tests/sysexts: Rework to build sysext locally #3966
Conversation
Build the sysext from Fedora RPMs and from scratch as part of the test to make this work on all releases and independently of the unofficial sysext project. Only test on x86_64 & aarch64 for now.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request reworks the systemd sysext test to build the extension from RPMs locally, rather than downloading pre-built ones. This is a great improvement for test reliability and independence. My review includes several suggestions to enhance the robustness, security, and efficiency of the new build script. Key areas for improvement include proper temporary directory management, safer package repository handling, correct version sorting, and more robust file operations.
| dnf download --resolve --arch=noarch --arch="$(arch)" "${rpm}" | ||
|
|
||
| # Figure out version to use | ||
| pkg="$(ls ${rpm}-*.rpm | sort -h | head -1)" |
There was a problem hiding this comment.
The sort -h command is for sorting human-readable numbers (e.g., 2K, 1G), not version strings. For correct version sorting, you should use sort -V. To get the latest version, you should select the last item after sorting, not the first. Using ls -1 is also recommended in scripts to ensure one file per line.
| pkg="$(ls ${rpm}-*.rpm | sort -h | head -1)" | |
| pkg="$(ls -1 ${rpm}-*.rpm | sort -V | tail -n 1)" |
| tmpdir="/tmp/sysext-${rpm}" | ||
| mkdir "${tmpdir}" |
There was a problem hiding this comment.
Using a fixed temporary directory name can lead to conflicts and is a security risk. It's better to use mktemp -d to create a unique and secure temporary directory.
| tmpdir="/tmp/sysext-${rpm}" | |
| mkdir "${tmpdir}" | |
| tmpdir=$(mktemp -d "/tmp/sysext-${rpm}.XXXXXX") |
| rm -rf /etc/yum.repos.d/fedora-cisco-openh264.repo | ||
| dnf download --resolve --arch=noarch --arch="$(arch)" "${rpm}" |
There was a problem hiding this comment.
Removing the repository file is a destructive action that modifies system state. A safer approach is to temporarily disable the repository for the dnf command using the --disablerepo flag.
| rm -rf /etc/yum.repos.d/fedora-cisco-openh264.repo | |
| dnf download --resolve --arch=noarch --arch="$(arch)" "${rpm}" | |
| dnf download --resolve --arch=noarch --arch="$(arch)" --disablerepo=fedora-cisco-openh264 "${rpm}" |
| mkfs.erofs -zlz4 "${name}" rootfs | ||
| mv "${name}" /tmp | ||
|
|
||
| popd > /dev/null |
There was a problem hiding this comment.
The temporary directory created for the build is not removed, which will leave files in /tmp. It's important to clean up this directory after it's no longer needed.
| popd > /dev/null | |
| popd > /dev/null | |
| rm -rf "${tmpdir}" |
| mv "/tmp/${name}"*".raw" "/var/lib/extensions.d" | ||
| ln -snf "/var/lib/extensions.d/${name}"*".raw" "/var/lib/extensions/${name}.raw" |
There was a problem hiding this comment.
Using globs (*) with mv and ln can be risky. If the glob expands to zero, or more than one file, these commands can fail or have unintended consequences. It's safer to verify that the glob matches exactly one file before proceeding.
For example:
local files=(/path/to/"${name}"*.raw)
if [ "${#files[@]}" -ne 1 ]; then
fatal "Expected 1 file, found ${#files[@]}"
fi
# Now use "${files[0]}"
safelyPlease apply this pattern to both the mv and ln commands.
1 participant
Build the sysext from Fedora RPMs and from scratch as part of the test to make this work on all releases and independently of the unofficial sysext project.
Only test on x86_64 & aarch64 for now.
Fixes: coreos/fedora-coreos-tracker#1940