Merge pull request #599 from influxdata/BNP_race_checks

bnpfeife · web-flow · commit efd37de36766 · 2022-06-21T13:49:18.000-04:00
feat: implement race and static-binary checks
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -9,6 +9,11 @@ master_filter: &master_filter
       only:
         - master
 
+ubuntu_machine: &ubuntu_machine
+  machine:
+    image: ubuntu-2004:202111-02
+    docker_layer_caching: true
+
 workflows:
   version: 2
   ci:
@@ -20,6 +25,12 @@ workflows:
               version: ["2.0", "2.1", "2.2", "2.3"]
       - publish_docker_images:
           <<: *master_filter
+      - test-influxdb-binaries:
+          matrix:
+            parameters:
+              product:
+                - "influxdb/1.9/data"
+                - "influxdb/1.9/meta"
 
 jobs:
   build:
@@ -31,15 +42,16 @@ jobs:
       - run: bash circle-test.sh
 
   test-influxdb:
-    machine:
-      image: ubuntu-2004:202111-01
+    <<: *ubuntu_machine
     parameters:
       version:
         type: string
         enum: ["2.0", "2.1", "2.2", "2.3"]
     steps:
       - checkout
-      - run: sudo apt-get update && sudo apt-get install -y jq
+      - run: |
+          sudo apt-get update &&
+          sudo apt-get install -y jq
       - run: bash influxdb/test/test-2x-e2e.sh << parameters.version >>
       - store_artifacts:
           path: influxdb/test/logs
@@ -74,3 +86,14 @@ jobs:
           name: Do Enterprise Release
           command: |
             .circleci/scripts/do-enterprise-release
+
+  test-influxdb-binaries:
+    <<: *ubuntu_machine
+    parameters:
+      product:
+        type: string
+    steps:
+      - checkout
+      - run:
+          name: Validate Docker Image Binaries
+          command: influxdb/test/test-binaries << parameters.product >>
diff --git a/influxdb/test/test-binaries b/influxdb/test/test-binaries
@@ -0,0 +1,68 @@
+#!/bin/bash
+set -o errexit  \
+    -o nounset  \
+    -o pipefail
+
+function build_local_image()
+{
+  # ${1} -> directory
+  # ${2} -> tag
+  pushd "${1}"
+
+  docker build -t "${2}" .
+
+  popd
+}
+
+# ${1} -> product
+build_local_image "${1}" "influxdb-test"
+
+read -d '' -r PROGRAM <<'EOF' || true
+set -o errexit  \
+    -o nounset  \
+    -o pipefail \
+    -o xtrace
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get update
+apt-get install --yes binutils
+
+function test_race()
+{
+  # ${1} -> target
+  if grep --quiet 'WARNING\: DATA RACE' <<<"$(strings "${1}")"
+  then
+    printf 'Race-enabled binary detected: %s\n' "${1}" >&2 ; exit 1
+  fi
+}
+
+function test_static()
+{
+  # ${1} -> target
+
+  # `ldd` has the disadavantage that it cannot differentiate between a binary
+  # without a dynamic section and garbage. `file` requires somewhat brittle
+  # string parsing. `readelf` + `grep` circumvents both of these problems.
+  if ! readelf --dynamic "${1}" | \
+    grep --silent 'There is no dynamic section in this file.'
+  then
+    printf 'Non-static binary detected: %s\n' "${1}" >&2 ; exit 1
+  fi
+}
+
+for target in             \
+  /usr/bin/influx         \
+  /usr/bin/influx_inspect \
+  /usr/bin/influxd        \
+  /usr/bin/influxd-ctl    \
+  /usr/bin/influxd-meta
+do
+  if [[ -x "${target}" ]]
+  then
+    test_race "${target}"
+    test_static "${target}"
+  fi
+done
+EOF
+
+docker run -it "influxdb-test" bash -c "${PROGRAM}"
