diff options
Diffstat (limited to 'contrib')
34 files changed, 991 insertions, 390 deletions
diff --git a/contrib/cirrus/README.md b/contrib/cirrus/README.md index 69d8653fe..18ef3e7f7 100644 --- a/contrib/cirrus/README.md +++ b/contrib/cirrus/README.md @@ -13,7 +13,6 @@ which alter this behavior. Within each task, each script executes in sequence, so long as any previous script exited successfully. The overall state of each task (pass or fail) is set based on the exit status of the last script to execute. - ### ``gating`` Task ***N/B: Steps below are performed by automation*** @@ -63,40 +62,11 @@ task (pass or fail) is set based on the exit status of the last script to execut Total execution time is capped at 2-hours (includes all the above) but this script normally completes in less than an hour. -### ``special_testing`` Task - -This task exercises podman under specialized environments or conditions. -The specific differences from the ``testing`` task depend upon the -contents of the ``$SPECIALMODE`` environment variable. - -| Value | Meaning | -| rootless | Setup a regular user to build/run integration tests. | -| in_podman | Setup a container image, build/run integration tests inside container | - -***N/B: Steps below are performed by automation*** - -1. After `gating` passes, spin up one VM per - `matrix: image_name` item. - -2. ``setup_environment.sh``: Mostly the same as - in ``testing`` task, then specialized depending on ``$SPECIALMODE``. - -3. Which tests and how they execute depends on ``$SPECIALMODE``. +### ``special_testing_cross`` Task -### ``optional_testing`` Task - -***N/B: Steps below are performed by automation*** - -1. Optionally executes in parallel with ``testing``. Requires - **prior** to job-start, the magic string ``***CIRRUS: SYSTEM TEST***`` - is found in the pull-request *description*. The *description* is the first - text-box under the main *summary* line in the github WebUI. - -2. ``setup_environment.sh``: Same as for other tasks. - -3. ``system_test.sh``: Build both dependencies and libpod, install them, - then execute `make localsystem` from the repository root. +Confirm that cross-compile of podman-remote functions for both `windows` +and `darwin` targets. ### ``test_build_cache_images_task`` Task @@ -131,10 +101,18 @@ images following the standard naming format; ***however, only runs a limited sub-set of automated tests***. Validating newly built images fully, requires updating ``.cirrus.yml``. -***Manual Steps:*** Assuming `verify_test_built_images` passes, then +***N/B: Steps below are performed by automation*** + +1. Using the just build VM images, launch VMs and wait for them to boot. + +2. Execute the `setup_environment.sh` as in the `testing` task. + +2. Execute the `integration_test.sh` as in the `testing` task. + + +***Manual Steps:*** Assuming the automated steps pass, then you'll find the new image names displayed at the end of the -`test_build_cache_images_task` in the `build_vm_images` output. -For example: +`test_build_cache_images`. For example: ``` @@ -169,20 +147,22 @@ the magic ``***CIRRUS: TEST IMAGES***`` string. Keeping it and `--force` pushing would needlessly cause Cirrus-CI to build and test images again. +### `release` Task -### ``build_cache_images`` Task *(Deprecated)* +Gathers up zip files uploaded by other tasks, from the local Cirrus-CI caching service. +Depending on the execution context (a PR or a branch), this task uploads the files +found to storage buckets at: -Exactly the same as ``test_build_cache_images_task`` task, but only runs on -the master branch. Requires a magic string to be in the `HEAD` -commit message: ``***CIRRUS: BUILD IMAGES***`` +* [https://storage.cloud.google.com/libpod-pr-releases](https://storage.cloud.google.com/libpod-pr-releases) +* [https://storage.cloud.google.com/libpod-master-releases](https://storage.cloud.google.com/libpod-master-releases) -When successful, the manifest file along with all VM disks, are moved -into a dedicated google storage bucket, separate from the one used by -`test_build_cache_images_task`. These may be used to create new cache-images for -PR testing by manually importing them as described above. +***Note:*** Repeated builds from the same PR or branch, will clobber previous archives + *by design*. This is intended so that the "latest" archive is always + available at a consistent URL. The precise details regarding a particular + build is encoded within the zip-archive comment. -### Base-images +## Base-images Base-images are VM disk-images specially prepared for executing as GCE VMs. In particular, they run services on startup similar in purpose/function @@ -193,10 +173,9 @@ as the standard 'cloud-init' services. with services pre-installed, for many platforms. For example, RHEL, CentOS, and Ubuntu. -* Google does ***not*** provide any images for Fedora or Fedora Atomic - Host (as of 11/2018), nor do they provide a base-image prepared to - run packer for creating other images in the ``build_vm_images`` Task - (above). +* Google does ***not*** provide any images for Fedora (as of 5/2019), nor do + they provide a base-image prepared to run packer for creating other images + in the ``test_build_vm_images`` Task (above). * Base images do not need to be produced often, but doing so completely manually would be time-consuming and error-prone. Therefor a special @@ -276,3 +255,16 @@ console output. Simply set the ``TTYDEV`` parameter, for example: $ make libpod_base_images ... TTYDEV=$(tty) ... ``` + +## `$SPECIALMODE` + +Some tasks alter their behavior based on this value. A summary of supported +values follows: + +* `none`: Operate as normal, this is the default value if unspecified. +* `rootless`: Causes a random, ordinary user account to be created + and utilized for testing. +* `in_podman`: Causes testing to occur within a container executed by + podman on the host. +* `windows`: See **darwin** +* `darwin`: Signals the ``special_testing_cross`` task to cross-compile the remote client. diff --git a/contrib/cirrus/build_vm_images.sh b/contrib/cirrus/build_vm_images.sh index 805aba428..dd5182c37 100755 --- a/contrib/cirrus/build_vm_images.sh +++ b/contrib/cirrus/build_vm_images.sh @@ -3,13 +3,12 @@ set -e source $(dirname $0)/lib.sh -ENV_VARS='CNI_COMMIT CONMON_COMMIT PACKER_BUILDS BUILT_IMAGE_SUFFIX UBUNTU_BASE_IMAGE FEDORA_BASE_IMAGE PRIOR_FEDORA_BASE_IMAGE SERVICE_ACCOUNT GCE_SSH_USERNAME GCP_PROJECT_ID PACKER_VER SCRIPT_BASE PACKER_BASE' +BASE_IMAGE_VARS='FEDORA_BASE_IMAGE PRIOR_FEDORA_BASE_IMAGE UBUNTU_BASE_IMAGE' +ENV_VARS="PACKER_BUILDS BUILT_IMAGE_SUFFIX $BASE_IMAGE_VARS SERVICE_ACCOUNT GCE_SSH_USERNAME GCP_PROJECT_ID PACKER_VER SCRIPT_BASE PACKER_BASE CIRRUS_BUILD_ID CIRRUS_CHANGE_IN_REPO" req_env_var $ENV_VARS # Must also be made available through make, into packer process export $ENV_VARS -show_env_vars - # Everything here is running on the 'image-builder-image' GCE image # Assume basic dependencies are all met, but there could be a newer version # of the packer binary @@ -26,14 +25,20 @@ then fi cd "$GOSRC/$PACKER_BASE" - -# Separate PR-produced images from those produced on master. -if [[ "${CIRRUS_BRANCH:-}" == "master" ]] -then - POST_MERGE_BUCKET_SUFFIX="-master" -else - POST_MERGE_BUCKET_SUFFIX="" -fi +# Add/update labels on base-images used in this build to prevent premature deletion +ARGS=" +" +for base_image_var in $BASE_IMAGE_VARS +do + # See entrypoint.sh in contrib/imgts and contrib/imgprune + # These updates can take a while, run them in the background, check later + gcloud compute images update \ + --update-labels=last-used=$(date +%s) \ + --update-labels=build-id=$CIRRUS_BUILD_ID \ + --update-labels=repo-ref=$CIRRUS_CHANGE_IN_REPO \ + --update-labels=project=$GCP_PROJECT_ID \ + ${!base_image_var} & +done make libpod_images \ PACKER_BUILDS=$PACKER_BUILDS \ @@ -41,12 +46,22 @@ make libpod_images \ GOSRC=$GOSRC \ SCRIPT_BASE=$SCRIPT_BASE \ PACKER_BASE=$PACKER_BASE \ - POST_MERGE_BUCKET_SUFFIX=$POST_MERGE_BUCKET_SUFFIX \ BUILT_IMAGE_SUFFIX=$BUILT_IMAGE_SUFFIX +# Separate PR-produced images from those produced on master. +if [[ "${CIRRUS_BRANCH:-}" == "master" ]] +then + POST_MERGE_BUCKET_SUFFIX="-master" +else + POST_MERGE_BUCKET_SUFFIX="" +fi + # When successful, upload manifest of produced images using a filename unique # to this build. URI="gs://packer-import${POST_MERGE_BUCKET_SUFFIX}/manifest${BUILT_IMAGE_SUFFIX}.json" gsutil cp packer-manifest.json "$URI" +# Ensure any background 'gcloud compute images update' processes finish +wait # CentOS has no -n option :( + echo "Finished. A JSON manifest of produced images is available at $URI" diff --git a/contrib/cirrus/cache_release_archive.sh b/contrib/cirrus/cache_release_archive.sh new file mode 100755 index 000000000..639bc9801 --- /dev/null +++ b/contrib/cirrus/cache_release_archive.sh @@ -0,0 +1,140 @@ +#!