josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
19608bef1bcac4fa901680e1e1b8fd428d2f3c9f
Vetting/internal/orchestrator/statemachine_test.go
T
josh 27098fc7ed
CI / Lint + build + test (push) Successful in 1m23s
Details
Release / release (push) Successful in 6m2s
Details
cpustress+orchestrator: serial CPU/RAM passes + silent-skip guard 
Orion's run (log 20:49 → 20:54) shipped GREEN while silently skipping
CPUStress. Two compounding bugs:

1. CPUStress ran --cpu N AND --vm N --vm-bytes 90% concurrently.
   On a 4-core 8 GiB N95, that's 360% RAM overcommit; the OOM-killer
   fired, usually on the agent itself. Replaced with two sequential
   passes — CPU (all methods, --verify) for 3 min, then RAM (--vm 1,
   --vm-bytes capped to MemAvailable − 1.5 GiB, floor 256 MiB, --verify)
   for 3 min. Each pass now also asserts elapsed ≥ target − 2s so a
   premature clean exit counts as failure instead of a silent pass.

2. On systemd-restart after the OOM, the agent hardcoded nextStage :=
   "Inventory" and re-ran it. The orchestrator's /result handler
   advances run state via TriggerStageCompleted against the *current*
   RunState, not against body.Stage — so an Inventory result posted
   while the run was in StateCPUStress silently advanced CPUStress →
   Storage and marked CPUStress passed without it ever running.

Two-layer defense for #2:
- agent-side: /claim response now carries current_state; agent resumes
  at the matching stage on a re-claim (happy path).
- server-side: new TriggerStageMismatch + StageNameForState helper
  backstop. If body.Stage doesn't match the run's current stage, /result
  parks the run in FailedHolding with failed_stage labeled
  "<got> (expected <expected>)" and returns 409.

Other stages audited for similar unbounded concurrency — none found;
only CPUStress was unsafe.

Tests:
- cpustress_test.go — parseMemAvailable parses real meminfo, errors on
  missing/malformed; cap calc hits floor on tiny boxes, uses 1.5 GiB
  headroom on normal/huge boxes.
- statemachine_test.go — TriggerStageMismatch lands at FailedHolding
  from every stage state and is rejected from pre-stage/terminal
  states; StageNameForState round-trips the stageStates map.
- agent_handlers_test.go — TestResult_RejectsMismatchedStage proves
  the Orion scenario now 409s + FailedHolding; TestResult_AcceptsMatchingStage
  proves the guard doesn't break the happy path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 17:29:13 -04:00

