Opened 7 months ago

Closed 6 months ago

#5566 closed task (fixed)

Add CI testing under sandboxed system

Reported by: strk Owned by: robe
Priority: medium Milestone: Website Management, Bots
Component: QA/buildbots Version:
Keywords: pgextwlist Cc:


We have a few bugs reported in sandboxed systems, like #5212, #5550 and likely #5545 so having proper CI coverage under those condition would be useful.

I've already pgextwlist in the build-test docker image, next we'll need a recipe to make use of that by CI.

Change History (11)

comment:1 by strk, 6 months ago

I've added preconfiguration of pgextwlist in the docker image, and granted postgis_reg_unprivileged_user user db creation privileges with

Once the image build completes ( ) we can experiment with using the unprivileged user for testing.

comment:2 by strk, 6 months ago

Docker image is ready, work in progress pull request to use an non-superuser account to run tests is in

comment:3 by strk, 6 months ago

As I found out empirically, "test using non-superuser account" is too generic: only EXTENSION based tests can run as non-superuser when using pgextwlist (and maybe in the future "trusted" extension - see #5567)

So we need SUPERUSER for script based and can use another role for extension based (if the target database setup allows for that). Maybe a switch could request using a special role for extension via a --extension-test-role or something along those lines.

comment:4 by strk, 6 months ago

I've settled for a POSTGIS_REGRESS_ROLE_EXT_CREATOR environment variable support in which landed in the master branch with [52bfcd5faa3a7577292814d0a5a17c5698a9032f/git]

In I'm experimenting with that.

comment:5 by Sandro Santilli <strk@…>, 6 months ago

In 5739cacd/git: add POSTGIS_REGRESS_DB_OWNER env support

Allows specifying a DB role to be given ownership of the regress
database and be used to create extension of POSTGIS_REGRESS_EXT_CREATOR
is not also provided to override that.

References #5212
References #5566
References #5567

comment:6 by Sandro Santilli <strk@…>, 6 months ago

In b2ee709/git: add —after-create-db-script support

This can be used to configure target database, for example to
enable/configure pgextwlist

References #5566

comment:7 by strk, 6 months ago

CI is failing due to our own script refusing to package functions owned by a different owner than the extension owner:

Should we relax that check and accept mixed ownership as long as the owner of existing function is a superuser ?

comment:8 by strk, 6 months ago

The ownership check was implemented in commit [06f49e8dc83cfd7319709518ba479a3fd95e5000/git] referencing #4648

comment:9 by Sandro Santilli <strk@…>, 6 months ago

In 85395aa/git: use db ext creator for upgrading too

References #5566

comment:10 by Sandro Santilli <strk@…>, 6 months ago

In e2bf40c/git:

Set ownership of packaged functions to extension owner

Still check that the functions were owned by a superuser.

References #4648
References #5545
References #5566

comment:11 by Sandro Santilli <strk@…>, 6 months ago

Resolution: fixed
Status: newclosed

In 5c37f97/git:

[woodie] Test with unprivileged user under pgextwlist

Closes #5566

Note: See TracTickets for help on using tickets.