Rebase on upstream

README

@@ -1,4 +1,4 @@
-OpenQA Tests for Qubes OS 
+OpenQA Tests for Qubes OS
 
 To install, clone this repo to /var/lib/openqa/tests/qubesos
 
@@ -35,7 +35,7 @@ Variables:
 
 Variables used in tests:
  - `INSTALL_TEMPLATES` - space separated list of template groups (`debian`, `whonix`), or `all`; can include also specific template versions (`debian-11`) - they they will be installed/reinstalled from online repo after the initial install process
- - `USBVM` - USB VM configuration: `none`, `sys-usb` (default), `sys-net` (combined with Net VM)
+ - `USBVM` - USB VM configuration: `none` (assert that already disabled by default), `disable` (disable explicitly), `sys-usb` (default), `sys-net` (combined with Net VM)
  - `KEYBOARD_LAYOUT` - install with non-default keyboard layout; currently only `us-colemak` value is supported
  - `LOCALE` - install with non-default locale; currently only `en_DK.utf8` value is supported
  - `SYSTEM_TESTS` - run system tests from those (space separated) modules, each module can be suffixed with ":TIMEOUT" (in seconds); tests are run using nose2
@@ -45,13 +45,16 @@ Variables used in tests:
  - `SALT_SYSTEM_TESTS` - run salt formula preparing for system tests (mostly install extra packages)
  - `UPDATE_TEMPLATES` - update listed template packages as a whole (space separated list of templates to update)
  - `TEST_TEMPLATES` - limit tests to listed templates only (space separated list of templates to test)
+ - `DEFAULT_TEMPLATE` - choose default template - on install jobs it's chosen in initial-setup, on update jobs all qubes that used default template are switched to this one
  - `UPDATE` - install updates in dom0 and all templates
  - `QUBES_TEST_EXTRA_INCLUDE`, `QUBES_TEST_EXTRA_EXCLUDE` - passed directly to the test environment
  - `TEST_GUI_INTERACTIVE` - simple GUI interactive tests (start application from menu etc)
  - `TEST_WINDOWS_GUI_INTERACTIVE` - simple GUI interactive tests for Windows with QWT installed
  - `WINDOWS_VERSION` - create Windows VM of specific version and install QWT inside (argument as for qvm-create-windows-qube)
  - `QWT_DOWNLOAD` - download specific QWT build (can be URL to iso or rpm file); otherwise qubes-windows-tools dom0 packages is installed from standard repositories
- - `GUIVM` - create GUI VM
+ - `GUIVM` - create GUI VM (sys-gui)
+ - `GUIVM_VNC` - create GUI VM (sys-gui-vnc)
+ - `GUIVM_GPU` - create GUI VM (sys-gui-gpu)
  - `KEEP_SCREENLOCKER` - do not disable xscreensaver (or whatever screenlocker is there)
  - `PARTITIONING` - partition layout ('standard', 'xfs', 'btrfs', 'default', 'unencrypted'); on install - set via installer options, later - created manually on sdb, and all templates are migrated there
  - `HEADS` - when set to `1`, the test will handle Heads boot menu. Currently relevant only with `BACKEND=generalhw`. It's supposed to be sed in "machine" definition.
@@ -61,3 +64,11 @@ Variables used in tests:
  - `KERNEL_VERSION` - which kernel flavor should be used - currently supported value is 'latest', which will switch to kernel-latest and kernel-latest-qubes-vm during update
  - `PIPEWIRE` - when set to `1`, VMs are set to use pipewire instead of
    pulseaudio, including switching native pulseaudio to pipewire-pulse.
+ - `SUSPEND_MODE` - what suspend mode should be used; default is `S3`, set to `S0ix` to use S0ix suspend
+ - `INSTALL_OEM` - do fully automated OEM installation
+ - `INSTALL_OEM_STARTUP` - start OEM installation, but still expect interactive prompts during installation
+ - `HID` - for generalhw tests, tell it whether `USB` hid is used (default) or `PS2` one; in the latter case, sys-usb is not supposed to have input-proxy allowed by default
+
+SecureDrop variables used in tests:
+ - `SECUREDROP_INSTALL` - when set to `1`, SecureDrop Workstation is installed
+ - `SECUREDROP_TEST` - when set with a value, SecureDrop tests are run on top of an existing installation

