Newly added test cases : disable/enable audit_logging in libvirtd.log #4421
Conversation
|
DATA (filename=output.expected) => NOT FOUND (data sources: variant, test, file) cleaning libvirtd logs... |
chunfuwen
force-pushed
the
add_enable_disable_audit_log_cases
branch
from
0074887 to
279e69a
Compare
|
[xx-185265] [audit_logging] Disable/enable audit_logging in libvirtd.log |
|
@yafu-1 , please help take a review |
| vm.start() | ||
|
|
||
| # Check audit daemon service status | ||
| check_auditd_service() |
There was a problem hiding this comment.
How about mv 'check_auditd_service()' before start vm and can try to start auditd service if service is not running.
There was a problem hiding this comment.
@yafu-1
updated as suggested
chunfuwen
force-pushed
the
add_enable_disable_audit_log_cases
branch
from
279e69a to
1d207f7
Compare
|
@dzhengfy |
| :return: enable_audit_logging: bool indicating enable/disable audit_logging | ||
| """ | ||
| log_outputs = "1:file:%s" % log_config_path | ||
| libvirtd_config.log_outputs = log_outputs |
There was a problem hiding this comment.
Wouldn't it be sufficient to have libvirtd_config = "1:file:%s" % log_config_path instead of log_outputs var that is not used anywhere else?
| """ | ||
| Configure audit log level" | ||
|
|
||
| :param params: dict wrapped with params |
There was a problem hiding this comment.
There is no params parameter to this function. Remove this line.
| Configure audit log level" | ||
|
|
||
| :param params: dict wrapped with params | ||
| :return: enable_audit_logging: bool indicating enable/disable audit_logging |
There was a problem hiding this comment.
There is no return statement in this function. The return word here would be better as :param since enable_audit_logging is a parameter to this function.
There was a problem hiding this comment.
remove return statement since there is nothing returned
| status = service_mgr.status(service_name) | ||
| LOG.debug('Service status is %s', status) | ||
| if not status: | ||
| service_mgr.start(service_name) |
There was a problem hiding this comment.
Isn't the clean code rule of "Functions should do one thing. They should do it well. They should do it only." broken here since we're not only checking but also starting the service?
Wouldn't it be better to move lines 52 and 53 out of this function?
OR
Rename the function to "ensure_auditd_started()"
There was a problem hiding this comment.
rename the function name to ensure_auditd_started
| """ | ||
| Check audit message in libvirtd log file | ||
| """ | ||
| str_to_grep = "virDomainAudit" |
There was a problem hiding this comment.
Wouldn't this be better as a function argument?
There was a problem hiding this comment.
updated with str_to_grep as function parameter
| process.run(cmd, ignore_status=True, | ||
| shell=True) | ||
|
|
||
| def check_msg_in_libvirtd_log(): |
There was a problem hiding this comment.
Wouldn't it be better to move this function definition and well as all other function definitions outside of the run() function? It would make run() function a lot smaller.
There was a problem hiding this comment.
@vasekhodina
Before team members had some discussion about which is better whether function is outside run or inside run.
There is no conclusion for this, and it is decided by individual to trade off this.
1)Outside run, it may need pass more function parameter since those function can not share variables already in run method
2) Inside run, it may look like run is full busy code, but if functions are relative small, it sound ok, and it also can save parameter passing
There was a problem hiding this comment.
Ok, I understand. Thank you for the explanation.
| vm.start() | ||
| # Check virt type in audit.log | ||
| check_virt_type_from_audit_log() | ||
| # Check audit msg in libvirtd log |
There was a problem hiding this comment.
I think the comment here and on line 100 is redundant and should be deleted. It says the same thing as the function name.
There was a problem hiding this comment.
updated by removing comments
chunfuwen
force-pushed
the
add_enable_disable_audit_log_cases
branch
from
1d207f7 to
97aac82
Compare
chunfuwen
requested review from
vasekhodina and
yafu-1
and removed request for
vasekhodina and
yafu-1
|
@vasekhodina |
chunfuwen
force-pushed
the
add_enable_disable_audit_log_cases
branch
from
97aac82 to
74b702a
Compare
|
|
||
| def ensure_auditd_started(): | ||
| """ | ||
| Check audit service status" |
There was a problem hiding this comment.
I think it would be good to change the comment to Check audit service status and start it if it's not running.
There was a problem hiding this comment.
@vasekhodina updated as suggested
chunfuwen
force-pushed
the
add_enable_disable_audit_log_cases
branch
from
74b702a to
6c3dc7d
Compare
|
@dzhengfy , please help take a review also since there is coming cases, which depends on this |
chunfuwen
requested review from
vasekhodina and
yafu-1
and removed request for
vasekhodina
| @@ -0,0 +1,10 @@ | |||
| - conf_file.libvirtd_conf.set_audit_logging: | |||
There was a problem hiding this comment.
Refer to other naming style, we do not add verb in the fie name. So would you consider to change it like audit_log.cfg
There was a problem hiding this comment.
@dzhengfy
I have no idea why file name don't add verb, could you point to me the link?
In libvirt virtualization, update/attach/detach/set/enable/disable are fundamental features and API exposed by libvirt.
