
Add patch installation verification tests #873

Open
mthalman opened this issue Jan 11, 2022 · 0 comments

We should be able to define some simple unit tests which verify that patches that are installed in the images correspond to the KB numbers listed in the manifest.versions.json file. This ensures that the Dockerfiles have been generated correctly from that metadata.

This is particularly useful due to the patching strategy of 4.8 runtime Dockerfiles. We keep the 4.8 runtime Dockerfiles updated with the latest patch even if it's not security-related. But when there is a security patch for 4.8, we need to configure the 4.8-is-security-release variable to true. This causes the generated Dockerfiles to not install the patch. They don't need to install the patch because it'll already be installed by the base Windows image. However, consider that the next release following the security patch is a non-security release. In that case, we must set the variable back to false to ensure that the patch gets applied by the Dockerfile. If switching it back to false was mistakenly forgotten, a unit test which verified that the patch is installed in the image would catch this.

Another variant of this type of test would be to verify the 4.8-is-security-release variable is correctly set to true. Not setting it to true when it should would cause unnecessary installation of a patch that already exists in the base Windows image, leading to layer bloat in the image. To guard against this, a test could read the KB number from the manifest.versions.json file and compare it to the patches installed in the base Windows image. If the patch exists in the base Windows image, then 4.8-is-security-release should be set to true.

For implementation purposes, the way to check which patches are installed is the following PowerShell command: Get-HotFix.
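
The two checks described above, as an added PowerShell example that is not code from the dotnet-framework-docker repository. It assumes a manifest layout with the keys "4.8-kb" and "4.8-is-security-release" (the real manifest.versions.json schema may differ), that the hotfix lists are the HotFixID values returned by Get-HotFix inside the runtime image and inside the base Windows image, and that those images can run powershell via docker run; the manifest content and hotfix lists below are constructed so the demo runs offline. The flag check is written to fail in both directions (flag true with no KB in the base image, or flag false with the KB in the base image), which covers both mistakes the issue describes.

```powershell
# Added example, not the project's own test code.
# Assumed manifest keys; the real manifest.versions.json may use a different layout.
$manifestJson = @'
{
  "4.8-kb": "5008873",
  "4.8-is-security-release": false
}
'@

function Get-InstalledKbIds {
    # Returns the HotFixID values (e.g. "KB5008873") reported by Get-HotFix.
    # With -Image, runs Get-HotFix inside that container image instead of locally
    # (assumes the image can run powershell, as the Windows Server Core images can).
    param([string]$Image)
    if ($Image) {
        return @(docker run --rm $Image powershell -Command 'Get-HotFix | Select-Object -ExpandProperty HotFixID')
    }
    return @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
}

function ConvertTo-KbId([string]$Kb) {
    # Accepts "5008873" or "KB5008873" and returns "KB5008873" so manifest values
    # and Get-HotFix output compare on the same form.
    return 'KB' + ($Kb -replace '^KB', '')
}

function Test-RuntimeImageHasPatch {
    # Check 1 from the issue: whether the KB comes from the base image (flag true)
    # or from the generated Dockerfile (flag false), the runtime image must list it.
    # A flag left at true after a non-security release makes this fail.
    param([psobject]$Manifest, [string[]]$RuntimeImageHotFixes)
    $kb = ConvertTo-KbId $Manifest.'4.8-kb'
    $installed = @($RuntimeImageHotFixes | ForEach-Object { ConvertTo-KbId $_ })
    return $installed -contains $kb
}

function Test-SecurityReleaseFlag {
    # Check 2 from the issue: if the base Windows image already carries the KB,
    # 4.8-is-security-release must be true, otherwise the Dockerfile reinstalls
    # the patch and bloats the layer; if it does not, the flag must be false.
    param([psobject]$Manifest, [string[]]$BaseImageHotFixes)
    $kb = ConvertTo-KbId $Manifest.'4.8-kb'
    $inBase = @($BaseImageHotFixes | ForEach-Object { ConvertTo-KbId $_ }) -contains $kb
    return ([bool]$Manifest.'4.8-is-security-release') -eq $inBase
}

# Offline demo: constructed hotfix lists stand in for Get-InstalledKbIds output.
# For a real image: $runtimeHotFixes = Get-InstalledKbIds -Image $runtimeImageTag
$manifest        = $manifestJson | ConvertFrom-Json
$runtimeHotFixes = @('KB5007205', 'KB5008873')
$baseHotFixes    = @('KB5007205')

"runtime image has patch  : $(Test-RuntimeImageHasPatch $manifest $runtimeHotFixes)"
"security flag consistent : $(Test-SecurityReleaseFlag $manifest $baseHotFixes)"

# The mistake the issue describes: the flag is still true after a security
# release, the next non-security patch is not installed by the Dockerfile, and
# the runtime image built from it lacks the KB.
$manifest.'4.8-is-security-release' = $true
$staleRuntimeHotFixes = @('KB5007205')
"stale flag, runtime has patch : $(Test-RuntimeImageHasPatch $manifest $staleRuntimeHotFixes)"
"stale flag, flag consistent   : $(Test-SecurityReleaseFlag $manifest $baseHotFixes)"
```

In a unit test the two hotfix lists would come from Get-InstalledKbIds run against the generated runtime image and against the base Windows image named in the Dockerfile's FROM line, and each Test-* result would be asserted true.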
