From f4ffb422eca5052d89b34152071f8c4a4850c177 Mon Sep 17 00:00:00 2001 From: Eero Kelly Date: Fri, 22 Nov 2024 20:34:40 +0000 Subject: [PATCH 1/3] Add HSM check to the bare metal tests --- .../dev-tools/bare_metal_deployment/deploy.py | 55 ++++++++++++++++--- 1 file changed, 48 insertions(+), 7 deletions(-) diff --git a/ic-os/dev-tools/bare_metal_deployment/deploy.py b/ic-os/dev-tools/bare_metal_deployment/deploy.py index 00255039e48..eec705da060 100755 --- a/ic-os/dev-tools/bare_metal_deployment/deploy.py +++ b/ic-os/dev-tools/bare_metal_deployment/deploy.py @@ -115,6 +115,9 @@ class Args: # Run benchmarks if True benchmark: bool = flag(default=False) + # Check HSM capability if True + hsm: bool = flag(default=False) + # Path to the benchmark_driver script. benchmark_driver_script: Optional[str] = "./benchmark_driver.sh" @@ -266,6 +269,21 @@ def check_guestos_metrics_version(ip_address: IPv6Address, timeout_secs: int) -> return True +def check_guestos_hsm_capability(ip_address: IPv6Address, ssh_key_file: Optional[str] = None) -> bool: + # Check that the HSM is working correctly, over an SSH session with the node. + ssh_key_arg = f"-i {ssh_key_file}" if ssh_key_file else "" + ssh_opts = "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" + result = invoke.run( + f"ssh {ssh_opts} {ssh_key_arg} admin@{ip_address} '/opt/ic/bin/vsock_guest --attach-hsm && sleep 5 && pkcs11-tool --list-slots | grep \"Nitrokey HSM\"'", + warn=True, + ) + if not result or not result.ok: + return False + + log.info("HSM check success.") + return True + + def wait(wait_secs: int) -> bool: time.sleep(wait_secs) return False @@ -323,7 +341,13 @@ def configure_process_local_log(server_id: str): log.add(sys.stderr, format=logger_format) -def deploy_server(bmc_info: BMCInfo, wait_time_mins: int, idrac_script_dir: Path): +def deploy_server( + bmc_info: BMCInfo, + wait_time_mins: int, + idrac_script_dir: Path, + file_share_ssh_key: Optional[str] = None, + check_hsm: bool = False, +): # Partially applied function for brevity run_func = functools.partial(run_script, idrac_script_dir, bmc_info) @@ -382,9 +406,14 @@ def wait_func() -> bool: def check_connectivity_func() -> bool: assert bmc_info.guestos_ipv6_address is not None, "Logic error" - return check_guestos_ping_connectivity( - bmc_info.guestos_ipv6_address, timeout_secs - ) and check_guestos_metrics_version(bmc_info.guestos_ipv6_address, timeout_secs) + + result = check_guestos_ping_connectivity(bmc_info.guestos_ipv6_address, timeout_secs) + result = result and check_guestos_metrics_version(bmc_info.guestos_ipv6_address, timeout_secs) + + if check_hsm: + result = result and check_guestos_hsm_capability(bmc_info.guestos_ipv6_address, file_share_ssh_key) + + return result iterate_func = check_connectivity_func if bmc_info.guestos_ipv6_address else wait_func @@ -420,10 +449,17 @@ def check_connectivity_func() -> bool: return e.args[0] -def boot_images(bmc_infos: List[BMCInfo], parallelism: int, wait_time_mins: int, idrac_script_dir: Path): +def boot_images( + bmc_infos: List[BMCInfo], + parallelism: int, + wait_time_mins: int, + idrac_script_dir: Path, + file_share_ssh_key: Optional[str] = None, + check_hsm: bool = False, +): results: List[OperationResult] = [] - arg_tuples = ((bmc_info, wait_time_mins, idrac_script_dir) for bmc_info in bmc_infos) + arg_tuples = ((bmc_info, wait_time_mins, idrac_script_dir, file_share_ssh_key, check_hsm) for bmc_info in bmc_infos) with Pool(parallelism) as p: results = p.starmap(deploy_server, arg_tuples) @@ -682,7 +718,12 @@ def main(): wait_time_mins = args.wait_time parallelism = args.parallel success = boot_images( - bmc_infos=bmc_infos, parallelism=parallelism, wait_time_mins=wait_time_mins, idrac_script_dir=idrac_script_dir + bmc_infos=bmc_infos, + parallelism=parallelism, + wait_time_mins=wait_time_mins, + idrac_script_dir=idrac_script_dir, + file_share_ssh_key=args.file_share_ssh_key, + check_hsm=args.hsm, ) if not success: From 2824c125cf9c0e469c699e296b4a04af36ee7ada Mon Sep 17 00:00:00 2001 From: Eero Kelly Date: Fri, 22 Nov 2024 20:35:35 +0000 Subject: [PATCH 2/3] Enable test on CI --- .github/workflows-source/schedule-daily.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows-source/schedule-daily.yml b/.github/workflows-source/schedule-daily.yml index 8f7b1bca5b6..710315506f9 100644 --- a/.github/workflows-source/schedule-daily.yml +++ b/.github/workflows-source/schedule-daily.yml @@ -83,6 +83,7 @@ jobs: --file_share_ssh_key "$(realpath file2)" \ --inject_image_pub_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3gjE/2K5nxIBbk3ohgs8J5LW+XiObwA+kGtSaF5+4c" \ --file_share_username ci_interim \ + --hsm \ --ci_mode # Run bare metal node performance benchmarks From 24ac1d33c2e675e1d37799adff658475af890c9a Mon Sep 17 00:00:00 2001 From: IDX GitHub Automation Date: Fri, 22 Nov 2024 20:56:00 +0000 Subject: [PATCH 3/3] IDX GitHub Automation --- .github/workflows/schedule-daily.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/schedule-daily.yml b/.github/workflows/schedule-daily.yml index 0eb36e09d05..2e6b7de6672 100644 --- a/.github/workflows/schedule-daily.yml +++ b/.github/workflows/schedule-daily.yml @@ -49,6 +49,7 @@ jobs: --file_share_ssh_key "$(realpath file2)" \ --inject_image_pub_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3gjE/2K5nxIBbk3ohgs8J5LW+XiObwA+kGtSaF5+4c" \ --file_share_username ci_interim \ + --hsm \ --ci_mode # Run bare metal node performance benchmarks