api/gitlab_api.py

@@ -9,10 +9,10 @@
 import subprocess
 import sys
 import os
+import re
 import json
 import time
 import requests
-import zipfile
 import tempfile
 import string
 import hmac
@@ -28,7 +28,7 @@
 # defaults
 config_defaults = {
     'owner_allowlist': 'QubesOS',
-    'repo_allowlist': 'qubes-continuous-integration qubes-installer-qubes-os qubes-linux-kernel qubes-vmm-xen qubes-vmm-xen-stubdom-linux',
+    'repo_allowlist': 'qubes-continuous-integration qubes-installer-qubes-os qubes-linux-kernel qubes-vmm-xen qubes-vmm-xen-stubdom-linux qubes-gui-agent-linux qubes-grub2',
     'repo_blocklist': None,
     'job_allowlist': '*',
     'user_allowlist': None,
@@ -128,7 +128,7 @@ def verify_webhook_obj():
 
     return webhook_obj
 
-def get_job_from_pr(pr_details):
+def get_job_from_pr(pr_details, job_name="publish:repo"):
     r = requests.get(pr_details['_links']['statuses']['href'])
     r.raise_for_status()
     for status in r.json():
@@ -142,7 +142,7 @@ def get_job_from_pr(pr_details):
         for job in r.json():
             if job['status'] != 'success':
                 continue
-            if 'publish:repo' not in job['name']:
+            if job_name not in job['name']:
                 continue
             return job['web_url']
     return None
@@ -159,7 +159,7 @@ def run_test():
 
     print(repr(req_values))
 
-    version = req_values.get('VERSION') or '4.2'
+    version = req_values.get('VERSION') or '4.3'
     buildid = time.strftime('%Y%m%d%H-') + version
     # cannot serve repo directly from gitlab, because it refuses connections via Tor :/
     repo_url = req_values['REPO_JOB'] + '/artifacts/raw/repo'
@@ -171,8 +171,8 @@ def run_test():
             f.flush()
             repo_dir = TARGET_REPO_DIR + '/' + buildid
             os.mkdir(repo_dir)
-            with zipfile.ZipFile(f.name, 'r') as repo_zip:
-                repo_zip.extractall(repo_dir)
+            subprocess.check_output(
+                ['unzip', '-q', f.name, '-d', repo_dir])
             # get rid of 'repo' dir nesting
             for subdir in os.listdir(repo_dir + '/repo'):
                 os.rename(repo_dir + '/repo/' + subdir, repo_dir + '/' + subdir)
@@ -193,6 +193,14 @@ def run_test():
         values['SELINUX_TEMPLATES'] = req_values['SELINUX_TEMPLATES']
     if 'TEST_TEMPLATES' in req_values:
         values['TEST_TEMPLATES'] = req_values['TEST_TEMPLATES']
+    if 'UPDATE_TEMPLATES' in req_values:
+        values['UPDATE_TEMPLATES'] = req_values['UPDATE_TEMPLATES']
+    if 'FLAVOR' in req_values and req_values['FLAVOR'] in ('pull-requests', 'kernel', 'whonix', 'templates'):
+        values['FLAVOR'] = req_values['FLAVOR']
+    if 'KERNEL_VERSION' in req_values and req_values['KERNEL_VERSION'] in ('stable', 'latest'):
+        values['KERNEL_VERSION'] = req_values['KERNEL_VERSION']
+    if 'QUBES_TEST_MGMT_TPL' in req_values:
+        values['QUBES_TEST_MGMT_TPL'] = req_values['QUBES_TEST_MGMT_TPL'];
 
     subprocess.check_call([
         'openqa-cli', 'api', '-X', 'POST',
@@ -213,12 +221,19 @@ def github_event():
             user = webhook_obj['comment']['user']['login']
             if user.lower() not in config['user_allowlist'].lower().split():
                 return respond(200, 'comment of this user ignored')
-        if webhook_obj['comment']['body'].lower() == 'openqarun':
+        if webhook_obj['comment']['body'].lower().startswith('openqarun'):
             return run_test_pr(webhook_obj['comment'])
 
     return respond(200, 'nothing to do')
 
 def run_test_pr(comment_details):
+    comment_body = comment_details['body'].strip()
+    comment_params = dict([
+        param.split("=", 1)
+        for param in comment_body.split(" ")
+        if "=" in param and param[0].isupper()
+    ])
+
     # get PR info
     issue_url = comment_details['issue_url']
     r = requests.get(issue_url)
@@ -228,13 +243,16 @@ def run_test_pr(comment_details):
     r.raise_for_status()
     pr_details = r.json()
 
