Add sample integ tests for latest systemd unit file (opensearch-project#17410)

* Add integration tests for systemd

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Fix indentation

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Remove unit file mount

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Use centos image

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Change method name

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Add sample systemd integ tests to verify behavior

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Update su with sudo probably need to have a privileged mode

Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>

* Additional tests

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Wrap commands with su -c

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Add sudo

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Remove sudo for test process exit

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Minor fixes

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Fixed script string

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Remove redundant code

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Add terminate script

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Modified terminate script

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Add Changelog-3.0 entry

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Fix for gradle precommit workflow

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Fix testing conventions gradle precommit check

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Fix imports

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Only run as part of build integTest, remove gradle check

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Remove bash

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* add sudo for systemctl command

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Remove OpenSearchIntegTest class

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Rename test file

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Add test script

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Extend LuceneTestCase class

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Remove test bash script

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

* Modify build.gradle

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>

---------

Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
Signed-off-by: Peter Zhu <zhujiaxi@amazon.com>
Signed-off-by: Rajat Gupta <72070007+RajatGupta02@users.noreply.github.com>
Co-authored-by: Rajat Gupta <gptrajat@amazon.com>
Co-authored-by: Peter Zhu <zhujiaxi@amazon.com>

Author: 3 people

CHANGELOG-3.0.md

@@ -21,10 +21,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add execution_hint to cardinality aggregator request (#[17312](https://github.com/opensearch-project/OpenSearch/pull/17312))
 - Arrow Flight RPC plugin with Flight server bootstrap logic and client for internode communication ([#16962](https://github.com/opensearch-project/OpenSearch/pull/16962))
 - Added offset management for the pull-based Ingestion ([#17354](https://github.com/opensearch-project/OpenSearch/pull/17354))
+- Added integ tests for systemd configs ([#17410](https://github.com/opensearch-project/OpenSearch/pull/17410))
 - Add filter function for AbstractQueryBuilder, BoolQueryBuilder, ConstantScoreQueryBuilder([#17409](https://github.com/opensearch-project/OpenSearch/pull/17409))
 - [Star Tree] [Search] Resolving keyword & numeric bucket aggregation with metric aggregation using star-tree ([#17165](https://github.com/opensearch-project/OpenSearch/pull/17165))
 - Added error handling support for the pull-based ingestion ([#17427](https://github.com/opensearch-project/OpenSearch/pull/17427))
 
+
 ### Dependencies
 - Update Apache Lucene to 10.1.0 ([#16366](https://github.com/opensearch-project/OpenSearch/pull/16366))
 - Bump Apache HttpCore5/HttpClient5 dependencies from 5.2.5/5.3.1 to 5.3.1/5.4.1 to support ExtendedSocketOption in HttpAsyncClient ([#16757](https://github.com/opensearch-project/OpenSearch/pull/16757))

qa/systemd-test/build.gradle

@@ -0,0 +1,5 @@
+apply plugin: 'opensearch.standalone-rest-test'
+
+tasks.register("integTest", Test){
+    include "**/*IntegTests.class"
+}

