Merge branch 'main' into feat/secure-communication

Author: markus-hentsch

Standards/scs-0003-v1-sovereign-cloud-standards-yaml.md

@@ -14,6 +14,19 @@ description: |
 
 ## Introduction
 
+This is v1.1 of the standard, which lifts the following restriction regarding the property `scs:name-vN`:
+this property may now be used on any flavor, rather than standard flavors only. In addition, the "vN" is
+now interpreted as "name variant N" instead of "version N of the naming standard". Note that this change
+indeed preserves compliance, i.e., compliance with v1.0 implies compliance with v1.1.
+
+## Terminology
+
+extra_specs
+  Additional properties on an OpenStack flavor, see
+  [OpenStack Nova user documentation](https://docs.openstack.org/nova/2024.1/user/flavors.html#extra-specs)
+  and
+  [OpenStack Nova configuration documentation](https://docs.openstack.org/nova/2024.1/configuration/extra-specs.html).
+
 ## Motivation
 
 In OpenStack environments there is a need to define different flavors for instances.
@@ -23,13 +36,13 @@ OpenStack providers thus typically offer a large selection of flavors.
 While flavors can be discovered (`openstack flavor list`), it is helpful for users (DevOps teams),
 to have a guaranteed set of flavors available on all SCS clouds, so these need not be discovered.
 
-## Properties (extra specs)
+## Properties (extra_specs)
 
-The following extra specs are recognized, together with the respective semantics:
+The following extra_specs are recognized, together with the respective semantics:
 
-- `scs:name-vN=NAME` (where `N` is `1` or `2`, and `NAME` is some string) means that the
-  flavor is one of the
-  standard SCS flavors, and the requirements of Section "Standard SCS flavors" below apply.
+- `scs:name-vN=NAME` (where `N` is a positive integer, and `NAME` is some string) means that
+  `NAME` is a valid name for this flavor according to any major version of the [SCS standard on
+  flavor naming](https://docs.scs.community/standards/iaas/scs-0100).
 - `scs:cpu-type=shared-core` means that _at least 20% of a core in >99% of the time_,
   measured over the course of one month (1% is 7,2 h/month). The `cpu-type=shared-core`
   corresponds to the `V` cpu modifier in the [flavor-naming spec](./scs-0100-v3-flavor-naming.md),
@@ -43,6 +56,24 @@ The following extra specs are recognized, together with the respective semantics
 
 Whenever ANY of these are present on ANY flavor, the corresponding semantics must be satisfied.
 
+The extra_spec `scs:name-vN` is to be interpreted as "name variant N". This name scheme is designed to be
+backwards compatible with v1.0 of this standard, where `scs:name-vN` is interpreted as
+"name according to naming standard vN". We abandon this former interpretation for two reasons:
+
+1. the naming standards admit multiple (even many) names for the same flavor, and we want to provide a means
+   of advertising more than one of them (said standards recommend using two: a short one and a long one),
+2. the same flavor name may be valid according to multiple versions at the same time, which would lead to
+   a pollution of the extra_specs with redundant properties; for instance, the name
+   `SCS-4V-16` is valid for both [scs-0100-v2](scs-0100-v2-flavor-naming.md) and
+   [scs-0100-v3](scs-0100-v3-flavor-naming.md), and, since it does not use any extension, it will be valid
+   for any future version that only changes the extensions, such as the GPU vendor and architecture.
+
+Note that it is not required to use consecutive numbers to number the name variants.
+This way, it becomes easier to remove a single variant (no "closing the gap" required).
+
+If extra_specs of the form `scs:name-vN` are used to specify SCS flavor names, it is RECOMMENDED to include
+names for the latest stable major version of the standard on flavor naming.
+
 ## Standard SCS flavors
 
 Following are flavors that must exist on standard SCS clouds (x86-64).
@@ -127,14 +158,19 @@ instance life cycle.)
 
