Convert sepgsql tests to TAP
The sepgsql tests have not been integrated into the Meson build system
yet. I propose to fix that here.
One problem there was that the tests use a very custom construction
where a top-level shell script internally calls make. I have converted
this to a TAP script that does the preliminary checks and then calls
pg_regress directly, without make. This seems to get the job done.
Also, once you have your SELinux environment set up as required, the
test now works fully automatically; you don't have to do any manual prep
work. The whole thing is guarded by PG_TEST_EXTRA=sepgsql now.
Some comments and questions:
- Do we want to keep the old way to run the test? I don't know all the
testing scenarios that people might be interested in, but of course it
would also be good to cut down on the duplication in the test files.
- Strangely, there was apparently so far no way to get to the build
directory from a TAP script. They only ever want to read files from the
source directory. So I had to add that.
- If you go through the pre-test checks in contrib/sepgsql/test_sepgsql,
I have converted most of these checks to the Perl script. Some of the
checks are obsolete, because they check whether the database has been
correctly initialized, which is now done by the TAP script anyway. One
check that I wasn't sure about is the
# 'psql' command must be executable from test domain
The old test was checking the installation tree, which I guess could be
set up in random ways. But do we need this kind of check if we are
using a temporary installation?
As mentioned in the patch, the documentation needs to be updated. This
depends on the outcome of the question above whether we want to keep the
old tests in some way.
Attachments:
v1-0001-Convert-sepgsql-tests-to-TAP.patchtext/plain; charset=UTF-8; name=v1-0001-Convert-sepgsql-tests-to-TAP.patchDownload+279-2
I took a quick look at the patch and I like that we standardize things a
bit. But one thing I am not a fan of are all the use of sed and awk in
the Perl script. I would prefer if that logic happened all in Perl,
especially since we have some of it in Perl (e.g. chomp). Also I wonder
if we should not use IPC::Run to do the tests since we already depend on
it for the other TAP tests.
I have not yet set up an VM with selinux to try the patch out for real
but will do so later.
On 5/13/24 8:16 AM, Peter Eisentraut wrote:
- Do we want to keep the old way to run the test? I don't know all the
testing scenarios that people might be interested in, but of course it
would also be good to cut down on the duplication in the test files.
I cannot see why. Having two ways to run the tests seems only like a bad
thing to me.
- If you go through the pre-test checks in contrib/sepgsql/test_sepgsql,
I have converted most of these checks to the Perl script. Some of the
checks are obsolete, because they check whether the database has been
correctly initialized, which is now done by the TAP script anyway. One
check that I wasn't sure about is the# 'psql' command must be executable from test domain
The old test was checking the installation tree, which I guess could be
set up in random ways. But do we need this kind of check if we are
using a temporary installation?
Yeah, that does not seem necessary.
Andreas
On 7/24/24 4:31 PM, Andreas Karlsson wrote:
I have not yet set up an VM with selinux to try the patch out for real
but will do so later.
I almost got the tests running but it required way too many manual steps
to just get there and I gave up after just getting segfaults. I had to
edit sepgsql-regtest.te because sepgsql-regtest.pp would not build
otherwise on Debian bookworm, but after I had done that instead of
getting test failures as I expected I just got segfaults. Maybe those
are caused by an incorrect sepgsql-regtest.pp but this was not nice at
all to try to get running for someone like me who does not know selinux
well.
Peter, what did you do to get the tests running? And should we fix these
tests to make them more user friendly?
Andreas
On 24.07.24 18:29, Andreas Karlsson wrote:
On 7/24/24 4:31 PM, Andreas Karlsson wrote:
I have not yet set up an VM with selinux to try the patch out for real
but will do so later.I almost got the tests running but it required way too many manual steps
to just get there and I gave up after just getting segfaults. I had to
edit sepgsql-regtest.te because sepgsql-regtest.pp would not build
otherwise on Debian bookworm, but after I had done that instead of
getting test failures as I expected I just got segfaults. Maybe those
are caused by an incorrect sepgsql-regtest.pp but this was not nice at
all to try to get running for someone like me who does not know selinux
well.Peter, what did you do to get the tests running? And should we fix these
tests to make them more user friendly?
In my experience, the tests (both the old and the proposed new) only
work on Red Hat-like platforms. I had also tried on Debian but decided
that it won't work.
On 24.07.24 16:31, Andreas Karlsson wrote:
I took a quick look at the patch and I like that we standardize things a
bit. But one thing I am not a fan of are all the use of sed and awk in
the Perl script. I would prefer if that logic happened all in Perl,
especially since we have some of it in Perl (e.g. chomp). Also I wonder
if we should not use IPC::Run to do the tests since we already depend on
it for the other TAP tests.