/bin/bash + +set -eo pipefail + +source $(dirname $0)/lib.sh + +req_env_var GOSRC + +RELEASE_ARCHIVE_NAMES="" + +handle_archive() { # Assumed to be called with set +e + TASK_NUMBER=$1 + PR_OR_BRANCH=$2 + CACHE_URL=$3 + ARCHIVE_NAME="$(basename $CACHE_URL)" + req_env_var TASK_NUMBER PR_OR_BRANCH CACHE_URL ARCHIVE_NAME + + cd /tmp + curl -sO "$CACHE_URL" || return $(warn 0 "Couldn't download file, skipping.") + [[ -r "/tmp/$ARCHIVE_NAME" ]] || return $(warn 0 "Unreadable archive '/tmp/$ARCHIVE_NAME', skipping.") + + ZIPCOMMENT=$(unzip -qqz "$ARCHIVE_NAME" 2>/dev/null) # noisy bugger + if [[ "$?" -ne "0" ]] || [[ -z "$ZIPCOMMENT" ]] + then + return $(warn 0 "Could not unzip metadata from downloaded '/tmp/$ARCHIVE_NAME', skipping.") + fi + + RELEASE_INFO=$(echo "$ZIPCOMMENT" | grep -m 1 'X-RELEASE-INFO:' | sed -r -e 's/X-RELEASE-INFO:\s*(.+)/\1/') + if [[ "$?" -ne "0" ]] || [[ -z "$RELEASE_INFO" ]] + then + return $(warn 0 "Metadata empty or invalid: '$ZIPCOMMENT', skipping.") + fi + + # e.g. libpod v1.3.1-166-g60df124e fedora 29 amd64 + # or libpod v1.3.1-166-g60df124e amd64 + FIELDS="RELEASE_BASENAME RELEASE_VERSION RELEASE_DIST RELEASE_DIST_VER RELEASE_ARCH" + read $FIELDS <<< $RELEASE_INFO + for f in $FIELDS + do + [[ -n "${!f}" ]] || return $(warn 0 "Expecting $f to be non-empty in metadata: '$RELEASE_INFO', skipping.") + done + + echo -n "Preparing $RELEASE_BASENAME archive: " + # Drop version number to enable "latest" representation + # (version available w/in zip-file comment) + RELEASE_ARCHIVE_NAME="${RELEASE_BASENAME}-${PR_OR_BRANCH}-${RELEASE_DIST}-${RELEASE_DIST_VER}-${RELEASE_ARCH}.zip" + # Allow uploading all gathered files in parallel, later with gsutil. + mv -v "$ARCHIVE_NAME" "/$RELEASE_ARCHIVE_NAME" + RELEASE_ARCHIVE_NAMES="$RELEASE_ARCHIVE_NAMES $RELEASE_ARCHIVE_NAME" +} + +make_release() { + ARCHIVE_NAME="$1" + req_env_var ARCHIVE_NAME + + # There's no actual testing of windows/darwin targets yet + # but we still want to cross-compile and publish binaries + if [[ "$SPECIALMODE" == "windows" ]] || [[ "$SPECIALMODE" == "darwin" ]] + then + RELFILE="podman-remote-${SPECIALMODE}.zip" + elif [[ "$SPECIALMODE" == "none" ]] + then + RELFILE="podman.zip" + else + die 55 "$(basename $0) unable to handle \$SPECIALMODE=$SPECIALMODE for $ARCHIVE_NAME" + fi + echo "Calling make $RELFILE" + cd $GOSRC + make "$RELFILE" + echo "Renaming archive so it can be identified/downloaded for publishing" + mv -v "$RELFILE" "$ARCHIVE_NAME" + echo "Success!" +} + +[[ "$CI" == "true" ]] || \ + die 56 "$0 requires a Cirrus-CI cross-task cache to function" + +cd $GOSRC +# Same script re-used for both uploading and downloading to avoid duplication +if [[ "$(basename $0)" == "cache_release_archive.sh" ]] +then + # ref: https://cirrus-ci.org/guide/writing-tasks/#environment-variables + req_env_var CI_NODE_INDEX CIRRUS_BUILD_ID + # Use unique names for uncache_release_archives.sh to find/download them all + ARCHIVE_NAME="build-${CIRRUS_BUILD_ID}-task-${CI_NODE_INDEX}.zip" + make_release "$ARCHIVE_NAME" + + # ref: https://cirrus-ci.org/guide/writing-tasks/#http-cache + URL="http://$CIRRUS_HTTP_CACHE_HOST/${ARCHIVE_NAME}" + echo "Uploading $ARCHIVE_NAME to Cirrus-CI cache at $URL" + curl -s -X POST --data-binary "@$ARCHIVE_NAME" "$URL" +elif [[ "$(basename $0)" == "uncache_release_archives.sh" ]] +then + req_env_var CIRRUS_BUILD_ID CI_NODE_TOTAL GCPJSON GCPNAME GCPROJECT + [[ "${CI_NODE_INDEX}" -eq "$[CI_NODE_TOTAL-1]" ]] || \ + die 8 "The release task must be executed last to guarantee archive cache is complete" + + if [[ -n "$CIRRUS_PR" ]] + then + PR_OR_BRANCH="pr$CIRRUS_PR" + BUCKET="libpod-pr-releases" + elif [[ -n "$CIRRUS_BRANCH" ]] + then + PR_OR_BRANCH="$CIRRUS_BRANCH" + BUCKET="libpod-$CIRRUS_BRANCH-releases" + else + die 10 "Expecting either \$CIRRUS_PR or \$CIRRUS_BRANCH to be non-empty." + fi + + echo "Blindly downloading Cirrus-CI cache files for task (some will fail)." + set +e # Don't stop looping until all task's cache is attempted + for (( task_number = 0 ; task_number < $CI_NODE_TOTAL ; task_number++ )) + do + ARCHIVE_NAME="build-${CIRRUS_BUILD_ID}-task-${task_number}.zip" + URL="http://$CIRRUS_HTTP_CACHE_HOST/${ARCHIVE_NAME}" + echo "Attempting to download cached archive from $URL" + handle_archive "$task_number" "$PR_OR_BRANCH" "$URL" + echo "----------------------------------------" + done + set -e + + [[ -n "$RELEASE_ARCHIVE_NAMES" ]] || \ + die 67 "Error: No release archives found in CI cache, expecting at least one." + + echo "Preparing to upload release archives." + gcloud config set project "$GCPROJECT" + echo "$GCPJSON" > /tmp/gcp.json + gcloud auth activate-service-account --key-file=/tmp/gcp.json + rm /tmp/gcp.json + # handle_archive() placed all uploadable files under / + gsutil -m cp /*.zip "gs://$BUCKET" # Upload in parallel + echo "Successfully uploaded archives:" + for ARCHIVE_NAME in $RELEASE_ARCHIVE_NAMES + do + echo " https://storage.cloud.google.com/$BUCKET/$ARCHIVE_NAME" + done + echo "These will remain available until automatic pruning by bucket policy." +else + die 9 "I don't know what to do when called $0" +fi diff --git a/contrib/cirrus/check_image.sh b/contrib/cirrus/check_image.sh new file mode 100755 index 000000000..22ed1ddc4 --- /dev/null +++ b/contrib/cirrus/check_image.sh @@ -0,0 +1,53 @@ +#!/bin/bash + +set -eo pipefail + +source $(dirname $0)/lib.sh + +NFAILS=0 +echo "Validating VM image" + +MIN_SLASH_GIGS=50 +read SLASH_DEVICE SLASH_FSTYPE SLASH_SIZE JUNK <<<$(findmnt --df --first-only --noheadings / | cut -d '.' -f 1) +SLASH_SIZE_GIGS=$(echo "$SLASH_SIZE" | sed -r -e 's/G|g//') +item_test "Minimum available disk space" $SLASH_SIZE_GIGS -gt $MIN_SLASH_GIGS || let "NFAILS+=1" + +MIN_MEM_MB=2000 +read JUNK TOTAL USED MEM_FREE JUNK <<<$(free -tm | tail -1) +item_test 'Minimum available memory' $MEM_FREE -ge $MIN_MEM_MB || let "NFAILS+=1" + +# We're testing a custom-built podman; make sure there isn't a distro-provided +# binary anywhere; that could potentially taint our results. +item_test "remove_packaged_podman_files() did it's job" -z "$(type -P podman)" || let "NFAILS+=1" + +MIN_ZIP_VER='3.0' +VER_RE='.+([[:digit:]]+\.[[:digit:]]+).+' +ACTUAL_VER=$(zip --version 2>&1 | egrep -m 1 "Zip$VER_RE" | sed -r -e "s/$VER_RE/\\1/") +item_test "minimum zip version" "$MIN_ZIP_VER" = $(echo -e "$MIN_ZIP_VER\n$ACTUAL_VER" | sort -V | head -1) || let "NFAILS+=1" + +for REQ_UNIT in google-accounts-daemon.service \ + google-clock-skew-daemon.service \ + google-instance-setup.service \ + google-network-daemon.service \ + google-shutdown-scripts.service \ + google-startup-scripts.service +do + item_test "required $REQ_UNIT enabled" \ + "$(systemctl list-unit-files --no-legend $REQ_UNIT)" = "$REQ_UNIT enabled" || let "NFAILS+=1" +done + +for evil_unit in $EVIL_UNITS +do + # Exits zero if any unit matching pattern is running + unit_status=$(systemctl is-active $evil_unit &> /dev/null; echo $?) + item_test "No $evil_unit unit is present or active:" "$unit_status" -ne "0" || let "NFAILS+=1" +done + +if [[ "$OS_RELEASE_ID" == "ubuntu" ]] && [[ -x "/usr/lib/cri-o-runc/sbin/runc" ]] +then + SAMESAME=$(diff --brief /usr/lib/cri-o-runc/sbin/runc /usr/bin/runc &> /dev/null; echo $?) + item_test "On ubuntu /usr/bin/runc is /usr/lib/cri-o-runc/sbin/runc" "$SAMESAME" -eq "0" || let "NFAILS+=1" +fi + +echo "Total failed tests: $NFAILS" +exit $NFAILS diff --git a/contrib/cirrus/container_test.sh b/contrib/cirrus/container_test.sh index 1fd9551db..27baf0ad7 100644 --- a/contrib/cirrus/container_test.sh +++ b/contrib/cirrus/container_test.