 ## Conformance Tests
 
-The script `flavors-openstack.py` will read the lists of mandatory and recommended flavors
+The script [`flavors-openstack.py`](https://github.com/SovereignCloudStack/standards/blob/main/Tests/iaas/standard-flavors/flavors-openstack.py)
+will read the lists of mandatory and recommended flavors
 from a yaml file provided as command-line argument, connect to an OpenStack installation,
-and check whether the flavors are present and their extra specs are correct. Missing
-flavors will be reported on various logging channels: error for mandatory, info for
-recommended flavors. Incorrect extra specs will be reported as error in any case.
+and check whether the flavors are present and their extra_specs are correct.
+
+Missing flavors will be reported on various logging channels: error for mandatory, warning for
+recommended flavors. Incorrect extra_specs will be reported as error in any case.
 The return code will be non-zero if the test could not be performed or if any error was
 reported.
 
+The script does not check whether a name given via the extra_spec `scs:name-vN` is indeed valid according
+to any major version of the SCS standard on flavor naming.
+
 ## Operational tooling
 
 The [openstack-flavor-manager](https://github.com/osism/openstack-flavor-manager) is able to

Standards/scs-0103-v1-standard-flavors.md

@@ -1,9 +1,8 @@
 # Testsuite for SCS standards
 
 The tool `scs-compliance-check.py` parses a
-[compliance definition file](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0003-v1-sovereign-cloud-standards-yaml.md)
-and executes the test executables referenced in there for
-the specified layer (`iaas` or `kaas`).
+[certificate scope specification](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0003-v1-sovereign-cloud-standards-yaml.md)
+and executes the test executables referenced in there.
 
 ## Local execution (Linux, BSD, ...)
 
@@ -26,7 +25,7 @@ With a cloud environment configured in your `~/.config/openstack/clouds.yaml`
 and `secure.yaml`, then run
 
 ```shell
-./scs-compliance-check.py  -a os_cloud=CLOUDNAME -s CLOUDNAME scs-compatible-iaas.yaml
+./scs-compliance-check.py -s CLOUDNAME -a os_cloud=CLOUDNAME scs-compatible-iaas.yaml
 ```
 
 Replace `CLOUDNAME` with the name of your cloud environment as
@@ -47,17 +46,23 @@ fail if it isn't set.
 ## Usage information (help output)
 
 ```text
-Usage: scs-compliance-check.py [options] compliance-spec.yaml
-Options: -v/--verbose: More verbose output
- -q/--quiet: Don't output anything but errors
- -d/--date YYYY-MM-DD: Check standards valid on specified date instead of today
- -V/--version VERS: Force version VERS of the standard (instead of deriving from date)
- -s/--subject SUBJECT: Name of the subject (cloud) under test, for the report
- -S/--sections SECTION_LIST: comma-separated list of sections to test (default: all sections)
- -t/--tests REGEX: regular expression to select individual tests
- -o/--output REPORT_PATH: Generate yaml report of compliance check under given path
- -C/--critical-only: Only return critical errors in return code
- -a/--assign KEY=VALUE: assign variable to be used for the run (as required by yaml file)
+Usage: scs-compliance-check.py [options] SPEC_YAML
+
+Arguments:
+  SPEC_YAML: yaml file specifying the certificate scope
+
+Options:
+  -v/--verbose: More verbose output
+  -q/--quiet: Don't output anything but errors
+     --debug: enables DEBUG logging channel
+  -d/--date YYYY-MM-DD: Check standards valid on specified date instead of today
+  -V/--version VERS: Force version VERS of the standard (instead of deriving from date)
+  -s/--subject SUBJECT: Name of the subject (cloud) under test, for the report
+  -S/--sections SECTION_LIST: comma-separated list of sections to test (default: all sections)
+  -t/--tests REGEX: regular expression to select individual testcases based on their ids
+  -o/--output REPORT_PATH: Generate yaml report of compliance check under given path
+  -C/--critical-only: Only return critical errors in return code
+  -a/--assign KEY=VALUE: assign variable to be used for the run (as required by yaml file)
 
 With -C, the return code will be nonzero precisely when the tests couldn't be run to completion.
 ```

