diff options
Diffstat (limited to 'contrib/cirrus')
-rw-r--r-- | contrib/cirrus/README.md | 62 | ||||
-rwxr-xr-x | contrib/cirrus/check_image.sh | 42 | ||||
-rwxr-xr-x | contrib/cirrus/integration_test.sh | 15 | ||||
-rw-r--r-- | contrib/cirrus/lib.sh | 13 | ||||
-rw-r--r-- | contrib/cirrus/packer/fedora_packaging.sh | 85 | ||||
-rw-r--r-- | contrib/cirrus/packer/fedora_setup.sh | 8 | ||||
-rw-r--r-- | contrib/cirrus/packer/ubuntu_packaging.sh | 31 | ||||
-rwxr-xr-x | contrib/cirrus/rootless_test.sh | 22 | ||||
-rwxr-xr-x | contrib/cirrus/setup_environment.sh | 19 | ||||
-rw-r--r-- | contrib/cirrus/swagger_stack_trace.png | bin | 0 -> 42799 bytes |
10 files changed, 189 insertions, 108 deletions
diff --git a/contrib/cirrus/README.md b/contrib/cirrus/README.md index 541cf2f54..c8ec766e7 100644 --- a/contrib/cirrus/README.md +++ b/contrib/cirrus/README.md @@ -167,26 +167,50 @@ env: ### `docs` Task -Builds swagger API documentation YAML and uploads to google storage for both -PR's (for testing the process) and after a merge into any branch. For PR's +Builds swagger API documentation YAML and uploads to google storage (an online +service for storing unstructured data) for both +PR's (for testing the process) and the master branch. For PR's the YAML is uploaded into a [dedicated short-pruning cycle -bucket.](https://storage.googleapis.com/libpod-pr-releases/) For branches, -a [separate bucket is -used.](https://storage.googleapis.com/libpod-master-releases) -In both cases the filename includes the source -PR number or branch name. - -***Note***: [The online documentation](http://docs.podman.io/en/latest/_static/api.html) -is presented through javascript on the client-side. This requires CORS to be properly -configured on the bucket, for the `http://docs.podman.io` origin. Please see -[Configuring CORS on a bucket](https://cloud.google.com/storage/docs/configuring-cors#configure-cors-bucket) -for details. This may be performed by anybody with admin access to the google storage bucket, -using the following JSON: +bucket.](https://storage.googleapis.com/libpod-pr-releases/) for testing purposes +only. For the master branch, a [separate bucket is +used](https://storage.googleapis.com/libpod-master-releases) and provides the +content rendered on [the API Reference page](https://docs.podman.io/en/latest/_static/api.html) + +The online API reference is presented by javascript to the client. To prevent hijacking +of the client by malicious data, the [javascript utilises CORS](https://cloud.google.com/storage/docs/cross-origin). +This CORS metadata is served by `https://storage.googleapis.com` when configured correctly. +It will appear in [the request and response headers from the +client](https://cloud.google.com/storage/docs/configuring-cors#troubleshooting) when accessing +the API reference page. + +However, when the CORS metadata is missing or incorrectly configured, clients will receive an +error-message similar to: + +![Javascript Stack Trace Image](swagger_stack_trace.png) + +For documentation built by Read The Docs from the master branch, CORS metadata is +set on the `libpod-master-releases` storage bucket. Viewing or setting the CORS +metadata on the bucket requires