+    version = comment_params.get("VERSION", "4.3")
+    if not re.match(r"\A[0-9]\.[0-9]\Z", version):
+        return respond(400, "invalid VERSION value")
+
     # get associated gitlab job
-    repo_job = get_job_from_pr(pr_details)
+    repo_job = get_job_from_pr(pr_details, job_name=f"r{version}:publish:repo")
     if not repo_job:
         return respond(404, "build not found")
 
-    version = '4.2'
-    buildid = time.strftime('%Y%m%d%H-') + version
+    buildid = time.strftime('%Y%m%d%H%M-') + version
     # cannot serve repo directly from gitlab, because it refuses connections via Tor :/
     repo_url = repo_job + '/artifacts/raw/repo'
     with requests.get(repo_job + '/artifacts/download', stream=True) as r:
@@ -245,8 +263,8 @@ def run_test_pr(comment_details):
             f.flush()
             repo_dir = TARGET_REPO_DIR + '/' + buildid
             os.mkdir(repo_dir)
-            with zipfile.ZipFile(f.name, 'r') as repo_zip:
-                repo_zip.extractall(repo_dir)
+            subprocess.check_output(
+                ['unzip', '-q', f.name, '-d', repo_dir])
             # get rid of 'repo' dir nesting
             for subdir in os.listdir(repo_dir + '/repo'):
                 os.rename(repo_dir + '/repo/' + subdir, repo_dir + '/' + subdir)
@@ -256,6 +274,8 @@ def run_test_pr(comment_details):
     values['VERSION'] = version
     if pr_details['base']['repo']['name'] in (
             'qubes-linux-kernel',
+            'qubes-gui-agent-linux',
+            'qubes-grub2',
             'qubes-vmm-xen',
             'qubes-vmm-xen-stubdom-linux'):
         values['FLAVOR'] = 'kernel'

extra-files/qubesteststub/__init__.py

@@ -16,6 +16,7 @@ async def on_domain_pre_start(self, vm, event, **kwargs):
         pv_passthrough_available = (self.xeninfo['xen_minor'] < 13 or 
             'qubes.enable_insecure_pv_passthrough' in self.dom0_cmdline)
         if 'hvm_directio' not in self.physinfo['virt_caps'] and not pv_passthrough_available:
+            # FIXME: new devices API
             if vm.name in ('sys-net', 'sys-usb'):
                 for ass in list(vm.devices['pci'].assignments()):
                     await vm.devices['pci'].detach(ass)
@@ -28,18 +29,42 @@ async def on_domain_pre_start(self, vm, event, **kwargs):
             else:
                 missing = set()
 
-            for dev in vm.devices['pci'].persistent():
-                missing.discard(dev.ident.replace('_', ':'))
-            for dev in missing:
-                ass = DeviceAssignment(vm.app.domains[0], dev.replace(':', '_'),
-                        options={'no-strict-reset': 'True'},
-                        persistent=True)
-                await vm.devices['pci'].attach(ass)
+            if hasattr(vm.devices['pci'], 'get_assigned_devices'):
+                # new devices API
+                for dev in vm.devices['pci'].get_assigned_devices():
+                    if hasattr(dev, "port"):
+                        missing.discard(dev.port.port_id.replace('_', ':'))
+                    else:
+                        missing.discard(dev.ident.replace('_', ':'))
+                for dev in missing:
+                    if hasattr(DeviceAssignment, "new"):
+                        ass = DeviceAssignment.new(vm.app.domains[0], dev.replace(':', '_'), "pci",
+                                options={'no-strict-reset': 'True'},
+                                mode="required")
+                    else:
+                        ass = DeviceAssignment(vm.app.domains[0], dev.replace(':', '_'),
+                                options={'no-strict-reset': 'True'},
+                                required=True, attach_automatically=True)
+                    await vm.devices['pci'].assign(ass)
+            else:
+                # old devices API
+                for dev in vm.devices['pci'].persistent():
+                    missing.discard(dev.ident.replace('_', ':'))
+                for dev in missing:
+                    ass = DeviceAssignment(vm.app.domains[0], dev.replace(':', '_'),
+                            options={'no-strict-reset': 'True'},
+                            persistent=True)
+                    await vm.devices['pci'].attach(ass)
 