Tests/README.md

@@ -15,7 +15,6 @@
 from collections import Counter
 import getopt
 import logging
-from operator import attrgetter
 import os
 import re
 import sys
@@ -83,25 +82,33 @@ def print_usage(file=sys.stderr):
 
 
 def check_image_attributes(images, attributes=IMAGE_ATTRIBUTES):
-    for image in images:
-        wrong = [f"{key}={value}" for key, value in attributes.items() if image.get(key) != value]
-        if wrong:
-            logger.warning(f"Image '{image.name}' missing recommended attributes: {', '.join(wrong)}")
+    candidates = [
+        (image.name, [f"{key}={value}" for key, value in attributes.items() if image.get(key) != value])
+        for image in images
+    ]
+    # drop those candidates that are fine
+    offenders = [candidate for candidate in candidates if candidate[1]]
+    for name, wrong in offenders:
+        logger.warning(f"Image '{name}' missing recommended attributes: {', '.join(wrong)}")
+    return not offenders
 
 
 def check_flavor_attributes(flavors, attributes=FLAVOR_ATTRIBUTES, optional=FLAVOR_OPTIONAL):
+    offenses = 0
     for flavor in flavors:
         extra_specs = flavor['extra_specs']
         wrong = [f"{key}={value}" for key, value in attributes.items() if extra_specs.get(key) != value]
         miss_opt = [key for key in optional if extra_specs.get(key) is None]
         if wrong:
+            offenses += 1
             message = f"Flavor '{flavor.name}' missing recommended attributes: {', '.join(wrong)}"
             # only report missing optional attributes if recommended are missing as well
             # reasoning here is that these optional attributes are merely a hint for implementers
             # and if the recommended attributes are present, we assume that implementers have done their job already
             if miss_opt:
                 message += f"; additionally, missing optional attributes: {', '.join(miss_opt)}"
             logger.warning(message)
+    return not offenses
 
 
 def install_test_requirements(fconn):
@@ -132,47 +139,60 @@ def install_test_requirements(fconn):
     logger.debug("No package manager worked; proceeding anyway as rng-utils might be present nonetheless.")
 
 
-def check_vm_requirements(fconn, image_name):
-    try:
-        entropy_avail = fconn.run('cat /proc/sys/kernel/random/entropy_avail', hide=True).stdout.strip()
-        if entropy_avail != "256":
-            logger.error(
-                f"VM '{image_name}' didn't have a fixed amount of entropy available. "
-                f"Expected 256, got {entropy_avail}."
-            )
+def check_entropy_avail(fconn, image_name):
+    entropy_avail = fconn.run('cat /proc/sys/kernel/random/entropy_avail', hide=True).stdout.strip()
+    if entropy_avail != "256":
+        logger.error(
+            f"VM '{image_name}' didn't have a fixed amount of entropy available. "
+            f"Expected 256, got {entropy_avail}."
+        )
+        return False
+    return True
+
+
+def check_rngd(fconn, image_name):
+    result = fconn.run('sudo systemctl status rngd', hide=True, warn=True)
+    if "could not be found" in result.stdout or "could not be found" in result.stderr:
+        logger.warning(f"VM '{image_name}' doesn't provide the recommended service rngd")
+        return False
+    return True
+
 
