From 6eeec896ef62f60ad4eb17884de5181841348f15 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 26 Jun 2023 16:40:03 +0200 Subject: [PATCH 1/4] Disable delv tests under TSAN Since delv can occasionally hang in system tests when running with TSAN (see GL#4119), disable these tests as a workaround. Otherwise, the hung delv process will just waste CI resources and prevent any meaningful output from the rest of the test suite. (cherry picked from commit fbcf37f914ed83cab374e01d13e0ce302c87ab52) --- bin/tests/system/conf.sh.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 0ef94436e3..0e7431ff6d 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -27,7 +27,11 @@ export ARPANAME=$TOP_BUILDDIR/bin/tools/arpaname export CDS=$TOP_BUILDDIR/bin/dnssec/dnssec-cds export CHECKCONF=$TOP_BUILDDIR/bin/check/named-checkconf export CHECKZONE=$TOP_BUILDDIR/bin/check/named-checkzone -export DELV=$TOP_BUILDDIR/bin/delv/delv +if [ -z "$TSAN_OPTIONS" ]; then # workaround for GL#4119 + export DELV=$TOP_BUILDDIR/bin/delv/delv +else + export DELV=: +fi export DIG=$TOP_BUILDDIR/bin/dig/dig export DNSTAPREAD=$TOP_BUILDDIR/bin/tools/dnstap-read export DSFROMKEY=$TOP_BUILDDIR/bin/dnssec/dnssec-dsfromkey From cfada0f62e0aad2fe019f017ecee5e215f84dc3d Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 26 Jun 2023 16:46:27 +0200 Subject: [PATCH 2/4] Only use delv if available in mkeys test Check that $DELV is an executable before using it in a test. (cherry picked from commit 384339dbba6e262e734095f7ea2c39ab7771fedb) --- bin/tests/system/mkeys/tests.sh | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh index 062149602c..a82cff8a78 100644 --- a/bin/tests/system/mkeys/tests.sh +++ b/bin/tests/system/mkeys/tests.sh 
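Review bot: The new `[ -z "$TSAN_OPTIONS" ]` test in conf.sh.in expands a variable that may be unset, so any script that sources conf.sh with `set -u` already active will abort on it; patch 4/4 works around this in cds/setup.sh by moving `set -u` below the source line. Writing the condition as `if [ -z "${TSAN_OPTIONS:-}" ]; then` would keep conf.sh safe under nounset for every caller and make that reordering unnecessary. Separately, `DELV=:` only disables tests that guard with `[ -x "$DELV" ]`. An unguarded `$DELV` call would run the shell no-op and return success, so it is worth confirming that no such call sites remain.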
@@ -111,15 +111,17 @@ grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) -n=$((n+1)) -ret=0 -echo_i "check positive validation using delv ($n)" -delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 -grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant -grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 -grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +if [ -x "$DELV" ]; then + n=$((n+1)) + ret=0 + echo_i "check positive validation using delv ($n)" + delv_with_opts @10.53.0.1 txt example > delv.out$n || ret=1 + grep "; fully validated" delv.out$n > /dev/null || ret=1 # redundant + grep "example..*TXT.*This is a test" delv.out$n > /dev/null || ret=1 + grep "example..*.RRSIG..*TXT" delv.out$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +fi n=$((n+1)) echo_i "check for failed validation due to wrong key in managed-keys ($n)" From b94f5146a1a051c49cc8a68777c00b34488d3946 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 26 Jun 2023 17:14:16 +0200 Subject: [PATCH 3/4] Fix checking for executables in shell conditions in tests Surround the variables which are checked whether they're executable in double quotes. Without them, empty paths won't be properly interpreted as not executable. (manually picked from commit 06056c44a7bebc50b6e32ca5baa3c396ae4e948f) --- bin/tests/system/ckdnsrps.sh | 2 +- bin/tests/system/dnssec/tests.sh | 48 +++++++++++++++--------------- bin/tests/system/resolver/tests.sh | 20 ++++++------- bin/tests/system/rpz/qperf.sh | 2 +- bin/tests/system/rpz/tests.sh | 2 +- 5 files changed, 37 insertions(+), 37 deletions(-) diff --git a/bin/tests/system/ckdnsrps.sh b/bin/tests/system/ckdnsrps.sh index 846c95f100..3063adb00f 100644 --- a/bin/tests/system/ckdnsrps.sh +++ b/bin/tests/system/ckdnsrps.sh 
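Review bot: When `[ -x "$DELV" ]` is false, the positive-validation check in mkeys/tests.sh is skipped without any output, so a TSAN run reports success with nothing in the log to show that validation through delv was never exercised. An `else` branch such as `else echo_i "skipping delv validation check: delv not available"` would make the reduced coverage visible. `n` is also incremented only inside the guard, so test numbers after this point differ between runs with and without delv. The same silent skip appears to apply to the `[ -x "${DELV}" ]` guards in dnssec/tests.sh, whose bodies continue outside the hunks shown.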
@@ -69,7 +69,7 @@ else add_conf "## testing with DNSRPS" fi -if [ ! -x $DNSRPS_CMD ]; then +if [ ! -x "$DNSRPS_CMD" ]; then add_conf "## make $DNSRPS_CMD to test DNSRPS" add_conf '#skip' exit 0 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 966c891e2a..18d0d7577b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -197,7 +197,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking positive validation NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.example > delv.out$n || ret=1 @@ -229,7 +229,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking positive validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.nsec3.example > delv.out$n || ret=1 @@ -254,7 +254,7 @@ status=$((status+ret)) SP="[[:space:]]+" -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking positive validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.optout.example > delv.out$n || ret=1 @@ -280,7 +280,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking positive wildcard validation NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.wild.example > delv.out$n || ret=1 @@ -322,7 +322,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking positive wildcard validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.wild.nsec3.example > delv.out$n || ret=1 
@@ -348,7 +348,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking positive wildcard validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.wild.optout.example > delv.out$n || ret=1 @@ -370,7 +370,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative validation NXDOMAIN NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a q.example > delv.out$n 2>&1 || ret=1 @@ -393,7 +393,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative validation NXDOMAIN NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a q.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -417,7 +417,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative validation NXDOMAIN OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a q.optout.example > delv.out$n 2>&1 || ret=1 @@ -439,7 +439,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt a.example > delv.out$n 2>&1 || ret=1 @@ -463,7 +463,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative validation NODATA NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 txt a.nsec3.example > delv.out$n 2>&1 || ret=1 
@@ -487,7 +487,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative validation NODATA OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt a.optout.example > delv.out$n 2>&1 || ret=1 @@ -508,7 +508,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative wildcard validation NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.wild.example > delv.out$n 2>&1 || ret=1 @@ -528,7 +528,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative wildcard validation NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.wild.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -552,7 +552,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking negative wildcard validation OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 txt b.optout.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -576,7 +576,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server insecurity proof NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.example > delv.out$n || ret=1 @@ -598,7 +598,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server insecurity proof NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.nsec3.example > delv.out$n || ret=1 
@@ -620,7 +620,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server insecurity proof OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a a.insecure.optout.example > delv.out$n || ret=1 @@ -644,7 +644,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.example > delv.out$n 2>&1 || ret=1 @@ -668,7 +668,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server negative insecurity proof NSEC3 using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.nsec3.example > delv.out$n 2>&1 || ret=1 @@ -692,7 +692,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking 1-server negative insecurity proof OPTOUT using dns_client ($n)" delv_with_opts @10.53.0.4 a q.insecure.optout.example > delv.out$n 2>&1 || ret=1 @@ -889,7 +889,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking failed validation using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.bogus.example > delv.out$n 2>&1 || ret=1 @@ -934,7 +934,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking that validation fails when key record is missing using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 
@@ -953,7 +953,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -if [ -x ${DELV} ] ; then +if [ -x "${DELV}" ] ; then ret=0 echo_i "checking that validation succeeds when a revoked key is encountered using dns_client ($n)" delv_with_opts +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1 diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh index 5f8bd01bda..ddad687641 100755 --- a/bin/tests/system/resolver/tests.sh +++ b/bin/tests/system/resolver/tests.sh @@ -37,7 +37,7 @@ grep "status: NXDOMAIN" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking non-cachable NXDOMAIN response handling using dns_client ($n)" ret=0 @@ -47,7 +47,7 @@ if [ -x ${RESOLVE} ] ; then status=$((status + ret)) fi -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking that local bound address can be set (Can't query from a denied address) ($n)" ret=0 @@ -73,7 +73,7 @@ grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking non-cachable NODATA response handling using dns_client ($n)" ret=0 @@ -88,7 +88,7 @@ echo_i "checking handling of bogus referrals ($n)" # If the server has the "INSIST(!external)" bug, this query will kill it. dig_with_opts +tcp www.example.com. a @10.53.0.1 >/dev/null || { echo_i "failed"; status=$((status + 1)); } -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking handling of bogus referrals using dns_client ($n)" ret=0 
@@ -135,7 +135,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking answer IPv4 address filtering using dns_client (accept) ($n)" ret=0 @@ -153,7 +153,7 @@ grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking answer IPv6 address filtering using dns_client (accept) ($n)" ret=0 @@ -179,7 +179,7 @@ grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking CNAME target filtering using dns_client (accept) ($n)" ret=0 @@ -198,7 +198,7 @@ grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking CNAME target filtering using dns_client (accept due to subdomain) ($n)" ret=0 @@ -226,7 +226,7 @@ grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking DNAME target filtering using dns_client (accept) ($n)" ret=0 @@ -245,7 +245,7 @@ grep "status: NOERROR" dig.out.ns1.test${n} > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -if [ -x ${RESOLVE} ] ; then +if [ -x "${RESOLVE}" ] ; then n=$((n+1)) echo_i "checking DNAME target filtering using dns_client (accept due to subdomain) ($n)" ret=0 diff --git a/bin/tests/system/rpz/qperf.sh b/bin/tests/system/rpz/qperf.sh index 0b1d3fff1a..dc79de9311 100644 --- a/bin/tests/system/rpz/qperf.sh +++ b/bin/tests/system/rpz/qperf.sh 
@@ -13,7 +13,7 @@ for QDIR in `echo "$PATH" | tr : ' '` ../../../../contrib/queryperf; do QPERF=$QDIR/queryperf - if test -f $QPERF -a -x $QPERF; then + if test -f "$QPERF" -a -x "$QPERF"; then echo $QPERF exit 0 fi diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh index 1400b5c657..0d2dea57e0 100644 --- a/bin/tests/system/rpz/tests.sh +++ b/bin/tests/system/rpz/tests.sh @@ -66,7 +66,7 @@ comment () { DNSRPSCMD=./dnsrps RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s" -if test -x $DNSRPSCMD; then +if test -x "$DNSRPSCMD"; then # speed up the many delays for dnsrpzd by waiting only 0.1 seconds WAIT_CMD="$DNSRPSCMD -w 0.1" TEN_SECS=100 From 4dcb0c67d34d58d69ca978f719252ce53a9e5579 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Mon, 26 Jun 2023 18:59:32 +0200 Subject: [PATCH 4/4] Check for unset variables only after conf.sh is loaded Make the cds/setup.sh compatible with the workaround which relies on testing the TSAN_OPTIONS variable which may not be set. (cherry picked from commit 76d9873ef6dd00eb6bd16cfe19d9972e89a9d846) --- bin/tests/system/cds/setup.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh index c3ec8a23fe..6de5de5acb 100644 --- a/bin/tests/system/cds/setup.sh +++ b/bin/tests/system/cds/setup.sh @@ -11,10 +11,12 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -set -eu +set -e . ../conf.sh +set -u + touch empty Z=cds.test
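Review bot: The newly quoted test in rpz/qperf.sh still joins its two conditions with `-a`, which POSIX marks obsolescent because its parsing is ambiguous for some operand values; `if test -f "$QPERF" && test -x "$QPERF"; then` avoids that. The `echo $QPERF` on the following context line is left unquoted, so a path containing spaces or glob characters would not be printed verbatim. `printf '%s\n' "$QPERF"` would be consistent with the quoting this commit adds. The loop's closing `done` is outside the hunk.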
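Review bot: The split into `set -e` before and `set -u` after `. ../conf.sh` in cds/setup.sh carries no comment, so it reads like an accident that a later cleanup could merge back into `set -eu`. A short comment above the second call, for example `# conf.sh reads variables that may be unset (e.g. TSAN_OPTIONS); enable nounset only afterwards`, would record the reason. Note that conf.sh itself now runs without nounset in this script, so an unset variable inside it expands to an empty string instead of stopping the setup.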