In principle yes, but here I tried not rewriting the tests too much but
just port them to a newer environment. I think the adjustments you
describe could be done as a second step.
(I don't really have any expertise in sepgsql or selinux, I'm just doing
this to reduce the dependency on makefiles for testing. So I'm trying
to use as light a touch as possible.)
On 7/24/24 6:31 PM, Peter Eisentraut wrote:
On 24.07.24 18:29, Andreas Karlsson wrote:
Peter, what did you do to get the tests running? And should we fix
these tests to make them more user friendly?In my experience, the tests (both the old and the proposed new) only
work on Red Hat-like platforms. I had also tried on Debian but decided
that it won't work.
Thanks, will try to run them on Rocky Linux when I have calmed down a
bit. :)
Andreas
Peter Eisentraut <peter@eisentraut.org> writes:
In my experience, the tests (both the old and the proposed new) only
work on Red Hat-like platforms. I had also tried on Debian but decided
that it won't work.
Yeah, Red Hat is pretty much the only vendor that has pushed SELinux
far enough to be usable by non-wizards. I'm not surprised if there
are outright bugs in other distros' versions of it, as AFAIK
nobody else turns it on by default.
regards, tom lane
On 7/24/24 12:36, Tom Lane wrote:
Peter Eisentraut <peter@eisentraut.org> writes:
In my experience, the tests (both the old and the proposed new) only
work on Red Hat-like platforms. I had also tried on Debian but decided
that it won't work.Yeah, Red Hat is pretty much the only vendor that has pushed SELinux
far enough to be usable by non-wizards. I'm not surprised if there
are outright bugs in other distros' versions of it, as AFAIK
nobody else turns it on by default.
I tried some years ago to get it working on my Debian-derived Linux Mint
desktop and gave up. I think SELinux is a really good tool on RHEL
variants, but I don't think many people use it on anything else. As Tom
says, perhaps there are a few wizards out there though...
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
On 7/24/24 6:33 PM, Peter Eisentraut wrote:
On 24.07.24 16:31, Andreas Karlsson wrote:
I took a quick look at the patch and I like that we standardize things
a bit. But one thing I am not a fan of are all the use of sed and awk
in the Perl script. I would prefer if that logic happened all in Perl,
especially since we have some of it in Perl (e.g. chomp). Also I
wonder if we should not use IPC::Run to do the tests since we already
depend on it for the other TAP tests.In principle yes, but here I tried not rewriting the tests too much but
just port them to a newer environment. I think the adjustments you
describe could be done as a second step.
That reasoning makes a lot of sense and I am in agreement. Cleaning that
up is best for another patch.
And managed to get the tests running on Rocky Linux 9 with both
autotools and meson and everything work as it should.
So I have two comments:
1) As I said earlier I think we should remove the old code.
2) If we remove the old code I think the launcher script can be merged
into the TAP test instead of being a separate shell script. But I am
fine if you think that is also something for a separate commit.
I like this kind of clean up patch. Good work! :)
Andreas
Andreas Karlsson <andreas@proxel.se> writes:
1) As I said earlier I think we should remove the old code.
I agree that carrying two versions of the test doesn't seem great.
However, a large part of the purpose of test_sepgsql is to help
people debug their sepgsql setup, which is why it goes to great
lengths to print helpful error messages. I'm worried that making
it into a TAP test will degrade the usefulness of that, simply
because the TAP infrastructure is pretty damn unfriendly when it
comes to figuring out why a test failed. You have to know where
to even look for the test logfile, and then you have to ignore
a bunch of useless-to-you chatter. I'm not sure if there is much
we can do to improve that. (Although if we could, it would
yield benefits across the whole tree.)
OTOH, I suspect there are so few people using sepgsql that this
doesn't matter too much. Probably most of them will be advanced
hackers who won't blink at digging through a TAP log. We should
update the docs to explain that though.
regards, tom lane
On 7/24/24 10:35 PM, Tom Lane wrote:
Andreas Karlsson <andreas@proxel.se> writes:
1) As I said earlier I think we should remove the old code.
I agree that carrying two versions of the test doesn't seem great.
However, a large part of the purpose of test_sepgsql is to help
people debug their sepgsql setup, which is why it goes to great
lengths to print helpful error messages. I'm worried that making
it into a TAP test will degrade the usefulness of that, simply
because the TAP infrastructure is pretty damn unfriendly when it
comes to figuring out why a test failed. You have to know where
to even look for the test logfile, and then you have to ignore
a bunch of useless-to-you chatter. I'm not sure if there is much
we can do to improve that. (Although if we could, it would
yield benefits across the whole tree.)
