Merge pull request #11163 from cevich/v3.3_update_images

[V3.3] Update images

11 files changed, 55 insertions, 63 deletions

diff --git a/.cirrus.yml b/.cirrus.yml
index 7e235d1a5..cf3bc1f51 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -30,20 +30,17 @@ env:
     PRIOR_UBUNTU_NAME: "ubuntu-2010"
 
     # Google-cloud VM Images
-    # TODO: At the time of this comment, an selinux-policy regression is blocking use of updated
-    # Fedora VM images: https://bugzilla.redhat.com/show_bug.cgi?id=1965743
-    IMAGE_SUFFIX_UBUNTU: "c5521575421149184"
-    IMAGE_SUFFIX: "c5348179051806720"
+    IMAGE_SUFFIX: "c6737534580424704"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
-    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX_UBUNTU}"
-    PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX_UBUNTU}"
+    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
+    PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX}"
 
     # Container FQIN's
     FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
-    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX_UBUNTU}"
-    PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX_UBUNTU}"
+    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"
+    PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX}"
 
     ####
     #### Control variables that determine what to run and how to run it.
@@ -241,7 +238,12 @@ bindings_task:
     clone_script: *noop  # Comes from cache
     setup_script: *setup
     main_script: *main
-    always: *runner_stats
+    always: &html_artifacts
+        <<: *runner_stats
+        # Required for `contrib/cirrus/logformatter` to work properly
+        html_artifacts:
+            path: ./*.html
+            type: text/html
 
 
 # Build the "libpod" API documentation `swagger.yaml` and
@@ -429,11 +431,7 @@ apiv2_test_task:
     setup_script: *setup
     main_script: *main
     always: &logs_artifacts
-        <<: *runner_stats
-        # Required for `contrib/cirrus/logformatter` to work properly
-        html_artifacts:
-            path: ./*.html
-            type: text/html
+        <<: *html_artifacts
         package_versions_script: '$SCRIPT_BASE/logcollector.sh packages'
         df_script: '$SCRIPT_BASE/logcollector.sh df'
         audit_log_script: '$SCRIPT_BASE/logcollector.sh audit'
@@ -632,11 +630,7 @@ rootless_system_test_task:
     main_script: *main
     always: *logs_artifacts
 
-# FIXME: we may want to consider running this from nightly cron instead of CI.
-# The tests are actually pretty quick (less than a minute) but they do rely
-# on pulling images from quay.io, which means we're subject to network flakes.
-#
-# FIXME: how does this env matrix work, anyway? Does it spin up multiple VMs?
+# TODO: Runs on multiple VMs
 # We might just want to encode the version matrix in runner.sh instead
 upgrade_test_task:
     name: "Upgrade test: from $PODMAN_UPGRADE_FROM"
@@ -677,18 +671,11 @@ meta_task:
         image: quay.io/libpod/imgts:$IMAGE_SUFFIX
     env:
         # Space-separated list of images used by this repository state
-        # TODO: Protect commonly tagged ubuntu images from puning in case
-        # workaround for BZ1965743 remains in use beyond the 30-days.
-        # Ref sha 404d5edb155
         IMGNAMES: >-
             ${FEDORA_CACHE_IMAGE_NAME}
             ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
             ${UBUNTU_CACHE_IMAGE_NAME}
             ${PRIOR_UBUNTU_CACHE_IMAGE_NAME}
-            fedora-${IMAGE_SUFFIX_UBUNTU}
-            prior-fedora-${IMAGE_SUFFIX_UBUNTU}
-            ubuntu-${IMAGE_SUFFIX}
-            prior-ubuntu-${IMAGE_SUFFIX}
         BUILDID: "${CIRRUS_BUILD_ID}"
         REPOREF: "${CIRRUS_REPO_NAME}"
         GCPJSON: ENCRYPTED[3a198350077849c8df14b723c0f4c9fece9ebe6408d35982e7adf2105a33f8e0e166ed3ed614875a0887e1af2b8775f4]
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 86b8d78ef..ca35972d0 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -196,7 +196,7 @@ case "$TEST_FLAVOR" in
     unit) ;;
     apiv2) ;&  # use next item
     compose)
-        dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker*
+        rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-docker*
         ;&  # continue with next item
     int) ;&
     sys) ;&
diff --git a/test/buildah-bud/apply-podman-deltas b/test/buildah-bud/apply-podman-deltas
index 18b3d56f9..44a33b0b8 100755
--- a/test/buildah-bud/apply-podman-deltas
+++ b/test/buildah-bud/apply-podman-deltas
@@ -165,14 +165,6 @@ skip "FIXME FIXME FIXME: this passes on Ed's laptop, fails in CI??" \
 skip "buildah runs with --cgroup-manager=cgroupfs, podman with systemd" \
      "bud with --cgroup-parent"
 
