Jv integration tests for runtime config

[JoukoVirtanen]

Description

Integration tests for runtime configuration. The tests create various versions of the runtime configuration file and check that the configuration introspection endpoint returns the correct expected configuration.

Checklist

• Investigated and inspected CI test results
• Updated documentation accordingly

Automated testing

• Added unit tests
• Added integration tests
• Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Ran the integration tests locally 2,000 times without a failure using the following script

#!/usr/bin/env bash
set -eou pipefail

for ((i = 0; i < 2000; i=i+1)); do
        echo "i= $i"
        sudo -E make -C integration-tests TestRuntimeConfigFile
done

[JoukoVirtanen]

Remove

[JoukoVirtanen]

Removed

[Molter73]

I'm less than half way through, I'll finish the review tomorrow.

[Molter73]

Please update this test name.

[JoukoVirtanen]

Done

[Molter73]

Consider creating a separate directory for this like /tmp/collector-test and use that instead of the full /tmp directory.

[JoukoVirtanen]

Done

[Molter73]

We probably want to move all assertions to a separate pkg/assert or similar.

[JoukoVirtanen]

Done

[Molter73]

I'm not 100% sold this is something we need, from a test we could just do:

body, err := IntrospectionQuery(s.Collector().IP(), "/state/config")
s.Require().NoError(err)

This is simple enough and you can add the logging if you deem it necessary.

[JoukoVirtanen]

Done

[JoukoVirtanen]

The changes in this file were made here https://github.com/stackrox/collector/pull/1902/files

[JoukoVirtanen]

The changes in this file were made here https://github.com/stackrox/collector/pull/1902/files

[Molter73]

We don't need to do this here, but the IntrospectionQuery method needs to be part of a collector manager object, it would change this to be a lot simpler/clearer:

func AssertExternalIps(t *testing.T, enable bool, collector *CollectorManager) {
	AssertRepeated(t, func() bool {
		body, err := collector.IntrospectionQuery("/state/config")

[JoukoVirtanen]

I think it can be done in another PR. Maybe we should have an Introspection struct that could be a member of a Collector interface. The introspection object would get the IP address from the collector object.

[Molter73]

Thanks for splitting the tests up, as silly as it may sound, it's a lot easier to understand what is going on now.

The comments I left now are mostly on moving some comments around to leave the code blocks on their own. This should help reduce clutter a bit more, since the description of what will be done is provided up front and the code is left as clean as possible.

[Molter73]

Suggested change

	// The runtime config file was deleted before starting collector so there should not be any config
	assert.AssertNoRuntimeConfig(s.T(), collectorIP)
	// Since there is no config the default is used, which means external IPs is disabled and we should
	// expect a normalized connection
	// The runtime config file was deleted before starting collector.
	// Default configuration is external IPs disabled.
	// We expect normalized connections.
	assert.AssertNoRuntimeConfig(s.T(), collectorIP)

[Molter73]

This same change can be applied to the other 2 tests.

[Molter73]

This was not applied to all tests.

[JoukoVirtanen]

It has now been applied to all tests.

[JoukoVirtanen]

CI results

Run 1
Many Konflux integration tests failed. rhcos failed with

=== RUN   TestProcfsScraperDisableFeatureFlag/TestProcfsScraper
    expect_conn.go:181: 
        	Error Trace:	/tests/pkg/mock_sensor/expect_conn.go:181
        	            				/tests/suites/procfs_scraper.go:72
        	Error:      	elements differ
        	            	
        	            	extra elements in list A:
        	            	([]interface ***) (len=1) ***
        	            	 (types.EndpointInfo) ***
        	            	  Protocol: (string) (len=15) "L4_PROTOCOL_TCP",
        	            	  Address: (types.ListenAddress) ***
        	            	   AddressData: (string) (len=4) "\x00\x00\x00\x00",
        	            	   Port: (int) 80,
        	            	   IpNetwork: (string) (len=5) "\x00\x00\x00\x00 "
        	            	  ***,
        	            	  CloseTimestamp: (string) (len=5) "<nil>",
        	            	  Originator: (types.ProcessOriginator) ***
        	            	   ProcessName: (string) "",
        	            	   ProcessExecFilePath: (string) "",
        	            	   ProcessArgs: (string) ""
        	            	  ***
        	            	 ***
        	            	***
        	            	
        	            	
        	            	listA:
        	            	([]types.EndpointInfo) (len=1) ***
        	            	 (types.EndpointInfo) ***
        	            	  Protocol: (string) (len=15) "L4_PROTOCOL_TCP",
        	            	  Address: (types.ListenAddress) ***
        	            	   AddressData: (string) (len=4) "\x00\x00\x00\x00",
        	            	   Port: (int) 80,
        	            	   IpNetwork: (string) (len=5) "\x00\x00\x00\x00 "
        	            	  ***,
        	            	  CloseTimestamp: (string) (len=5) "<nil>",
        	            	  Originator: (types.ProcessOriginator) ***
        	            	   ProcessName: (string) "",
        	            	   ProcessExecFilePath: (string) "",
        	            	   ProcessArgs: (string) ""
        	            	  ***
        	            	 ***
        	            	***
        	            	
        	            	
        	            	listB:
        	            	([]types.EndpointInfo) ***
        	            	***
        	Test:       	TestProcfsScraperDisableFeatureFlag/TestProcfsScraper
        	Messages:   	timed out waiting for endpoints

The other konflux integration tests failed with either problems pulling the image. Both konflux and non-konflux cos integration tests failed with verifier errors.

Run 2:
Similar errors as above. No procfs test error. Collector also fails for fedora coreos.

