ROX-30259: Add a basic integration test framework

.containerignore

@@ -4,5 +4,6 @@ target/
 
 # Python stuff
 mock-server/
+tests/
 __pycache__/
 .venv/

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: Rust CI
+name: Main CI
 
 on:
   push:
@@ -17,7 +17,7 @@ concurrency:
 
 jobs:
   basic:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
@@ -61,9 +61,113 @@ jobs:
     - run: cargo ${{ matrix.args }}
 
   container:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
     - uses: actions/checkout@v4
       with:
         submodules: true
-    - run: podman build -t fact:latest .
+    - run: make image
+    - name: Login to quay.io/rhacs-eng
+      uses: docker/login-action@v3
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+        password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+    - run: docker push "$(make image-name)"
+
+  integration-tests:
+    runs-on: ubuntu-24.04
+    needs:
+      - container
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        path: fact
+    - uses: actions/checkout@v4
+      with:
+        repository: stackrox/collector
+        path: collector
+        ref: mauro/fact/adjust-workflows
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.10"
+
+    - name: Authenticate with GCP
+      uses: 'google-github-actions/auth@v2'
+      with:
+        credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_COLLECTOR_CI_VM_SVC_ACCT }}'
+
+    - name: Setup GCP
+      uses: 'google-github-actions/setup-gcloud@v2'
+
+    - uses: ./collector/.github/actions/setup-vm-creds
+      with:
+        gcp-ssh-key: ${{ secrets.GCP_SSH_KEY }}
+        gcp-ssh-key-pub: ${{ secrets.GCP_SSH_KEY_PUB }}
+        s390x-ssh-key: ${{ secrets.IBM_CLOUD_S390X_SSH_PRIVATE_KEY }}
+        ppc64le-ssh-key: ${{ secrets.IBM_CLOUD_POWER_SSH_PRIVATE_KEY }}
+        ppc64le-ssh-key-pub: ${{ secrets.IBM_CLOUD_POWER_SSH_PUBLIC_KEY }}
+        s390x-key: ${{ secrets.IBM_CLOUD_S390x_API_KEY }}
+        ppc64le-key: ${{ secrets.IBM_CLOUD_POWER_API_KEY }}
+        redhat-username: ${{ secrets.REDHAT_USERNAME }}
+        redhat-password: ${{ secrets.REDHAT_PASSWORD }}
+        vm-type: fedora-coreos
+        job-tag: ''
+        workspace: ${{ github.workspace }}/collector
+
+    - name: Create vars.yml
+      env:
+        FACT_VERSION: ${{ github.head_ref || github.ref_name }}
+      run: |
+        FACT_TAG="$(make -sC "${GITHUB_WORKSPACE}/fact")"
+        cat << EOF > vars.yml
+        ---
+        job_id: ${JOB_ID}
+        fact:
+          tag: ${FACT_TAG}
+          version: ${FACT_VERSION}
+        quay:
+          username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+          password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+        EOF
+
+    - name: Create Test VMs
+      run: |
+        make -C "./collector/ansible" create-ci-vms
+
+    - name: Run the tests
+      run: |
+        ansible-playbook \
+          -i "${GITHUB_WORKSPACE}/collector/ansible/ci" \
+          -e @vars.yml \
+          "${GITHUB_WORKSPACE}/fact/ansible/run-tests.yml"
+
+    - name: Teardown VMs
+      if: always()
+      run: |
+        make -C "./collector/ansible" destroy-vms
+
+    - name: Unarchive logs
+      if: always()
+      run: |
+        cd "${GITHUB_WORKSPACE}/fact/tests"
+        if [[ -f "logs.tar.gz" ]]; then
+          tar xzf "logs.tar.gz"
+          rm -f "logs.tar.gz"
+        fi
+
+    - name: Test summary
+      uses: test-summary/action@v2
+      if: always()
+      with:
+        paths: ${{ github.workspace }}/fact/tests/results.xml
+
+    - name: Store artifacts
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-logs
+        path: |
+          ${{ github.workspace }}/fact/tests/logs
+          ${{ github.workspace }}/fact/tests/results.xml
+        if-no-files-found: ignore

.gitignore

@@ -11,3 +11,10 @@ target/
 # Python stuff
 __pycache__/
 .venv/
+
+# gRPC generated files
+internalapi/
+
+# Files generated by tests
+results.xml
+logs/

Cargo.toml

@@ -15,6 +15,8 @@ aya = { version = "0.13.1", default-features = false }
 anyhow = { version = "1", default-features = false, features = ["std", "backtrace"] }
 clap = { version = "4.5.41", features = ["derive", "env"] }
 env_logger = { version = "0.11.5", default-features = false }
+hyper = { version = "1.6.0", default-features = false }
+hyper-util = { version = "0.1.16", default-features = false }
 libc = { version = "0.2.159", default-features = false }
 log = { version = "0.4.22", default-features = false }
 prost = "0.13.5"
@@ -26,6 +28,7 @@ tokio = { version = "1.40.0", default-features = false, features = [
     "net",
     "signal",
 ] }
+tokio-stream = "0.1.17"
 tonic = { version = "0.13.1", features = ["tls-ring"] }
 tonic-build = "0.13.1"
 uuid = { version = "1.17.0", features = ["v4"] }

Containerfile

@@ -1,4 +1,4 @@
-FROM quay.io/centos/centos:stream9 as builder
+FROM quay.io/centos/centos:stream9 AS builder
 
 RUN dnf install --enablerepo=crb -y \
         clang-20.1.8-1.el9 \

Makefile

@@ -1,4 +1,24 @@
+include constants.mk
+
+tag:
+	@echo "$(FACT_TAG)"
+
+image-name:
+	@echo "$(FACT_IMAGE_NAME)"
+
 mock-server:
 	make -C mock-server
 
-.PHONY: mock-server
+image:
+	docker build \
+		-f Containerfile \
+		-t $(FACT_IMAGE_NAME) \
+		$(CURDIR)
+
+integration-tests:
+	make -C tests
+
+clean:
+	make -C tests clean
+
+.PHONY: tag mock-server integration-tests image image-name clean

ansible/group_vars/gcp.yml

@@ -0,0 +1,2 @@
+---
+ansible_ssh_private_key_file: "{{ lookup('env', 'GCP_SSH_KEY_FILE', default='~/.ssh/google_compute_engine') }}"

ansible/group_vars/platform_fedora_coreos.yml

@@ -0,0 +1,2 @@
+---
+ansible_user: core

ansible/run-tests.yml

@@ -0,0 +1,61 @@
+---
+- name: Run integration tests
+  hosts: "job_id_{{ job_id }}"
+  environment:
+    FACT_TAG: "{{ fact.tag | default(None) }}"
+
+  tasks:
+    - name: Install dependencies
+      become: true
+      community.general.rpm_ostree_pkg:
+        apply_live: true
+        name:
+          - make
+          - python3-packaging
+          - python3-requests
+        state: present
+
+    - name: Login to quay.io
+      community.docker.docker_login:
+        registry_url: quay.io
+        username: "{{ quay.username }}"
+        password: "{{ quay.password }}"
+
+    - name: Clone the repo
+      ansible.builtin.git:
+        repo: https://github.com/stackrox/fact
+        dest: ./fact
+        version: "{{ fact.version }}"
+        update: false
+
+    - name: Install python packages
+      ansible.builtin.pip:
+        requirements: ./fact/tests/requirements.txt
+        chdir: "{{ ansible_env.HOME }}"
+        virtualenv: ./fact/.venv
+        virtualenv_command: python3 -m venv
+
+    - block:
+      - name: Run tests
+        ansible.builtin.shell:
+          cmd: |
+            cd "${HOME}/fact"
+            source ".venv/bin/activate"
+            make integration-tests
+      always:
+      - name: Retrieve results
+        ansible.builtin.fetch:
+          src: "{{ ansible_env.HOME }}/fact/tests/results.xml"
+          dest: ../tests/
+          flat: true
+
+      - name: Compress log files
+        community.general.archive:
+          path: "{{ ansible_env.HOME }}/fact/tests/logs"
+          dest: "{{ ansible_env.HOME }}/fact/tests/logs.tar.gz"
+
+      - name: Fetch log files
+        ansible.builtin.fetch:
+          src: "{{ ansible_env.HOME }}/fact/tests/logs.tar.gz"
+          dest: ../tests/logs.tar.gz
+          flat: true

constants.mk

@@ -0,0 +1,2 @@
+FACT_TAG ?= $(shell git describe --always --tags --abbrev=10 --dirty)
+FACT_IMAGE_NAME ?= quay.io/rhacs-eng/fact:$(FACT_TAG)

fact-ebpf/file.h

@@ -30,6 +30,7 @@ __always_inline static bool has_prefix(const char* s, const char* prefix, uint64
     }
 
     prefix_len -= 8;
+    offset += 8;
   }
 
   for (int i = 0; i < prefix_len; i++) {

fact-ebpf/main.c

@@ -40,9 +40,11 @@ int BPF_PROG(trace_file_open, struct file* file) {
     goto end;
   }
 
+  /* TODO: ROX-30438 This causes a verifier issue with long paths
   if (!is_monitored(event->filename)) {
     goto end;
   }
+  */
 
   event->timestamp = bpf_ktime_get_boot_ns();
 

fact-ebpf/process.h

@@ -25,7 +25,14 @@ __always_inline static const char* get_cpu_cgroup(struct helper_t* helper) {
   int i = 0;
   for (; i < 16; i++) {
     helper->array[i] = (const unsigned char*)BPF_CORE_READ(kn, name);
-    kn = BPF_CORE_READ(kn, __parent);
+    if (bpf_core_field_exists(kn->__parent)) {
+      kn = BPF_CORE_READ(kn, __parent);
+    } else {
+      struct {
+        struct kernfs_node* parent;
+      }* kn_old = (void*)kn;
+      kn = BPF_CORE_READ(kn_old, parent);
+    }
     if (kn == NULL) {
       break;
     }

fact/Cargo.toml

@@ -10,16 +10,19 @@ anyhow = { workspace = true }
 aya = { workspace = true }
 clap = { workspace = true }
 env_logger = { workspace = true }
+hyper = { workspace = true }
+hyper-util = { workspace = true }
 libc = { workspace = true }
 log = { workspace = true }
 tonic = { workspace = true }
 tokio = { workspace = true }
+tokio-stream = { workspace = true }
 prost = { workspace = true }
 prost-types = { workspace = true }
 uuid = { workspace = true }
 
 fact-api = { path = "../fact-api" }
-tokio-stream = "0.1.17"
+http-body-util = "0.1.3"
 
 [build-dependencies]
 anyhow = { workspace = true }

fact/src/config.rs

@@ -16,4 +16,8 @@ pub struct FactConfig {
     /// Directory holding the mTLS certificates and keys
     #[arg(short, long, env = "FACT_CERTS")]
     pub certs: Option<PathBuf>,
+
+    /// Whether a small health_check probe should be run
+    #[arg(long)]
+    pub health_check: bool,
 }

fact/src/event.rs

@@ -1,4 +1,4 @@
-use std::ffi::CStr;
+use std::{ffi::CStr, path::PathBuf};
 
 use uuid::Uuid;
 
@@ -181,17 +181,17 @@ pub struct Event {
     hostname: &'static str,
     process: Process,
     is_external_mount: bool,
-    filename: String,
-    host_file: String,
+    pub filename: PathBuf,
+    host_file: PathBuf,
 }
 
 impl TryFrom<&event_t> for Event {
     type Error = anyhow::Error;
 
     fn try_from(value: &event_t) -> Result<Self, Self::Error> {
         let timestamp = host_info::get_boot_time() + value.timestamp;
-        let filename = slice_to_string(value.filename.as_slice())?;
-        let host_file = slice_to_string(value.host_file.as_slice())?;
+        let filename = slice_to_string(value.filename.as_slice())?.into();
+        let host_file = slice_to_string(value.host_file.as_slice())?.into();
         let process = value.process.try_into()?;
         let is_external_mount = value.is_external_mount != 0;
 
@@ -217,8 +217,8 @@ impl From<Event> for fact_api::FileActivity {
             host_file,
         } = value;
         let activity = fact_api::FileActivityBase {
-            path: filename,
-            host_path: host_file,
+            path: filename.into_os_string().into_string().unwrap(),
+            host_path: host_file.into_os_string().into_string().unwrap(),
             is_external_mount,
         };
         let f_act = fact_api::FileOpen {