+def check_fips_test(fconn, image_name):
+    try:
         install_test_requirements(fconn)
         fips_data = fconn.run('cat /dev/random | rngtest -c 1000', hide=True, warn=True).stderr
         failure_re = re.search(r'failures:\s\d+', fips_data, flags=re.MULTILINE)
         if failure_re:
             fips_failures = failure_re.string[failure_re.regs[0][0]:failure_re.regs[0][1]].split(" ")[1]
-            if int(fips_failures) > 3:
-                logger.error(
-                    f"VM '{image_name}' didn't pass the FIPS 140-2 testing. "
-                    f"Expected a maximum of 3 failures, got {fips_failures}."
-                )
+            if int(fips_failures) <= 3:
+                return True  # this is the single 'successful' code path
+            logger.error(
+                f"VM '{image_name}' didn't pass the FIPS 140-2 testing. "
+                f"Expected a maximum of 3 failures, got {fips_failures}."
+            )
         else:
             logger.error(f"VM '{image_name}': failed to determine fips failures")
             logger.debug(f"stderr following:\n{fips_data}")
     except BaseException:
         logger.critical(f"Couldn't check VM '{image_name}' requirements", exc_info=True)
+    return False  # any unsuccessful path should end up here
 
 
-def check_vm_recommends(fconn, image, flavor):
+def check_virtio_rng(fconn, image, flavor):
     try:
-        result = fconn.run('sudo systemctl status rngd', hide=True, warn=True)
-        if "could not be found" in result.stdout or "could not be found" in result.stderr:
-            logger.warning(f"VM '{image.name}' doesn't provide the recommended service rngd")
         # Check the existence of the HRNG -- can actually be skipped if the flavor
         # or the image doesn't have the corresponding attributes anyway!
         if image.hw_rng_model != "virtio" or flavor.extra_specs.get("hw_rng:allowed") != "True":
             logger.debug("Not looking for virtio-rng because required attributes are missing")
-        else:
-            # `cat` can fail with return code 1 if special file does not exist
-            hw_device = fconn.run('cat /sys/devices/virtual/misc/hw_random/rng_available', hide=True, warn=True).stdout
-            result = fconn.run("sudo su -c 'od -vAn -N2 -tu2 < /dev/hwrng'", hide=True, warn=True)
-            if not hw_device.strip() or "No such device" in result.stdout or "No such " in result.stderr:
-                logger.warning(f"VM '{image.name}' doesn't provide a hardware device.")
+            return False
+        # `cat` can fail with return code 1 if special file does not exist
+        hw_device = fconn.run('cat /sys/devices/virtual/misc/hw_random/rng_available', hide=True, warn=True).stdout
+        result = fconn.run("sudo su -c 'od -vAn -N2 -tu2 < /dev/hwrng'", hide=True, warn=True)
+        if not hw_device.strip() or "No such device" in result.stdout or "No such " in result.stderr:
+            logger.warning(f"VM '{image.name}' doesn't provide a hardware device.")
+            return False
+        return True
     except BaseException:
         logger.critical(f"Couldn't check VM '{image.name}' recommends", exc_info=True)
 
@@ -334,7 +354,12 @@ def create_vm(env, all_flavors, image, server_name=SERVER_NAME):
         boot_from_volume=True, terminate_volume=True, volume_size=volume_size,
     )
     logger.debug(f"Server '{server_name}' ('{server.id}') has been created")
-    return server
+    # next, do an explicit get_server because, beginning with version 3.2.0, the openstacksdk no longer
+    # sets the interface attributes such as `public_v4`
+    # I (mbuechse) consider this a bug in openstacksdk; it was introduced with
+    # https://opendev.org/openstack/openstacksdk/commit/a8adbadf0c4cdf1539019177fb1be08e04d98e82
+    # I also consider openstacksdk architecture with the Mixins etc. smelly to say the least
+    return env.conn.get_server(server.id)
 
 
 def delete_vm(conn, server_name=SERVER_NAME):
@@ -377,19 +402,56 @@ def handle(self, record):
         self.bylevel[record.levelno] += 1
 