For me personally the output from when running it with meson was good
enough while the output when running with autotools was usable but
annoying to work with. Meson's integration with TAP is pretty good. But
with that said I am a power user and developer used to both meson and
autotools. Unclear what skill we should expect from the target audience
of test_sepgsql.
Andreas
On 24.07.24 23:03, Andreas Karlsson wrote:
On 7/24/24 10:35 PM, Tom Lane wrote:
Andreas Karlsson <andreas@proxel.se> writes:
1) As I said earlier I think we should remove the old code.
I agree that carrying two versions of the test doesn't seem great.
However, a large part of the purpose of test_sepgsql is to help
people debug their sepgsql setup, which is why it goes to great
lengths to print helpful error messages. I'm worried that making
it into a TAP test will degrade the usefulness of that, simply
because the TAP infrastructure is pretty damn unfriendly when it
comes to figuring out why a test failed. You have to know where
to even look for the test logfile, and then you have to ignore
a bunch of useless-to-you chatter. I'm not sure if there is much
we can do to improve that. (Although if we could, it would
yield benefits across the whole tree.)For me personally the output from when running it with meson was good
enough while the output when running with autotools was usable but
annoying to work with. Meson's integration with TAP is pretty good. But
with that said I am a power user and developer used to both meson and
autotools. Unclear what skill we should expect from the target audience
of test_sepgsql.
Here is a new patch version.
I simplified the uses of sed and awk inside the Perl script. I also
fixed "make installcheck". I noticed that meson installs sepgsql.sql
into the wrong directory, so that's fixed also. (Many of the
complications in this patch set are because sepgsql is not an extension
but a loose SQL script, of which it is now the only one. Maybe
something to address separately.)
I did end up deciding to keep the old test_sepgsql script, because it
does have the documented purpose of testing existing installations. I
did change it so that it calls pg_regress directly, without going via
make, so that the dependency on make is removed.
The documentation is also updated a little bit, but I kept it to a
minimum, because I'm not really sure how up to date the existing
documentation was. It lists several steps in the test procedure that I
didn't need to do. Someone who knows more about the whole picture would
need to look at that in more detail.
On 27.08.24 10:12, Peter Eisentraut wrote:
Here is a new patch version.
I simplified the uses of sed and awk inside the Perl script. I also
fixed "make installcheck". I noticed that meson installs sepgsql.sql
into the wrong directory, so that's fixed also. (Many of the
complications in this patch set are because sepgsql is not an extension
but a loose SQL script, of which it is now the only one. Maybe
something to address separately.)I did end up deciding to keep the old test_sepgsql script, because it
does have the documented purpose of testing existing installations. I
did change it so that it calls pg_regress directly, without going via
make, so that the dependency on make is removed.
This has been committed. And I understand there is a buildfarm client
update available for the affected buildfarm members.
On 2025-01-24 Fr 7:25 AM, Peter Eisentraut wrote:
On 27.08.24 10:12, Peter Eisentraut wrote:
Here is a new patch version.
I simplified the uses of sed and awk inside the Perl script. I also
fixed "make installcheck". I noticed that meson installs sepgsql.sql
into the wrong directory, so that's fixed also. (Many of the
complications in this patch set are because sepgsql is not an
extension but a loose SQL script, of which it is now the only one.
Maybe something to address separately.)I did end up deciding to keep the old test_sepgsql script, because it
does have the documented purpose of testing existing installations.
I did change it so that it calls pg_regress directly, without going
via make, so that the dependency on make is removed.This has been committed. And I understand there is a buildfarm client
update available for the affected buildfarm members.
This should only be rhinoceros. Joe can pull this fix:
https://github.com/PGBuildFarm/client-code/commit/60b72787036090c6bf829f5cef2b0b3e60f2a2db
(or just copy the whole file from
https://raw.githubusercontent.com/PGBuildFarm/client-code/refs/heads/main/PGBuild/Modules/TestSepgsql.pm)
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
On 1/24/25 09:00, Andrew Dunstan wrote:
On 2025-01-24 Fr 7:25 AM, Peter Eisentraut wrote:
On 27.08.24 10:12, Peter Eisentraut wrote:
Here is a new patch version.
I simplified the uses of sed and awk inside the Perl script. I also
fixed "make installcheck". I noticed that meson installs sepgsql.sql
into the wrong directory, so that's fixed also. (Many of the
complications in this patch set are because sepgsql is not an
extension but a loose SQL script, of which it is now the only one.
