From 5db88777c4f2febdaba8b964c7b3ec61e516d731 Mon Sep 17 00:00:00 2001 From: yaroslavborbat Date: Mon, 11 Nov 2024 12:22:34 +0300 Subject: [PATCH] change the CapExec value to false by default Signed-off-by: yaroslavborbat --- test/e2e/storage/drivers/in_tree.go | 51 ++++++++++++++++++++++------- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/test/e2e/storage/drivers/in_tree.go b/test/e2e/storage/drivers/in_tree.go index 203a69c5989..7d34574e1ea 100644 --- a/test/e2e/storage/drivers/in_tree.go +++ b/test/e2e/storage/drivers/in_tree.go @@ -1139,19 +1139,54 @@ type localVolume struct { var ( // capabilities defaultLocalVolumeCapabilities = map[storageframework.Capability]bool{ - storageframework.CapPersistence: true, - storageframework.CapFsGroup: true, - storageframework.CapBlock: false, - storageframework.CapExec: true, + storageframework.CapPersistence: true, + storageframework.CapFsGroup: true, + storageframework.CapBlock: false, + // To test CapExec, we need a volume with a filesystem. + // During end-to-end (e2e) testing, we utilize the `/tmp` directory for volume creation. + // However, best practices recommend mounting `/tmp` with the `noexec`, `nodev`, and `nosuid` parameters. + // This security measure prevents the execution of scripts and binaries within the `/tmp` directory. + // This practice, while promoting security, creates a dependency on the infrastructure configuration during e2e tests. + // This can result in "Permission Denied" errors when attempting to execute files from `/tmp`. + // To address this, we intentionally skip exec tests for certain types of LocalVolumes, such as `dir` or `dir-link`. + // This allows us to conduct comprehensive testing without relying on potentially restrictive security configurations. + storageframework.CapExec: false, storageframework.CapMultiPODs: true, storageframework.CapSingleNodeVolume: true, storageframework.CapMultiplePVsSameID: true, } localVolumeCapabitilies = map[utils.LocalVolumeType]map[storageframework.Capability]bool{ + utils.LocalVolumeTmpfs: { + storageframework.CapPersistence: true, + storageframework.CapFsGroup: true, + storageframework.CapBlock: false, + storageframework.CapExec: true, + storageframework.CapMultiPODs: true, + storageframework.CapSingleNodeVolume: true, + storageframework.CapMultiplePVsSameID: true, + }, utils.LocalVolumeBlock: { storageframework.CapPersistence: true, storageframework.CapFsGroup: true, storageframework.CapBlock: true, + storageframework.CapExec: false, + storageframework.CapMultiPODs: true, + storageframework.CapSingleNodeVolume: true, + storageframework.CapMultiplePVsSameID: true, + }, + utils.LocalVolumeBlockFS: { + storageframework.CapPersistence: true, + storageframework.CapFsGroup: true, + storageframework.CapBlock: false, + storageframework.CapExec: true, + storageframework.CapMultiPODs: true, + storageframework.CapSingleNodeVolume: true, + storageframework.CapMultiplePVsSameID: true, + }, + utils.LocalVolumeGCELocalSSD: { + storageframework.CapPersistence: true, + storageframework.CapFsGroup: true, + storageframework.CapBlock: false, storageframework.CapExec: true, storageframework.CapMultiPODs: true, storageframework.CapSingleNodeVolume: true, @@ -1224,14 +1259,6 @@ func (l *localDriver) PrepareTest(ctx context.Context, f *framework.Framework) * framework.ExpectNoError(err) l.hostExec = utils.NewHostExec(f) - // It is recommended to mount /tmp with options noexec, nodev, nosuid. - // tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel,inode64) - // This prevents scripts and binaries from being executed from the /tmp directory. - // This can cause errors like "Permission denied" when executing files from `/tmp`. - // To pass the test that verifies the execution of files on a volume, we remount `/tmp` with the exec option. - remountCmd := `mount | awk '{if ($3 == "/tmp") print $0}' | grep -q "noexec" && mount -o remount,exec /tmp || true` - err = l.hostExec.IssueCommand(ctx, remountCmd, l.node) - framework.ExpectNoError(err) l.ltrMgr = utils.NewLocalResourceManager("local-driver", l.hostExec, "/tmp") // This can't be done in SkipUnsupportedTest because the test framework is not initialized yet