syscall: TestGroupCleanupUserNamespace failure on linux-s390x-ibm

[bcmills]

--- FAIL: TestGroupCleanupUserNamespace (0.00s)
    exec_linux_test.go:311: id command output: "uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0", expected one of ["uid=0(root) gid=0(root) groups=0(root)" "uid=0(root) gid=0(root) groups=0(root),65534(nobody)" "uid=0(root) gid=0(root) groups=0(root),65534(nogroup)" "uid=0(root) gid=0(root) groups=0(root),65534" "uid=0(root) gid=0(root) groups=0(root),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody),65534(nobody)" "uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023" "uid=0(root) gid=0(root) groups=0(root),65534(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"]
FAIL
FAIL	syscall	0.924s

greplogs --dashboard -md -l -e 'FAIL: TestGroupCleanupUserNamespace'

2022-03-31T20:02:55-f990b0f/linux-s390x-ibm

This test is empirically fragile and non-portable: it has broken (and had to be updated) in at least #16224, #16303, #19938, #34547, and #46752. With that many hard-coded special cases, it is all but certain that we have missed some.

It isn't clear to me from reading the test what property it is actually testing or what invariants it expects (it is quite sparse on commentary). Given the empirical fragility of the test, and given that the syscall package is essentially frozen at this point anyway, I suggest that we delete the test outright. Barring that, if someone feels strongly enough about keeping the test to make it more robust, perhaps it would be reasonable for the test to actually parse the output string, strip the context field, and ensure that the groups in the reported list are all identical to nobody or nogroup.

[gopherbot]

Change https://go.dev/cl/397316 mentions this issue: syscall: relax output check in TestGroupCleanupUserNamespace

[jonathan-albrecht-ibm]

Thanks @bcmills for fixing this. I was adding a new builder on Thurs which caused the failure only when run from systemd. I've figured out how to reproduce the error locally on the new builder so I can confirm it fixes the problem. The new builder is at a newer version of RHEL 8 but I haven't figured out why the selinux info is different on the old builders vs new new one. All have selinux enabled and are run from systemd.

Could this be backported to 1.18 and 1.17 so those branches will also be fixed? Would older release branches need it as well or are they guaranteed not to be built anymore? If it can't be backported everywhere its needed I'll probably disable selinux because I don't think I'll find a fix.

[bcmills]

@gopherbot, please backport to Go 1.17 and 1.18. This is a test-only fix for an issue exposed by a builder upgrade.

[gopherbot]

Backport issue(s) opened: #52148 (for 1.17), #52149 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[bcmills]

We won't need to backport to branches before 1.17 because they're no longer running tests. It's ultimately up to the release team to decide on the 1.17 and 1.18 backports but TBH I think it's a shoo-in.

[gopherbot]

Change https://go.dev/cl/398234 mentions this issue: [release-branch.go1.18] syscall: relax output check in TestGroupCleanupUserNamespace

[gopherbot]

Change https://go.dev/cl/398235 mentions this issue: [release-branch.go1.17] syscall: relax output check in TestGroupCleanupUserNamespace