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -xeuo pipefail +set -xeo pipefail export GOPATH=/var/tmp/go export PATH=$HOME/gopath/bin:$PATH:$GOPATH/bin @@ -32,10 +32,10 @@ integrationtest=0 unittest=0 validate=0 options=0 -noremote=0 +remote=0 install_tools_made=0 -while getopts "biptuv" opt; do +while getopts "bituv" opt; do case "$opt" in b) build=1 options=1 @@ -46,9 +46,6 @@ while getopts "biptuv" opt; do t) integrationtest=1 options=1 ;; - n) noremote=1 - options=1 - ;; u) unittest=1 options=1 ;; @@ -58,6 +55,12 @@ while getopts "biptuv" opt; do esac done +# The TEST_REMOTE_CLIENT environment variable decides whether +# to test varlinke +if [[ "$TEST_REMOTE_CLIENT" == "true" ]]; then + remote=1 +fi + # If no options are passed, do everything if [ $options -eq 0 ]; then build=1 @@ -130,8 +133,8 @@ fi if [ $integrationtest -eq 1 ]; then make TAGS="${TAGS}" test-binaries make varlink_generate - make ginkgo $INTEGRATION_TEST_ENVS - if [ $noremote -eq 0 ]; then - make ginkgo-remote $INTEGRATION_TEST_ENVS + make localintegration $INTEGRATION_TEST_ENVS + if [ $remote -eq 1 ]; then + make remoteintegration $INTEGRATION_TEST_ENVS fi fi diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh index e7f582b42..cfaf33b85 100755 --- a/contrib/cirrus/integration_test.sh +++ b/contrib/cirrus/integration_test.sh @@ -1,48 +1,56 @@ #!/bin/bash set -e + source $(dirname $0)/lib.sh req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME -cd "$GOSRC" - -if [[ "$SPECIALMODE" == "in_podman" ]] -then - ${CONTAINER_RUNTIME} run --rm --privileged --net=host \ - -v $GOSRC:$GOSRC:Z \ - --workdir $GOSRC \ - -e "CGROUP_MANAGER=cgroupfs" \ - -e "STORAGE_OPTIONS=--storage-driver=vfs" \ - -e "CRIO_ROOT=$GOSRC" \ - -e "PODMAN_BINARY=/usr/bin/podman" \ - -e "CONMON_BINARY=/usr/libexec/podman/conmon" \ - -e "DIST=$OS_RELEASE_ID" \ - -e "CONTAINER_RUNTIME=$CONTAINER_RUNTIME" \ - ${OS_RELEASE_ID}podmanbuild bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t -n +# Our name must be of the form xxxx_test or xxxx_test.sh, where xxxx is +# the test suite to run; currently (2019-05) the only option is 'integration' +# but pr2947 intends to add 'system'. +TESTSUITE=$(expr $(basename $0) : '\(.*\)_test') +if [[ -z $TESTSUITE ]]; then + die 1 "Script name is not of the form xxxx_test.sh" +fi - exit $? -elif [[ "$SPECIALMODE" == "rootless" ]] -then - req_env_var ROOTLESS_USER +cd "$GOSRC" - if [[ "$USER" == "$ROOTLESS_USER" ]] - then - $GOSRC/$SCRIPT_BASE/rootless_test.sh - else +case "$SPECIALMODE" in + in_podman) + ${CONTAINER_RUNTIME} run --rm --privileged --net=host \ + -v $GOSRC:$GOSRC:Z \ + --workdir $GOSRC \ + -e "CGROUP_MANAGER=cgroupfs" \ + -e "STORAGE_OPTIONS=--storage-driver=vfs" \ + -e "CRIO_ROOT=$GOSRC" \ + -e "PODMAN_BINARY=/usr/bin/podman" \ + -e "CONMON_BINARY=/usr/libexec/podman/conmon" \ + -e "DIST=$OS_RELEASE_ID" \ + -e "CONTAINER_RUNTIME=$CONTAINER_RUNTIME" \ + $IN_PODMAN_IMAGE bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t + ;; + rootless) + req_env_var ROOTLESS_USER ssh $ROOTLESS_USER@localhost \ - -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no \ - $GOSRC/$SCRIPT_BASE/rootless_test.sh - fi -else - make - make install PREFIX=/usr ETCDIR=/etc - make test-binaries - if [[ "$TEST_REMOTE_CLIENT" == "true" ]] - then - make remoteintegration - else - make localintegration - fi - exit $? -fi + -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \ + -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} + ;; + none) + make + make install PREFIX=/usr ETCDIR=/etc + make test-binaries + if [[ "$TEST_REMOTE_CLIENT" == "true" ]] + then + make remote${TESTSUITE} + else + make local${TESTSUITE} + fi + ;; + windows) ;& # for podman-remote building only + darwin) + warn '' "No $SPECIALMODE remote client integration tests configured" + ;; + *) + die 110 "Unsupported \$SPECIAL_MODE: $SPECIALMODE" +esac diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index 334202aa9..737ca3c01 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -18,9 +18,8 @@ if type -P go &> /dev/null then # required for go 1.12+ export GOCACHE="${GOCACHE:-$HOME/.cache/go-build}" - eval "$(go env)" - # required by make and other tools - export $(go env | cut -d '=' -f 1) + # called processes like `make` and other tools need these vars. + eval "export $(go env)" # Ensure compiled tooling is reachable export PATH="$PATH:$GOPATH/bin" @@ -46,6 +45,7 @@ fi # Defaults when not running under CI export CI="${CI:-false}" CIRRUS_CI="${CIRRUS_CI:-false}" +DEST_BRANCH="${DEST_BRANCH:-master}" CONTINUOUS_INTEGRATION="${CONTINUOUS_INTEGRATION:-false}" CIRRUS_REPO_NAME=${CIRRUS_REPO_NAME:-libpod} CIRRUS_BASE_SHA=${CIRRUS_BASE_SHA:-unknown$(date +%s)} # difficult to reliably discover @@ -55,21 +55,32 @@ PACKER_VER="1.3.5" # CSV of cache-image names to build (see $PACKER_BASE/libpod_images.json) # Base-images rarely change, define them here so they're out of the way. -PACKER_BUILDS="${PACKER_BUILDS:-ubuntu-18,fedora-29,fedora-28}" +export PACKER_BUILDS="${PACKER_BUILDS:-ubuntu-18,fedora-30,fedora-29}" # Google-maintained base-image names -UBUNTU_BASE_IMAGE="ubuntu-1804-bionic-v20181203a" +export UBUNTU_BASE_IMAGE="ubuntu-1804-bionic-v20181203a" # Manually produced base-image names (see $SCRIPT_BASE/README.md) -FEDORA_BASE_IMAGE="fedora-cloud-base-29-1-2-1541789245" -# FEDORA_BASE_IMAGE: "fedora-cloud-base-30-1-2-1556821664" -PRIOR_FEDORA_BASE_IMAGE="fedora-cloud-base-28-1-1-1544474897" -# PRIOR_FEDORA_BASE_IMAGE="fedora-cloud-base-29-1-2-1541789245" -BUILT_IMAGE_SUFFIX="${BUILT_IMAGE_SUFFIX:--$CIRRUS_REPO_NAME-${CIRRUS_BUILD_ID}}" +export FEDORA_BASE_IMAGE="fedora-cloud-base-30-1-2-1559164849" +export PRIOR_FEDORA_BASE_IMAGE="fedora-cloud-base-29-1-2-1559164849" +export BUILT_IMAGE_SUFFIX="${BUILT_IMAGE_SUFFIX:--$CIRRUS_REPO_NAME-${CIRRUS_BUILD_ID}}" +# IN_PODMAN container image +IN_PODMAN_IMAGE="quay.io/libpod/in_podman:latest" + +# Avoid getting stuck waiting for user input +export DEBIAN_FRONTEND="noninteractive" +SUDOAPTGET="ooe.sh sudo -E apt-get -qq --yes" +SUDOAPTADD="ooe.sh sudo -E add-apt-repository --yes" +# Short-cuts for retrying/timeout calls +LILTO="timeout_attempt_delay_command 24s 5 30s" +BIGTO="timeout_attempt_delay_command 300s 5 30s" # Safe env. vars. to transfer from root -> $ROOTLESS_USER (go env handled separetly) -ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.*FILEPATH)|(SOURCE.*)|(DEPEND.*)|(.+_DEPS_.+)|(OS_REL.*)|(.+_ENV_RE)|(TRAVIS)|(CI.+)' +ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.*FILEPATH)|(SOURCE.*)|(DEPEND.*)|(.+_DEPS_.+)|(OS_REL.*)|(.+_ENV_RE)|(TRAVIS)|(CI.+)|(TEST_REMOTE.*)' # Unsafe env. vars for display SECRET_ENV_RE='(IRCID)|(ACCOUNT)|(^GC[EP]..+)|(SSH)' +# Names of systemd units which should never be running +EVIL_UNITS="cron crond atd apt-daily-upgrade apt-daily fstrim motd-news systemd-tmpfiles-clean" + SPECIALMODE="${SPECIALMODE:-none}" TEST_REMOTE_CLIENT="${TEST_REMOTE_CLIENT:-false}" export CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-podman} @@ -114,6 +125,30 @@ req_env_var() { done } +item_test() { + ITEM="$1" + shift + TEST_ARGS="$@" + req_env_var ITEM TEST_ARGS + + if ERR=$(test "$@" 2>&1) + then + echo "ok $ITEM" + return 0 + else + RET=$? + echo -n "not ok $ITEM: $TEST_ARGS" + if [[ -z "$ERR" ]] + then + echo "" + else # test command itself failed + echo -n ":" # space follows :'s in $ERR + echo "$ERR" | cut -d : -f 4- # omit filename, line number, and command + fi + return $RET + fi +} + show_env_vars() { echo "Showing selection of environment variable definitions:" _ENV_VAR_NAMES=$(awk 'BEGIN{for(v in ENVIRON) print v}' | \ @@ -124,9 +159,6 @@ show_env_vars() { # Supports older BASH versions printf " ${_env_var_name}=%q\n" "$(printenv $_env_var_name)" done - echo "" - echo "##### $(go version) #####" - echo "" } die() { @@ -136,6 +168,11 @@ die() { exit ${1:-1} } +warn() { + echo ">>>>> ${2:-WARNING (but no message given!) in ${FUNCNAME[1]}()}" > /dev/stderr + echo ${1:-1} > /dev/stdout +} + bad_os_id_ver() { echo "Unknown/Unsupported distro. $OS_RELEASE_ID and/or version $OS_RELEASE_VER for $(basename $0)" exit 42 @@ -145,6 +182,35 @@ stub() { echo "STUB: Pretending to do $1" } +timeout_attempt_delay_command() { + TIMEOUT=$1 + ATTEMPTS=$2 + DELAY=$3 + shift 3 + STDOUTERR=$(mktemp -p '' $(basename $0)_XXXXX) + req_env_var ATTEMPTS DELAY + echo "Retrying $ATTEMPTS times with a $DELAY delay, and $TIMEOUT timeout for command: $@" + for (( COUNT=1 ; COUNT <= $ATTEMPTS ; COUNT++ )) + do + echo "##### (attempt #$COUNT)" &>> "$STDOUTERR" + if timeout --foreground $TIMEOUT "$@" &>> "$STDOUTERR" + then + echo "##### (success after #$COUNT attempts)" &>> "$STDOUTERR" + break + else + echo "##### (failed with exit: $?)" &>> "$STDOUTERR" + sleep $DELAY + fi + done + cat "$STDOUTERR" + rm -f "$STDOUTERR" + if (( COUNT > $ATTEMPTS )) + then + echo "##### (exceeded $ATTEMPTS attempts)" + exit 125 + fi +} + ircmsg() { req_env_var CIRRUS_TASK_ID IRCID [[ -n "$*" ]] || die 9 "ircmsg() invoked without message text argument" @@ -159,7 +225,7 @@ ircmsg() { } setup_rootless() { - req_env_var ROOTLESS_USER GOSRC + req_env_var ROOTLESS_USER GOSRC SECRET_ENV_RE ROOTLESS_ENV_RE # Only do this once if passwd --status $ROOTLESS_USER @@ -208,13 +274,32 @@ setup_rootless() { # Works with older versions of bash printf "${_env_var_name}=%q\n" "$(printenv $_env_var_name)" >> "/home/$ROOTLESS_USER/.bashrc" done + + echo "Ensure the systems ssh process is up and running within 5 minutes" + systemctl start sshd + NOW=$(date +%s) + TIMEOUT=$(date --date '+5 minutes' +%s) + while [[ "$(date +%s)" -lt "$TIMEOUT" ]] + do + if timeout --foreground -k 1s 1s \ + ssh $ROOTLESS_USER@localhost \ + -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no \ + true + then + break + else + sleep 2s + fi + done + [[ "$(date +%s)" -lt "$TIMEOUT" ]] || \ + die 11 "Timeout exceeded waiting for localhost ssh capability" } # Helper/wrapper script to only show stderr/stdout on non-zero exit install_ooe() { req_env_var SCRIPT_BASE echo "Installing script to mask stdout/stderr unless non-zero exit." - sudo install -D -m 755 "/tmp/libpod/$SCRIPT_BASE/ooe.sh" /usr/local/bin/ooe.sh + sudo install -D -m 755 "$GOSRC/$SCRIPT_BASE/ooe.sh" /usr/local/bin/ooe.sh } # Grab a newer version of git from software collections @@ -231,110 +316,58 @@ EOF sudo chmod 755 /usr/bin/git } -install_cni_plugins() { - echo "Installing CNI Plugins from commit $CNI_COMMIT" - req_env_var GOPATH CNI_COMMIT - DEST="$GOPATH/src/github.com/containernetworking/plugins" - rm -rf "$DEST" - ooe.sh git clone "https://github.com/containernetworking/plugins.git" "$DEST" - cd "$DEST" - ooe.sh git checkout -q "$CNI_COMMIT" - ooe.sh ./build.sh - sudo mkdir -p /usr/libexec/cni - sudo cp bin/* /usr/libexec/cni +install_test_configs(){ + echo "Installing cni config, policy and registry config" + req_env_var GOSRC + sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \ + /etc/cni/net.d/87-podman-bridge.conflist + sudo install -D -m 755 $GOSRC/test/policy.json \ + /etc/containers/policy.json + sudo install -D -m 755 $GOSRC/test/registries.conf \ + /etc/containers/registries.conf } -install_runc_from_git(){ - req_env_var GOPATH OS_RELEASE_ID RUNC_COMMIT - wd=$(pwd) - DEST="$GOPATH/src/github.com/opencontainers/runc" - rm -rf "$DEST" - ooe.sh git clone https://github.com/opencontainers/runc.git "$DEST" - cd "$DEST" - ooe.sh git fetch origin --tags - ooe.sh git checkout -q "$RUNC_COMMIT" - if [[ "${OS_RELEASE_ID}" == "ubuntu" ]] +# Remove all files (except conmon, for now) provided by the distro version of podman. +# Except conmon, for now as it's expected to eventually be packaged separately. +# All VM cache-images used for testing include the distro podman because (1) it's +# required for podman-in-podman testing and (2) it somewhat simplifies the task +# of pulling in necessary prerequisites packages as the set can change over time. +# For general CI testing however, calling this function makes sure the system +# can only run the compiled source version. +remove_packaged_podman_files(){ + echo "Removing packaged podman files to prevent conflicts with source build and testing." + req_env_var OS_RELEASE_ID + if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]] then - ooe.sh make static BUILDTAGS="seccomp apparmor" + LISTING_CMD="sudo -E dpkg-query -L podman" else - ooe.sh make BUILDTAGS="seccomp selinux" + LISTING_CMD='sudo rpm -ql podman' fi - sudo install -m 755 runc /usr/bin/runc - cd $wd -} -install_runc(){ - echo "Installing RunC from commit $RUNC_COMMIT" - echo "Platform is $OS_RELEASE_ID" - req_env_var GOPATH RUNC_COMMIT OS_RELEASE_ID - if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]; then - echo "Running make install.libseccomp.sudo for ubuntu" - if ! [[ -d "/tmp/libpod" ]] - then - echo "Expecting a copy of libpod repository in /tmp/libpod" - exit 5 - fi - mkdir -p "$GOPATH/src/github.com/containers/" - # Symlinks don't work with Go - cp -a /tmp/libpod "$GOPATH/src/github.com/containers/" - cd "$GOPATH/src/github.com/containers/libpod" - ooe.sh sudo make install.libseccomp.sudo - fi - install_runc_from_git -} - -install_buildah() { - echo "Installing buildah from latest upstream master" - req_env_var GOPATH - DEST="$GOPATH/src/github.com/containers/buildah" - rm -rf "$DEST" - ooe.sh git clone https://github.com/containers/buildah "$DEST" - cd "$DEST" - ooe.sh make - ooe.sh sudo make install -} - -# Requires $GOPATH and $CONMON_COMMIT to be set -install_conmon(){ - echo "Installing conmon from commit $CONMON_COMMIT" - req_env_var GOPATH CONMON_COMMIT - DEST="$GOPATH/src/github.com/containers/conmon.git" - rm -rf "$DEST" - ooe.sh git clone https://github.com/containers/conmon.git "$DEST" - cd "$DEST" - ooe.sh git fetch origin --tags - ooe.sh git checkout -q "$CONMON_COMMIT" - ooe.sh make - sudo install -D -m 755 bin/conmon /usr/libexec/podman/conmon -} - -install_criu(){ - echo "Installing CRIU" - echo "Installing CRIU from commit $CRIU_COMMIT" - echo "Platform is $OS_RELEASE_ID" - req_env_var CRIU_COMMIT - - if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]; then - ooe.sh sudo -E add-apt-repository -y ppa:criu/ppa - ooe.sh sudo -E apt-get -qq -y update - ooe.sh sudo -E apt-get -qq -y install criu - elif [[ "$OS_RELEASE_ID" =~ "fedora" ]]; then - echo "Using CRIU from distribution" - else - DEST="/tmp/criu" - rm -rf "$DEST" - ooe.sh git clone https://github.com/checkpoint-restore/criu.git "$DEST" - cd $DEST - ooe.sh git fetch origin --tags - ooe.sh git checkout -q "$CRIU_COMMIT" - ooe.sh make - sudo install -D -m 755 criu/criu /usr/sbin/ - fi + # yum/dnf/dpkg may list system directories, only remove files + $LISTING_CMD | while read fullpath + do + # TODO: This can go away when conmon gets it's own package + if [[ -d "$fullpath" ]] || [[ $(basename "$fullpath") == "conmon" ]] ; then continue; fi + ooe.sh sudo rm -vf "$fullpath" + done } -install_varlink() { - echo "Installing varlink from the cheese-factory" - ooe.sh sudo -H pip3 install varlink +systemd_banish(){ + echo "Disabling periodic services that could destabilize testing:" + set +e # Not all of these exist on every platform + for unit in $EVIL_UNITS + do + echo "Banishing $unit (ignoring errors)" + ( + sudo systemctl stop $unit + sudo systemctl disable $unit + sudo systemctl disable $unit.timer + sudo systemctl mask $unit + sudo systemctl mask $unit.timer + ) &> /dev/null + done + set -e } _finalize(){ @@ -342,12 +375,12 @@ _finalize(){ set +e # make errors non-fatal echo "Removing leftover giblets from cloud-init" cd / - sudo rm -rf /var/lib/cloud/instance? + sudo rm -rf /var/lib/cloud/instanc* sudo rm -rf /root/.ssh/* sudo rm -rf /home/* sudo rm -rf /tmp/* sudo rm -rf /tmp/.??* - sync + sudo sync sudo fstrim -av } @@ -370,6 +403,7 @@ rh_finalize(){ ubuntu_finalize(){ set +e # Don't fail at the very end echo "Resetting to fresh-state for usage as cloud-image." + $LILTO $SUDOAPTGET autoremove sudo rm -rf /var/cache/apt _finalize } diff --git a/contrib/cirrus/lib.sh.t b/contrib/cirrus/lib.sh.t index 1f05b3bb5..70246ef41 100755 --- a/contrib/cirrus/lib.sh.t +++ b/contrib/cirrus/lib.sh.t @@ -12,7 +12,7 @@ function check_result { testnum=$(expr $testnum + 1) MSG=$(echo "$1" | tr -d '*>\012'|sed -e 's/^ \+//') if [ "$MSG" = "$2" ]; then - echo "ok $testnum $3 = $MSG" + echo "ok $testnum $(echo $3) = $(echo $MSG)" else echo "not ok $testnum $3" echo "# expected: $2" @@ -84,5 +84,40 @@ BAR=1 test_rev "FOO BAR" 0 '' ############################################################################### +# tests for test_okay() + +function test_item_test { + local exp_msg=$1 + local exp_ret=$2 + local item=$3 + shift 3 + local test_args="$@" + local msg + msg=$(item_test "$item" "$@") + local status=$? + + check_result "$msg" "$exp_msg" "test_item $item $test_args" + check_result "$status" "$exp_ret" "test_item $item $test_args (actual rc $status)" +} + +# negative tests +test_item_test "FATAL: item_test() requires \$ITEM to be non-empty" 9 "" "" +test_item_test "FATAL: item_test() requires \$TEST_ARGS to be non-empty" 9 "foo" "" +test_item_test "not ok foo: -gt 5 ~= bar: too many arguments" 2 "foo" "-gt" "5" "~=" "bar" +test_item_test "not ok bar: a -ge 10: a: integer expression expected" 2 "bar" "a" "-ge" "10" +test_item_test "not ok basic logic: 0 -ne 0" 1 "basic logic" "0" "-ne" "0" + +# positive tests +test_item_test "ok snafu" 0 "snafu" "foo" "!