having locally [installed and +configured the google-cloud SDK](https://cloud.google.com/sdk/docs). It also requires having +admin access to the google-storage bucket. Contact a project owner for help if you are +unsure of your permissions or need help resolving an error similar to the picture above. + +Assuming the SDK is installed, and you have the required admin access, the following command +will display the current CORS metadata: + +``` +gsutil cors get gs://libpod-master-releases +``` + +To function properly (allow client "trust" of content from `storage.googleapis.com`) the followiing +metadata JSON should be used. Following the JSON, is an example of the command used to set this +metadata on the libpod-master-releases bucket. For additional information about configuring CORS +please referr to [the google-storage documentation](https://cloud.google.com/storage/docs/configuring-cors). ```JSON [ { - "origin": ["http://docs.podman.io"], + "origin": ["http://docs.podman.io", "https://docs.podman.io"], "responseHeader": ["Content-Type"], "method": ["GET"], "maxAgeSeconds": 600 @@ -194,6 +218,14 @@ using the following JSON: ] ``` +``` +gsutil cors set /path/to/file.json gs://libpod-master-releases +``` + +***Note:*** The CORS metadata does _NOT_ change after the `docs` task uploads a new swagger YAML +file. Therefore, if it is not functioning or misconfigured, a person must have altered it or +changes were made to the referring site (e.g. `docs.podman.io`). + ## Base-images Base-images are VM disk-images specially prepared for executing as GCE VMs. diff --git a/contrib/cirrus/check_image.sh b/contrib/cirrus/check_image.sh index 5423f67d6..0d33e55bf 100755 --- a/contrib/cirrus/check_image.sh +++ b/contrib/cirrus/check_image.sh @@ -6,7 +6,7 @@ source $(dirname $0)/lib.sh EVIL_UNITS="$($CIRRUS_WORKING_DIR/$PACKER_BASE/systemd_banish.sh --list)" -req_env_var PACKER_BUILDER_NAME TEST_REMOTE_CLIENT EVIL_UNITS OS_RELEASE_ID +req_env_var PACKER_BUILDER_NAME TEST_REMOTE_CLIENT EVIL_UNITS OS_RELEASE_ID CG_FS_TYPE NFAILS=0 echo "Validating VM image" @@ -22,7 +22,8 @@ item_test 'Minimum available memory' $MEM_FREE -ge $MIN_MEM_MB || let "NFAILS+=1 # We're testing a custom-built podman; make sure there isn't a distro-provided # binary anywhere; that could potentially taint our results. -item_test "remove_packaged_podman_files() did it's job" -z "$(type -P podman)" || let "NFAILS+=1" +remove_packaged_podman_files +item_test "remove_packaged_podman_files() does it's job" -z "$(type -P podman)" || let "NFAILS+=1" # Integration Tests require varlink in Fedora item_test "The varlink executable is present" -x "$(type -P varlink)" || let "NFAILS+=1" @@ -39,8 +40,10 @@ for REQ_UNIT in google-accounts-daemon.service \ google-shutdown-scripts.service \ google-startup-scripts.service do - item_test "required $REQ_UNIT enabled" \ - "$(systemctl list-unit-files --no-legend $REQ_UNIT)" = "$REQ_UNIT enabled" || let "NFAILS+=1" + # enabled/disabled appears at the end of the line, on some Ubuntu's it appears twice + service_status=$(systemctl list-unit-files --no-legend $REQ_UNIT | tac -s ' ' | head -1) + item_test "required $REQ_UNIT status is enabled" \ + "$service_status" = "enabled" || let "NFAILS+=1" done for evil_unit in $EVIL_UNITS @@ -50,19 +53,28 @@ do item_test "No $evil_unit unit is present or active:" "$unit_status" -ne "0" || let "NFAILS+=1" done -if [[ "$OS_RELEASE_ID" == "ubuntu" ]] && [[ -x "/usr/lib/cri-o-runc/sbin/runc" ]] -then - SAMESAME=$(diff --brief /usr/lib/cri-o-runc/sbin/runc /usr/bin/runc &> /dev/null; echo $?) - item_test "On ubuntu /usr/bin/runc is /usr/lib/cri-o-runc/sbin/runc" "$SAMESAME" -eq "0" || let "NFAILS+=1" -fi - -if [[ "$OS_RELEASE_ID" == "ubuntu" ]] -then - item_test "On ubuntu, no periodic apt crap is enabled" -z "$(egrep $PERIODIC_APT_RE /etc/apt/apt.conf.d/*)" -fi - echo "Checking items specific to ${PACKER_BUILDER_NAME}${BUILT_IMAGE_SUFFIX}" case "$PACKER_BUILDER_NAME" in + ubuntu*) + item_test "On ubuntu, no periodic apt crap is enabled" -z "$(egrep $PERIODIC_APT_RE /etc/apt/apt.conf.d/*)" + ;; + fedora*) + # Only runc -OR- crun should be installed, never both + case "$CG_FS_TYPE" in + tmpfs) + HAS=runc + HAS_NOT=crun + ;; + cgroup2fs) + HAS=crun + HAS_NOT=runc + ;; + esac + HAS_RC=$(rpm -qV $HAS &> /dev/null; echo $?) + HAS_NOT_RC=$(rpm -qV $HAS_NOT &> /dev/null; echo $?) + item_test "With a cgroups-fs type $CG_FS_TYPE, the $HAS package is installed" $HAS_RC -eq 0 + item_test "With a cgroups-fs type $CG_FS_TYPE, the $HAS_NOT package is not installed" $HAS_NOT_RC -ne 0 + ;; xfedora*) echo "Kernel Command-line: $(cat /proc/cmdline)" item_test \ diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh index 1aef678d4..33e9fbc6b 100755 --- a/contrib/cirrus/integration_test.sh +++ b/contrib/cirrus/integration_test.sh @@ -6,6 +6,11 @@ source $(dirname $0)/lib.sh req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME VARLINK_LOG +LOCAL_OR_REMOTE=local +if [[ "$TEST_REMOTE_CLIENT" = "true" ]]; then + LOCAL_OR_REMOTE=remote +fi + # Our name must be of the form xxxx_test or xxxx_test.sh, where xxxx is # the test suite to run; currently (2019-05) the only option is 'integration' # but pr2947 intends to add 'system'. @@ -34,7 +39,7 @@ case "$SPECIALMODE" in req_env_var ROOTLESS_USER ssh $ROOTLESS_USER@localhost \ -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \ - -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} + -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} ${LOCAL_OR_REMOTE} ;; endpoint) make @@ -52,12 +57,8 @@ case "$SPECIALMODE" in make make install PREFIX=/usr ETCDIR=/etc make test-binaries - if [[ "$TEST_REMOTE_CLIENT" == "true" ]] - then - make remote${TESTSUITE} VARLINK_LOG=$VARLINK_LOG - else - make local${TESTSUITE} - fi + make .install.bats + make ${LOCAL_OR_REMOTE}${TESTSUITE} PODMAN_SERVER_LOG=$PODMAN_SERVER_LOG ;; *) die 110 "Unsupported \$SPECIALMODE: $SPECIALMODE" diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index cc5a3ffa7..66e8060cf 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -39,6 +39,8 @@ PACKER_BASE=${PACKER_BASE:-./contrib/cirrus/packer} # Important filepaths SETUP_MARKER_FILEPATH="${SETUP_MARKER_FILEPATH:-/var/tmp/.setup_environment_sh_complete}" AUTHOR_NICKS_FILEPATH="${CIRRUS_WORKING_DIR}/${SCRIPT_BASE}/git_authors_to_irc_nicks.csv" +# Downloaded, but not installed packages. +PACKAGE_DOWNLOAD_DIR=/var/cache/download # Log remote-client