-# see https://github.com/containers/podman/pull/10829
-skip "FIXME FIXME FIXME - requires updated CI images (#10829)" \
-     "bud with --runtime and --runtime-flag"
-
-###############################################################################
-# BEGIN tests which are skipped due to actual podman bugs.
-
-
 ###############################################################################
 # BEGIN tests which are skipped because they make no sense under podman-remote
 
diff --git a/test/compose/mount_and_label/docker-compose.yml b/test/compose/mount_and_label/docker-compose.yml
index 112d7e134..81fda2512 100644
--- a/test/compose/mount_and_label/docker-compose.yml
+++ b/test/compose/mount_and_label/docker-compose.yml
@@ -6,5 +6,7 @@ services:
       - '5000:5000'
     volumes:
       - /tmp/data:/data:ro
+    security_opt:
+      - label=disable
     labels:
       - "io.podman=the_best"
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
index 2e48e1763..d03a2741b 100644
--- a/test/e2e/common_test.go
+++ b/test/e2e/common_test.go
@@ -645,9 +645,13 @@ func isRootless() bool {
 	return os.Geteuid() != 0
 }
 
+func isCgroupsV1() bool {
+	return !CGROUPSV2
+}
+
 func SkipIfCgroupV1(reason string) {
 	checkReason(reason)
-	if !CGROUPSV2 {
+	if isCgroupsV1() {
 		Skip(reason)
 	}
 }
diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go
index 7ad1fc1f2..d8ca9cbd9 100644
--- a/test/e2e/login_logout_test.go
+++ b/test/e2e/login_logout_test.go
@@ -79,9 +79,9 @@ var _ = Describe("Podman login and logout", func() {
 
 		session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"),
 			"-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v",
-			strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
+			strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
-			"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
+			"-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
 			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
@@ -235,10 +235,13 @@ var _ = Describe("Podman login and logout", func() {
 		setup.WaitWithDefaultTimeout()
 		defer os.RemoveAll(certDir)
 
+		// N/B: This second registry container shares the same auth and cert dirs
+		//      as the registry started from BeforeEach().  Since this one starts
+		//      second, re-labeling the volumes should keep SELinux happy.
 		session := podmanTest.Podman([]string{"run", "-d", "-p", "9001:9001", "-e", "REGISTRY_HTTP_ADDR=0.0.0.0:9001", "--name", "registry1", "-v",
-			strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
+			strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
-			"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
+			"-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
 			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
diff --git a/test/e2e/run_cgroup_parent_test.go b/test/e2e/run_cgroup_parent_test.go
index 3e261961b..82b6c3057 100644
--- a/test/e2e/run_cgroup_parent_test.go
+++ b/test/e2e/run_cgroup_parent_test.go
@@ -64,6 +64,7 @@ var _ = Describe("Podman run with --cgroup-parent", func() {
 	})
 
 	Specify("always honor --cgroup-parent", func() {
+		Skip("https://github.com/containers/podman/issues/11165")
 		SkipIfCgroupV1("test not supported in cgroups v1")
 		if Containerized() || podmanTest.CgroupManager == "cgroupfs" {
 			Skip("Requires Systemd cgroup manager support")
diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go
index 40de1d50d..08905aed2 100644
--- a/test/e2e/run_device_test.go
+++ b/test/e2e/run_device_test.go
@@ -41,36 +41,35 @@ var _ = Describe("Podman run device", func() {
 	})
 
 	It("podman run device test", func() {
-		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", ALPINE, "ls", "--color=never", "/dev/kmsg"})
+		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", ALPINE, "test", "-c", "/dev/kmsg"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("/dev/kmsg"))
 	})
 
 	It("podman run device rename test", func() {
-		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:/dev/kmsg1", ALPINE, "ls", "--color=never", "/dev/kmsg1"})
+		// TODO: Confirm absence of /dev/kmsg in container
+		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:/dev/kmsg1", ALPINE, "test", "-c", "/dev/kmsg1"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("/dev/kmsg1"))
 	})
 
 	It("podman run device permission test", func() {
-		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:r", ALPINE, "ls", "--color=never", "/dev/kmsg"})
+		// TODO: Confirm write-permission failure
+		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:r", ALPINE, "test", "-r", "/dev/kmsg"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("/dev/kmsg"))
 	})
 