-        if len(vm.devices['pci'].persistent()):
+        has_pci_devices = (len(list(vm.devices['pci'].get_assigned_devices()))
+                           if hasattr(vm.devices['pci'], 'get_assigned_devices')
+                           else len(vm.devices['pci'].persistent()))
+        if has_pci_devices:
             # IOMMU missing
             if 'hvm_directio' not in self.physinfo['virt_caps'] and vm.virt_mode != 'pv':
                 vm.virt_mode = 'pv'
+            elif 'hvm_directio' in self.physinfo['virt_caps'] and vm.virt_mode != 'hvm':
+                vm.virt_mode = 'hvm'
             if os.path.exists('/sys/firmware/efi') and vm.virt_mode == 'pv':
                 # on UEFI (OVMF) disable e820_host, otherwise guest crashes;
                 # but then, force swiotlb as without e820_host automatic detection
@@ -49,7 +74,10 @@ async def on_domain_pre_start(self, vm, event, **kwargs):
 
     @qubes.ext.handler('domain-start')
     async def on_domain_start(self, vm, event, **kwargs):
-        if vm.name == 'sys-net' and not len(vm.devices['pci'].persistent()):
+        has_pci_devices = (len(list(vm.devices['pci'].get_assigned_devices()))
+                           if hasattr(vm.devices['pci'], 'get_assigned_devices')
+                           else len(vm.devices['pci'].persistent()))
+        if vm.name == 'sys-net' and not has_pci_devices:
             for dev in self.netdevs:
                 subprocess.call('echo 0000:{} > /sys/bus/pci/drivers/pciback/unbind'.format(dev), shell=True)
                 subprocess.call('echo 0000:{} > /sys/bus/pci/drivers/e1000e/bind'.format(dev), shell=True)
@@ -64,7 +92,7 @@ async def on_domain_start(self, vm, event, **kwargs):
             subprocess.call('ip l s {} up'.format(iface), shell=True)
             subprocess.call('ip l s xenbr0 up', shell=True)
             subprocess.call('xl network-attach sys-net bridge=xenbr0', shell=True)
-        if vm.name == 'sys-usb' and not len(vm.devices['pci'].persistent()):
+        if vm.name == 'sys-usb' and not has_pci_devices:
             for dev in self.usbdevs:
                 subprocess.call('echo 0000:{} > /sys/bus/pci/drivers/pciback/unbind'.format(dev), shell=True)
                 subprocess.call('echo 0000:{} > /sys/bus/pci/drivers/ehci-pci/bind'.format(dev), shell=True)
@@ -96,8 +124,8 @@ def __init__(self):
             qubes.config.defaults['kernelopts'] += ' xen_scrub_pages=0'
             qubes.config.defaults['kernelopts_pcidevs'] += ' xen_scrub_pages=0'
         if 'journald' not in qubes.config.defaults['kernelopts']:
-            qubes.config.defaults['kernelopts'] += ' systemd.journald.forward_to_console=1'
-            qubes.config.defaults['kernelopts_pcidevs'] += ' systemd.journald.forward_to_console=1'
+            qubes.config.defaults['kernelopts'] += ' systemd.journald.forward_to_console=1 systemd.journald.max_level_console=debug'
+            qubes.config.defaults['kernelopts_pcidevs'] += ' systemd.journald.forward_to_console=1 systemd.journald.max_level_console=debug'
 
         self.dom0_cmdline = pathlib.Path('/proc/cmdline').read_bytes().decode()
 

extra-files/system-tests/dom0.sls

@@ -10,12 +10,16 @@ dom0-packages:
       - qubes-usb-proxy-dom0
       - syslinux
       - genisoimage
+      - grub2-pc-modules
+      # for mkefiboot
+      - lorax
       - pulseaudio-utils
       - btrfs-progs
       - python3-nose2
       - python3-objgraph
       - patch
-{% if grains['osrelease'] == '4.2' %}
+      - qubes-video-companion-dom0
+{% if grains['osrelease'] != '4.1' %}
       - xinput
 {% endif %}
       - openssl