system test varlink output here export VARLINK_LOG=/var/tmp/varlink.log @@ -422,7 +424,7 @@ remove_packaged_podman_files() { then LISTING_CMD="$SUDO dpkg-query -L podman" else - LISTING_CMD='$SUDO rpm -ql podman' + LISTING_CMD="$SUDO rpm -ql podman" fi # yum/dnf/dpkg may list system directories, only remove files @@ -437,6 +439,14 @@ remove_packaged_podman_files() { sync && echo 3 > /proc/sys/vm/drop_caches } +# The version of CRI-O and Kubernetes must always match +get_kubernetes_version(){ + # TODO: Look up the kube RPM/DEB version installed, or in $PACKAGE_DOWNLOAD_DIR + # and retrieve the major-minor version directly. + local KUBERNETES_VERSION="1.15" + echo "$KUBERNETES_VERSION" +} + canonicalize_image_names() { req_env_var IMGNAMES echo "Adding all current base images to \$IMGNAMES for timestamp update" @@ -479,6 +489,7 @@ _finalize() { fi echo "Re-initializing so next boot does 'first-boot' setup again." cd / + $SUDO rm -rf $GOPATH/src # Actual source will be cloned at runtime $SUDO rm -rf /var/lib/cloud/instanc* $SUDO rm -rf /root/.ssh/* $SUDO rm -rf /etc/ssh/*key* diff --git a/contrib/cirrus/packer/fedora_packaging.sh b/contrib/cirrus/packer/fedora_packaging.sh index e80d48bc8..aecaaef93 100644 --- a/contrib/cirrus/packer/fedora_packaging.sh +++ b/contrib/cirrus/packer/fedora_packaging.sh @@ -11,6 +11,8 @@ echo "Updating/Installing repos and packages for $OS_REL_VER" source $GOSRC/$SCRIPT_BASE/lib.sh +req_env_var GOSRC SCRIPT_BASE BIGTO INSTALL_AUTOMATION_VERSION FEDORA_BASE_IMAGE PRIOR_FEDORA_BASE_IMAGE + # Pre-req. to install automation tooing $LILTO $SUDO dnf install -y git @@ -35,7 +37,7 @@ fi $BIGTO ooe.sh $SUDO dnf update -y -REMOVE_PACKAGES=() +REMOVE_PACKAGES=(runc) INSTALL_PACKAGES=(\ autoconf automake @@ -50,8 +52,11 @@ INSTALL_PACKAGES=(\ containernetworking-plugins containers-common criu + crun + curl device-mapper-devel dnsmasq + e2fsprogs-devel emacs-nox file findutils @@ -60,16 +65,26 @@ INSTALL_PACKAGES=(\ gcc git glib2-devel + glibc-devel glibc-static gnupg go-md2man golang + gpgme gpgme-devel + grubby + hostname iproute iptables jq + krb5-workstation + libassuan libassuan-devel + libblkid-devel libcap-devel + libffi-devel + libgpg-error-devel + libguestfs-tools libmsi1 libnet libnet-devel @@ -79,56 +94,60 @@ INSTALL_PACKAGES=(\ libselinux-devel libtool libvarlink-util + libxml2-devel + libxslt-devel lsof make + mlocate msitools + nfs-utils nmap-ncat + openssl + openssl-devel ostree-devel pandoc + pkgconfig podman + policycoreutils procps-ng protobuf protobuf-c protobuf-c-devel protobuf-devel - python + python2 + python3-PyYAML python3-dateutil python3-psutil python3-pytoml + python3-libsemanage + python3-libselinux + python3-libvirt + redhat-rpm-config + rpcbind rsync + sed selinux-policy-devel skopeo skopeo-containers slirp4netns + socat + tar unzip vim wget which xz zip + zlib-devel +) +DOWNLOAD_PACKAGES=(\ + "cri-o-$(get_kubernetes_version)*" + cri-tools + "kubernetes-$(get_kubernetes_version)*" + runc + oci-umount + parallel ) - -case "$OS_RELEASE_VER" in - 30) - INSTALL_PACKAGES+=(\ - atomic-registries - golang-github-cpuguy83-go-md2man - python2-future - runc - ) - REMOVE_PACKAGES+=(crun) - ;; - 