integ tests: separate fixtures for building...

...auxiliary binaries.

* cloner_bin_path will build the binary that clones into jailer;
* vsock_bin_path will build the vsock client/server;
* seccomp_bin_paths will build the demo seccomp binaries.

This way, tests will only build the auxiliary binaries they need.

Fixes #1236

Signed-off-by: Alexandra Iordache <[email protected]>

Author: Alexandra Iordache

tests/conftest.py

@@ -143,8 +143,10 @@ def test_images_s3_bucket():
 MICROVM_S3_FETCHER = MicrovmImageS3Fetcher(test_images_s3_bucket())
 
 
-def init_microvm(root_path, aux_binary_paths, features=''):
+def init_microvm(root_path, bin_cloner_path, features=''):
     """Auxiliary function for instantiating a microvm and setting it up."""
+    # pylint: disable=redefined-outer-name
+    # The fixture pattern causes a pylint false positive for that rule.
     microvm_id = str(uuid.uuid4())
     fc_binary, jailer_binary = build_tools.get_firecracker_binaries(
         root_path,
@@ -156,7 +158,7 @@ def init_microvm(root_path, aux_binary_paths, features=''):
         jailer_binary_path=jailer_binary,
         build_feature=features,
         microvm_id=microvm_id,
-        aux_bin_paths=aux_binary_paths
+        bin_cloner_path=bin_cloner_path
     )
     vm.setup()
     return vm
@@ -211,16 +213,11 @@ def _gcc_compile(src_file, output_file):
 
 
 @pytest.fixture(scope='session')
-def aux_bin_paths(test_session_root_path):
-    """Build external tools.
-
-    They currently consist of:
+def bin_cloner_path(test_session_root_path):
+    """Build a binary that `clone`s into the jailer.
 
-    * a binary that can properly use the `clone()` syscall;
-    * a jailer with a simple syscall whitelist;
-    * a jailer with a (syscall, arguments) advanced whitelist;
-    * a jailed binary that follows the seccomp rules;
-    * a jailed binary that breaks the seccomp rules.
+    It's necessary because Python doesn't interface well with the `clone()`
+    syscall directly.
     """
     # pylint: disable=redefined-outer-name
     # The fixture pattern causes a pylint false positive for that rule.
@@ -229,7 +226,14 @@ def aux_bin_paths(test_session_root_path):
         'host_tools/newpid_cloner.c',
         cloner_bin_path
     )
+    yield cloner_bin_path
+
 
+@pytest.fixture(scope='session')
+def bin_vsock_path(test_session_root_path):
+    """Build a simple vsock client/server application."""
+    # pylint: disable=redefined-outer-name
+    # The fixture pattern causes a pylint false positive for that rule.
     vsock_helper_bin_path = os.path.join(
         test_session_root_path,
         'vsock_helper'
@@ -238,7 +242,22 @@ def aux_bin_paths(test_session_root_path):
         'host_tools/vsock_helper.c',
         vsock_helper_bin_path
     )
+    yield vsock_helper_bin_path
+
 
+@pytest.fixture(scope='session')
+def bin_seccomp_paths(test_session_root_path):
+    """Build jailers and jailed binaries to test seccomp.
+
+    They currently consist of:
+
+    * a jailer with a simple syscall whitelist;
+    * a jailer with a (syscall, arguments) advanced whitelist;
+    * a jailed binary that follows the seccomp rules;
+    * a jailed binary that breaks the seccomp rules.
+    """
+    # pylint: disable=redefined-outer-name
+    # The fixture pattern causes a pylint false positive for that rule.
     seccomp_build_path = os.path.join(
         test_session_root_path,
         build_tools.CARGO_RELEASE_REL_PATH
@@ -282,17 +301,15 @@ def aux_bin_paths(test_session_root_path):
     )
 
     yield {
-        'cloner': cloner_bin_path,
-        'vsock_helper': vsock_helper_bin_path,
         'demo_basic_jailer': demo_basic_jailer,
         'demo_advanced_jailer': demo_advanced_jailer,
         'demo_harmless': demo_harmless,
         'demo_malicious': demo_malicious
     }
 
 
-@pytest.fixture
-def microvm(test_session_root_path, aux_bin_paths):
+@pytest.fixture()
+def microvm(test_session_root_path, bin_cloner_path):
     """Instantiate a microvm."""
     # pylint: disable=redefined-outer-name
     # The fixture pattern causes a pylint false positive for that rule.
@@ -301,7 +318,7 @@ def microvm(test_session_root_path, aux_bin_paths):
     # microvm.
     vm = init_microvm(
         test_session_root_path,
-        aux_bin_paths,
+        bin_cloner_path,
         features=''
     )
     yield vm
@@ -345,7 +362,7 @@ def test_microvm_any(request, microvm):
 def test_multiple_microvms(
         test_session_root_path,
         context,
-        aux_bin_paths
+        bin_cloner_path
 ):
     """Yield one or more microvms based on the context provided.
 