extra-files/update/atestrepo.py

@@ -0,0 +1,77 @@
+import subprocess
+import os
+from pathlib import Path
+
+UPDATE_REPO_URL = "@REPO_URL@"
+UPDATE_REPO_KEY = """@REPO_KEY@"""
+ENABLE_TESTING = True
+QUBES_VER = "@QUBES_VER@"
+WHONIX_REPO = "@WHONIX_REPO@"
+
+def atestrepo(os_data, log, **kwargs):
+    if os.path.exists("/usr/share/whonix/marker"):
+        # Whonix randomizes time, sometimes setting it in the future, which breaks
+        # at least Debian fasttrack
+        subprocess.call(["date", "-s", "+5min"])
+
+    if os_data["os_family"] == "Debian":
+        with open('/etc/apt/sources.list.d/qubes-testing.list', 'w') as f:
+            if ENABLE_TESTING:
+                f.write(f"deb [arch=amd64 signed-by=/usr/share/keyrings/qubes-archive-keyring.gpg] https://deb.qubes-os.org/r{QUBES_VER}/vm {os_data['codename']}-testing main\n")
+            if UPDATE_REPO_URL:
+                f.write(f"deb [arch=amd64 signed-by=/usr/share/keyrings/test.gpg] {UPDATE_REPO_URL}/vm {os_data['codename']} main\n")
+                subprocess.run(
+                    ["gpg",
+                     "--no-default-keyring",
+                     "--keyring", "/usr/share/keyrings/test.gpg",
+                     "--import"],
+                    input=UPDATE_REPO_KEY.encode(),
+                    check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+    elif os_data["os_family"] == "RedHat":
+        with open('/etc/yum.repos.d/qubes-testing.repo', 'w') as f:
+            if ENABLE_TESTING:
+                f.write("[qubes-testing]\n")
+                f.write("name=qubes testing\n")
+                f.write(f"baseurl=https://yum.qubes-os.org/r{QUBES_VER}/current-testing/vm/fc$releasever\n")
+                f.write(f"gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-{QUBES_VER}-primary\n")
+                f.write("gpgcheck = 1\n")
+                f.write("repo_gpgcheck = 1\n")
+            if UPDATE_REPO_URL:
+                f.write("[test-repo]\n")
+                f.write("name=test repo\n")
+                f.write(f"baseurl={UPDATE_REPO_URL}/vm/fc$releasever\n")
+                f.write(f"gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-test\n")
+                f.write("gpgcheck = 1\n")
+                f.write("repo_gpgcheck = 1\n")
+                with open("/etc/pki/rpm-gpg/RPM-GPG-KEY-test", "w") as key_f:
+                    key_f.write(UPDATE_REPO_KEY)
+    elif os_data["os_family"] == "ArchLinux":
+        with open('/etc/pacman.d/80-qubes-testing.conf', 'w') as f:
+            if UPDATE_REPO_URL:
+                f.write("[qubes-test]\n")
+                f.write(f"Server = {UPDATE_REPO_URL}/vm/archlinux/pkgs\n")
+                with open("/usr/share/pacman/keyrings/qubes-test.gpg", "w") as fk:
+                    fk.write(UPDATE_REPO_KEY)
+                list_output = subprocess.check_output([
+                    "gpg", "--show-keys", "--with-colons", "--with-fingerprint",
+                    "/usr/share/pacman/keyrings/qubes-test.gpg"
+                ]).decode()
+                key_fpr = [l for l in list_output.splitlines() if l.startswith("fpr:")][0].split(":")[9]
+                with open("/usr/share/pacman/keyrings/qubes-test-trusted", "w") as fk:
+                    fk.write(key_fpr + ":4:\n")
+                with open("/usr/share/pacman/keyrings/qubes-test-revoked", "w") as fk:
+                    pass
+                if not os.listdir('/etc/pacman.d/gnupg/private-keys-v1.d'):
+                    subprocess.run(["pacman-key", "--init"], check=True)
+                    subprocess.run(["pacman-key", "--populate"], check=True)
+                else:
+                    subprocess.run(["pacman-key", "--populate", "qubes-test"], check=True)
+            if ENABLE_TESTING:
+                f.write(f"[qubes-r{QUBES_VER}-current-testing]\n")
+                f.write(f"Server = https://archlinux.qubes-os.org/r{QUBES_VER}/current-testing/vm/archlinux/pkgs\n")
+    if Path('/usr/share/whonix/marker').exists():
+        subprocess.check_call([
+            "repository-dist",
+            "--enable",
+            "--repository", 
+            WHONIX_REPO])

extra-files/update/dom0.sls

@@ -4,6 +4,8 @@
 {% set basedist = 'fc32' %}
 {% elif grains['osrelease'] == '4.2' %}
 {% set basedist = 'fc37' %}
+{% elif grains['osrelease'] == '4.3' %}
+{% set basedist = 'fc41' %}
 {% else %}
 {% set basedist = 'unknown' %}
 {% endif %}

extra-files/update/qubes-testing-dom0.repo

@@ -1,6 +1,6 @@
 [qubes-testing]
 name = Qubes updates testing
-baseurl = http://yum.qubes-os.org/r{{grains['osrelease']}}/current-testing/dom0/{{basedist}}
+baseurl = http://yum.qubes-os.org/r{{grains['osrelease']}}/current-testing/host/{{basedist}}
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-{{grains['osrelease']}}-primary
 gpgcheck = 1