=" "bar" +test_item_test "ok foobar" 0 "foobar" "one two three" "=" "one two three" +test_item_test "ok oh boy" 0 "oh boy" "line 1 +line2" "!=" "line 1 + +line2" +test_item_test "ok okay enough" 0 "okay enough" "line 1 +line2" "=" "line 1 +line2" + +############################################################################### exit $rc diff --git a/contrib/cirrus/logcollector.sh b/contrib/cirrus/logcollector.sh new file mode 100755 index 000000000..425a619b0 --- /dev/null +++ b/contrib/cirrus/logcollector.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +set -e + +source $(dirname $0)/lib.sh + +req_env_var CIRRUS_WORKING_DIR OS_RELEASE_ID + +# Assume there are other log collection commands to follow - Don't +# let one break another that may be useful, but also keep any +# actual script-problems fatal so they are noticed right away. +showrun() { + echo '+ '$(printf " %q" "$@") + set +e + echo '------------------------------------------------------------' + "$@" + local status=$? + [[ $status -eq 0 ]] || \ + echo "[ rc = $status -- proceeding anyway ]" + echo '------------------------------------------------------------' + set -e +} + +case $1 in + audit) + case $OS_RELEASE_ID in + ubuntu) showrun cat /var/log/kern.log ;; + fedora) showrun cat /var/log/audit/audit.log ;; + *) bad_os_id_ver ;; + esac + ;; + df) showrun df -lhTx tmpfs ;; + ginkgo) showrun cat $CIRRUS_WORKING_DIR/test/e2e/ginkgo-node-*.log ;; + journal) showrun journalctl -b ;; + *) die 1 "Warning, $(basename $0) doesn't know how to handle the parameter '$1'" +esac diff --git a/contrib/cirrus/notice_master_failure.sh b/contrib/cirrus/notice_branch_failure.sh index 1fc15cdf9..f030c12e5 100755 --- a/contrib/cirrus/notice_master_failure.sh +++ b/contrib/cirrus/notice_branch_failure.sh @@ -9,10 +9,10 @@ ETX="$(echo -n -e '\x03')" RED="${ETX}4" NOR="$(echo -n -e '\x0f')" -if [[ "$CIRRUS_BRANCH" =~ "master" ]] +if [[ "$CIRRUS_BRANCH" = "$DEST_BRANCH" ]] then BURL="https://cirrus-ci.com/build/$CIRRUS_BUILD_ID" - ircmsg "${RED}[Action Recommended]: ${NOR}Post-merge testing ${RED}$CIRRUS_BRANCH failed${NOR} in $CIRRUS_TASK_NAME on $(OS_RELEASE_ID)-$(OS_RELEASE_VER): $BURL. Please investigate, and re-run if appropriate." + ircmsg "${RED}[Action Recommended]: ${NOR}Post-merge testing on ${RED}$CIRRUS_BRANCH failed${NOR} in $CIRRUS_TASK_NAME on ${OS_RELEASE_ID}-${OS_RELEASE_VER}: $BURL. Please investigate, and re-run if appropriate." fi # This script assumed to be executed on failure diff --git a/contrib/cirrus/packer/cloud-init/fedora/cloud-init.service b/contrib/cirrus/packer/cloud-init/fedora/cloud-init.service new file mode 100644 index 000000000..4d2197d87 --- /dev/null +++ b/contrib/cirrus/packer/cloud-init/fedora/cloud-init.service @@ -0,0 +1,20 @@ +[Unit] +Description=Initial cloud-init job (metadata service crawler) +DefaultDependencies=no +Wants=cloud-init-local.service +After=cloud-init-local.service +Wants=google-network-daemon.service +After=google-network-daemon.service +Before=systemd-user-sessions.service + +[Service] +Type=oneshot +ExecStart=/usr/bin/cloud-init init +RemainAfterExit=yes +TimeoutSec=0 + +# Output needs to appear in instance console output +StandardOutput=journal+console + +[Install] +WantedBy=cloud-init.target diff --git a/contrib/cirrus/packer/fedora_base-setup.sh b/contrib/cirrus/packer/fedora_base-setup.sh index 2e6d3eceb..788a54c34 100644 --- a/contrib/cirrus/packer/fedora_base-setup.sh +++ b/contrib/cirrus/packer/fedora_base-setup.sh @@ -16,11 +16,20 @@ echo "Updating packages" ooe.sh dnf -y update echo "Installing necessary packages and google services" -ooe.sh dnf -y install rng-tools google-compute-engine-tools google-compute-engine-oslogin +ooe.sh dnf -y install rng-tools google-compute-engine-tools google-compute-engine-oslogin ethtool echo "Enabling services" ooe.sh systemctl enable rngd +# There is a race that can happen on boot between the GCE services configuring +# the VM, and cloud-init trying to do similar activities. Use a customized +# unit file to make sure cloud-init starts after the google-compute-* services. +echo "Setting cloud-init service to start after google-network-daemon.service" +cp -v $GOSRC/$PACKER_BASE/cloud-init/fedora/cloud-init.service /etc/systemd/system/ + +# Ensure there are no disruptive periodic services enabled by default in image +systemd_banish + rh_finalize echo "SUCCESS!" diff --git a/contrib/cirrus/packer/fedora_setup.sh b/contrib/cirrus/packer/fedora_setup.sh index 33e240895..1e25a1a3c 100644 --- a/contrib/cirrus/packer/fedora_setup.sh +++ b/contrib/cirrus/packer/fedora_setup.sh @@ -8,7 +8,7 @@ set -e # Load in library (copied by packer, before this script was run) source /tmp/libpod/$SCRIPT_BASE/lib.sh -req_env_var SCRIPT_BASE FEDORA_CNI_COMMIT CNI_COMMIT CONMON_COMMIT CRIU_COMMIT +req_env_var SCRIPT_BASE install_ooe @@ -17,11 +17,16 @@ trap "sudo rm -rf $GOPATH" EXIT ooe.sh sudo dnf update -y +echo "Installing general build/test dependencies" ooe.sh sudo dnf install -y \ atomic-registries \ bats \ + bridge-utils \ btrfs-progs-devel \ bzip2 \ + container-selinux \ + containernetworking-plugins \ + containers-common \ criu \ device-mapper-devel \ emacs-nox \ @@ -32,22 +37,24 @@ ooe.sh sudo dnf install -y \ gnupg \ golang \ golang-github-cpuguy83-go-md2man \ - golang-github-cpuguy83-go-md2man \ gpgme-devel \ - iptables \ iproute \ + iptables \ jq \ libassuan-devel \ libcap-devel \ libnet \ libnet-devel \ libnl3-devel \ + libseccomp \ libseccomp-devel \ libselinux-devel \ lsof \ make \ nmap-ncat \ + ostree \ ostree-devel \ + podman \ procps-ng \ protobuf \ protobuf-c \ @@ -61,7 +68,7 @@ ooe.sh sudo dnf install -y \ python3-psutil \ python3-pytoml \ runc \ - skopeo-containers \ + selinux-policy-devel \ slirp4netns \ unzip \ vim \ @@ -69,17 +76,11 @@ ooe.sh sudo dnf install -y \ xz \ zip -install_varlink - -install_conmon - -CNI_COMMIT=$FEDORA_CNI_COMMIT -install_cni_plugins - -install_buildah +# Ensure there are no disruptive periodic services enabled by default in image +systemd_banish sudo /tmp/libpod/hack/install_catatonit.sh -rh_finalize # N/B: Halts system! +rh_finalize echo "SUCCESS!" diff --git a/contrib/cirrus/packer/libpod_base_images.yml b/contrib/cirrus/packer/libpod_base_images.yml index 560cb321c..e519d2fba 100644 --- a/contrib/cirrus/packer/libpod_base_images.yml +++ b/contrib/cirrus/packer/libpod_base_images.yml @@ -78,7 +78,7 @@ builders: ssh_username: 'root' - <<: *nested_virt - name: 'prior-fedora' + name: 'prior_fedora' iso_url: '{{user `PRIOR_FEDORA_IMAGE_URL`}}' iso_checksum_url: '{{user `PRIOR_FEDORA_CSUM_URL`}}' @@ -121,7 +121,7 @@ provisioners: post-processors: - - type: "compress" - only: ['fedora', 'prior-fedora'] + only: ['fedora', 'prior_fedora'] output: '/tmp/{{build_name}}/disk.raw.tar.gz' format: '.tar.gz' compression_level: 9 @@ -136,7 +136,7 @@ post-processors: image_description: 'Based on {{user `FEDORA_IMAGE_URL`}}' image_family: '{{user `FEDORA_BASE_IMAGE_NAME`}}' - <<: *gcp_import - only: ['prior-fedora'] + only: ['prior_fedora'] image_name: "{{user `PRIOR_FEDORA_BASE_IMAGE_NAME`}}-{{user `TIMESTAMP`}}" image_description: 'Based on {{user `PRIOR_FEDORA_IMAGE_URL`}}' image_family: '{{user `PRIOR_FEDORA_BASE_IMAGE_NAME`}}' diff --git a/contrib/cirrus/packer/libpod_images.yml b/contrib/cirrus/packer/libpod_images.yml index 34d4db7fb..91ed3b474 100644 --- a/contrib/cirrus/packer/libpod_images.yml +++ b/contrib/cirrus/packer/libpod_images.yml @@ -7,13 +7,6 @@ variables: FEDORA_BASE_IMAGE: '{{env `FEDORA_BASE_IMAGE`}}' PRIOR_FEDORA_BASE_IMAGE: '{{env `PRIOR_FEDORA_BASE_IMAGE`}}' - # libpod dependencies to build and install into images - FEDORA_CNI_COMMIT: "{{env `FEDORA_CNI_COMMIT`}}" - CNI_COMMIT: "{{env `CNI_COMMIT`}}" - CONMON_COMMIT: "{{env `CONMON_COMMIT`}}" - CRIU_COMMIT: "{{env `CRIU_COMMIT`}}" - RUNC_COMMIT: "{{env `RUNC_COMMIT`}}" - BUILT_IMAGE_SUFFIX: '{{env `BUILT_IMAGE_SUFFIX`}}' GOSRC: '{{env `GOSRC`}}' PACKER_BASE: '{{env `PACKER_BASE`}}' @@ -25,10 +18,6 @@ variables: SERVICE_ACCOUNT: '{{env `SERVICE_ACCOUNT`}}' GOOGLE_APPLICATION_CREDENTIALS: '{{env `GOOGLE_APPLICATION_CREDENTIALS`}}' - # Used to separate images produced during PR testing from those - # produced from post-merge testing. Must be empty for PR testing. - POST_MERGE_BUCKET_SUFFIX: '' - # Don't leak sensitive values in error messages / output sensitive-variables: - 'GCE_SSH_USERNAME' @@ -55,11 +44,11 @@ builders: # v----- is a YAML alias, allows partial re-use of the anchor object - <<: *gce_hosted_image - name: 'fedora-29' + name: 'fedora-30' source_image: '{{user `FEDORA_BASE_IMAGE`}}' - <<: *gce_hosted_image - name: 'fedora-28' + name: 'fedora-29' source_image: '{{user `PRIOR_FEDORA_BASE_IMAGE`}}' # The brains of the operation, making actual modifications to the base-image. @@ -72,12 +61,7 @@ provisioners: script: '{{user `GOSRC`}}/{{user `PACKER_BASE`}}/{{split build_name "-" 0}}_setup.sh' environment_vars: - 'GOSRC=/tmp/libpod' - - 'CNI_COMMIT={{user `CNI_COMMIT`}}' - - 'FEDORA_CNI_COMMIT={{user `FEDORA_CNI_COMMIT`}}' - - 'CONMON_COMMIT={{user `CONMON_COMMIT`}}' - - 'CRIU_COMMIT={{user `CRIU_COMMIT`}}' - - 'RUNC_COMMIT={{user `RUNC_COMMIT`}}' - 'SCRIPT_BASE={{user `SCRIPT_BASE`}}' post-processors: - - - type: 'manifest' # writes packer-manifest.json + - type: 'manifest' # writes packer-manifest.json diff --git a/contrib/cirrus/packer/ubuntu_setup.sh b/contrib/cirrus/packer/ubuntu_setup.sh index 17e274d97..dba191ad2 100644 --- a/contrib/cirrus/packer/ubuntu_setup.sh +++ b/contrib/cirrus/packer/ubuntu_setup.sh @@ -6,31 +6,28 @@ set -e # Load in library (copied by packer, before this script was run) -source /tmp/libpod/$SCRIPT_BASE/lib.sh +source $GOSRC/$SCRIPT_BASE/lib.sh -req_env_var SCRIPT_BASE CNI_COMMIT CONMON_COMMIT CRIU_COMMIT +req_env_var SCRIPT_BASE install_ooe export GOPATH="$(mktemp -d)" trap "sudo rm -rf $GOPATH" EXIT -# Avoid getting stuck waiting for user input -export DEBIAN_FRONTEND=noninteractive +echo "Updating/configuring package repositories." +$LILTO $SUDOAPTGET update +$LILTO $SUDOAPTGET install software-properties-common +$LILTO $SUDOAPTADD ppa:longsleep/golang-backports +$LILTO $SUDOAPTADD ppa:projectatomic/ppa +$LILTO $SUDOAPTADD ppa:criu/ppa -# Try twice as workaround for minor networking problems -echo "Updating system and installing package dependencies" -ooe.sh sudo -E apt-get -qq update || sudo -E apt-get -qq update -ooe.sh sudo -E apt-get -qq upgrade || sudo -E apt-get -qq upgrade -ooe.sh sudo -E apt-get -qq install software-properties-common +echo "Upgrading all packages" +$LILTO $SUDOAPTGET update +$BIGTO $SUDOAPTGET upgrade -# Required to have Go 1.11 on Ubuntu 18.0.4 -ooe.sh sudo -E add-apt-repository --yes ppa:longsleep/golang-backports -ooe.sh sudo -E add-apt-repository --yes ppa:projectatomic/ppa -ooe.sh sudo -E add-apt-repository --yes ppa:criu/ppa -ooe.sh sudo -E apt-get -qq update || sudo -E apt-get -qq update - -ooe.sh sudo -E apt-get -qq install \ +echo "Installing general testing and system dependencies" +$BIGTO $SUDOAPTGET install \ apparmor \ autoconf \ automake \ @@ -38,6 +35,8 @@ ooe.sh sudo -E apt-get -qq install \ bison \ btrfs-tools \ build-essential \ + containernetworking-plugins \ + containers-common \ cri-o-runc \ criu \ curl \ @@ -73,6 +72,7 @@ ooe.sh sudo -E apt-get -qq install \ lsof \ netcat \ pkg-config \ + podman \ protobuf-c-compiler \ protobuf-compiler \ python-future \ @@ -83,31 +83,25 @@ ooe.sh sudo -E apt-get -qq install \ python3-psutil \ python3-pytoml \ python3-setuptools \ + slirp4netns \ + skopeo \ socat \ unzip \ vim \ xz-utils \ zip -echo "Fixing Ubuntu kernel not enabling swap accounting by default" +echo "Forced Ubuntu 18 kernel to enable cgroup swap accounting." SEDCMD='s/^GRUB_CMDLINE_LINUX="(.*)"/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1"/g' ooe.sh sudo sed -re "$SEDCMD" -i /etc/default/grub.d/* ooe.sh sudo sed -re "$SEDCMD" -i /etc/default/grub ooe.sh sudo update-grub -install_conmon - -install_cni_plugins - -install_buildah - sudo /tmp/libpod/hack/install_catatonit.sh +ooe.sh sudo make -C /tmp/libpod install.libseccomp.sudo -install_varlink - -sudo mkdir -p /etc/containers -sudo curl https://raw.githubusercontent.com/projectatomic/registries/master/registries.fedora\ - -o /etc/containers/registries.conf +# Ensure there are no disruptive periodic services enabled by default in image +systemd_banish ubuntu_finalize diff --git a/contrib/cirrus/rootless_test.sh b/contrib/cirrus/rootless_test.sh index 3b668034b..3f45aac84 100755 --- a/contrib/cirrus/rootless_test.sh +++ b/contrib/cirrus/rootless_test.sh @@ -2,6 +2,14 @@ set -e +remote=0 + +# The TEST_REMOTE_CLIENT environment variable decides whether +# to test varlink +if [[ "$TEST_REMOTE_CLIENT" == "true" ]]; then + remote=1 +fi + source $(dirname $0)/lib.sh if [[ "$UID" == "0" ]] @@ -10,6 +18,12 @@ then exit 1 fi +# Which set of tests to run; possible alternative is "system" +TESTSUITE=integration +if [[ -n "$*" ]]; then + TESTSUITE="$1" +fi + # Ensure environment setup correctly req_env_var GOSRC ROOTLESS_USER @@ -25,5 +39,8 @@ cd "$GOSRC" make make varlink_generate make test-binaries -make ginkgo -make ginkgo-remote +if [ $remote -eq 0 ]; then + make local${TESTSUITE} +else + make remote${TESTSUITE} +fi diff --git a/contrib/cirrus/setup_container_environment.sh b/contrib/cirrus/setup_container_environment.sh index eda6f6167..c268c162e 100755 --- a/contrib/cirrus/setup_container_environment.sh +++ b/contrib/cirrus/setup_container_environment.sh @@ -5,9 +5,6 @@ source $(dirname $0)/lib.sh req_env_var GOSRC OS_RELEASE_ID CONTAINER_RUNTIME -DIST=$OS_RELEASE_ID -IMAGE=${DIST}podmanbuild - # Since CRIU 3.11 has been pushed to Fedora 28 the checkpoint/restore # test cases are actually run. As CRIU uses iptables to lock and unlock # the network during checkpoint and restore it needs the following two @@ -15,5 +12,5 @@ IMAGE=${DIST}podmanbuild modprobe ip6table_nat || : modprobe iptable_nat || : -# Build the test image -${CONTAINER_RUNTIME} build -t ${IMAGE} -f Dockerfile.${DIST} . +# Pull the test image +${CONTAINER_RUNTIME} pull ${IN_PODMAN_IMAGE} diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index f40405e8d..2230684ac 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -6,14 +6,15 @@ source $(dirname $0)/lib.sh req_env_var USER HOME GOSRC SCRIPT_BASE SETUP_MARKER_FILEPATH +show_env_vars + # Ensure this script only executes successfully once and always logs ending timestamp [[ ! -e "$SETUP_MARKER_FILEPATH" ]] || exit 0 exithandler() { RET=$? - set +e - show_env_vars + echo "." echo "$(basename $0) exit status: $RET" - [[ "$RET" -eq "0" ]] && date +%s >> "SETUP_MARKER_FILEPATH" + [[ "$RET" -eq "0" ]] && date +%s >> "$SETUP_MARKER_FILEPATH" } trap exithandler EXIT @@ -31,22 +32,18 @@ done # Anything externally dependent, should be made fixed-in-time by adding to # contrib/cirrus/packer/*_setup.sh to be incorporated into VM cache-images # (see docs). +cd "${GOSRC}/" case "${OS_REL_VER}" in - ubuntu-18) ;; - fedora-29) - # Occasionally, and seemingly only on F29 the root disk fails to expand - # upon boot. When this happens, any number of failures could occur if - # space runs out. Until there is time to investigate the actual cause, - # workaround this problem by detecting it and acting accordingly. - REMAINING=$(df /dev/sda1 | tail -1 | awk '{print $4}') - if [[ "$REMAINING" -lt "100000000" ]] # .cirrus.yml specifies 200gig + ubuntu-18) + CRIO_RUNC_PATH="/usr/lib/cri-o-runc/sbin/runc" + if dpkg -L cri-o-runc | grep -m 1 -q "$CRIO_RUNC_PATH" then - echo "Fixing failure to expand root filesystem" - growpart /dev/sda 1 # device guaranteed by cloud provider - resize2fs /dev/sda1 # growpart & resuze guaranteed by base-image + echo "Linking $CRIO_RUNC_PATH to /usr/bin/runc for ease of testing." + ln -f "$CRIO_RUNC_PATH" "/usr/bin/runc" fi ;; - fedora-28) ;; + fedora-30) ;; + fedora-29) ;; centos-7) # Current VM is an image-builder-image no local podman/testing echo "No further setup required for VM image building" exit 0 @@ -54,25 +51,17 @@ case "${OS_REL_VER}" in *) bad_os_id_ver ;; esac -cd "${GOSRC}/" # Reload to incorporate any changes from above source "$SCRIPT_BASE/lib.sh" -echo "Installing cni config, policy and registry config" -req_env_var GOSRC -sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \ - /etc/cni/net.d/87-podman-bridge.conflist -sudo install -D -m 755 $GOSRC/test/policy.json \ - /etc/containers/policy.json -sudo install -D -m 755 $GOSRC/test/registries.conf \ - /etc/containers/registries.conf -# cri-o if installed will mess with testing in non-obvious ways -rm -f /etc/cni/net.d/*cri* +install_test_configs make install.tools case "$SPECIALMODE" in - none) ;; # Do the normal thing + none) + remove_packaged_podman_files # we're building from source + ;; rootless) # Only do this once, even if ROOTLESS_USER (somehow) changes if ! grep -q 'ROOTLESS_USER' /etc/environment @@ -85,11 +74,13 @@ case "$SPECIALMODE" in tee -a /etc/environment) && eval "$X" && echo "$X" setup_rootless fi + remove_packaged_podman_files ;; in_podman) # Assumed to be Fedora - dnf install -y podman buildah $SCRIPT_BASE/setup_container_environment.sh ;; + windows) ;& # for podman-remote building only + darwin) ;; *) die 111 "Unsupported \$SPECIAL_MODE: $SPECIALMODE" esac diff --git a/contrib/cirrus/system_test.sh b/contrib/cirrus/system_test.sh index a2cc1af05..cbc481d6b 100755..120000 --- a/contrib/cirrus/system_test.sh +++ b/contrib/cirrus/system_test.sh @@ -1,21 +1 @@ -#!/bin/bash - -set -e -source $(dirname $0)/lib.sh - -req_env_var GOSRC OS_RELEASE_ID OS_RELEASE_VER - -set -x -cd "$GOSRC" - -case "${OS_RELEASE_ID}" in - ubuntu) ;& # Continue to the next item - fedora) - make install.tools - make - make test-binaries - ;; - *) bad_os_id_ver ;; -esac - -make localsystem +integration_test.sh