31) - INSTALL_PACKAGES+=(crun) - REMOVE_PACKAGES+=(runc) - ;; - 32) - INSTALL_PACKAGES+=(crun) - REMOVE_PACKAGES+=(runc) - ;; - *) - bad_os_id_ver ;; -esac echo "Installing general build/test dependencies for Fedora '$OS_RELEASE_VER'" $BIGTO ooe.sh $SUDO dnf install -y ${INSTALL_PACKAGES[@]} @@ -136,6 +155,18 @@ $BIGTO ooe.sh $SUDO dnf install -y ${INSTALL_PACKAGES[@]} [[ ${#REMOVE_PACKAGES[@]} -eq 0 ]] || \ $LILTO ooe.sh $SUDO dnf erase -y ${REMOVE_PACKAGES[@]} -export GOPATH="$(mktemp -d)" -trap "$SUDO rm -rf $GOPATH" EXIT -ooe.sh $SUDO $GOSRC/hack/install_catatonit.sh +if [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then + echo "Downloading packages for optional installation at runtime, as needed." + # Required for cri-o + ooe.sh $SUDO dnf -y module enable cri-o:$(get_kubernetes_version) + $SUDO mkdir -p "$PACKAGE_DOWNLOAD_DIR" + cd "$PACKAGE_DOWNLOAD_DIR" + $LILTO ooe.sh $SUDO dnf download -y --resolve ${DOWNLOAD_PACKAGES[@]} + ls -la "$PACKAGE_DOWNLOAD_DIR/" +fi + +echo "Installing runtime tooling" +# Save some runtime by having these already available +cd $GOSRC +$SUDO make install.tools +$SUDO $GOSRC/hack/install_catatonit.sh diff --git a/contrib/cirrus/packer/fedora_setup.sh b/contrib/cirrus/packer/fedora_setup.sh index 3830b3bc4..25b568e8a 100644 --- a/contrib/cirrus/packer/fedora_setup.sh +++ b/contrib/cirrus/packer/fedora_setup.sh @@ -12,11 +12,11 @@ req_env_var SCRIPT_BASE PACKER_BASE INSTALL_AUTOMATION_VERSION PACKER_BUILDER_NA workaround_bfq_bug -# Do not enable update-stesting on the previous Fedora release -if [[ "$FEDORA_BASE_IMAGE" =~ "${OS_RELEASE_ID}-cloud-base-${OS_RELEASE_VER}" ]]; then - DISABLE_UPDATES_TESTING=0 -else +# Do not enable updates-testing on the previous Fedora release +if [[ "$PRIOR_FEDORA_BASE_IMAGE" =~ "${OS_RELEASE_ID}-cloud-base-${OS_RELEASE_VER}" ]]; then DISABLE_UPDATES_TESTING=1 +else + DISABLE_UPDATES_TESTING=0 fi bash $PACKER_BASE/fedora_packaging.sh diff --git a/contrib/cirrus/packer/ubuntu_packaging.sh b/contrib/cirrus/packer/ubuntu_packaging.sh index fd0280230..09f9aab9f 100644 --- a/contrib/cirrus/packer/ubuntu_packaging.sh +++ b/contrib/cirrus/packer/ubuntu_packaging.sh @@ -11,6 +11,8 @@ echo "Updating/Installing repos and packages for $OS_REL_VER" source $GOSRC/$SCRIPT_BASE/lib.sh +req_env_var GOSRC SCRIPT_BASE BIGTO SUDOAPTGET INSTALL_AUTOMATION_VERSION + echo "Updating/configuring package repositories." $BIGTO $SUDOAPTGET update @@ -99,6 +101,7 @@ INSTALL_PACKAGES=(\ protobuf-c-compiler protobuf-compiler python-protobuf + python2 python3-dateutil python3-pip python3-psutil @@ -118,6 +121,11 @@ INSTALL_PACKAGES=(\ zip zlib1g-dev ) +DOWNLOAD_PACKAGES=(\ + cri-o-$(get_kubernetes_version) + cri-tools + parallel +) # These aren't resolvable on Ubuntu 20 if [[ "$OS_RELEASE_VER" -le 19 ]]; then @@ -137,16 +145,15 @@ echo "Installing general testing and system dependencies" $LILTO ooe.sh $SUDOAPTGET update $BIGTO ooe.sh $SUDOAPTGET install ${INSTALL_PACKAGES[@]} -export GOPATH="$(mktemp -d)" -trap "$SUDO rm -rf $GOPATH" EXIT -echo "Installing cataonit and libseccomp.sudo" -cd $GOSRC -ooe.sh $SUDO hack/install_catatonit.sh -ooe.sh $SUDO make install.libseccomp.sudo - -CRIO_RUNC_PATH="/usr/lib/cri-o-runc/sbin/runc" -if $SUDO dpkg -L cri-o-runc | grep -m 1 -q "$CRIO_RUNC_PATH" -then - echo "Linking $CRIO_RUNC_PATH to /usr/bin/runc for ease of testing." - $SUDO ln -f "$CRIO_RUNC_PATH" "/usr/bin/runc" +if [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then + echo "Downloading packages for optional installation at runtime, as needed." + $SUDO ln -s /var/cache/apt/archives "$PACKAGE_DOWNLOAD_DIR" + $LILTO ooe.sh $SUDOAPTGET install --download-only ${DOWNLOAD_PACKAGES[@]} + ls -la "$PACKAGE_DOWNLOAD_DIR/" fi + +echo "Installing runtime tooling" +cd $GOSRC +$SUDO hack/install_catatonit.sh +$SUDO make install.libseccomp.sudo +$SUDO make install.tools diff --git a/contrib/cirrus/rootless_test.sh b/contrib/cirrus/rootless_test.sh index 3f45aac84..9e1b1d911 100755 --- a/contrib/cirrus/rootless_test.sh +++ b/contrib/cirrus/rootless_test.sh @@ -2,14 +2,6 @@ set -e -remote=0 - -# The TEST_REMOTE_CLIENT environment variable decides whether -# to test varlink -if [[ "$TEST_REMOTE_CLIENT" == "true" ]]; then - remote=1 -fi - source $(dirname $0)/lib.sh if [[ "$UID" == "0" ]] @@ -18,11 +10,8 @@ then exit 1 fi -# Which set of tests to run; possible alternative is "system" -TESTSUITE=integration -if [[ -n "$*" ]]; then - TESTSUITE="$1" -fi +TESTSUITE=${1?Missing TESTSUITE argument (arg1)} +LOCAL_OR_REMOTE=${2?Missing LOCAL_OR_REMOTE argument (arg2)} # Ensure environment setup correctly req_env_var GOSRC ROOTLESS_USER @@ -31,7 +20,6 @@ echo "." echo "Hello, my name is $USER and I live in $PWD can I be your friend?" echo "." -export PODMAN_VARLINK_ADDRESS=unix:/tmp/podman-$(id -u) show_env_vars set -x @@ -39,8 +27,4 @@ cd "$GOSRC" make make varlink_generate make test-binaries -if [ $remote -eq 0 ]; then - make local${TESTSUITE} -else - make remote${TESTSUITE} -fi +make ${LOCAL_OR_REMOTE}${TESTSUITE} diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 25b7ff941..323e7c35b 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -39,6 +39,17 @@ done cd "${GOSRC}/" case "${OS_RELEASE_ID}" in ubuntu) + apt-get update + apt-get install -y containers-common + sed -ie 's/^\(# \)\?apparmor_profile =.*/apparmor_profile = ""/' /etc/containers/containers.conf + if [[ "$OS_RELEASE_VER" == "19" ]]; then + apt-get purge -y --auto-remove golang* + apt-get install -y golang-1.13 + ln -s /usr/lib/go-1.13/bin/go /usr/bin/go + fi + if [[ "$OS_RELEASE_VER" == "20" ]]; then + apt-get install -y python-is-python3 + fi ;; fedora) # All SELinux distros need this for systemd-in-a-container @@ -78,14 +89,6 @@ case "$CG_FS_TYPE" in warn "Forcing testing with crun instead of runc" X=$(echo "export OCI_RUNTIME=/usr/bin/crun" | \ tee -a /etc/environment) && eval "$X" && echo "$X" - - if [[ "$OS_RELEASE_ID" == "fedora" ]]; then - warn "Upgrading to the latest crun" - # Normally not something to do for stable testing - # but crun is new, and late-breaking fixes may be required - # on short notice - dnf update -y crun containers-common - fi ;; *) die 110 "Unsure how to handle cgroup filesystem type '$CG_FS_TYPE'" diff --git a/contrib/cirrus/swagger_stack_trace.png b/contrib/cirrus/swagger_stack_trace.png Binary files differnew file mode 100644 index 000000000..6aa063bab --- /dev/null +++ b/contrib/cirrus/swagger_stack_trace.png |