 	It("podman run device rename and permission test", func() {
-		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:/dev/kmsg1:r", ALPINE, "ls", "--color=never", "/dev/kmsg1"})
+		// TODO: Confirm write-permission failure
+		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:/dev/kmsg1:r", ALPINE, "test", "-r", "/dev/kmsg1"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("/dev/kmsg1"))
 	})
 	It("podman run device rename and bad permission test", func() {
-		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:/dev/kmsg1:rd", ALPINE, "ls", "--color=never", "/dev/kmsg1"})
+		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg:/dev/kmsg1:rd", ALPINE, "true"})
 		session.WaitWithDefaultTimeout()
-		Expect(session).To(ExitWithError())
+		Expect(session).Should(Exit(125))
 	})
 
 	It("podman run device host device and container device parameter are directories", func() {
@@ -89,12 +88,13 @@ var _ = Describe("Podman run device", func() {
 	})
 
 	It("podman run device host device with --privileged", func() {
-		if _, err := os.Stat("/dev/kvm"); err != nil {
-			Skip("/dev/kvm not available")
-		}
-		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "ls", "/dev/kvm"})
+		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "test", "-c", "/dev/kmsg"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
+		// verify --privileged is required
+		session2 := podmanTest.Podman([]string{"run", ALPINE, "test", "-c", "/dev/kmsg"})
+		session2.WaitWithDefaultTimeout()
+		Expect(session2).Should((Exit(1)))
 	})
 
 	It("podman run CDI device test", func() {
@@ -109,14 +109,13 @@ var _ = Describe("Podman run device", func() {
 		err = cmd.Run()
 		Expect(err).To(BeNil())
 
-		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "myKmsg", ALPINE, "ls", "--color=never", "/dev/kmsg1"})
+		session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "myKmsg", ALPINE, "test", "-c", "/dev/kmsg1"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("/dev/kmsg1"))
 	})
 
 	It("podman run --gpus noop", func() {
-		session := podmanTest.Podman([]string{"run", "--gpus", "all", ALPINE, "ls", "/"})
+		session := podmanTest.Podman([]string{"run", "--gpus", "all", ALPINE, "true"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 	})
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 3c65c02d1..57d57554c 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -946,7 +946,7 @@ USER mail`, BB)
 		Expect(err).To(BeNil())
 		mountpoint := "/myvol/"
 
-		session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint, ALPINE, "cat", mountpoint + filename})
+		session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint + ":z", ALPINE, "cat", mountpoint + filename})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		ctrID := session.OutputToString()
diff --git a/test/e2e/stats_test.go b/test/e2e/stats_test.go
index e32d515a0..47cdeca11 100644
--- a/test/e2e/stats_test.go
+++ b/test/e2e/stats_test.go
@@ -24,6 +24,9 @@ var _ = Describe("Podman stats", func() {
 
 	BeforeEach(func() {
 		SkipIfRootlessCgroupsV1("stats not supported on cgroupv1 for rootless users")
+		if isContainerized() {
+			SkipIfCgroupV1("stats not supported inside cgroupv1 container environment")
+		}
 		var err error
 		tempdir, err = CreateTempDirInTempDir()
 		if err != nil {
diff --git a/test/e2e/systemd_test.go b/test/e2e/systemd_test.go
index bb51d6ac2..3213a839a 100644
--- a/test/e2e/systemd_test.go
+++ b/test/e2e/systemd_test.go
@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containers/podman/v3/pkg/rootless"
 	. "github.com/containers/podman/v3/test/utils"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -118,11 +117,13 @@ WantedBy=multi-user.target
 		Expect(len(conData)).To(Equal(1))
 		Expect(conData[0].Config.SystemdMode).To(BeTrue())
 
-		if CGROUPSV2 || !rootless.IsRootless() {
-			stats := podmanTest.Podman([]string{"stats", "--no-stream", ctrName})
-			stats.WaitWithDefaultTimeout()
-			Expect(stats).Should(Exit(0))
+		// stats not supported w/ CGv1 rootless or containerized
+		if isCgroupsV1() && (isRootless() || isContainerized()) {
+			return
 		}
+		stats := podmanTest.Podman([]string{"stats", "--no-stream", ctrName})
+		stats.WaitWithDefaultTimeout()
+		Expect(stats).Should(Exit(0))
 	})
 
 	It("podman create container with systemd entrypoint triggers systemd mode", func() {