@@ -361,7 +378,7 @@ def test_multiple_microvms(
 
     # When the context specifies multiple microvms, we use the first vm to
     # populate the other ones by hardlinking its resources.
-    first_vm = init_microvm(test_session_root_path, aux_bin_paths)
+    first_vm = init_microvm(test_session_root_path, bin_cloner_path)
     MICROVM_S3_FETCHER.init_vm_resources(
         microvm_resources,
         first_vm
@@ -372,7 +389,7 @@ def test_multiple_microvms(
     # asserts that the `how_many` parameter is always positive
     # (i.e strictly greater than 0).
     for _ in range(how_many - 1):
-        vm = init_microvm(test_session_root_path, aux_bin_paths)
+        vm = init_microvm(test_session_root_path, bin_cloner_path)
         MICROVM_S3_FETCHER.hardlink_vm_resources(
             microvm_resources,
             first_vm,

tests/framework/microvm.py

@@ -45,7 +45,7 @@ def __init__(
         microvm_id,
         build_feature='',
         monitor_memory=True,
-        aux_bin_paths=None
+        bin_cloner_path=None
     ):
         """Set up microVM attributes, paths, and data structures."""
         # Unique identifier for this machine.
@@ -111,7 +111,7 @@ def __init__(
             self._memory_events_queue = None
 
         # External clone/exec tool, because Python can't into clone
-        self.aux_bin_paths = aux_bin_paths
+        self.bin_cloner_path = bin_cloner_path
 
     def kill(self):
         """All clean up associated with this microVM should go here."""
@@ -272,8 +272,8 @@ def spawn(self):
         # 2) Python's ctypes libc interface appears to be broken, causing
         # our clone / exec to deadlock at some point.
         if self._jailer.daemonize:
-            if self.aux_bin_paths:
-                cmd = [self.aux_bin_paths['cloner']] + \
+            if self.bin_cloner_path:
+                cmd = [self.bin_cloner_path] + \
                       [self._jailer_binary_path] + \
                       jailer_param_list
                 _p = run(cmd, stdout=PIPE, stderr=PIPE, check=True)

tests/integration_tests/functional/test_vsock.py

@@ -159,7 +159,7 @@ def _run(self):
 def test_vsock(
         test_microvm_with_ssh,
         network_config,
-        aux_bin_paths,
+        bin_vsock_path,
         test_session_root_path
 ):
     """Vsock tests. See the module docstring for a high-level description."""
@@ -191,7 +191,8 @@ def test_vsock(
     assert ecode == 0
 
     # Copy `vsock_helper` and the random blob to the guest.
-    conn.scp_file(aux_bin_paths['vsock_helper'], '/bin/vsock_helper')
+    vsock_helper = bin_vsock_path
+    conn.scp_file(vsock_helper, '/bin/vsock_helper')
     conn.scp_file(blob_path, vm_blob_path)
 
     # Test guest-initiated connections.

tests/integration_tests/security/demo_seccomp/Cargo.lock

@@ -7,15 +7,15 @@
 from subprocess import run, PIPE
 
 
-def test_seccomp_ls(aux_bin_paths):
+def test_seccomp_ls(bin_seccomp_paths):
     """Assert that the seccomp filters deny a blacklisted syscall."""
     # pylint: disable=redefined-outer-name
     # The fixture pattern causes a pylint false positive for that rule.
 
     # Path to the `ls` binary, which attempts to execute the blacklisted
     # `SYS_access`.
     ls_command_path = '/bin/ls'
-    demo_jailer = aux_bin_paths['demo_basic_jailer']
+    demo_jailer = bin_seccomp_paths['demo_basic_jailer']
 
     assert os.path.exists(demo_jailer)
 
@@ -27,7 +27,7 @@ def test_seccomp_ls(aux_bin_paths):
     assert outcome.returncode != 0
 
 
-def test_advanced_seccomp_harmless(aux_bin_paths):
+def test_advanced_seccomp_harmless(bin_seccomp_paths):
     """
     Test `demo_harmless`.
 
@@ -36,8 +36,8 @@ def test_advanced_seccomp_harmless(aux_bin_paths):
     # pylint: disable=redefined-outer-name
     # The fixture pattern causes a pylint false positive for that rule.
 
-    demo_advanced_jailer = aux_bin_paths['demo_advanced_jailer']
-    demo_harmless = aux_bin_paths['demo_harmless']
+    demo_advanced_jailer = bin_seccomp_paths['demo_advanced_jailer']
+    demo_harmless = bin_seccomp_paths['demo_harmless']
 
     assert os.path.exists(demo_advanced_jailer)
     assert os.path.exists(demo_harmless)
@@ -48,7 +48,7 @@ def test_advanced_seccomp_harmless(aux_bin_paths):
     assert outcome.returncode == 0
 
 
-def test_advanced_seccomp_malicious(aux_bin_paths):
+def test_advanced_seccomp_malicious(bin_seccomp_paths):
     """
     Test `demo_malicious`.
 
@@ -57,8 +57,8 @@ def test_advanced_seccomp_malicious(aux_bin_paths):
     # pylint: disable=redefined-outer-name
     # The fixture pattern causes a pylint false positive for that rule.
 
-    demo_advanced_jailer = aux_bin_paths['demo_advanced_jailer']
-    demo_malicious = aux_bin_paths['demo_malicious']
+    demo_advanced_jailer = bin_seccomp_paths['demo_advanced_jailer']
+    demo_malicious = bin_seccomp_paths['demo_malicious']
 
     assert os.path.exists(demo_advanced_jailer)
     assert os.path.exists(demo_malicious)