qa/systemd-test/src/test/java/org/opensearch/systemdinteg/SystemdIntegTests.java

@@ -0,0 +1,177 @@
+/*
+* SPDX-License-Identifier: Apache-2.0
+*
+* The OpenSearch Contributors require contributions made to
+* this file be licensed under the Apache-2.0 license or a
+* compatible open source license.
+*/
+/*
+* Modifications Copyright OpenSearch Contributors. See
+* GitHub history for details.
+*/
+
+package org.opensearch.systemdinteg;
+import org.apache.lucene.tests.util.LuceneTestCase;
+
+import org.apache.hc.core5.http.HttpHeaders;
+import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.core5.http.HttpStatus;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
+import java.io.BufferedReader;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.util.Locale;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+
+public class SystemdIntegTests extends LuceneTestCase {
+
+    private static String opensearchPid;
+
+    @BeforeClass
+    public static void setup() throws IOException, InterruptedException {
+        opensearchPid = getOpenSearchPid();
+
+        if (opensearchPid.isEmpty()) {
+            throw new RuntimeException("Failed to find OpenSearch process ID");
+        }
+    }
+
+    private static String getOpenSearchPid() throws IOException, InterruptedException {
+        String command = "systemctl show --property=MainPID opensearch";
+        String output = executeCommand(command, "Failed to get OpenSearch PID");
+        return output.replace("MainPID=", "").trim();
+    }
+
+    private boolean checkPathExists(String path) throws IOException, InterruptedException {
+        String command = String.format(Locale.ROOT, "test -e %s && echo true || echo false", path);
+        return Boolean.parseBoolean(executeCommand(command, "Failed to check path existence"));
+    }
+
+    private boolean checkPathReadable(String path) throws IOException, InterruptedException {
+        String command = String.format(Locale.ROOT, "sudo su opensearch -s /bin/sh -c 'test -r %s && echo true || echo false'", path);
+        return Boolean.parseBoolean(executeCommand(command, "Failed to check read permission"));
+    }
+
+    private boolean checkPathWritable(String path) throws IOException, InterruptedException {
+        String command = String.format(Locale.ROOT, "sudo su opensearch -s /bin/sh -c 'test -w %s && echo true || echo false'", path);
+        return Boolean.parseBoolean(executeCommand(command, "Failed to check write permission"));
+    }
+
+    private String getPathOwnership(String path) throws IOException, InterruptedException {
+        String command = String.format(Locale.ROOT, "stat -c '%%U:%%G' %s", path);
+        return executeCommand(command, "Failed to get path ownership");
+    }
+
+    private static String executeCommand(String command, String errorMessage) throws IOException, InterruptedException {
+        Process process = Runtime.getRuntime().exec(new String[]{"bash", "-c", command});
+        try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
+            StringBuilder output = new StringBuilder();
+            String line;
+            while ((line = reader.readLine()) != null) {
+                output.append(line).append("\n");
+            }
+            if (process.waitFor() != 0) {
+                throw new RuntimeException(errorMessage);
+            }
+            return output.toString().trim();
+        }
+    }
+
+    public void testReadOnlyPaths() throws IOException, InterruptedException {
+        String[] readOnlyPaths = {
+            "/etc/os-release", "/usr/lib/os-release", "/etc/system-release",
+            "/proc/self/mountinfo", "/proc/diskstats",
+            "/proc/self/cgroup", "/sys/fs/cgroup/cpu", "/sys/fs/cgroup/cpu/-",
+            "/sys/fs/cgroup/cpuacct", "/sys/fs/cgroup/cpuacct/-",
+            "/sys/fs/cgroup/memory", "/sys/fs/cgroup/memory/-"
+        };
+
+        for (String path : readOnlyPaths) {
+            if (checkPathExists(path)) {
+                assertTrue("Path should be readable: " + path, checkPathReadable(path));
+                assertFalse("Path should not be writable: " + path, checkPathWritable(path));
+            }
+        }
+    }
+
+    public void testReadWritePaths() throws IOException, InterruptedException {
+        String[] readWritePaths = {"/var/log/opensearch", "/var/lib/opensearch"};
+        for (String path : readWritePaths) {
+            assertTrue("Path should exist: " + path, checkPathExists(path));
+            assertTrue("Path should be readable: " + path, checkPathReadable(path));
+            assertTrue("Path should be writable: " + path, checkPathWritable(path));
+            assertEquals("Path should be owned by opensearch:opensearch", "opensearch:opensearch", getPathOwnership(path));
+        }
+    }
+
+    public void testMaxProcesses() throws IOException, InterruptedException {
+        String limits = executeCommand("sudo su -c 'cat /proc/" + opensearchPid + "/limits'", "Failed to read process limits");
+        assertTrue("Max processes limit should be 4096 or unlimited", 
+                limits.contains("Max processes             4096                 4096") ||
+                limits.contains("Max processes             unlimited            unlimited"));
+    }
+
+    public void testFileDescriptorLimit() throws IOException, InterruptedException {
+        String limits = executeCommand("sudo su -c 'cat /proc/" + opensearchPid + "/limits'", "Failed to read process limits");
+        assertTrue("File descriptor limit should be at least 65535", 
+                limits.contains("Max open files            65535                65535") ||
+                limits.contains("Max open files            unlimited            unlimited"));
+    }
+
+    public void testSystemCallFilter() throws IOException, InterruptedException {
+        // Check if Seccomp is enabled
+        String seccomp = executeCommand("sudo su -c 'grep Seccomp /proc/" + opensearchPid + "/status'", "Failed to read Seccomp status");
+        assertFalse("Seccomp should be enabled", seccomp.contains("0"));
+        
+        // Test specific system calls that should be blocked
+        String rebootResult = executeCommand("sudo su opensearch -c 'kill -s SIGHUP 1' 2>&1 || echo 'Operation not permitted'", "Failed to test reboot system call");
+        assertTrue("Reboot system call should be blocked", rebootResult.contains("Operation not permitted"));
+        
+        String swapResult = executeCommand("sudo su opensearch -c 'swapon -a' 2>&1 || echo 'Operation not permitted'", "Failed to test swap system call");
+        assertTrue("Swap system call should be blocked", swapResult.contains("Operation not permitted"));
+    }
+
+    public void testOpenSearchProcessCannotExit() throws IOException, InterruptedException {
+
+        String scriptPath;
+        try {
+            scriptPath = SystemdIntegTests.class.getResource("/scripts/terminate.sh").toURI().getPath();
+        } catch (URISyntaxException e) {
+            throw new RuntimeException("Failed to convert URL to URI", e);
+        }
+
+        if (scriptPath == null) {
+            throw new IllegalStateException("Could not find terminate.sh script in resources");
+        }
+        ProcessBuilder processBuilder = new ProcessBuilder(scriptPath, opensearchPid);
+        Process process = processBuilder.start();
+
+        // Wait a moment for any potential termination to take effect
+        Thread.sleep(2000);
+
+        // Verify the OpenSearch service status
+        String serviceStatus = executeCommand(
+            "systemctl is-active opensearch",
+            "Failed to check OpenSearch service status"
+        );
+
+        assertEquals("OpenSearch service should be active", "active", serviceStatus.trim());
+    }
+
+}

qa/systemd-test/src/test/resources/scripts/terminate.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ $# -ne 1 ]; then
+    echo "Usage: $0 <PID>"
+    exit 1
+fi
+
+if kill -15 $1 2>/dev/null; then
+    echo "SIGTERM signal sent to process $1"
+else
+    echo "Failed to send SIGTERM to process $1"
+fi