3 files changed, 38 insertions, 10 deletions

diff --git a/contrib/cirrus/99-do-not-use-google-subnets.conflist b/contrib/cirrus/99-do-not-use-google-subnets.conflist
new file mode 100644
index 000000000..e9ab638ed
--- /dev/null
+++ b/contrib/cirrus/99-do-not-use-google-subnets.conflist
@@ -0,0 +1,21 @@
+{
+    "cniVersion": "0.4.0",
+    "name": "do-not-use-google-subnets",
+    "plugins": [
+        {
+            "type": "bridge",
+            "name": "do-not-use-google-subnets",
+            "bridge": "do-not-use-google-subnets",
+            "ipam": {
+                "type": "host-local",
+                "ranges": [
+                    [
+                        {
+                            "subnet": "10.128.0.0/9"
+                        }
+                    ]
+                ]
+            }
+        }
+    ]
+}
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index 555f3e717..f66e63140 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -323,13 +323,15 @@ EOF
 
 install_test_configs(){
     echo "Installing cni config, policy and registry config"
-    req_env_var GOSRC
-    sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \
-                           /etc/cni/net.d/87-podman-bridge.conflist
-    sudo install -D -m 755 $GOSRC/test/policy.json \
-                           /etc/containers/policy.json
-    sudo install -D -m 755 $GOSRC/test/registries.conf \
-                           /etc/containers/registries.conf
+    req_env_var GOSRC SCRIPT_BASE
+    cd $GOSRC
+    install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/
+    # This config must always sort last in the list of networks (podman picks first one
+    # as the default).  This config prevents allocation of network address space used
+    # by default in google cloud.  https://cloud.google.com/vpc/docs/vpc#ip-ranges
+    install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/
+    install -v -D -m 644 ./test/policy.json /etc/containers/
+    install -v -D -m 644 ./test/registries.conf /etc/containers/
 }
 
 # Remove all files (except conmon, for now) provided by the distro version of podman.
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 323a05489..7c7659169 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -44,11 +44,15 @@ case "${OS_REL_VER}" in
         ;;
     fedora-30) ;&  # continue to next item
     fedora-29)
+	# All SELinux distros need this for systemd-in-a-container
+	setsebool container_manage_cgroup true
         if [[ "$ADD_SECOND_PARTITION" == "true" ]]; then
             bash "$SCRIPT_BASE/add_second_partition.sh"; fi
         ;;
     centos-7)  # Current VM is an image-builder-image no local podman/testing
-        echo "No further setup required for VM image building"
+	echo "No further setup required for VM image building"
+	# All SELinux distros need this for systemd-in-a-container
+	setsebool container_manage_cgroup true
         exit 0
         ;;
     *) bad_os_id_ver ;;
@@ -57,8 +61,7 @@ esac
 # Reload to incorporate any changes from above
 source "$SCRIPT_BASE/lib.sh"
 
-install_test_configs
-
+# Must execute before possible setup_rootless()
 make install.tools
 
 case "$SPECIALMODE" in
@@ -92,3 +95,5 @@ case "$SPECIALMODE" in
     *)
         die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE"
 esac
+
+install_test_configs