Skip to content

feat: containerized fixture builder and cross-arch test coverage#338

Open
bartoszmajsak wants to merge 5 commits into
openshift:mainfrom
bartoszmajsak:fix-s390x-pclntab-review-followup
Open

feat: containerized fixture builder and cross-arch test coverage#338
bartoszmajsak wants to merge 5 commits into
openshift:mainfrom
bartoszmajsak:fix-s390x-pclntab-review-followup

Conversation

@bartoszmajsak

Copy link
Copy Markdown
Contributor

Summary

Follow-up to #337. Replaces ad-hoc per-fixture build scripts with a single parameterized builder backed by Red Hat's go-toolset container images and zig for cross-compilation. All test fixtures are now built from one main.go, producing consistent FIPS settings across Go versions.

Addresses #337 review feedback:

  • Fixture source/binary divergence - unified source, reproducible builds
  • Missing build scripts - single parameterized build_fixture.sh
  • No integration tests for new fixtures - added for all fixture variants
  • Swallowed tryParseTable errors - slog.Debug for rejected candidates
  • Test name inaccuracies - s390x fixture is CGO not PIE

Fills two coverage gaps:

  • ppc64le - quantum=4 + little-endian, previously untested
  • .data.rel.ro fallback - Go 1.24 external PIE exercises the magic scanning loop that no other fixture reaches

Adds fixture invariant assertions so rebuilt binaries can't silently change which code path they exercise.

Test plan

  • Rebuild from scratch: remove builder images, run build_fixture.sh per README, commit, make test verify
  • make test passes (135 tests across 9 packages)
  • Fixture invariant assertions catch wrong section/arch if a binary is rebuilt incorrectly

@openshift-ci openshift-ci Bot requested review from kolyshkin and smith-xyz May 20, 2026 17:08
@openshift-ci

openshift-ci Bot commented May 20, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bartoszmajsak
Once this PR has been reviewed and has the lgtm label, please assign richardsonnick for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bartoszmajsak bartoszmajsak force-pushed the fix-s390x-pclntab-review-followup branch from 20ff280 to bd62fba Compare May 20, 2026 17:17
@bartoszmajsak

Copy link
Copy Markdown
Contributor Author

@smith-xyz PTAL when you find some time.

@smith-xyz

Copy link
Copy Markdown
Contributor

@bartoszmajsak LGTM. Before merge, can we add rejectSections for go124_external_pie_amd64_app so we don’t regress the .data.rel.ro scan path silently; consider TestReadTable for go-native-fips-app and t.Fatal in assertFixtureInvariants.

Replaces per-fixture build scripts with a parameterized
build_fixture.sh backed by a Containerfile that layers zig onto
Red Hat's go-toolset images. Supports --goarch (amd64, s390x,
arm64, ppc64le), --buildmode, --cgo, --fips, and --go-image.

Red Hat Go provides fips140=auto in GODEBUG, which the scanner
requires for native FIPS detection. Source main.go now includes
//go:debug fips140=auto (ignored by Go < 1.26).

Adds test/resources/README.md documenting the rebuild workflow
and fixture matrix.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
All fixtures rebuilt from unified main.go using the containerized
builder with Red Hat go-toolset images.

New fixtures:
- go124_ppc64le_app: quantum=4 little-endian, previously untested
- go124_external_pie_amd64_app: .data.rel.ro fallback path
- go-native-fips-app: Go 1.26 native FIPS (fips140=auto)

Changed fixtures:
- fips_compliant_app: now amd64 (was arm64), Go 1.20 boringcrypto
- All others: rebuilt with Red Hat Go for consistent FIPS settings

Mock directories added for new fixtures (symlinked binaries).
Existing mock dir copies updated.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
Addresses PR openshift#337 review feedback:
- slog.Debug in tryParseTable for rejected pclntab candidates
- Fix test names (s390x fixture is CGO not PIE, fips is amd64)
- Fixture invariant assertions: each test case declares expected
  ELF section and machine type, with rejectSections to ensure
  fallback paths are actually exercised
- Integration tests for all new fixtures in TestRunLocalScan
- ppc64le unit test (quantum=4 LE)
- .data.rel.ro fallback unit test (magic scanning loop)

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
Adds rejectSections to the external PIE test case so a fixture rebuild
that introduces a dedicated .gopclntab section will fail loudly instead
of silently skipping the .data.rel.ro magic-scanning fallback.

Switches assertFixtureInvariants to t.Fatalf so broken fixtures stop
immediately rather than producing misleading downstream failures.

Adds go-native-fips-app to TestReadTable for crypto/fips140 coverage.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
@bartoszmajsak bartoszmajsak force-pushed the fix-s390x-pclntab-review-followup branch from bd62fba to 309c7a7 Compare June 2, 2026 07:54
@bartoszmajsak

Copy link
Copy Markdown
Contributor Author

@bartoszmajsak LGTM. Before merge, can we add rejectSections for go124_external_pie_amd64_app so we don’t regress the .data.rel.ro scan path silently; consider TestReadTable for go-native-fips-app and t.Fatal in assertFixtureInvariants.

@smith-xyz Good feedback, thanks! Adressed in 309c7a7

consider TestReadTable for go-native-fips-app

IIUC ReadTable doesn't care about the crypto stack - it parses pclntab, which is the same format regardless of whether the binary uses boringcrypto or crypto/fips140. It's a bit of a redundant test, but cheap, so I added it.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
@openshift-ci

openshift-ci Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

@bartoszmajsak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 56cc953 link true /test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@smith-xyz

Copy link
Copy Markdown
Contributor

@bartoszmajsak can you rebase and resolve the conflict so we can merge this in?

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 30, 2026
@openshift-ci

openshift-ci Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants