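# GitHub Actions workflow: runs the gaussdb test suite against an openGauss
# service container with SSL enabled (server certificate + client-cert auth).
# Test certificates (server.crt/server.key/ca.crt/client.crt/client.key) are
# expected under ./certs in the checked-out repository.
#
# Changes from the previous revision:
# - port mapping quoted (YAML strings, never implicitly typed);
# - `sudo cat > file <<EOF` replaced by `cat > file <<EOF`: the redirection is
#   performed by the (unprivileged) calling shell, so the sudo had no effect;
# - SSL verification greps use -w so an error message containing "on" (e.g.
#   "Connection refused") can no longer pass the `SHOW ssl` check;
# - cleanup tolerates an already-stopped/removed container.
name: Tests with SSL

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - "*"
  pull_request:
  workflow_dispatch:

# One run per workflow+branch; a newer push cancels the in-flight one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-22.04
    services:
      opengauss:
        # NOTE(review): floating `latest` tag; pin to a version tag or image
        # digest (opengauss/opengauss-server:<version>) for reproducible runs.
        image: opengauss/opengauss-server:latest
        ports:
          # Published on every interface of the runner host; acceptable on an
          # ephemeral hosted runner, review before using a self-hosted one.
          - "5432:5432"
        env:
          # Throwaway credentials for the ephemeral CI database only. The same
          # password is repeated in GSQL_PASSWORD and the test DSN below.
          GS_USERNAME: root
          GS_USER_PASSWORD: Passwd@123
          GS_PASSWORD: Passwd@123
        # --privileged grants the service container full host capabilities;
        # tolerable on a disposable hosted runner, not on a shared one.
        # --name fixes the container name that later docker exec/cp steps use.
        options: >-
          --privileged=true
          --name opengauss-custom

    steps:
      # No-op on a fresh hosted runner (the workspace is empty before checkout);
      # presumably meant for a reused runner where certs/ may be left owned by
      # another user from a previous run.
      - name: Reset permissions for checkout
        run: |
          sudo chmod -R u+rwX certs || true
        if: always()

      # NOTE(review): actions are pinned by major tag only; pinning to a full
      # commit SHA (uses: actions/checkout@<commit-sha>  # v4) hardens the
      # workflow against a compromised or moved tag.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
          python-version: "3.9"
          cache: pip

      # Every `run` step starts a fresh shell, so the activation here does not
      # carry over; later steps re-run `source venv/bin/activate` themselves.
      # VENV_PATH is exported via GITHUB_ENV for any consumer that wants the
      # bin directory; nothing in this workflow reads it.
      - name: Create and activate virtual environment
        run: |
          python -m venv venv
          echo "VENV_PATH=$GITHUB_WORKSPACE/venv/bin" >> $GITHUB_ENV
          source venv/bin/activate

      # Host-side `omm` account, used only as the owner of the config and
      # certificate files prepared below (the container side uses its own
      # `omm` user; uid mapping between the two is not guaranteed).
      - name: Create omm user
        run: |
          sudo useradd -m -s /bin/bash omm || true
          sudo usermod -aG docker omm || true

      - name: Create configuration directories
        run: |
          mkdir -p ${{ github.workspace }}/opengauss/conf
          sudo chown omm:omm ${{ github.workspace }}/certs || true
          sudo chmod 755 ${{ github.workspace }}/opengauss/conf ${{ github.workspace }}/certs || true

      # Temporarily relaxes the key files to 0644 (presumably so they can be
      # read for the docker cp below). "Fix SSL cert permissions" later restores
      # 0600 on the whole directory, which libpq requires for the client key
      # referenced by the test DSN.
      - name: Set certificate permissions
        run: |
          sudo chown -R omm:omm ${{ github.workspace }}/certs
          sudo chmod 644 ${{ github.workspace }}/certs/*key || true
          sudo chmod 644 ${{ github.workspace }}/certs/*.crt || true

      # Writes the server config that is copied into the container below.
      # The conf directory was created by the runner user, so a plain
      # redirection suffices (the former `sudo cat >` redirected as the runner
      # user anyway). Settings worth knowing when reusing this file:
      # - password_encryption_type = 0 selects the MD5 password scheme (the
      #   weakest option); fine for a throwaway CI database only.
      # - listen_addresses = '*' makes the server accept non-loopback clients;
      #   the test connects via the published port, which arrives from the
      #   docker bridge address, not 127.0.0.1.
      # - ssl, ssl_cert_file, ssl_key_file, ssl_ca_file must match the paths
      #   used in "Copy configuration files to container data directory" and
      #   "Verify SSL configuration".
      - name: Create postgresql.conf with SSL
        run: |
          cat > ${{ github.workspace }}/opengauss/conf/postgresql.conf <<'EOF'
          max_connections = 200
          session_timeout = 10min
          bulk_write_ring_size = 2GB
          max_prepared_transactions = 200
          cstore_buffers = 512MB
          enable_incremental_checkpoint = on
          incremental_checkpoint_timeout = 60s
          enable_double_write = on
          wal_keep_segments = 16
          enable_slot_log = off
          synchronous_standby_names = '*'
          walsender_max_send_size = 8MB
          hot_standby = on
          enable_kill_query = off
          logging_collector = on
          log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
          log_file_mode = 0600
          log_rotation_size = 20MB
          log_min_duration_statement = 1800000
          log_connections = off
          log_disconnections = off
          log_duration = off
          log_hostname = off
          log_line_prefix = '%m %u %d %h %p %S '
          log_timezone = 'UTC'
          enable_alarm = on
          connection_alarm_rate = 0.9
          alarm_report_interval = 10
          alarm_component = '/opt/snas/bin/snas_cm_cmd'
          use_workload_manager = on
          datestyle = 'iso, mdy'
          timezone = 'UTC'
          lc_messages = 'en_US.utf8'
          lc_monetary = 'en_US.utf8'
          lc_numeric = 'en_US.utf8'
          lc_time = 'en_US.utf8'
          default_text_search_config = 'pg_catalog.english'
          lockwait_timeout = 1200s
          pgxc_node_name = 'gaussdb'
          audit_enabled = on
          job_queue_processes = 10
          dolphin.nulls_minimal_policy = on
          password_encryption_type = 0
          wal_level = logical
          application_name = ''
          listen_addresses = '*'
          max_replication_slots = 10
          max_wal_senders = 10
          shared_buffers = 512MB
          ssl = on
          ssl_cert_file = '/var/lib/opengauss/certs/server.crt'
          ssl_key_file = '/var/lib/opengauss/certs/server.key'
          ssl_ca_file = '/var/lib/opengauss/certs/ca.crt'
          EOF

      # Client authentication rules; the first matching line wins, so order
      # matters. The `hostssl ... cert` line precedes `host ... md5`: an SSL
      # connection from a non-loopback address (the test client) is
      # authenticated by its client certificate, a plain-TCP connection by
      # password. The `host all all 0.0.0.0/0 md5` line admits unencrypted
      # password logins from any address; acceptable for a disposable CI
      # database, not a template for a real deployment.
      - name: Create pg_hba.conf with SSL
        run: |
          cat >${{ github.workspace }}/opengauss/conf/pg_hba.conf <<'EOF'
          local all all trust
          host all all 127.0.0.1/32 trust
          host all all ::1/128 trust
          hostssl all all 0.0.0.0/0 cert
          host all all 0.0.0.0/0 md5
          host replication gaussdb 0.0.0.0/0 md5
          EOF

      - name: Fix ownership
        run: |
          sudo chown -R omm:omm ${{ github.workspace }}/opengauss
          sudo chmod 644 ${{ github.workspace }}/opengauss/conf/*

      # Diagnostics only; output is useful when a later docker step fails.
      - name: Debug file permissions
        run: |
          ls -l ${{ github.workspace }}/opengauss/conf/
          whoami
          docker info --format '{{.ServerVersion}}'
          docker ps -a

      # Targets the running service container by the fixed name set in
      # `options`. The server only picks the new files up after the restart
      # step below.
      - name: Copy configuration files to container data directory
        run: |
          docker exec opengauss-custom mkdir -p /var/lib/opengauss/data
          docker cp ${{ github.workspace }}/opengauss/conf/postgresql.conf opengauss-custom:/var/lib/opengauss/data/postgresql.conf
          docker cp ${{ github.workspace }}/opengauss/conf/pg_hba.conf opengauss-custom:/var/lib/opengauss/data/pg_hba.conf
          docker exec opengauss-custom mkdir -p /var/lib/opengauss/certs
          docker cp ${{ github.workspace }}/certs/server.crt opengauss-custom:/var/lib/opengauss/certs/
          docker cp ${{ github.workspace }}/certs/server.key opengauss-custom:/var/lib/opengauss/certs/
          docker cp ${{ github.workspace }}/certs/ca.crt opengauss-custom:/var/lib/opengauss/certs/

      # Hands the certs back to the runner user at 0600: libpq refuses a
      # client key that is readable by others, and the test DSN points at
      # certs/client.key.
      - name: Fix SSL cert permissions
        run: |
          sudo chown -R $(whoami):$(whoami) ${{ github.workspace }}/certs
          sudo chmod 600 ${{ github.workspace }}/certs/*

      # Same rule on the server side: the server key must be private to the
      # account the database runs as.
      - name: Set permissions inside container
        run: |
          docker exec opengauss-custom chown omm:omm /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf /var/lib/opengauss/certs/server.crt /var/lib/opengauss/certs/server.key /var/lib/opengauss/certs/ca.crt
          docker exec opengauss-custom chmod 600 /var/lib/opengauss/data/postgresql.conf /var/lib/opengauss/data/pg_hba.conf /var/lib/opengauss/certs/server.crt /var/lib/opengauss/certs/server.key /var/lib/opengauss/certs/ca.crt

      - name: Restart openGauss to apply configuration
        run: |
          docker restart opengauss-custom

      # NOTE(review): the driver archive is fetched over HTTPS but its content
      # is not verified. Record the publisher's digest and check it before
      # unpacking, e.g. `echo "<sha256>  /tmp/GaussDB_driver.zip" | sha256sum -c`.
      # The extracted libraries live in /tmp/lib, which is then registered in
      # the global loader path (both via ld.so.conf.d and by prepending to
      # /etc/ld.so.conf); every dynamically linked program on the runner
      # searches it first, so this is only acceptable on a disposable runner.
      - name: Install GaussDB libpq driver
        run: |
          sudo apt update
          sudo apt install -y wget unzip
          wget -O /tmp/GaussDB_driver.zip https://dbs-download.obs.cn-north-1.myhuaweicloud.com/GaussDB/1730887196055/GaussDB_driver.zip
          unzip /tmp/GaussDB_driver.zip -d /tmp/ && rm -rf /tmp/GaussDB_driver.zip
          \cp /tmp/GaussDB_driver/Centralized/Hce2_X86_64/GaussDB-Kernel*64bit_Python.tar.gz /tmp/
          tar -zxvf /tmp/GaussDB-Kernel*64bit_Python.tar.gz -C /tmp/ && rm -rf /tmp/GaussDB-Kernel*64bit_Python.tar.gz && rm -rf /tmp/_GaussDB && rm -rf /tmp/GaussDB_driver
          echo /tmp/lib | sudo tee /etc/ld.so.conf.d/gauss-libpq.conf
          sudo sed -i '1s|^|/tmp/lib\n|' /etc/ld.so.conf
          sudo ldconfig
          ldconfig -p | grep pq

      - name: Install dependencies
        run: |
          source venv/bin/activate
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install ./tools/isort-gaussdb/
          pip install "./gaussdb[dev,test]"
          pip install ./gaussdb_pool

      # Polls up to 30 times, 10 s apart (about 5 minutes), then fails the job
      # with an explicit message instead of letting the tests time out.
      - name: Wait for openGauss to be ready
        env:
          GSQL_PASSWORD: Passwd@123
        run: |
          source venv/bin/activate
          for i in {1..30}; do
            pg_isready -h localhost -p 5432 -U root && break
            sleep 10
          done
          if ! pg_isready -h localhost -p 5432 -U root; then
            echo "openGauss is not ready"
            exit 1
          fi

      # Confirms the restarted server actually loaded the SSL settings.
      # `grep -w` matches "on" only as a whole word, so an error message such
      # as "Connection refused" from a failed docker exec/gsql cannot satisfy
      # the check (the pipeline has no pipefail, so the grep is the only gate).
      - name: Verify SSL configuration
        run: |
          docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl;\"'" | grep -qw "on" || { echo "ERROR: ssl is not set to 'on'"; exit 1; }
          docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl_cert_file;\"'" | grep -q "/var/lib/opengauss/certs/server.crt" || { echo "ERROR: ssl_cert_file is not set to '/var/lib/opengauss/certs/server.crt'"; exit 1; }
          docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl_key_file;\"'" | grep -q "/var/lib/opengauss/certs/server.key" || { echo "ERROR: ssl_key_file is not set to '/var/lib/opengauss/certs/server.key'"; exit 1; }
          docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"SHOW ssl_ca_file;\"'" | grep -q "/var/lib/opengauss/certs/ca.crt" || { echo "ERROR: ssl_ca_file is not set to '/var/lib/opengauss/certs/ca.crt'"; exit 1; }
          echo "SSL configuration verified successfully"

      - name: Create test database
        run: |
          docker exec opengauss-custom bash -c "su - omm -c 'gsql -d postgres -c \"CREATE DATABASE test ;\"'"

      - name: Create report directory
        run: |
          mkdir -p reports

      # Diagnostics only: prints interpreter, event-loop policy and dnspython
      # details to help triage async-resolver test failures.
      - name: Print DNS and Python environment
        run: |
          source venv/bin/activate
          python - << 'EOF'
          import asyncio
          import dns
          import dns.version
          import dns.asyncresolver
          print("Python version:")
          import sys; print(sys.version)
          print("\nEvent loop policy:")
          print(asyncio.get_event_loop_policy())
          print("\nDnspython version:")
          print(dns.version.version)
          print("\nAsync resolver instance:")
          r = dns.asyncresolver.Resolver()
          print(r)
          EOF

      # GAUSSDB_TEST_DSN: sslmode=verify-ca checks the server cert against
      # certs/ca.crt but not the hostname (presumably the test server cert is
      # not issued for 127.0.0.1 — verify-full would be the stricter choice if
      # it were). sslcert/sslkey supply the client certificate that the
      # `hostssl ... cert` pg_hba rule authenticates; the password is the
      # throwaway CI value from the service env. PGSSLDEBUG appears intended as
      # a driver-side SSL debug switch — confirm the installed libpq honours it.
      - name: Run tests
        env:
          PYTHONPATH: ./gaussdb:./gaussdb_pool
          GAUSSDB_IMPL: python
          GAUSSDB_TEST_DSN: "host=127.0.0.1 port=5432 dbname=test user=root password=Passwd@123 sslmode=verify-ca sslrootcert=${{ github.workspace }}/certs/ca.crt sslcert=${{ github.workspace }}/certs/client.crt sslkey=${{ github.workspace }}/certs/client.key"
        run: |
          export PGSSLDEBUG=1
          source venv/bin/activate
          pytest -s -v

      # Runs even when an earlier step failed; `|| true` keeps an already
      # stopped or already removed container from turning cleanup into a
      # second failure.
      - name: Cleanup
        if: always()
        run: |
          docker stop opengauss-custom || true
          docker rm opengauss-custom || true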