Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/cirrus/README.md | 35 | ||||
-rw-r--r-- | contrib/cirrus/container_test.sh | 21 | ||||
-rwxr-xr-x | contrib/cirrus/integration_test.sh | 18 | ||||
-rw-r--r-- | contrib/cirrus/lib.sh | 5 | ||||
-rwxr-xr-x | contrib/cirrus/rootless_test.sh | 21 | ||||
-rwxr-xr-x | contrib/cirrus/setup_container_environment.sh | 7 | ||||
-rwxr-xr-x | contrib/cirrus/setup_environment.sh | 2 | ||||
-rwxr-xr-x | contrib/imgts/entrypoint.sh | 1 | ||||
-rw-r--r-- | contrib/podmanimage/README.md | 44 | ||||
-rw-r--r-- | contrib/podmanimage/stable/Dockerfile | 26 | ||||
-rw-r--r-- | contrib/podmanimage/testing/Dockerfile | 28 | ||||
-rw-r--r-- | contrib/podmanimage/upstream/Dockerfile | 77 | ||||
-rw-r--r-- | contrib/spec/podman.spec.in | 2 |
13 files changed, 228 insertions, 59 deletions
diff --git a/contrib/cirrus/README.md b/contrib/cirrus/README.md index 69d8653fe..94494a558 100644 --- a/contrib/cirrus/README.md +++ b/contrib/cirrus/README.md @@ -63,41 +63,6 @@ task (pass or fail) is set based on the exit status of the last script to execut Total execution time is capped at 2-hours (includes all the above) but this script normally completes in less than an hour. -### ``special_testing`` Task - -This task exercises podman under specialized environments or conditions. -The specific differences from the ``testing`` task depend upon the -contents of the ``$SPECIALMODE`` environment variable. - -| Value | Meaning | -| rootless | Setup a regular user to build/run integration tests. | -| in_podman | Setup a container image, build/run integration tests inside container | - -***N/B: Steps below are performed by automation*** - -1. After `gating` passes, spin up one VM per - `matrix: image_name` item. - -2. ``setup_environment.sh``: Mostly the same as - in ``testing`` task, then specialized depending on ``$SPECIALMODE``. - -3. Which tests and how they execute depends on ``$SPECIALMODE``. - - -### ``optional_testing`` Task - -***N/B: Steps below are performed by automation*** - -1. Optionally executes in parallel with ``testing``. Requires - **prior** to job-start, the magic string ``***CIRRUS: SYSTEM TEST***`` - is found in the pull-request *description*. The *description* is the first - text-box under the main *summary* line in the github WebUI. - -2. ``setup_environment.sh``: Same as for other tasks. - -3. ``system_test.sh``: Build both dependencies and libpod, install them, - then execute `make localsystem` from the repository root. - ### ``test_build_cache_images_task`` Task diff --git a/contrib/cirrus/container_test.sh b/contrib/cirrus/container_test.sh index 1fd9551db..27baf0ad7 100644 --- a/contrib/cirrus/container_test.sh +++ b/contrib/cirrus/container_test.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -set -xeuo pipefail +set -xeo pipefail export GOPATH=/var/tmp/go export PATH=$HOME/gopath/bin:$PATH:$GOPATH/bin @@ -32,10 +32,10 @@ integrationtest=0 unittest=0 validate=0 options=0 -noremote=0 +remote=0 install_tools_made=0 -while getopts "biptuv" opt; do +while getopts "bituv" opt; do case "$opt" in b) build=1 options=1 @@ -46,9 +46,6 @@ while getopts "biptuv" opt; do t) integrationtest=1 options=1 ;; - n) noremote=1 - options=1 - ;; u) unittest=1 options=1 ;; @@ -58,6 +55,12 @@ while getopts "biptuv" opt; do esac done +# The TEST_REMOTE_CLIENT environment variable decides whether +# to test varlinke +if [[ "$TEST_REMOTE_CLIENT" == "true" ]]; then + remote=1 +fi + # If no options are passed, do everything if [ $options -eq 0 ]; then build=1 @@ -130,8 +133,8 @@ fi if [ $integrationtest -eq 1 ]; then make TAGS="${TAGS}" test-binaries make varlink_generate - make ginkgo $INTEGRATION_TEST_ENVS - if [ $noremote -eq 0 ]; then - make ginkgo-remote $INTEGRATION_TEST_ENVS + make localintegration $INTEGRATION_TEST_ENVS + if [ $remote -eq 1 ]; then + make remoteintegration $INTEGRATION_TEST_ENVS fi fi diff --git a/contrib/cirrus/integration_test.sh b/contrib/cirrus/integration_test.sh index e7f582b42..f9ba010cd 100755 --- a/contrib/cirrus/integration_test.sh +++ b/contrib/cirrus/integration_test.sh @@ -5,6 +5,14 @@ source $(dirname $0)/lib.sh req_env_var GOSRC SCRIPT_BASE OS_RELEASE_ID OS_RELEASE_VER CONTAINER_RUNTIME +# Our name must be of the form xxxx_test or xxxx_test.sh, where xxxx is +# the test suite to run; currently (2019-05) the only option is 'integration' +# but pr2947 intends to add 'system'. +TESTSUITE=$(expr $(basename $0) : '\(.*\)_test') +if [[ -z $TESTSUITE ]]; then + die 1 "Script name is not of the form xxxx_test.sh" +fi + cd "$GOSRC" if [[ "$SPECIALMODE" == "in_podman" ]] 
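Review bot: Dropping `-u` from `set -xeuo pipefail` in the first container_test.sh hunk turns off unset-variable detection for the whole script, apparently only so the new `[[ "$TEST_REMOTE_CLIENT" == "true" ]]` test can run when the variable is absent. Keeping `set -xeuo pipefail` and writing the test as `[[ "${TEST_REMOTE_CLIENT:-false}" == "true" ]]` gives the same result without losing the check for every other variable. The comment above the test misspells varlink as "varlinke". The same block and typo are repeated in the rootless_test.sh hunk, where it sits before `source $(dirname $0)/lib.sh` and therefore before lib.sh applies its `TEST_REMOTE_CLIENT` default.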
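Review bot: `TESTSUITE` in integration_test.sh is derived from the script name and is never checked against the suites that exist before later hunks splice it into `make local${TESTSUITE}` / `make remote${TESTSUITE}` and pass it unquoted to rootless_test.sh, both directly and through ssh. `$0` and the `basename` result are unquoted as well, so a path containing whitespace breaks the `expr` call. Suggest `name=${0##*/}; TESTSUITE=${name%_test*}` followed by an allow-list such as `case "$TESTSUITE" in integration|system) ;; *) die 1 "Unknown test suite '$TESTSUITE'" ;; esac`, and quoting the expansion where it is used. rootless_test.sh takes `$1` for the same purpose and has no check either.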
@@ -19,7 +27,7 @@ then -e "CONMON_BINARY=/usr/libexec/podman/conmon" \ -e "DIST=$OS_RELEASE_ID" \ -e "CONTAINER_RUNTIME=$CONTAINER_RUNTIME" \ - ${OS_RELEASE_ID}podmanbuild bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t -n + $IN_PODMAN_IMAGE bash $GOSRC/$SCRIPT_BASE/container_test.sh -b -i -t exit $? elif [[ "$SPECIALMODE" == "rootless" ]] @@ -28,11 +36,11 @@ then if [[ "$USER" == "$ROOTLESS_USER" ]] then - $GOSRC/$SCRIPT_BASE/rootless_test.sh + $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} else ssh $ROOTLESS_USER@localhost \ -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no \ - $GOSRC/$SCRIPT_BASE/rootless_test.sh + $GOSRC/$SCRIPT_BASE/rootless_test.sh ${TESTSUITE} fi else make @@ -40,9 +48,9 @@ else make test-binaries if [[ "$TEST_REMOTE_CLIENT" == "true" ]] then - make remoteintegration + make remote${TESTSUITE} else - make localintegration + make local${TESTSUITE} fi exit $? fi diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index 334202aa9..462fa332a 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -66,7 +66,7 @@ PRIOR_FEDORA_BASE_IMAGE="fedora-cloud-base-28-1-1-1544474897" BUILT_IMAGE_SUFFIX="${BUILT_IMAGE_SUFFIX:--$CIRRUS_REPO_NAME-${CIRRUS_BUILD_ID}}" # Safe env. vars. to transfer from root -> $ROOTLESS_USER (go env handled separetly) -ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.*FILEPATH)|(SOURCE.*)|(DEPEND.*)|(.+_DEPS_.+)|(OS_REL.*)|(.+_ENV_RE)|(TRAVIS)|(CI.+)' +ROOTLESS_ENV_RE='(CIRRUS_.+)|(ROOTLESS_.+)|(.+_IMAGE.*)|(.+_BASE)|(.*DIRPATH)|(.*FILEPATH)|(SOURCE.*)|(DEPEND.*)|(.+_DEPS_.+)|(OS_REL.*)|(.+_ENV_RE)|(TRAVIS)|(CI.+)|(TEST_REMOTE.*)' # Unsafe env. vars for display SECRET_ENV_RE='(IRCID)|(ACCOUNT)|(^GC[EP]..+)|(SSH)' 
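Review bot: The new `(TEST_REMOTE.*)` alternative in lib.sh widens an allow-list that, per the comment above it, decides which environment variables are transferred from root to `$ROOTLESS_USER`, and the wildcard admits more names than this change reads. Only `TEST_REMOTE_CLIENT` is consulted by the scripts in this commit, so `(TEST_REMOTE_CLIENT)` would be the narrower entry. How the expression is applied (anchored or not) is outside this hunk, so it is worth confirming that a name merely containing `TEST_REMOTE` cannot pass as well.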
@@ -74,6 +74,9 @@ SPECIALMODE="${SPECIALMODE:-none}" TEST_REMOTE_CLIENT="${TEST_REMOTE_CLIENT:-false}" export CONTAINER_RUNTIME=${CONTAINER_RUNTIME:-podman} +# IN_PODMAN container image +IN_PODMAN_IMAGE="quay.io/libpod/in_podman:latest" + # When running as root, this may be empty or not, as a user, it MUST be set. if [[ "$USER" == "root" ]] then diff --git a/contrib/cirrus/rootless_test.sh b/contrib/cirrus/rootless_test.sh index 3b668034b..b5744671b 100755 --- a/contrib/cirrus/rootless_test.sh +++ b/contrib/cirrus/rootless_test.sh @@ -2,6 +2,14 @@ set -e +remote=0 + +# The TEST_REMOTE_CLIENT environment variable decides whether +# to test varlinke +if [[ "$TEST_REMOTE_CLIENT" == "true" ]]; then + remote=1 +fi + source $(dirname $0)/lib.sh if [[ "$UID" == "0" ]] @@ -10,6 +18,12 @@ then exit 1 fi +# Which set of tests to run; possible alternative is "system" +TESTSUITE=integration +if [[ -n "$*" ]]; then + TESTSUITE="$1" +fi + # Ensure environment setup correctly req_env_var GOSRC ROOTLESS_USER @@ -25,5 +39,8 @@ cd "$GOSRC" make make varlink_generate make test-binaries -make ginkgo -make ginkgo-remote +if [ $remote -eq 0 ]; then + make local${TESTSUITE} +else + make remote${TESTSUITE} +fi diff --git a/contrib/cirrus/setup_container_environment.sh b/contrib/cirrus/setup_container_environment.sh index eda6f6167..c268c162e 100755 --- a/contrib/cirrus/setup_container_environment.sh +++ b/contrib/cirrus/setup_container_environment.sh @@ -5,9 +5,6 @@ source $(dirname $0)/lib.sh req_env_var GOSRC OS_RELEASE_ID CONTAINER_RUNTIME -DIST=$OS_RELEASE_ID -IMAGE=${DIST}podmanbuild - # Since CRIU 3.11 has been pushed to Fedora 28 the checkpoint/restore # test cases are actually run. As CRIU uses iptables to lock and unlock # the network during checkpoint and restore it needs the following two 
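Review bot: `IN_PODMAN_IMAGE="quay.io/libpod/in_podman:latest"` makes the in_podman test run depend on a mutable tag: setup_container_environment.sh now pulls it instead of building from `Dockerfile.${DIST}`, and integration_test.sh runs container_test.sh inside it. Whatever is pushed under `:latest` becomes the test environment without any change in this repository, which weakens both the reproducibility and the supply-chain integrity of CI. Pinning by digest, e.g. `IN_PODMAN_IMAGE="quay.io/libpod/in_podman@sha256:<digest-placeholder>"`, and bumping it deliberately would keep the pulled content reviewable. The expansion is also unquoted at both use sites (`pull ${IN_PODMAN_IMAGE}` and `$IN_PODMAN_IMAGE bash ...`).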
@@ -15,5 +12,5 @@ IMAGE=${DIST}podmanbuild modprobe ip6table_nat || : modprobe iptable_nat || : -# Build the test image -${CONTAINER_RUNTIME} build -t ${IMAGE} -f Dockerfile.${DIST} . +# Pull the test image +${CONTAINER_RUNTIME} pull ${IN_PODMAN_IMAGE} diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index f40405e8d..13bce506a 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -87,7 +87,7 @@ case "$SPECIALMODE" in fi ;; in_podman) # Assumed to be Fedora - dnf install -y podman buildah + dnf install -y podman $SCRIPT_BASE/setup_container_environment.sh ;; *) diff --git a/contrib/imgts/entrypoint.sh b/contrib/imgts/entrypoint.sh index 65a76d8e4..610e1f3b6 100755 --- a/contrib/imgts/entrypoint.sh +++ b/contrib/imgts/entrypoint.sh @@ -32,6 +32,7 @@ ARGS="--update-labels=last-used=$(date +%s)" # optional [[ -z "$BUILDID" ]] || ARGS="$ARGS --update-labels=build-id=$BUILDID" [[ -z "$REPOREF" ]] || ARGS="$ARGS --update-labels=repo-ref=$REPOREF" +[[ -z "$GCPPROJECT" ]] || ARGS="$ARGS --update-labels=project=$GCPPROJECT" gcloud config set account "$GCPNAME" gcloud config set project "$GCPPROJECT" diff --git a/contrib/podmanimage/README.md b/contrib/podmanimage/README.md new file mode 100644 index 000000000..79484d4a3 --- /dev/null +++ b/contrib/podmanimage/README.md 
@@ -0,0 +1,44 @@ +![PODMAN logo](logo/podman-logo-source.svg) + +# podmanimage + +## Overview + +This directory contains the Dockerfiles necessary to create the three podmanimage container +images that are housed on quay.io under the podman account. All three repositories where +the images live are public and can be pulled without credentials. These container images are secured and the +resulting containers can run safely with privileges within the container. The container images are built +using the latest Fedora and then Podman is installed into them: + + * quay.io/podman/stable - This image is built using the latest stable version of Podman in a Fedora based container. Built with podman/stable/Dockerfile. + * quay.io/podman/upstream - This image is built using the latest code found in this GitHub repository. When someone creates a commit and pushes it, the image is created. Due to that the image changes frequently and is not guaranteed to be stable. Built with podmanimage/upstream/Dockerfile. + * quay.io/podman/testing - This image is built using the latest version of Podman that is or was in updates testing for Fedora. At times this may be the same as the stable image. This container image will primarily be used by the development teams for verification testing when a new package is created. Built with podmanimage/testing/Dockerfile. + +## Sample Usage + + +``` +podman pull docker://quay.io/podman/stable:latest + +podman run --privileged stable podman version + +# Create a directory on the host to mount the container's +# /var/lib/container directory to so containers can be +# run within the container. +mkdir /var/lib/mycontainer + +# Run the image detached using the host's network in a container name +# podmanctr, turn off label and seccomp confinement in the container +# and then do a little shell hackery to keep the container up and running. 
+podman run --detach --name=podmanctr --net=host --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw -v /var/lib/mycontainer:/var/lib/containers:Z --privileged stable sh -c 'while true ;do wait; done' + +podman exec -it podmanctr /bin/sh + +# Now inside of the container + +podman pull alpine + +podman images + +exit +``` diff --git a/contrib/podmanimage/stable/Dockerfile b/contrib/podmanimage/stable/Dockerfile new file mode 100644 index 000000000..056f62624 --- /dev/null +++ b/contrib/podmanimage/stable/Dockerfile @@ -0,0 +1,26 @@ +# stable/Dockerfile +# +# Build a Podman container image from the latest +# stable version of Podman on the Fedoras Updates System. +# https://bodhi.fedoraproject.org/updates/?search=podman +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# +FROM fedora:latest + +# Don't include container-selinux and remove +# directories used by dnf that are just taking +# up space. +RUN yum -y install podman fuse-overlayfs --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Adjust libpod.conf to write logging to a file +RUN sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/podmanimage/testing/Dockerfile b/contrib/podmanimage/testing/Dockerfile new file mode 100644 index 000000000..50d8ed7f2 --- /dev/null 
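Review bot: In stable/Dockerfile the line `RUN yum -y install podman fuse-overlayfs --exclude container-selinux; rm -rf ...` joins its commands with `;`, so the layer's exit status is that of `rm -rf` and a failed install still produces an image. Joining with `&&` (`RUN yum -y install ... && rm -rf /var/cache /var/log/dnf* /var/log/yum.*`) makes the build fail when the install fails; the `mkdir ...; touch ...; touch ...` line and testing/Dockerfile follow the same pattern. The header comment states the image yields "a secured container that runs safely with privileges", but nothing in the file establishes that and `container-selinux` is deliberately excluded, so the comment should state what confinement is actually assumed. `FROM fedora:latest` is an unpinned base, so two builds of the same Dockerfile can differ.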
+++ b/contrib/podmanimage/testing/Dockerfile @@ -0,0 +1,28 @@ +# testing/Dockerfile +# +# Build a Podman image using the latest +# version of Podman that is in updates-testing +# on the Fedoras Updates System. At times this +# may be the same the latest stable version. +# https://bodhi.fedoraproject.org/updates/?search=podman +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# +FROM fedora:latest + +# Don't include container-selinux and remove +# directories used by dnf that are just taking +# up space. +RUN yum -y install podman fuse-overlayfs --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.* + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Adjust libpod.conf to write logging to a file +RUN sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/podmanimage/upstream/Dockerfile b/contrib/podmanimage/upstream/Dockerfile new file mode 100644 index 000000000..3583e1c54 --- /dev/null +++ b/contrib/podmanimage/upstream/Dockerfile 
@@ -0,0 +1,77 @@ +# git/Dockerfile +# +# Build a Podman container image from the latest +# upstream version of Podman on GitHub. +# https://github.com/containers/libpod +# This image can be used to create a secured container +# that runs safely with privileges within the container. +# The containers created by this image also come with a +# Podman development environment in /root/podman. +# +FROM fedora:latest +ENV GOPATH=/root/podman + +# Install the software required to build Podman. +# Then create a directory and clone from the Podman +# GitHub repository, make and install Podman +# to the container. +# Finally remove the podman directory and a few other packages +# that are needed for building but not running Podman +RUN dnf -y install --exclude container-selinux \ + --enablerepo=updates-testing \ + atomic-registries \ + btrfs-progs-devel \ + containernetworking-cni \ + device-mapper-devel \ + git \ + glib2-devel \ + glibc-devel \ + glibc-static \ + go \ + golang-github-cpuguy83-go-md2man \ + gpgme-devel \ + iptables \ + libassuan-devel \ + libgpg-error-devel \ + libseccomp-devel \ + libselinux-devel \ + make \ + ostree-devel \ + pkgconfig \ + runc \ + fuse-overlayfs \ + fuse3 \ + containers-common; \ + mkdir /root/podman; \ + git clone https://github.com/containers/libpod /root/podman/src/github.com/containers/libpod; \ + cd /root/podman/src/github.com/containers/libpod; \ + make BUILDTAGS="selinux seccomp"; \ + make install PREFIX=/usr; \ + cd /root/podman; \ + git clone https://github.com/containers/conmon /root/podman/conmon; \ + cd conmon; \ + make; \ + install -D -m 755 bin/conmon /usr/libexec/podman/conmon; \ + git clone https://github.com/containernetworking/plugins.git $GOPATH/src/github.com/containernetworking/plugins; \ + cd $GOPATH/src/github.com/containernetworking/plugins; \ + ./build_linux.sh; \ + mkdir -p /usr/libexec/cni; \ + \cp -fR bin/* /usr/libexec/cni; \ + mkdir -p /etc/cni/net.d; \ + curl -qsSL 
https://raw.githubusercontent.com/containers/libpod/master/cni/87-podman-bridge.conflist | tee /etc/cni/net.d/99-loopback.conf; \ + mkdir -p /usr/share/containers; \ + cp $GOPATH/src/github.com/containers/libpod/libpod.conf /usr/share/containers; \ + # Adjust libpod.conf to write logging to a file + sed -i 's/events_logger = "journald"/events_logger = "file"/g' /usr/share/containers/libpod.conf; \ + rm -rf /root/podman/*; \ + dnf -y remove git golang go-md2man make; \ + dnf clean all; + +# Adjust storage.conf to enable Fuse storage. +RUN sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' /etc/containers/storage.conf +RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock + +# Set up environment variables to note that this is +# not starting with usernamespace and default to +# isolate the filesystem with chroot. +ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in index a1c11a5a6..8c2ccd4b0 100644 --- a/contrib/spec/podman.spec.in +++ b/contrib/spec/podman.spec.in @@ -39,7 +39,7 @@ %global shortcommit_conmon %(c=%{commit_conmon}; echo ${c:0:7}) Name: podman -Version: 1.3.2 +Version: 1.4.1 Release: #COMMITDATE#.git%{shortcommit0}%{?dist} Summary: Manage Pods, Containers and Container Images License: ASL 2.0 |
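Review bot: The long `RUN` chain in upstream/Dockerfile separates every step with `;`, so a failed `dnf -y install`, `git clone` or `make` does not stop the build, and later steps such as `cd conmon; make` or `rm -rf /root/podman/*` run in whatever directory and state the failure left behind. Starting the chain with `set -e;` or joining the steps with `&&` would fail the build at the first error. The three `git clone` calls and the `curl -qsSL .../master/cni/87-podman-bridge.conflist | tee /etc/cni/net.d/99-loopback.conf` all take whatever the default branch holds at build time with no commit pin or checksum, so the image content is neither reproducible nor verifiable; checking out a fixed commit and comparing the downloaded file with a known hash would address that. The download is a bridge conflist written to a file named `99-loopback.conf`, which looks unintended.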