This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: RFC: Test hook for nss_files testing


On 12/07/2015 05:55 PM, Carlos O'Donell wrote:

> I have two concerns.
> 
> (1) Security.
> 
> What security implications are there in exposing this interface?

I added a function that has to be called instead of an environment
variable precisely so that there are no security concerns.  The function
is prefixed with _nss_files, which is what we use for namespacing the
NSS service modules.

> (2) Test what we ship.
> 
> We need to get away from build-tree testing and move to installed tree
> testing to verify that what we are testing is what we are shipping.

My proposed tests do that, which is why there is a hook.  An alternative
would be to compile nss_files twice, with different settings.  But then
we aren't testing anymore what we are shipping.

> The testing would look like this:
> 
> - Set up an installed tree.
> - Set up the test.
> - Run the test in some kind of isolation with configuration changes
>   made to the sysroot that would otherwise be impossible on the host.
> - Return status.
> - Repeat for all tests that need a sysroot e.g. ldconfig, network, nss...

I agree that installed-tree testing is better.  At least the nss_files
tests should be straightforward to migrate when installed-tree testing
arrives.  You just omit the path override, and copy the test files to
/etc in the test environment.

> A more appealing alternative would be to run the test under a systemtap
> script which did all the work of updating the paths to the databases
> without the hook changes.

I think this would be far more brittle and difficult to implement
because the existing path names are just string literals.  Run-time
patching also means that it's not really what we ship.  At that point,
we may be better off with something like cwrap, or an xtest with chroot.

Florian

