/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /legion_status guix-install system-init started/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /legion_status guix-install script completed/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /LEGION_GUIX_SUBSTITUTE_HEALTH_TIMEOUT:-3/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /substitute_cache_info_url\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /filter_healthy_substitute_urls\(\) \{/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/curl_retry_probe -fsS\s+--connect-timeout "\$substitute_health_timeout" --max-time "\$substitute_health_timeout"/s
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /StoreDir:\[\[:space:\]\]\*\/gnu\/store/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/no healthy Guix substitute servers remain after probing \/nix-cache-info/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/substitute_urls=\$\(filter_healthy_substitute_urls "\$substitute_urls"\)/
|
|
)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/Guix channel seed: transplanting checkout \$name \[\$description\]/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /seed_target_guix_checkout_cache\(\) \{/)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /target_parent="\$mnt\/root\/.cache\/guix\/checkouts"/)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/Guix channel seed: transplanting installer checkout cache into target root/
|
|
)
|
|
const initIndex = REMOTE_GUIX_INSTALL_SCRIPT.indexOf(
|
|
'retry_command "${LEGION_GUIX_TIME_MACHINE_ATTEMPTS:-5}"'
|
|
)
|
|
const transplantIndex = REMOTE_GUIX_INSTALL_SCRIPT.indexOf(
|
|
"seed_target_guix_checkout_cache\n\ninstall -d -m 755",
|
|
initIndex
|
|
)
|
|
assert.ok(initIndex >= 0)
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/env GUILE_AUTO_COMPILE=0 guix time-machine -C "\$LEGION_CHANNELS_FILE" --/
|
|
)
|
|
assert.ok(transplantIndex > initIndex)
|
|
})
|
|
|
|
test("REMOTE_GUIX_INSTALL_SCRIPT retry_command preserves final failure status", () => {
|
|
const start = REMOTE_GUIX_INSTALL_SCRIPT.indexOf("retry_command() {")
|
|
const end = REMOTE_GUIX_INSTALL_SCRIPT.indexOf("\n\ncurl_retry() {", start)
|
|
assert.ok(start >= 0)
|
|
assert.ok(end > start)
|
|
|
|
const retryFunction = REMOTE_GUIX_INSTALL_SCRIPT.slice(start, end)
|
|
const result = spawnSync("sh", ["-s"], {
|
|
input: `${retryFunction}\nretry_command 2 0 "expected failure" sh -c 'exit 7'\n`,
|
|
encoding: "utf8"
|
|
})
|
|
|
|
assert.equal(result.status, 7)
|
|
assert.match(result.stderr, /expected failure failed on attempt 1\/2/)
|
|
assert.match(result.stderr, /expected failure failed after 2 attempt\(s\)/)
|
|
})
|
|
|
|
test("REMOTE_NBDE_SYNC_SCRIPT reconciles NBDE policy instead of only adding Tang pins", () => {
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /legion_status nbde-sync script started/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /legion_status nbde-sync script completed/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /nbde_mode="\$\{LEGION_NBDE_MODE:-degraded\}"/)
|
|
assert.match(
|
|
REMOTE_NBDE_SYNC_SCRIPT,
|
|
/local_boot_key_path="\$\{LEGION_NBDE_LOCAL_BOOT_KEY_PATH:-\/boot\/nbde\/local-boot.key\}"/
|
|
)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /remove_all_clevis_bindings\(\) \{/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /bind_quorum_tang_urls\(\) \{/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /curl_retry\(\) \{/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /curl_retry -fsS "\$tang_url\/adv" -o "\$adv_file"/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /ensure_local_boot_key\(\) \{/)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /secure_remove_local_boot_key_file\(\) \{/)
