Project

General

Profile

Actions
Copy link

Bug #23225

closed

Crunch Singularity TestInject doesn't run

Added by Brett Smith 5 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Tom Clegg
Category:
Tests
Target version:
Development 2026-01-21
Story points:
-
Release:
Arvados 3.2.1
Release relationship:
Auto

Description

TestInject in source:lib/crunchrun/singularity_test.go looks like this:

func (s *singularitySuite) TestInject(c *C) {
    path, err := exec.LookPath("nsenter")
    if err != nil || path != "/var/lib/arvados/bin/nsenter" {
        c.Skip("looks like /var/lib/arvados/bin/nsenter is not installed -- re-run `arvados-server install`?")
    }
    s.executorSuite.TestInject(c)
}

As we've gotten away from arvados-server install, this test basically doesn't run. It's not running on Jenkins as of October 2025. And if you just remove the path condition, the test fails like this:

----------------------------------------------------------------------
FAIL: singularity_test.go:62: singularitySuite.TestInject

building singularity image
[singularity build /tmp/crunch-run-singularity-3405259366/image.sif docker-archive:///tmp/crunch-run-singularity-3405259366/image.tar]
INFO:    Starting build...
Getting image source signatures
Copying blob sha256:67f770da229bf16d0c280f232629b0c1f1243a884df09f6b940a1c7288535a6d
Copying config sha256:a11e762410a6fb4e925d1ea535fecc177d983bdf0dba3261d244fb3c7ee18865
Writing manifest to image destination
Storing signatures
2025/10/15 21:24:08  info unpack layer: sha256:378e3b9fb50c743e1daa7a79dc2cf7c18aa0ac8137a1ca0d51a3b909c80e7d48
INFO:    Creating SIF file...
INFO:    Build complete: /tmp/crunch-run-singularity-3405259366/image.sif

inject [cat /injecttest-33196/testfile] => "nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted\n" 
singularity_test.go:67:
    s.executorSuite.TestInject(c)
executor_test.go:289:
    c.Check(err, IsNil)
... value *exec.ExitError = &exec.ExitError{ProcessState:(*os.ProcessState)(0xc0028c0540), Stderr:[]uint8(nil)} ("exit status 1")

singularity_test.go:67:
    s.executorSuite.TestInject(c)
executor_test.go:290:
    c.Check(string(out), Equals, "first tube")
... obtained string = "nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted\n" 
... expected string = "first tube" 

container ran for 268.882353ms
OOPS: 118 passed, 2 skipped, 1 FAILED
--- FAIL: TestCrunchExec (96.86s)

I'm guessing arvados-server install either built Singularity with particular options or configured the system in some way to allow this to work. What was that way? Should we do the same thing on Jenkins? Is there another way we can implement this test?

Subtasks 1 (0 open1 closed)

Task #23394: Review 23225-remove-nsenterResolvedTom Clegg01/14/2026Actions
Actions
Copy link
 #1

Updated by Tom Clegg 5 months ago

This is how arvados-server install did it

install /usr/bin/nsenter /var/lib/arvados/bin/nsenter
setcap "cap_sys_admin+pei cap_sys_chroot+pei" /var/lib/arvados/bin/nsenter
Actions
Copy link
 #2

Updated by Brett Smith 5 months ago

Tom Clegg wrote in #note-1:

This is how arvados-server install did it

Ah yes, the thinking man's chmod 777.

Would it make sense to port this test to use ARVADOS_TEST_PRIVESC rather than relying on static capabilities?

Actions
Copy link
 #3

Updated by Tom Clegg 5 months ago

Would it make sense to port this test to use ARVADOS_TEST_PRIVESC rather than relying on static capabilities?

Yes, that would be closer to real usage.

Actions
Copy link
 #5

Updated by Tom Clegg 2 months ago

  • Target version set to Development 2026-01-21
  • Assigned To set to Tom Clegg
  • Status changed from New to In Progress
Actions
Copy link
 #6

Updated by Tom Clegg 2 months ago

  • Subtask #23394 added
Actions
Copy link
 #7

Updated by Brett Smith 2 months ago · Edited

Tom Clegg wrote in #note-4:

23225-remove-nsenter @ dc7134eeff669c0a498dc61704f5caf47e8effba -- developer-run-tests: #5005

Stupid question, is there a way to be sure the test is actually running on Jenkins now? The diff LGTM but I would appreciate more confidence that the change achieves its goal.

Actions
Copy link
 #8

Updated by Tom Clegg 2 months ago

(Unlike previously) the test does run without the special nsenter permissions provided ARVADOS_TEST_PRIVESC=sudo.

$ ./build/run-tests.sh --interactive --temp `pwd`/tmp --interactive ARVADOS_TEST_PRIVESC=sudo
...
What next? test lib/crunchrun -check.v -check.f=TestInject
...
PASS: <autogenerated>:1: dockerSuite.TestInject 0.600s
PASS: singularity_test.go:69: singularitySuite.TestInject       0.392s
OK: 2 passed

But does Jenkins have ARVADOS_TEST_PRIVESC=sudo?

It would be useful here to have a build parameter on our Jenkins jobs to enable verbose output for the Go tests via -check.v ...

Actions
Copy link
 #9

Updated by Tom Clegg 2 months ago · Edited

We do have that build parameter: test_opts. (edit: because Brett just added it)

--only lib/crunchrun lib/crunchrun_test=-check.v

run-tests-remainder: #5774

then, after adding ARVADOS_TEST_PRIVESC=sudo to jenkins config:

run-tests-remainder: #5776

Actions
Copy link
 #10

Updated by Tom Clegg 2 months ago

run-tests-remainder: #5776 

PASS: singularity_test.go:69: singularitySuite.TestInject    10.132s
Actions
Copy link
 #11

Updated by Brett Smith 2 months ago

Tom Clegg wrote in #note-10:

run-tests-remainder: #5776

LGTM, thanks.

For posterity in the ticket: I added test_opts, and tried to add setting ARVADOS_TEST_PRIVESC, in response to Tom's earlier comment. test_opts works fine. My first try at ARVADOS_TEST_PRIVESC didn't work with the environment cleaning in run-tests.sh but Tom spotted and fixed that. I'm adding those changes to the other test subjobs.

Actions
Copy link
 #12

Updated by Tom Clegg 2 months ago

  • Status changed from In Progress to Resolved
Actions
Copy link
 #13

Updated by Brett Smith about 2 months ago

  • Release changed from 82 to 84
Actions
Copy link

Also available in: Atom PDF