\ No newline at end of file diff --git a/contrib/cirrus/uncache_release_archives.sh b/contrib/cirrus/uncache_release_archives.sh new file mode 120000 index 000000000..e9fc6edff --- /dev/null +++ b/contrib/cirrus/uncache_release_archives.sh @@ -0,0 +1 @@ +cache_release_archive.sh
\ No newline at end of file diff --git a/contrib/cirrus/unit_test.sh b/contrib/cirrus/unit_test.sh index 202663fb7..004839f17 100755 --- a/contrib/cirrus/unit_test.sh +++ b/contrib/cirrus/unit_test.sh @@ -1,12 +1,25 @@ #!/bin/bash set -e + source $(dirname $0)/lib.sh req_env_var GOSRC -set -x cd "$GOSRC" make install.tools make localunit -make + +case "$SPECIALMODE" in + in_podman) ;& + rootless) ;& + none) + make + ;; + windows) ;& + darwin) + make podman-remote-$SPECIALMODE + ;; + *) + die 109 "Unsupported \$SPECIAL_MODE: $SPECIALMODE" +esac diff --git a/contrib/gate/Dockerfile b/contrib/gate/Dockerfile index 9a6f5dc8d..c886fc9aa 100644 --- a/contrib/gate/Dockerfile +++ b/contrib/gate/Dockerfile @@ -1,19 +1,15 @@ -FROM fedora:29 +FROM fedora:30 RUN dnf -y install \ atomic-registries \ btrfs-progs-devel \ - buildah \ bzip2 \ - conmon \ container-selinux \ containernetworking-cni \ - containernetworking-cni-devel \ device-mapper-devel \ findutils \ git \ glib2-devel \ glibc-static \ - gnupg \ golang \ gpgme-devel \ iptables \ diff --git a/contrib/imgprune/Dockerfile b/contrib/imgprune/Dockerfile new file mode 100644 index 000000000..26329e828 --- /dev/null +++ b/contrib/imgprune/Dockerfile @@ -0,0 +1,7 @@ +FROM libpod/imgts:latest + +RUN yum -y update && \ + yum clean all + +COPY /contrib/imgprune/entrypoint.sh /usr/local/bin/entrypoint.sh +RUN chmod 755 /usr/local/bin/entrypoint.sh diff --git a/contrib/imgprune/README.md b/contrib/imgprune/README.md new file mode 100644 index 000000000..48abc2028 --- /dev/null +++ b/contrib/imgprune/README.md @@ -0,0 +1,11 @@ + + +A container image for maintaining the collection of +VM images used by CI/CD on this project and several others. +Acts upon metadata maintained by the imgts container. + +Example build (from repository root): + +```bash +sudo podman build -t $IMAGE_NAME -f contrib/imgprune/Dockerfile . +``` diff --git a/contrib/imgprune/entrypoint.sh b/contrib/imgprune/entrypoint.sh new file mode 100755 index 000000000..a4b77523b --- /dev/null +++ b/contrib/imgprune/entrypoint.sh @@ -0,0 +1,67 @@ +#!/bin/bash + +set -e + +source /usr/local/bin/lib_entrypoint.sh + +req_env_var GCPJSON GCPNAME GCPPROJECT IMGNAMES + +gcloud_init + +# For safety's sake + limit nr background processes +PRUNE_LIMIT=10 +THEFUTURE=$(date --date='+1 hour' +%s) +TOO_OLD='90 days ago' +THRESHOLD=$(date --date="$TOO_OLD" +%s) +# Format Ref: https://cloud.google.com/sdk/gcloud/reference/topic/formats +FORMAT='value[quote](name,selfLink,creationTimestamp,labels)' +PROJRE="/v1/projects/$GCPPROJECT/global/" +BASE_IMAGE_RE='cloud-base' +RECENTLY=$(date --date='30 days ago' --iso-8601=date) +EXCLUDE="$IMGNAMES $IMAGE_BUILDER_CACHE_IMAGE_NAME" # whitespace separated values +# Filter Ref: https://cloud.google.com/sdk/gcloud/reference/topic/filters +FILTER="selfLink~$PROJRE AND creationTimestamp<$RECENTLY AND NOT name=($EXCLUDE)" +TODELETE=$(mktemp -p '' todelete.XXXXXX) + +echo "Searching images for pruning candidates older than $TOO_OLD ($THRESHOLD):" +$GCLOUD compute images list --format="$FORMAT" --filter="$FILTER" | \ + while read name selfLink creationTimestamp labels + do + created_ymd=$(date --date=$creationTimestamp --iso-8601=date) + last_used=$(egrep --only-matching --max-count=1 'last-used=[[:digit:]]+' <<< $labels || true) + markmsgpfx="Marking $name (created $created_ymd) for deletion" + if [[ -z "$last_used" ]] + then # image pre-dates addition of tracking labels + echo "$markmsgpfx: Missing 'last-used' metadata, labels: '$labels'" + echo "$name" >> $TODELETE + continue + fi + + last_used_timestamp=$(date --date=@$(cut -d= -f2 <<< $last_used || true) +%s || true) + last_used_ymd=$(date --date=@$last_used_timestamp --iso-8601=date) + if [[ -z "$last_used_timestamp" ]] || [[ "$last_used_timestamp" -ge "$THEFUTURE" ]] + then + echo "$markmsgpfx: Missing or invalid last-used timestamp: '$last_used_timestamp'" + echo "$name" >> $TODELETE + continue + fi + + if [[ "$last_used_timestamp" -le "$THRESHOLD" ]] + then + echo "$markmsgpfx: Used over $TOO_OLD on $last_used_ymd" + echo "$name" >> $TODELETE + continue + fi + + echo "NOT $markmsgpfx: last used on $last_used_ymd)" + done + +echo "Pruning up to $PRUNE_LIMIT images that were marked for deletion:" +for image_name in $(tail -$PRUNE_LIMIT $TODELETE | sort --random-sort) +do + # This can take quite some time (minutes), run in parallel disconnected from terminal + echo "TODO: Would have: $GCLOUD compute images delete $image_name &" + sleep "$[1+RANDOM/1000]s" & # Simlate background operation +done + +wait || true # Nothing to delete: No background jobs diff --git a/contrib/imgts/Dockerfile b/contrib/imgts/Dockerfile index 0746eca4c..deaadb899 100644 --- a/contrib/imgts/Dockerfile +++ b/contrib/imgts/Dockerfile @@ -7,14 +7,14 @@ RUN yum -y update && \ yum -y install google-cloud-sdk && \ yum clean all -COPY /contrib/imgts/entrypoint.sh /usr/local/bin/entrypoint.sh ENV GCPJSON="__unknown__" \ GCPNAME="__unknown__" \ GCPPROJECT="__unknown__" \ IMGNAMES="__unknown__" \ - TIMESTAMP="__unknown__" \ BUILDID="__unknown__" \ REPOREF="__unknown__" + +COPY ["/contrib/imgts/entrypoint.sh", "/contrib/imgts/lib_entrypoint.sh", "/usr/local/bin/"] RUN chmod 755 /usr/local/bin/entrypoint.sh ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/contrib/imgts/entrypoint.sh b/contrib/imgts/entrypoint.sh index 65a76d8e4..9c653eda0 100755 --- a/contrib/imgts/entrypoint.sh +++ b/contrib/imgts/entrypoint.sh @@ -2,44 +2,22 @@ set -e -RED="\e[1;36;41m" -YEL="\e[1;33;44m" -NOR="\e[0m" +source /usr/local/bin/lib_entrypoint.sh -die() { - echo -e "$2" >&2 - exit "$1" -} +req_env_var GCPJSON GCPNAME GCPPROJECT IMGNAMES BUILDID REPOREF -SENTINEL="__unknown__" # default set in dockerfile +gcloud_init -[[ "$GCPJSON" != "$SENTINEL" ]] || \ - die 1 "Must specify service account JSON in \$GCPJSON" -[[ "$GCPNAME" != "$SENTINEL" ]] || \ - die 2 "Must specify service account name in \$GCPNAME" -[[ "$GCPPROJECT" != "$SENTINEL" ]] || \ - die 4 "Must specify GCP Project ID in \$GCPPROJECT" -[[ -n "$GCPPROJECT" ]] || \ - die 5 "Must specify non-empty GCP Project ID in \$GCPPROJECT" -[[ "$IMGNAMES" != "$SENTINEL" ]] || \ - die 6 "Must specify space separated list of GCE image names in \$IMGNAMES" -[[ "$BUILDID" != "$SENTINEL" ]] || \ - die 7 "Must specify the number of current build in \$BUILDID" -[[ "$REPOREF" != "$SENTINEL" ]] || \ - die 8 "Must specify a PR number or Branch name in \$REPOREF" +ARGS=" + --update-labels=last-used=$(date +%s) + --update-labels=build-id=$BUILDID + --update-labels=repo-ref=$REPOREF + --update-labels=project=$GCPPROJECT +" -ARGS="--update-labels=last-used=$(date +%s)" -# optional -[[ -z "$BUILDID" ]] || ARGS="$ARGS --update-labels=build-id=$BUILDID" -[[ -z "$REPOREF" ]] || ARGS="$ARGS --update-labels=repo-ref=$REPOREF" - -gcloud config set account "$GCPNAME" -gcloud config set project "$GCPPROJECT" -echo "$GCPJSON" > /tmp/gcp.json -gcloud auth activate-service-account --key-file=/tmp/gcp.json || rm /tmp/gcp.json for image in $IMGNAMES do - gcloud compute images update "$image" $ARGS & + $GCLOUD compute images update "$image" $ARGS & done -set +e # Actual update failures are only warnings -wait || die 0 "${RED}WARNING:$NOR ${YEL}Failed to update labels on one or more images:$NOR '$IMGNAMES'" + +wait || echo "Warning: No \$IMGNAMES were specified." diff --git a/contrib/imgts/lib_entrypoint.sh b/contrib/imgts/lib_entrypoint.sh new file mode 100644 index 000000000..7b76c823f --- /dev/null +++ b/contrib/imgts/lib_entrypoint.sh @@ -0,0 +1,44 @@ +#!