|
|
assert.match(
|
|
REMOTE_NBDE_SYNC_SCRIPT,
|
|
/cryptsetup luksRemoveKey "\$device" "\$local_boot_key_path"/
|
|
)
|
|
assert.match(REMOTE_NBDE_SYNC_SCRIPT, /dd if=\/dev\/zero of="\$path"/)
|
|
})
|
|
|
|
test("REMOTE_GUIX_INSTALL_SCRIPT stores local NBDE boot keys under /boot", () => {
|
|
assert.match(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/boot_local_boot_key_path="\$boot_nbde_dir\/local-boot.key"/
|
|
)
|
|
assert.match(REMOTE_GUIX_INSTALL_SCRIPT, /"localBootKeyFile": "\/boot\/nbde\/local-boot.key"/)
|
|
assert.doesNotMatch(
|
|
REMOTE_GUIX_INSTALL_SCRIPT,
|
|
/"localBootKeyFile": "\/etc\/legion\/nbde\/local-boot.key"/
|
|
)
|
|
})
|
|
|
|
test("REMOTE_TRIBES_ADMIN_SCRIPT checks bootstrap readiness without starting a second release", () => {
|
|
assert.match(
|
|
REMOTE_TRIBES_ADMIN_SCRIPT,
|
|
/internal_status_url="http:\/\/\$local_probe_host:\$local_probe_port\/__internal\/status"/
|
|
)
|
|
assert.match(REMOTE_TRIBES_ADMIN_SCRIPT, /curl_retry\(\) \{/)
|
|
assert.match(REMOTE_TRIBES_ADMIN_SCRIPT, /curl_retry -fsS "\$internal_status_url"/)
|
|
assert.doesNotMatch(REMOTE_TRIBES_ADMIN_SCRIPT, /bootstrap\/wait/)
|
|
assert.doesNotMatch(REMOTE_TRIBES_ADMIN_SCRIPT, /tribes-app eval/)
|
|
assert.doesNotMatch(REMOTE_TRIBES_ADMIN_SCRIPT, /LEGION_EVAL_EXPR/)
|
|
assert.doesNotMatch(REMOTE_TRIBES_ADMIN_SCRIPT, /RELEASE_DISTRIBUTION=none/)
|
|
assert.doesNotMatch(REMOTE_TRIBES_ADMIN_SCRIPT, /herd start tribes/)
|
|
})
|
|
|
|
test("REMOTE_TRIBES_CERTIFICATE_SCRIPT triggers lego after DNS is ready", () => {
|
|
assert.match(REMOTE_TRIBES_CERTIFICATE_SCRIPT, /TRIBES_PUBLIC_HOST/)
|
|
assert.match(REMOTE_TRIBES_CERTIFICATE_SCRIPT, /service_name="lego-bootstrap-\$cert_name"/)
|
|
assert.match(REMOTE_TRIBES_CERTIFICATE_SCRIPT, /herd start haproxy/)
|
|
assert.match(REMOTE_TRIBES_CERTIFICATE_SCRIPT, /herd start "\$service_name"/)
|
|
assert.match(REMOTE_TRIBES_CERTIFICATE_SCRIPT, /expected certificate service \$service_name/)
|
|
assert.match(REMOTE_TRIBES_CERTIFICATE_SCRIPT, /legion_status tribes-certificate lego completed/)
|
|
})
|
|
|
|
test("REMOTE_TRIBES_POST_INSTALL_SCRIPT installs sync TLS material when enabled", () => {
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/legion_status tribes-post-install secrets started/
|
|
)
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/legion_status tribes-post-install script completed/
|
|
)
|
|
assert.match(REMOTE_TRIBES_POST_INSTALL_SCRIPT, /TRIBES_SYNC_LISTENER_ENABLED/)
|
|
assert.match(REMOTE_TRIBES_POST_INSTALL_SCRIPT, /sync_secret_dir="\$\{TRIBES_SYNC_SECRET_DIR/)
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/install -m 600 -o "\$service_user" -g "\$service_group" "\$sync_ca_source" "\$sync_ca_target"/
|
|
)
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/install -m 600 -o "\$service_user" -g "\$service_group" "\$sync_cert_source" "\$sync_cert_target"/
|
|
)
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/install -m 600 -o "\$service_user" -g "\$service_group" "\$sync_key_source" "\$sync_key_target"/
|
|
)
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/install -m 600 "\$host_config_source" "\$host_config_target"/
|
|
)
|
|
assert.match(
|
|
REMOTE_TRIBES_POST_INSTALL_SCRIPT,
|
|
/install -m 600 "\$channels_source" "\$channels_target"/
|
|
)
|
|
})
|