testsuite: secure stdio-pipe daemon transport by default, opt-in TCP

Daemon-mode tests default to the stdio-pipe transport (RSYNC_CONNECT_PROG), which opens no listening socket -- so `make check` never exposes a network service. Real TCP is opt-in via `runtests.py --use-tcp`, with the daemon bound to loopback (127.0.0.1) on a claim_ports()-reserved port; CI runs the suite both ways. start_test_daemon() is the single seam every daemon test uses: the secure pipe by default, a real rsyncd on a claimed loopback port under --use-tcp. Tests with no pipe equivalent (the fake-proxy listener and the reverse-DNS hostname-ACL daemon test) are gated behind require_tcp(). `make check` also now runs the suite in parallel by default (CHECK_J=8); the claim_ports() byte-range locks make that safe across concurrent runs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-08 06:05:57 -04:00 · 2026-05-21 14:14:13 +10:00
parent bf8aab51e8
commit bea8a3a16f
25 changed files with 331 additions and 113 deletions
--- a/.github/workflows/almalinux-8-build.yml
+++ b/.github/workflows/almalinux-8-build.yml
@@ -59,8 +59,13 @@ jobs:
      run: ./rsync --version
    - name: check
      # In the container we already run as root, so no sudo. The
-      # crtimes-not-supported skip matches the other Linux jobs.
-      run: RSYNC_EXPECT_SKIPPED=crtimes make check
+      # crtimes-not-supported skip matches the other Linux jobs;
+      # daemon-chroot-acl and proxy-response-line-too-long skip because
+      # the default (secure) transport opens no listening socket.
+      run: RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check
+    - name: check (TCP daemon transport)
+      # Second run exercising the real loopback-TCP daemon path.
+      run: ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
    - name: ssl file list
      run: ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
--- a/.github/workflows/cygwin-build.yml
+++ b/.github/workflows/cygwin-build.yml
@@ -39,7 +39,11 @@ jobs:
    - name: info
      run: bash -c '/usr/local/bin/rsync --version'
    - name: check
-      run: bash -c 'RSYNC_EXPECT_SKIPPED=acls-default,acls,bare-do-open-symlink-race,chdir-symlink-race,chown,daemon-chroot-acl,devices,dir-sgid,open-noatime,protected-regular,sender-flist-symlink-leak,simd-checksum,symlink-dirlink-basis make check'
+      run: bash -c 'RSYNC_EXPECT_SKIPPED=acls-default,acls,bare-do-open-symlink-race,chdir-symlink-race,chown,daemon-chroot-acl,devices,dir-sgid,open-noatime,protected-regular,proxy-response-line-too-long,sender-flist-symlink-leak,simd-checksum,symlink-dirlink-basis make check'
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd; the default
+      # 'make check' above uses the secure stdio-pipe transport.
+      run: bash -c './runtests.py --rsync-bin=`pwd`/rsync.exe --use-tcp -j 8'
    - name: ssl file list
      run: bash -c 'PATH="/usr/local/bin:$PATH" rsync-ssl --no-motd download.samba.org::rsyncftp/ || true'
    - name: save artifact
--- a/.github/workflows/freebsd-build.yml
+++ b/.github/workflows/freebsd-build.yml
@@ -35,6 +35,7 @@ jobs:
          make
          ./rsync --version
          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
      uses: actions/upload-artifact@v4
--- a/.github/workflows/macos-build.yml
+++ b/.github/workflows/macos-build.yml
@@ -41,7 +41,11 @@ jobs:
    - name: info
      run: rsync --version
    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=acls-default,chmod-temp-dir,chown-fake,daemon-chroot-acl,devices-fake,dir-sgid,open-noatime,protected-regular,simd-checksum,xattrs-hlink,xattrs make check
+      run: sudo RSYNC_EXPECT_SKIPPED=acls-default,chmod-temp-dir,chown-fake,daemon-chroot-acl,devices-fake,dir-sgid,open-noatime,protected-regular,proxy-response-line-too-long,simd-checksum,xattrs-hlink,xattrs make check
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd; the default
+      # 'make check' above uses the secure stdio-pipe transport.
+      run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
    - name: ssl file list
      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
--- a/.github/workflows/netbsd-build.yml
+++ b/.github/workflows/netbsd-build.yml
@@ -36,6 +36,7 @@ jobs:
          make
          ./rsync --version
          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
      uses: actions/upload-artifact@v4
--- a/.github/workflows/openbsd-build.yml
+++ b/.github/workflows/openbsd-build.yml
@@ -37,6 +37,7 @@ jobs:
          make
          ./rsync --version
          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
      uses: actions/upload-artifact@v4
--- a/.github/workflows/solaris-build.yml
+++ b/.github/workflows/solaris-build.yml
@@ -35,6 +35,7 @@ jobs:
          make
          ./rsync --version
          make check
+          ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
          ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
      uses: actions/upload-artifact@v4
--- a/.github/workflows/ubuntu-22.04-build.yml
+++ b/.github/workflows/ubuntu-22.04-build.yml
@@ -39,11 +39,15 @@ jobs:
    - name: info
      run: rsync --version
    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check
    - name: check30
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check30
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check30
    - name: check29
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check29
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check29
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd; the default
+      # 'make check' above uses the secure stdio-pipe transport.
+      run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
    - name: ssl file list
      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact
--- a/.github/workflows/ubuntu-build.yml
+++ b/.github/workflows/ubuntu-build.yml
@@ -35,11 +35,17 @@ jobs:
    - name: info
      run: rsync --version
    - name: check
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check
    - name: check30
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check30
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check30
    - name: check29
-      run: sudo RSYNC_EXPECT_SKIPPED=crtimes make check29
+      run: sudo RSYNC_EXPECT_SKIPPED=crtimes,daemon-chroot-acl,proxy-response-line-too-long make check29
+    - name: check (TCP daemon transport)
+      # Second run with daemon tests over a real loopback rsyncd. The default
+      # 'make check' above uses the secure stdio-pipe transport (no listening
+      # sockets); this run exercises the real TCP accept/auth path. Skip-set
+      # is env-dependent here (chroot-acl), so leave RSYNC_EXPECT_SKIPPED unset.
+      run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8
    - name: ssl file list
      run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true
    - name: save artifact