/bin/bash + +set -e + +RED="\e[1;36;41m" +YEL="\e[1;33;44m" +NOR="\e[0m" +SENTINEL="__unknown__" # default set in dockerfile +# Disable all input prompts +# https://cloud.google.com/sdk/docs/scripting-gcloud +GCLOUD="gcloud --quiet" + +die() { + EXIT=$1 + PFX=$2 + shift 2 + MSG="$@" + echo -e "${RED}${PFX}:${NOR} ${YEL}$MSG${NOR}" + [[ "$EXIT" -eq "0" ]] || exit "$EXIT" +} + +# Pass in a list of one or more envariable names; exit non-zero with +# helpful error message if any value is empty +req_env_var() { + for i; do + if [[ -z "${!i}" ]] + then + die 1 FATAL entrypoint.sh requires \$$i to be non-empty. + elif [[ "${!i}" == "$SENTINEL" ]] + then + die 2 FATAL entrypoint.sh requires \$$i to be explicitly set. + fi + done +} + +gcloud_init() { + set +xe + TMPF=$(mktemp -p '' .$(uuidgen)XXXX) + trap "rm -f $TMPF" EXIT + echo "$GCPJSON" > $TMPF && \ + $GCLOUD auth activate-service-account --project "$GCPPROJECT" --key-file=$TMPF || \ + die 5 FATAL auth + rm -f $TMPF +} diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md new file mode 100644 index 000000000..3dc07ad63 --- /dev/null +++ b/contrib/podmanimage/README.md @@ -0,0 +1,44 @@ + + +# podmanimage + +## Overview + +This directory contains the Dockerfiles necessary to create the three podmanimage container +images that are housed on quay.io under the podman account. All three repositories where +the images live are public and can be pulled without credentials. These container images are secured and the +resulting containers can run safely with privileges within the container. The container images are built +using the latest Fedora and then Podman is installed into them: + + * quay.io/podman/stable - This image is built using the latest stable version of Podman in a Fedora based container. Built with podman/stable/Dockerfile. + * quay.io/podman/upstream - This image is built using the latest code found in this GitHub repository. When someone creates a commit and pushes it, the image is created. Due to that the image changes frequently and is not guaranteed to be stable. Built with podmanimage/upstream/Dockerfile. + * quay.io/podman/testing - This image is built using the latest version of Podman that is or was in updates testing for Fedora. At times this may be the same as the stable image. This container image will primarily be used by the development teams for verification testing when a new package is created. Built with podmanimage/testing/Dockerfile. + +## Sample Usage + + +``` +podman pull docker://quay.io/podman/stable:latest + +podman run --privileged stable podman version + +# Create a directory on the host to mount the container's +# /var/lib/container directory to so containers can be +# run within the container. +mkdir /var/lib/mycontainer + +# Run the image detached using the host's network in a container name +# podmanctr, turn off label and seccomp confinement in the container +# and then do a little shell hackery to keep the container up and running. +podman run --detach --name=podmanctr --net=host --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw -v /var/lib/mycontainer:/var/lib/containers:Z --privileged stable sh -c 'while true ;do sleep 100000 ; done' + +podman exec -it podmanctr /bin/sh + +# Now inside of the container + +podman pull alpine + +podman images + +exit +``` diff --git a/contrib/podmanimage/stable/Dockerfile b/contrib/podmanimage/stable/Dockerfile new file mode 100644 index 000000000..056f62624 --- /dev/null +++ b/contrib/podmanimage/stable/Dockerfile @@ -0,0 +1,26 @@ +# stable/Dockerfile +# +# Build a Podman container image from the latest +# stable version of Podman on the Fedoras Updates System. +# https://bodhi.fedoraproject.org/updates/?search=podman +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# +FROM fedora:latest + +# Don't include container-selinux and remove +# directories used by dnf that are just taking +# up space. +RUN yum -y install podman fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Adjust libpod.conf to write logging to a file +RUN sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/podmanimage/testing/Dockerfile b/contrib/podmanimage/testing/Dockerfile new file mode 100644 index 000000000..50d8ed7f2 --- /dev/null +++ b/contrib/podmanimage/testing/Dockerfile @@ -0,0 +1,28 @@ +# testing/Dockerfile +# +# Build a Podman image using the latest +# version of Podman that is in updates-testing +# on the Fedoras Updates System. At times this +# may be the same the latest stable version. +# https://bodhi.fedoraproject.org/updates/?search=podman +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# +FROM fedora:latest + +# Don't include container-selinux and remove +# directories used by dnf that are just taking +# up space. +RUN yum -y install podman fuse-overlayfs --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.* + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Adjust libpod.conf to write logging to a file +RUN sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/podmanimage/upstream/Dockerfile b/contrib/podmanimage/upstream/Dockerfile new file mode 100644 index 000000000..3583e1c54 --- /dev/null +++ b/contrib/podmanimage/upstream/Dockerfile @@ -0,0 +1,77 @@ +# git/Dockerfile +# +# Build a Podman container image from the latest +# upstream version of Podman on GitHub. +# https://github.com/containers/libpod +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# The containers created by this image also come with a +# Podman development environment in /root/podman. +# +FROM fedora:latest +ENV GOPATH=/root/podman + +# Install the software required to build Podman. +# Then create a directory and clone from the Podman +# GitHub repository, make and install Podman +# to the container. +# Finally remove the podman directory and a few other packages +# that are needed for building but not running Podman +RUN dnf -y install --exclude container-selinux \ + --enablerepo=updates-testing \ + atomic-registries \ + btrfs-progs-devel \ + containernetworking-cni \ + device-mapper-devel \ + git \ + glib2-devel \ + glibc-devel \ + glibc-static \ + go \ + golang-github-cpuguy83-go-md2man \ + gpgme-devel \ + iptables \ + libassuan-devel \ + libgpg-error-devel \ + libseccomp-devel \ + libselinux-devel \ + make \ + ostree-devel \ + pkgconfig \ + runc \ + fuse-overlayfs \ + fuse3 \ + containers-common; \ + mkdir /root/podman; \ + git clone https://github.com/containers/libpod /root/podman/src/github.com/containers/libpod; \ + cd /root/podman/src/github.com/containers/libpod; \ + make BUILDTAGS="selinux seccomp"; \ + make install PREFIX=/usr; \ + cd /root/podman; \ + git clone https://github.com/containers/conmon /root/podman/conmon; \ + cd conmon; \ + make; \ + install -D -m 755 bin/conmon /usr/libexec/podman/conmon; \ + git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins; \ + cd $GOPATH/src/github.com/containernetworking/plugins; \ + ./build_linux.sh; \ + mkdir -p /usr/libexec/cni; \ + \cp -fR bin/* /usr/libexec/cni; \ + mkdir -p /etc/cni/net.d; \ + curl -qsSL https://raw.githubusercontent.com/containers/libpod/master/cni/87-podman-bridge.conflist | tee /etc/cni/net.d/99-loopback.conf; \ + mkdir -p /usr/share/containers; \ + cp $GOPATH/src/github.com/containers/libpod/libpod.conf /usr/share/containers; \ + # Adjust libpod.conf to write logging to a file + sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf; \ + rm -rf /root/podman/*; \ + dnf -y remove git golang go-md2man make; \ + dnf clean all; + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index a1c11a5a6..9d8467783 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -35,11 +35,11 @@ # People want conmon packaged with the copr rpm %global import_path_conmon github.com/containers/conmon %global git_conmon https://%{import_path_conmon} -%global commit_conmon 59952292a3b07ac125575024ae21956efe0ecdfb +%global commit_conmon 6f3572558b97bc60dd8f8c7f0807748e6ce2c440 %global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7}) Name: podman -Version: 1.3.2 +Version: 1.4.5 Release: #COMMITDATE#.git%{shortcommit0}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 |