Add a new feature plugin to verify package installation by vaibhavdaren · Pull Request #4660 · teemtee/tmt

vaibhavdaren · 2026-03-09T11:35:01Z

Pull Request Checklist: #4644

gemini-code-assist

Code Review

This pull request adds a verify-installation prepare plugin to verify package installation sources. The implementation includes abstractions in package managers, the plugin itself, its schema, and tests. The changes are well-structured. One minor improvement is suggested for a warning message.

_{Note: Security Review did not run due to the size of the PR.}

tmt/steps/prepare/verify_installation.py

tmt/package_managers/__init__.py

tmt/package_managers/dnf.py

tmt/steps/prepare/verify_installation.py

thrix

Nice plugin addition for verifying package sources. The overall structure follows tmt patterns well (container data class, normalization, schema, beakerlib tests). A few issues to address:

Must fix:

Verification failures don't actually stop test execution - The plugin records FAIL results but doesn't raise PrepareError or append to outcome.exceptions. The prepare step framework only aborts on exceptions, not on FAIL results. This contradicts the docstring promise.
expected_repo should be expected-repo (kebab-case) - tmt convention uses hyphens in user-facing YAML keys. The underscore form is inconsistent with dist-git-source, is-virtualized, etc.

Should verify:
3. dnf5 / yum compatibility for repoquery --queryformat "%{from_repo}" - Dnf5Engine and YumEngine inherit this without override.

Checklist items still unchecked:

Update the specification
Adjust plugin docstring
Mention the version
Include a release note (file exists but version not mentioned)

tmt/steps/prepare/verify_installation.py

tmt/schemas/prepare/verify-installation.yaml

tmt/package_managers/dnf.py

tmt/steps/prepare/verify_installation.py

tmt/package_managers/__init__.py

tmt/steps/prepare/verify_installation.py

tests/prepare/verify-installation/data/main.fmf

tests/prepare/verify-installation/test.sh

tmt/package_managers/dnf.py

tmt/package_managers/__init__.py

tmt/steps/prepare/verify_installation.py

vaibhavdaren · 2026-03-11T00:30:07Z

Addressed comments from code review in f128998.

tmt/package_managers/__init__.py

tmt/package_managers/dnf.py

tmt/schemas/prepare/verify-installation.yaml

tmt/steps/prepare/verify_installation.py

tests/prepare/verify-installation/test.sh

LecrisUT · 2026-03-13T13:31:50Z

tests/prepare/verify-installation/dnf4/test.sh

+    rlPhaseStartTest "Test successful verification on dnf4"
+        rlLog "Verify packages installed from BaseOS and Docker CE repo pass verification"
+
+        rlRun -s "tmt run -i \$run/success --scratch -vvv --all \
+            plan --name /plan/success \
+            provision -h \$PROVISION_HOW --image \$TEST_IMAGE_PREFIX/centos/stream10/upstream:latest" \
+            0 "Run verification test with correct repos"
+
+        rlAssertGrep "pass .* / make" $rlRun_LOG
+        rlAssertGrep "pass .* / diffutils" $rlRun_LOG
+        rlAssertGrep "pass .* / docker-ce-cli" $rlRun_LOG
+        rlAssertGrep "All packages verified successfully." $rlRun_LOG
+        rlAssertGrep "1 test passed" $rlRun_LOG
+    rlPhaseEnd


Please not like this with so much duplication. If needed, please use anything in epel10 and include epel feature. Can try centpkg for example. It doesn't use or test brew but that would be fine for now.

Addressed in a1ea9d1

It is still unnecessarily split between dnf4 and dnf5. Unify them and try to make it similar to /tests/prepare/install. Some adjust using the distro and such would be better

- Change verify field from comma-separated strings to YAML dict format with package and expected_repo keys; remove CLI counterpart for now - Batch-query all packages at once using get_installed_repos() - Record per-package failures as PhaseResult in outcome instead of raising PrepareError; let the framework handle failure reporting - Fail hard on unsupported package managers instead of warning and skipping - Fix docstrings to match surrounding style - Update schema, test data and test assertions accordingly

- Track verification failures with a local flag instead of rescanning outcome.results to avoid false positives from super().go() results - Catch RunError from get_installed_repos and record as ERROR PhaseResult instead of propagating as an unhandled exception - Log unexpected repoquery output lines at debug level instead of silently ignoring them - Use str(m.package) in serialize to avoid Package subclass leaking into serialized output - Remove redundant test assertion for 'make-devel' already covered by 'fail make-devel' check

LecrisUT · 2026-03-13T15:50:14Z

tmt/package_managers/__init__.py

+            parts = line.split(maxsplit=1)
+            if len(parts) == 2:
+                result[parts[0]] = parts[1].strip()
+            elif len(parts) == 1 and parts[0] in result:


parts[0] in result is unnecessary in various ways. Also add comments on what each of these cases represent

thrix · 2026-03-13T23:52:32Z

@vaibhavdaren btw tests are still failing hard? or will that be a focus at the end? Anyway, LGTM from my end now see below :)

thrix

Re-review after 10 iterations. All issues from my previous CHANGES_REQUESTED review have been resolved:

Failures not stopping execution — Fixed: outcome.exceptions populated alongside FAIL results (with FIXME for #4667)
kebab-case naming — No longer applies: schema simplified to plain dict[str, str]
dnf5/yum compatibility — Addressed: YumEngine raises NotImplementedError with comment; dnf5 UUIDs passed through as-is
NotImplementedError handler — Fixed: now emits PhaseResult(ERROR) + appends to outcome.exceptions, consistent with GeneralError handling

The plugin is well-structured — clean architecture (engine → manager → plugin), proper per-package PASS/FAIL results, consistent error handling. Tests cover success and failure paths on both CentOS (dnf4) and Fedora (dnf5).

One remaining item from @LecrisUT: unify data-centos/data-fedora into a single test using adjust with distro conditions instead of separate directories and if rlIsFedora branching.

Nice work iterating through the extensive review feedback @vaibhavdaren!

Generated-by: Claude Code

happz · 2026-03-15T22:54:20Z

tmt/package_managers/__init__.py

+        result: dict[str, Optional[str]] = dict.fromkeys(packages)
+        script = self.engine.get_package_origin(result.keys())
+        output = self.guest.execute(script)
+        for line in (output.stdout or '').strip().splitlines():


There are some loose ends I can't sort out:

the dnf5/dnf4 notes below in the base class implementation suggest that dnf4 probably needs its own custom implementation, an implementation aware of dnf4 quirks.

but then again, what's the contract between engine.get_package_origin() and its callers, what's the expected output? A line per package, in the package origin format - if the dnf4 implementation of this method sneaks in empty lines, it's violating the expectations. This may be problem for commands building images: engine is asked to create a command with expected output, the command would be then executed in container image build time, and the dnf4 command would produce unexpected output, possibly breaking further processing. Maybe we could extend the contract, to make it more liberal: a line per package, in the package origin format, empty lines are ignored. And we no longer need to worry about dnf4 in the base class, dnf4 engine would produce valid script.

the "not installed via a repo" might be more common, other package managers may support installation of packages from files, therefore this might be worth an extension to the get_package_origin() contract: a line per package, in the package origin format, empty lines are ignored, origin is optional and if not specified, it means "unknown".

After this, we would get a simpler base implementation, fewer notes about dnf4 quirks in the base class, nicer protocol for get_package_origin(), and the need for a custom dnf4 implementation would be gone.

happz · 2026-03-15T22:56:03Z

tmt/package_managers/__init__.py

+                result[parts[0]] = parts[1].strip()
+            elif len(parts) == 1:
+                # dnf4: empty %{from_repo} means package was not installed via a repo
+                result[parts[0]] = "[unknown]"


Deserves to be a module-level constant.

vaibhavdaren force-pushed the vaibhav-package-verify-plugin branch from ffe8028 to 5ae12a0 Compare March 9, 2026 11:35

gemini-code-assist bot reviewed Mar 9, 2026

View reviewed changes

tmt/steps/prepare/verify_installation.py Outdated Show resolved Hide resolved

vaibhavdaren marked this pull request as ready for review March 9, 2026 15:45

vaibhavdaren added this to planning Mar 9, 2026

vaibhavdaren moved this to review in planning Mar 9, 2026

vaibhavdaren added the plugin | artifact Related to the `prepare/artifact` plugin. label Mar 9, 2026

vaibhavdaren added this to the 1.69 milestone Mar 9, 2026

vaibhavdaren self-assigned this Mar 9, 2026

LecrisUT reviewed Mar 9, 2026

View reviewed changes

vaibhavdaren force-pushed the vaibhav-package-verify-plugin branch from 45bde38 to 2a3ab0f Compare March 10, 2026 12:05

thrix requested changes Mar 10, 2026

View reviewed changes

tmt/steps/prepare/verify_installation.py Show resolved Hide resolved

tmt/schemas/prepare/verify-installation.yaml Outdated Show resolved Hide resolved

tmt/package_managers/dnf.py Outdated Show resolved Hide resolved

tmt/steps/prepare/verify_installation.py Outdated Show resolved Hide resolved

LecrisUT reviewed Mar 10, 2026

View reviewed changes

thrix mentioned this pull request Mar 10, 2026

Prepare and finish step will now fail when phase fails #4667

Open

2 tasks

vaibhavdaren requested a review from thrix March 11, 2026 00:29

vaibhavdaren added the ci | full test Pull request is ready for the full test execution label Mar 11, 2026

vaibhavdaren force-pushed the vaibhav-package-verify-plugin branch from 6a3a552 to f128998 Compare March 11, 2026 07:20