Maybe something to address separately.)I did end up deciding to keep the old test_sepgsql script, because it
does have the documented purpose of testing existing installations.
I did change it so that it calls pg_regress directly, without going
via make, so that the dependency on make is removed.This has been committed. And I understand there is a buildfarm client
update available for the affected buildfarm members.This should only be rhinoceros. Joe can pull this fix:
https://github.com/PGBuildFarm/client-code/commit/60b72787036090c6bf829f5cef2b0b3e60f2a2db
(or just copy the whole file from
https://raw.githubusercontent.com/PGBuildFarm/client-code/refs/heads/main/PGBuild/Modules/TestSepgsql.pm)
Sure, I am delinquent on updating my buildfarm client so will do that as
well as pull the fix. It might be the weekend before I have the time though.
This reminds me though that rhino is still running on CentOS 7 -- I need
to upgrade that one of these days...
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
Andrew Dunstan <andrew@dunslane.net> writes:
On 2025-01-24 Fr 7:25 AM, Peter Eisentraut wrote:
This has been committed. And I understand there is a buildfarm client
update available for the affected buildfarm members.
This should only be rhinoceros. Joe can pull this fix:
https://github.com/PGBuildFarm/client-code/commit/60b72787036090c6bf829f5cef2b0b3e60f2a2db
(or just copy the whole file from
https://raw.githubusercontent.com/PGBuildFarm/client-code/refs/heads/main/PGBuild/Modules/TestSepgsql.pm)
Looks like alligator needs some help here too.
regards, tom lane
On 2025-01-24 Fr 10:57 AM, Tom Lane wrote:
Andrew Dunstan <andrew@dunslane.net> writes:
On 2025-01-24 Fr 7:25 AM, Peter Eisentraut wrote:
This has been committed. And I understand there is a buildfarm client
update available for the affected buildfarm members.This should only be rhinoceros. Joe can pull this fix:
https://github.com/PGBuildFarm/client-code/commit/60b72787036090c6bf829f5cef2b0b3e60f2a2db
(or just copy the whole file from
https://raw.githubusercontent.com/PGBuildFarm/client-code/refs/heads/main/PGBuild/Modules/TestSepgsql.pm)Looks like alligator needs some help here too.
That's an issue with the new TAP test - alligator isn't running the
TestSepgsql module. lapwing has also had a TAP test failure.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
Andrew Dunstan <andrew@dunslane.net> writes:
On 2025-01-24 Fr 10:57 AM, Tom Lane wrote:
Looks like alligator needs some help here too.
That's an issue with the new TAP test - alligator isn't running the
TestSepgsql module. lapwing has also had a TAP test failure.
Hmm. Neither of those animals should be trying to run the sepgsql
test; they are not configured --with-selinux, and probably don't
even have libselinux installed.
Looking at the buildfarm client script, it looks to me like it
will unconditionally try to run TAP tests in every contrib directory
that has a "t" subdirectory. Up to now, none of those needed to
be conditional ... but now we need some more awareness. However,
if this theory is right, then pretty much every BF animal except
rhinoceros should be failing. So there's some additional moving
part that I'm not seeing. In any case, I think there's a BF
client script bug here somewhere, or else these animals are
running an old script version that does the wrong thing.
regards, tom lane
On 2025-01-24 Fr 4:07 PM, Tom Lane wrote:
Andrew Dunstan<andrew@dunslane.net> writes:
On 2025-01-24 Fr 10:57 AM, Tom Lane wrote:
Looks like alligator needs some help here too.
That's an issue with the new TAP test - alligator isn't running the
TestSepgsql module. lapwing has also had a TAP test failure.Hmm. Neither of those animals should be trying to run the sepgsql
test; they are not configured --with-selinux, and probably don't
even have libselinux installed.Looking at the buildfarm client script, it looks to me like it
will unconditionally try to run TAP tests in every contrib directory
that has a "t" subdirectory. Up to now, none of those needed to
be conditional ... but now we need some more awareness. However,
if this theory is right, then pretty much every BF animal except
rhinoceros should be failing. So there's some additional moving
part that I'm not seeing. In any case, I think there's a BF
client script bug here somewhere, or else these animals are
running an old script version that does the wrong thing.