166 lines
5.3 KiB
Go
Raw Blame History

package orchestrator_test
import (
"testing"
"vetting/internal/model"
"vetting/internal/orchestrator"
)
func TestNextForOverride(t *testing.T) {
tests := []struct {
name string
from model.RunState
failedStage string
want model.RunState
wantErr bool
}{
{"storage override", model.StateFailedHolding, "Storage", model.StateStorage, false},
{"smart override", model.StateFailedHolding, "SMART", model.StateSMART, false},
{"inventory override", model.StateFailedHolding, "Inventory", model.StateInventoryCheck, false},
{"unknown stage", model.StateFailedHolding, "NotAStage", "", true},
{"not holding", model.StateStorage, "Storage", "", true},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
got, err := orchestrator.NextForOverride(tc.from, tc.failedStage)
if tc.wantErr {
if err == nil {
t.Fatalf("expected error, got %q", got)
}
return
}
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if got != tc.want {
t.Fatalf("got %q, want %q", got, tc.want)
}
})
}
}
// TestTriggerRebootCommanded exercises the new heartbeat-first trigger:
// Queued → WaitingReboot, and any other current state is an error.
func TestTriggerRebootCommanded(t *testing.T) {
got, err := orchestrator.Next(model.StateQueued, orchestrator.TriggerRebootCommanded)
if err != nil {
t.Fatalf("Queued + RebootCommanded: %v", err)
}
if got != model.StateWaitingReboot {
t.Fatalf("got %q, want %q", got, model.StateWaitingReboot)
}
for _, bad := range []model.RunState{
model.StateRegistered, model.StateBooting, model.StateInventoryCheck, model.StateCompleted,
} {
if _, err := orchestrator.Next(bad, orchestrator.TriggerRebootCommanded); err == nil {
t.Fatalf("RebootCommanded from %q: expected error", bad)
}
}
}
// TestTriggerAgentClaimedFromWaitingReboot: the agent's /claim must
// advance the run out of WaitingReboot (new happy path) AND out of
// legacy WaitingWoL, otherwise live boots wouldn't be recognised.
func TestTriggerAgentClaimedFromWaitingReboot(t *testing.T) {
for _, from := range []model.RunState{model.StateWaitingReboot, model.StateWaitingWoL, model.StateBooting} {
got, err := orchestrator.Next(from, orchestrator.TriggerAgentClaimed)
if err != nil {
t.Fatalf("AgentClaimed from %q: %v", from, err)
}
if got != model.StateInventoryCheck {
t.Fatalf("AgentClaimed from %q = %q, want InventoryCheck", from, got)
}
}
}
// TestTriggerStageMismatch asserts the silent-skip guard: from every
// stage-execution state, a mismatch lands the run in FailedHolding, and
// from non-stage states (pre-stages, terminals) the trigger is rejected.
func TestTriggerStageMismatch(t *testing.T) {
stageStates := []model.RunState{
model.StateInventoryCheck,
model.StateSpecValidate,
model.StateSMART,
model.StateCPUStress,
model.StateStorage,
model.StateNetwork,
model.StateGPU,
model.StatePSU,
model.StateReporting,
}
for _, from := range stageStates {
got, err := orchestrator.Next(from, orchestrator.TriggerStageMismatch)
if err != nil {
t.Fatalf("StageMismatch from %q: %v", from, err)
}
if got != model.StateFailedHolding {
t.Fatalf("StageMismatch from %q = %q, want FailedHolding", from, got)
}
}
for _, bad := range []model.RunState{
model.StateRegistered, model.StateQueued, model.StateBooting,
model.StateWaitingReboot, model.StateCompleted, model.StateFailedHolding,
} {
if _, err := orchestrator.Next(bad, orchestrator.TriggerStageMismatch); err == nil {
t.Fatalf("StageMismatch from %q: expected error", bad)
}
}
}
// TestStageNameForState round-trips the stageStates map: every name in
// StateForStage must come back from StageNameForState, and non-stage
// run states return empty.
func TestStageNameForState(t *testing.T) {
pairs := map[string]model.RunState{
"Inventory": model.StateInventoryCheck,
"SpecValidate": model.StateSpecValidate,
"SMART": model.StateSMART,
"CPUStress": model.StateCPUStress,
"Storage": model.StateStorage,
"Network": model.StateNetwork,
"GPU": model.StateGPU,
"PSU": model.StatePSU,
"Reporting": model.StateReporting,
}
for name, state := range pairs {
if got := orchestrator.StageNameForState(state); got != name {
t.Errorf("StageNameForState(%q) = %q, want %q", state, got, name)
}
}
for _, s := range []model.RunState{
model.StateRegistered, model.StateQueued, model.StateBooting,
model.StateWaitingReboot, model.StateCompleted, model.StateFailedHolding,
} {
if got := orchestrator.StageNameForState(s); got != "" {
t.Errorf("StageNameForState(%q) = %q, want empty", s, got)
}
}
}
func TestNextStageWalk(t *testing.T) {
// Walking StageCompleted from each stage should land on the next
// one in the canonical order, and from Reporting onto Completed.
chain := []model.RunState{
model.StateInventoryCheck,
model.StateSpecValidate,
model.StateSMART,
model.StateCPUStress,
model.StateStorage,
model.StateNetwork,
model.StateGPU,
model.StatePSU,
model.StateReporting,
model.StateCompleted,
}
for i := 0; i < len(chain)-1; i++ {
got, err := orchestrator.Next(chain[i], orchestrator.TriggerStageCompleted)
if err != nil {
t.Fatalf("Next(%q): %v", chain[i], err)
}
if got != chain[i+1] {
t.Fatalf("Next(%q) = %q, want %q", chain[i], got, chain[i+1])
}
}
}
Reference in New Issue View Git Blame Copy Permalink