So I am confused why not those key actions can be not in filename
| variants: | ||
| - positive_test: | ||
| variants: | ||
| - disable_audit_log: |
There was a problem hiding this comment.
- disable: is clear enough
There was a problem hiding this comment.
@dzhengfy
variants name will become part of test case
In this specific situation, the test case is related short, it looks like libvirtd_conf.set_audit_logging.positive_test.enable_audit_log is
not worse than libvirtd_conf.set_audit_logging.positive_test.enable in human friendly and human readable ways
| variants: | ||
| - disable_audit_log: | ||
| enable_audit = no | ||
| - enable_audit_log: |
There was a problem hiding this comment.
@dzhengfy
see previous replied comment
| Check whether virt type: VIRT_CONTROL|VIRT_MACHINE_ID|VIRT_RESOURCE in audit.log | ||
| """ | ||
| cmd = 'cat /var/log/audit/audit.log |grep -E "type=VIRT_CONTROL|VIRT_MACHINE_ID|VIRT_RESOURCE"' | ||
| process.system_output(cmd, shell=True, verbose=True) |
There was a problem hiding this comment.
It seems this line is duplicated. Remove it?
There was a problem hiding this comment.
Good catch, remove it
| cmd = 'cat /var/log/audit/audit.log |grep -E "type=VIRT_CONTROL|VIRT_MACHINE_ID|VIRT_RESOURCE"' | ||
| process.system_output(cmd, shell=True, verbose=True) | ||
| if process.system(cmd, ignore_status=True, shell=True): | ||
| test.fail("Check virt type failed with %s" % cmd) |
There was a problem hiding this comment.
Before test.fail(), we'd better to log the content of 'cat /var/log/audit/audit.log'
There was a problem hiding this comment.
@dzhengfy
/var/log/audit/audit.log' has large numbers of logs, which may distract troubleshooter's mind if all dump into output console
By the way, the command : /var/log/audit/audit.log clearly indicate if you want all log, just cat existed log file:/var/log/audit/audit.log
| Clean up audit message in log file. | ||
| """ | ||
| cmd = "> /var/log/audit/audit.log; > %s" % log_config_path | ||
| process.run(cmd, ignore_status=True, |
There was a problem hiding this comment.
ignore_status=True should be False because there is no code to check the return result.
There was a problem hiding this comment.
@dzhengfy
if this is called at the beginning of test case, log_config_path may not exist at that time, so it may not be proper to check process.run
,in other situation, for example at end of test case, it is proper to check that.
Personally thinking,whether clean up succeed or not has no direct impact on test case itself
By the way, I also met similar situation during my review, see avocado-framework/avocado-vt#3521
| enable_audit_logging = "yes" == params.get("enable_audit", "no") | ||
|
|
||
| # Get LibvirtdConfig or VirtQemuConfig | ||
| log_config_path = os.path.join(data_dir.get_data_dir(), "libvirtd.log") |
There was a problem hiding this comment.
log file could be put into get_tmp_dir() where you need not to clean it by yourself.
| :param enable_audit_logging: bool indicating enable/disable audit_logging | ||
| """ | ||
| libvirtd_config.log_outputs = "1:file:%s" % log_config_path | ||
| libvirtd_config.log_level = 1 |
There was a problem hiding this comment.
Above two lines are unnecessary because the avocado-vt env_process.py has enabled the debug log by default and you could get the default log file path via utils_misc.get_path(test.debugdir, "libvirtd.log") easily. And you need to define libvirtd_debug_level = '1' in your cfg. That is all.
There was a problem hiding this comment.
@dzhengfy
I think we can think of libvirtd enable in specific context.
In this specific test case,
Here libvirtd config is critical part of this case itself, so put each necessary libvirtd config in one block will give reader one whole picture what are needed, rather than distributed the config by define libvirtd_debug_level = '1' in your cfg and utils_misc.get_path(test.debugdir, "libvirtd.log").
In general case, e.g where it just search message from libvirtd.log, it is proper to just use utils_misc.get_path(test.debugdir, "libvirtd.log") to get the path of libvirtd log file, and then grep it from this libvirtd log file
There was a problem hiding this comment.
@vasekhodina , what's your opinion ? since I noticed you have some thoughts about clean code
There was a problem hiding this comment.
I agree with Chunfu.
I think we can apply one sentence from the Zen of Python: Explicit is better than implicit. So the way I understand it if it's important for the test to have the specific log location, then having it in one block and one var is better.
Anyone reading the code later can see the var log_config_path, but they might not know they can call the function utils_misc.get_path(test.debugdir, "libvirtd.log") to get the log.
Plus the log location is already configured on line 83, so if I would do any changes I would do them there.
audit_logging = 1 to let audit messages also be sent via libvirt logging infrastructure as well as the auditd logging Signed-off-by: chunfuwen <chwen@redhat.com>
chunfuwen
force-pushed
the
add_enable_disable_audit_log_cases
branch
from
6c3dc7d to
1ebf2a5
Compare
Newly added test cases : disable/enable audit_logging in libvirtd.log
audit_logging = 1 to let audit messages also be sent via libvirt logging infrastructure as well as the auditd logging
Signed-off-by: chunfuwen chwen@redhat.com