The new TAP test has:
+if (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bsepgsql\b/)
+{
+ plan skip_all =>
+ 'Potentially unsafe test sepgsql not enabled in PG_TEST_EXTRA';
+}It looks like the error on alligator is coming from a NON TAP test:
rm -rf '/home/postgres/proj/build-farm-17/buildroot/HEAD/pgsql.build'/tmp_install
/usr/bin/mkdir -p '/home/postgres/proj/build-farm-17/buildroot/HEAD/pgsql.build'/tmp_install/log
make -C '../..' DESTDIR='/home/postgres/proj/build-farm-17/buildroot/HEAD/pgsql.build'/tmp_install install >'/home/postgres/proj/build-farm-17/buildroot/HEAD/pgsql.build'/tmp_install/log/install.log 2>&1
make -j1 checkprep >>'/home/postgres/proj/build-farm-17/buildroot/HEAD/pgsql.build'/tmp_install/log/install.log 2>&1
make: *** [../../src/Makefile.global:424: temp-install] Error 2
But why is it doing that? On my Ubuntu 22.04 dev instance, this test shows this as expected:
echo "# +++ tap check in contrib/sepgsql +++" && rm -rf '/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql'/tmp_check && /usr/bin/mkdir -p '/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql'/tmp_check && cd /home/andrew/pgl/pg_head/contrib/sepgsql && TESTLOGDIR='/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql/tmp_check/log' TESTDATADIR='/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql/tmp_check' PATH="/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/tmp_install/home/andrew/pgl/pg_head/root/HEAD/inst/bin:/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql:$PATH" LD_LIBRARY_PATH="/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/tmp_install/home/andrew/pgl/pg_head/root/HEAD/inst/lib:$LD_LIBRARY_PATH" INITDB_TEMPLATE='/home/andrew/pgl/pg_head/root/HEAD/pgsql.build'/tmp_install/initdb-template PGPORT='65678' top_builddir='/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql/../..' PG_REGRESS='/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql/../../src/test/regress/pg_regress' share_contrib_dir='/home/andrew/pgl/pg_head/root/HEAD/pgsql.build/tmp_install/home/andrew/pgl/pg_head/root/HEAD/inst/share/postgresql/contrib' /usr/bin/prove -I /home/andrew/pgl/pg_head/src/test/perl/ -I /home/andrew/pgl/pg_head/contrib/sepgsql --timer t/*.pl
# +++ tap check in contrib/sepgsql +++
[17:06:18] t/001_sepgsql.pl .. skipped: Potentially unsafe test sepgsql not enabled in PG_TEST_EXTRA
[17:06:18]
Files=1, Tests=0, 0 wallclock secs ( 0.00 usr 0.00 sys + 0.03 cusr 0.00 csys = 0.03 CPU)
Result: NOTESTS
log files for step contrib-sepgsqlCheck:
==~_~===-=-===~_~== /home/andrew/pgl/pg_head/root/HEAD/pgsql.build/contrib/sepgsql/tmp_check/log/regress_log_001_sepgsql ==~_~===-=-===~_~==
[17:06:18.231](0.004s) 1..0 # SKIP Potentially unsafe test sepgsql not enabled in PG_TEST_EXTRA
As of now I'm confused ...
cheers
andrew
--
Andrew Dunstan
EDB:https://www.enterprisedb.com
Andrew Dunstan <andrew@dunslane.net> writes:
On 2025-01-24 Fr 4:07 PM, Tom Lane wrote:
Looking at the buildfarm client script, it looks to me like it
will unconditionally try to run TAP tests in every contrib directory
that has a "t" subdirectory. Up to now, none of those needed to
be conditional ... but now we need some more awareness.
The new TAP test has:
+if (!$ENV{PG_TEST_EXTRA} || $ENV{PG_TEST_EXTRA} !~ /\bsepgsql\b/) +{ + plan skip_all => + 'Potentially unsafe test sepgsql not enabled in PG_TEST_EXTRA'; +}
Yeah, but to get to that point you have to get past "make install",
which requires compiling the code, which will absolutely not work
on these platforms. alligator and lapwing are not reporting the
relevant log file, but what we do see is an install failure that
could well be down to a compile failure.
But why is it doing that? On my Ubuntu 22.04 dev instance, this test shows this as expected:
I don't understand how you're compiling on Ubuntu ... does it
have selinux installed? On a Mac for instance,
$ cd pgsql/contrib/sepgsql/
$ make install
...
In file included from database.c:21:
./sepgsql.h:17:10: fatal error: 'selinux/selinux.h' file not found
17 | #include <selinux/selinux.h>
| ^~~~~~~~~~~~~~~~~~~
1 error generated.
As of now I'm confused ...
Me too. The way it looks from here, the farm should be all red,
but it isn't.
regards, tom lane