Run 3:
rhcos had the following error

=== RUN   TestUdpNetworkFlow/TestUdpNetorkflow/sendto_recvmmsg
    udp_networkflow.go:274: 
        	Error Trace:	/tests/suites/udp_networkflow.go:274
        	            				/tests/suites/udp_networkflow.go:244
        	            				/tests/suites/udp_networkflow.go:105
        	            				/tests/suites/udp_networkflow.go:96
        	            				/go/pkg/mod/github.com/stretchr/[email protected]/suite/suite.go:115
        	Error:      	Received unexpected error:
        	            	Error response from daemon: container create: creating container storage: the container name "udp-server" is already in use by 0b88d4d870e77d5fed05bd5bad8a1dd1e5391d4e229d7ffb3d92a5bd57d0febf. You have to remove that container to be able to reuse that name: that name is already in use
        	            	create udp-server

I did not see a previous failure that caused this error. There were other failures unrelated to the changes in the PR.

[Molter73]

Changes look ok, but #1902 still has comments on it that haven't been addressed, if your intent is to merge the changes from that PR with this one, please close it so I can move my comments to this PR.

[Stringy]

Can these timeouts be configurable via some parameters?

[JoukoVirtanen]

Done

[JoukoVirtanen]

Changes look ok, but #1902 still has comments on it that haven't been addressed, if your intent is to merge the changes from that PR with this one, please close it so I can move my comments to this PR.

I have addressed the PR review comments in the other PR.

[Molter73]

LGTM, but holding approval until #1902 is merged, so this can be rebased on top of that.

[Molter73]

LGTM!

Just a small comment on a TODO that I think we could solve quickly before merging, but we can also address it on the next PR that needs to use the helper function.

[Molter73]

This TODO should be relatively simple to solve, add a format and args parameter to the function like this:

func AssertRepeated(t *testing.T, tickTime time.Duration, timeout time.Duration, condition func() bool, msg string, args ...interface{}) {

Then here you can just call log.Error like this:

log.Error("Timeout reached: " + msg, args...)

If this ends up being too verbose on the call sites with the function being defined inline, you can always define the function and assign it to a variable, then pass that in.

[Molter73]

Also, there are some tests on the multiarch for konflux, but those are due to the integration test image not being rebuilt for those archs, this is not a blocker for this PR and I'm trying to address it here: #1974

[Stringy]

[nit] should probably be enabled rather than enable (the latter implies we're turning it on)

[JoukoVirtanen]

Done

[Stringy]

just a note that we'll need to add PerContainerRateLimit (probably in a follow up PR)

[JoukoVirtanen]

We should not be defining a RuntimeConfig struct here. We should be importing the go code generated from the protobuf definitions. The same for EndpointInfo, NetworkInfo and other similar structs. That should be done in a different PR.

[Stringy]

Can't we do this via the standard library? same for deleteFile, setRuntimeConfig

[JoukoVirtanen]

This way we get the logging that comes with execShellCommand. Also if there are changes to how commands need to be executed, using the standard library might not be the best method. E.g we might want to run the commands in a VM, locally, in a container, or somewhere else and changes to those things might result in the standard library not working. However, you did remind me that this is not the correct place for these functions and I have moved them to base.go.

[Stringy]

We've gone to great lengths to remove the various contexts in which things run, and today we're always running on the same host with the test containers so I don't think we should care about how commands run, or whether to restrict ourselves to using the shell instead of the stdlib. If this ever changes, then we'd have to overhaul the way the tests work again, so a few file system operations would be the least of our worries.

If these specific operations need to run in various contexts, then execShellCommand is still inappropriate because it is intended for running a local shell command (via exec.Command) and we'd have to change these functions anyway.

It's just that a shell command feels very expensive for an operation as simple as making a directory or deleting a file, and if we need logging then we can add logging here.

[Stringy]

Also, we would have a better handle on the errors if we do it via the stdlib. We wouldn't need to worry about failures in exec'ing the shell or the command, for example.

we're also just suppressing all errors at the moment -- we should probably return them to the caller

[JoukoVirtanen]

Done

[Stringy]

It would be better for to construct the object and serialize it to a string, and in fact it may be best to have the caller pass the structure directly to setRuntimeConfig

func (s *RuntimeConfigFileTestSuite) setRuntimeConfig(path string, config types.RuntimeConfig) error

[JoukoVirtanen]

Done

[Stringy]

This might sound like a nit, but from a separation of concerns perspective, this function shouldn't do the marshalling - it should be handled by setRuntimeConfig

This function should just construct types.RuntimeConfig object and pass it to setRuntimeConfig. Otherwise, when we inevitably come to adding another field to these tests, we'll have to duplicate the marshaling logic.

[JoukoVirtanen]

Done

[Stringy]

We've gone to great lengths to remove the various contexts in which things run, and today we're always running on the same host with the test containers so I don't think we should care about how commands run, or whether to restrict ourselves to using the shell instead of the stdlib. If this ever changes, then we'd have to overhaul the way the tests work again, so a few file system operations would be the least of our worries.

If these specific operations need to run in various contexts, then execShellCommand is still inappropriate because it is intended for running a local shell command (via exec.Command) and we'd have to change these functions anyway.

It's just that a shell command feels very expensive for an operation as simple as making a directory or deleting a file, and if we need logging then we can add logging here.

[Stringy]

Also, we would have a better handle on the errors if we do it via the stdlib. We wouldn't need to worry about failures in exec'ing the shell or the command, for example.

we're also just suppressing all errors at the moment -- we should probably return them to the caller

[JoukoVirtanen]

Use os.write.

[Stringy]

https://pkg.go.dev/os#example-WriteFile

[Stringy]

As discussed, there's a last couple of minor changes but otherwise LGTM!