Merge pull request #6673 from grondo/downgrade-flux-security

configure: relax flux-security version check
flux-framework · Mar 1, 2025 · ff486ca · ff486ca
2 parents f15140e + 8d61172
commit ff486ca
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 1 deletion.
diff --git a/configure.ac b/configure.ac
@@ -433,7 +433,7 @@ AS_IF([test x$enable_code_coverage = xyes], [
 AC_ARG_WITH([flux-security], AS_HELP_STRING([--with-flux-security],
              [Build with flux-security]))
 AS_IF([test "x$with_flux_security" = "xyes"], [
-    PKG_CHECK_MODULES([FLUX_SECURITY], [flux-security >= 0.14.0],
+    PKG_CHECK_MODULES([FLUX_SECURITY], [flux-security >= 0.13.0],
       [flux_sec_incdir=`$PKG_CONFIG --variable=includedir flux-security`])
     AS_IF([test "x$flux_sec_incdir" = x],
           [AC_MSG_ERROR([couldn't find flux-security include directory])])

diff --git a/src/modules/sdexec/sdexec.c b/src/modules/sdexec/sdexec.c
@@ -29,6 +29,9 @@
 #define UUID_STR_LEN 37     // defined in later libuuid headers
 #endif
 #include <flux/core.h>
+#if HAVE_FLUX_SECURITY
+#include <flux/security/version.h>
+#endif
 
 
 #include "src/common/libsubprocess/client.h"
@@ -1326,12 +1329,37 @@ static int sdbus_is_loaded (flux_t *h, uint32_t rank, flux_error_t *error)
     return 0;
 }
 
+static int check_security_version (void)
+{
+#if HAVE_FLUX_SECURITY
+    int major, minor;
+
+    if (flux_security_version (&major, &minor, NULL) < 0
+        || (major == 0 && minor < 14)) {
+        errno = EINVAL;
+        return -1;
+    }
+#endif /* HAVE_FLUX_SECURITY */
+    return 0;
+}
+
 int mod_main (flux_t *h, int argc, char **argv)
 {
     struct sdexec_ctx *ctx;
     flux_error_t error;
     int rc = -1;
 
+    /* sdexec launches work in transient Type=notify containers, but
+     * this functionality requires flux-security v0.14.0 or greater.
+     * Check for correct flux-security version here and abort if the
+     * requirement is not met (check is skipped if flux-core is not
+     * built with flux-security):
+     */
+    if (check_security_version () < 0) {
+        flux_log (h, LOG_ERR, "sdexec requires flux-security >= v0.14.0 ");
+        return -1;
+    }
+
     if (!(ctx = sdexec_ctx_create (h)))
         goto error;
     if (sdexec_configure (ctx, flux_get_conf (h), &error) < 0) {

diff --git a/t/sharness.d/flux-sharness.sh b/t/sharness.d/flux-sharness.sh
@@ -316,6 +316,29 @@ test_columns_variable_preserved() {
 	test "$cols" = "12"
 }
 
+#  flux-security version check. If flux is built with flux-security,
+#  check that version >= x.y.z:
+#
+#  Usage: test_flux_security_version x.y.z
+#
+#  Sets FLUX_SECURITY_VERSION environment variable for use after return
+#  Note this function always succeeds if flux is not built with flux-security.
+#  If a test requires flux-security, that should be separately tested.
+#
+test_flux_security_version() {
+    req_major=$(echo $1 | cut -d. -f1)
+    req_minor=$(echo $1 | cut -d. -f2)
+    req_patch=$(echo $1 | cut -d. -f3)
+    FLUX_SECURITY_VERSION=$(flux version | awk '/security:/ {print $2}')
+    if test -z "$FLUX_SECURITY_VERSION"; then
+        return 0
+    fi
+    major=$(echo $FLUX_SECURITY_VERSION | cut -d. -f1)
+    minor=$(echo $FLUX_SECURITY_VERSION | cut -d. -f2)
+    patch=$(echo $FLUX_SECURITY_VERSION | cut -d. -f3)
+    test $major -ge $req_major -a $minor -ge $req_minor -a $patch -ge $req_patch
+}
+
 #  Export a shorter name for this test
 TEST_NAME=$SHARNESS_TEST_NAME
 export TEST_NAME

diff --git a/t/t2409-sdexec.t b/t/t2409-sdexec.t
@@ -17,6 +17,10 @@ if ! busctl --user status >/dev/null; then
 	skip_all="user dbus is not running"
 	test_done
 fi
+if ! test_flux_security_version 0.14.0; then
+	skip_all="requires flux-security >= v0.14, got ${FLUX_SECURITY_VERSION}"
+	test_done
+fi
 
 test_under_flux 2 minimal
 

diff --git a/t/t2410-sdexec-memlimit.t b/t/t2410-sdexec-memlimit.t
@@ -29,6 +29,10 @@ if ! systemctl show user@$(id -u) -p DelegateControllers | grep memory; then
 	skip_all="cgroups memory controller is not delegated"
 	test_done
 fi
+if ! test_flux_security_version 0.14.0; then
+	skip_all="requires flux-security >= v0.14, got ${FLUX_SECURITY_VERSION}"
+	test_done
+fi
 if stress=$(which stress); then
 	test_set_prereq STRESS
 fi

diff --git a/t/t2411-sdexec-job.t b/t/t2411-sdexec-job.t
@@ -17,6 +17,10 @@ if ! busctl --user status >/dev/null; then
 	skip_all="user dbus is not running"
 	test_done
 fi
+if ! test_flux_security_version 0.14.0; then
+	skip_all="requires flux-security >= v0.14, got ${FLUX_SECURITY_VERSION}"
+	test_done
+fi
 
 mkdir -p config
 cat >config/config.toml <<EOT