 
+# the following functions are used to map any OpenStack Image to a pair of integers
+# used for sorting the images according to fitness for our test
+# - debian take precedence over ubuntu
+# - higher versions take precedence over lower ones
+
+# only list stable versions here
+DEBIAN_CODENAMES = {
+    "buster": 10,
+    "bullseye": 11,
+    "bookworm": 12,
+}
+
+
+def _deduce_sort_debian(os_version, debian_ver=re.compile(r"\d+\Z")):
+    if debian_ver.match(os_version):
+        return 2, int(os_version)
+    return 2, DEBIAN_CODENAMES.get(os_version, 0)
+
+
+def _deduce_sort_ubuntu(os_version, ubuntu_ver=re.compile(r"\d\d\.\d\d\Z")):
+    if ubuntu_ver.match(os_version):
+        return 1, int(os_version.replace(".", ""))
+    return 1, 0
+
+
+# map lower-case distro name to version deducing function
+DISTROS = {
+    "ubuntu": _deduce_sort_ubuntu,
+    "debian": _deduce_sort_debian,
+}
+
+
+def _deduce_sort(img):
+    # avoid private images here
+    # (note that with SCS, public images MUST have os_distro and os_version, but we check nonetheless)
+    if img.visibility != 'public' or not img.os_distro or not img.os_version:
+        return 0, 0
+    deducer = DISTROS.get(img.os_distro.strip().lower())
+    if deducer is None:
+        return 0, 0
+    return deducer(img.os_version.strip().lower())
+
+
 def select_deb_image(images):
-    """From a list of OpenStack image objects, select a recent Debian derivative.
-
-    Try Debian first, then Ubuntu.
-    """
-    for prefix in ("Debian ", "Ubuntu "):
-        imgs = sorted(
-            [img for img in images if img.name.startswith(prefix)],
-            key=attrgetter("name"),
-        )
-        if imgs:
-            return imgs[-1]
-    return None
+    """From a list of OpenStack image objects, select a recent Debian derivative."""
+    return max(images, key=_deduce_sort, default=None)
+
+
+def print_result(check_id, passed):
+    print(check_id + ": " + ('FAIL', 'PASS')[bool(passed)])
 
 
 def main(argv):
@@ -448,8 +510,8 @@ def main(argv):
                 logger.debug(f"Selected image: {images[0].name} ({images[0].id})")
 
             logger.debug("Checking images and flavors for recommended attributes")
-            check_image_attributes(all_images)
-            check_flavor_attributes(all_flavors)
+            print_result('entropy-check-image-properties', check_image_attributes(all_images))
+            print_result('entropy-check-flavor-properties', check_flavor_attributes(all_flavors))
 
             logger.debug("Checking dynamic instance properties")
             with TestEnvironment(conn) as env:
@@ -467,8 +529,12 @@ def main(argv):
                         ) as fconn:
                             # need to retry because it takes time for sshd to come up
                             retry(fconn.open, exc_type="NoValidConnectionsError,TimeoutError")
-                            check_vm_recommends(fconn, image, server.flavor)
-                            check_vm_requirements(fconn, image.name)
+                            # virtio-rng is not an official test case according to testing notes,
+                            # but for some reason we check it nonetheless (call it informative)
+                            check_virtio_rng(fconn, image, server.flavor)
+                            print_result('entropy-check-entropy-avail', check_entropy_avail(fconn, image.name))
+                            print_result('entropy-check-rngd', check_rngd(fconn, image.name))
+                            print_result('entropy-check-fips-test', check_fips_test(fconn, image.name))
                     finally:
                         delete_vm(conn)
     except BaseException as e:
@@ -480,6 +546,9 @@ def main(argv):
         "Total critical / error / warning: "
         f"{c[logging.CRITICAL]} / {c[logging.ERROR]} / {c[logging.WARNING]}"
     )
+    # include this one for backwards compatibility
+    if not c[logging.CRITICAL]:
+        print("entropy-check: " + ('PASS', 'FAIL')[min(1, c[logging.ERROR])])
     return min(127, c[logging.CRITICAL] + c[logging.ERROR])  # cap at 127 due to OS restrictions