From 14f3658dad172a25ead095451dd3c761a1f52a60 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Thu, 17 Jun 2021 11:04:19 -0400 Subject: Revert ".cirrus.yml: use fresh images for all VMs" This reverts commit 404d5edb1557e3d2cb255d38bd89274586c4c100. The replacement (updated) images include a fix for: https://github.com/containers/common/issues/631 Also minor update to an unrelated FIXME comment. Signed-off-by: Chris Evich --- .cirrus.yml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index d5d711075..3fcf335ed 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -30,20 +30,17 @@ env: PRIOR_UBUNTU_NAME: "ubuntu-2010" # Google-cloud VM Images - # TODO: At the time of this comment, an selinux-policy regression is blocking use of updated - # Fedora VM images: https://bugzilla.redhat.com/show_bug.cgi?id=1965743 - IMAGE_SUFFIX_UBUNTU: "c5521575421149184" - IMAGE_SUFFIX: "c5348179051806720" + IMAGE_SUFFIX: "c6737534580424704" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" - UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX_UBUNTU}" - PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX_UBUNTU}" + UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}" + PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX}" # Container FQIN's FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}" PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}" - UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX_UBUNTU}" - PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX_UBUNTU}" + UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}" + PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX}" #### #### Control variables that determine what to run and how to run it. @@ -671,18 +668,11 @@ meta_task: image: quay.io/libpod/imgts:$IMAGE_SUFFIX env: # Space-separated list of images used by this repository state - # TODO: Protect commonly tagged ubuntu images from puning in case - # workaround for BZ1965743 remains in use beyond the 30-days. - # Ref sha 404d5edb155 IMGNAMES: >- ${FEDORA_CACHE_IMAGE_NAME} ${PRIOR_FEDORA_CACHE_IMAGE_NAME} ${UBUNTU_CACHE_IMAGE_NAME} ${PRIOR_UBUNTU_CACHE_IMAGE_NAME} - fedora-${IMAGE_SUFFIX_UBUNTU} - prior-fedora-${IMAGE_SUFFIX_UBUNTU} - ubuntu-${IMAGE_SUFFIX} - prior-ubuntu-${IMAGE_SUFFIX} BUILDID: "${CIRRUS_BUILD_ID}" REPOREF: "${CIRRUS_REPO_NAME}" GCPJSON: ENCRYPTED[3a198350077849c8df14b723c0f4c9fece9ebe6408d35982e7adf2105a33f8e0e166ed3ed614875a0887e1af2b8775f4] -- cgit v1.2.3-54-g00ecf From 77f665200b81737da0c02c0ce97a183d57c602d3 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Fri, 16 Jul 2021 09:55:25 -0400 Subject: Restore buildah-bud test requiring new images Ref: https://github.com/containers/podman/pull/10829#issuecomment-881355983 Signed-off-by: Chris Evich --- test/buildah-bud/apply-podman-deltas | 8 -------- 1 file changed, 8 deletions(-) diff --git a/test/buildah-bud/apply-podman-deltas b/test/buildah-bud/apply-podman-deltas index 18b3d56f9..44a33b0b8 100755 --- a/test/buildah-bud/apply-podman-deltas +++ b/test/buildah-bud/apply-podman-deltas @@ -165,14 +165,6 @@ skip "FIXME FIXME FIXME: this passes on Ed's laptop, fails in CI??" \ skip "buildah runs with --cgroup-manager=cgroupfs, podman with systemd" \ "bud with --cgroup-parent" -# see https://github.com/containers/podman/pull/10829 -skip "FIXME FIXME FIXME - requires updated CI images (#10829)" \ - "bud with --runtime and --runtime-flag" - -############################################################################### -# BEGIN tests which are skipped due to actual podman bugs. - - ############################################################################### # BEGIN tests which are skipped because they make no sense under podman-remote -- cgit v1.2.3-54-g00ecf From dc70382886c9ae14c57277eabe3d2ce552c618fd Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Mon, 2 Aug 2021 16:22:59 -0400 Subject: Fix AVC denials in tests of volume mounts This becomes a problem on hosts with upgraded policies. Ref: https://github.com/containers/podman/issues/10522 Also, made a small change to compose-test setup to reduce runtime. Signed-off-by: Chris Evich --- contrib/cirrus/setup_environment.sh | 2 +- test/compose/mount_and_label/docker-compose.yml | 2 ++ test/e2e/login_logout_test.go | 11 +++++++---- test/e2e/run_test.go | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 3f2176fd6..e4c95631c 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -208,7 +208,7 @@ case "$TEST_FLAVOR" in unit) ;; apiv2) ;& # use next item compose) - dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker* + rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-docker* ;& # continue with next item int) ;& sys) ;& diff --git a/test/compose/mount_and_label/docker-compose.yml b/test/compose/mount_and_label/docker-compose.yml index 112d7e134..81fda2512 100644 --- a/test/compose/mount_and_label/docker-compose.yml +++ b/test/compose/mount_and_label/docker-compose.yml @@ -6,5 +6,7 @@ services: - '5000:5000' volumes: - /tmp/data:/data:ro + security_opt: + - label=disable labels: - "io.podman=the_best" diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go index 7ad1fc1f2..d8ca9cbd9 100644 --- a/test/e2e/login_logout_test.go +++ b/test/e2e/login_logout_test.go @@ -79,9 +79,9 @@ var _ = Describe("Podman login and logout", func() { session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"), "-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v", - strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", + strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", - "-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", + "-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) @@ -235,10 +235,13 @@ var _ = Describe("Podman login and logout", func() { setup.WaitWithDefaultTimeout() defer os.RemoveAll(certDir) + // N/B: This second registry container shares the same auth and cert dirs + // as the registry started from BeforeEach(). Since this one starts + // second, re-labeling the volumes should keep SELinux happy. session := podmanTest.Podman([]string{"run", "-d", "-p", "9001:9001", "-e", "REGISTRY_HTTP_ADDR=0.0.0.0:9001", "--name", "registry1", "-v", - strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", + strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e", "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd", - "-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", + "-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt", "-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index d68aa6ac4..1fb1a179a 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -946,7 +946,7 @@ USER mail`, BB) Expect(err).To(BeNil()) mountpoint := "/myvol/" - session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint, ALPINE, "cat", mountpoint + filename}) + session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint + ":z", ALPINE, "cat", mountpoint + filename}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) ctrID := session.OutputToString() -- cgit v1.2.3-54-g00ecf From 5c837fe5b0409593176b3f185c5f4a59545a423b Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Tue, 17 Aug 2021 12:35:29 -0400 Subject: Skip stats test in CGv1 container environments These tests were originally enabled in a situation where CI provided false-positive results. Now that has been corrected, these tests all fail under a CGv1 container environment with the error: ``` Error: unable to load cgroup at /machine.slice/libpod-e4f...086.scope/libpod_parent/libpod-fbd...425: cgroup deleted ``` This commit simply disables the tests under this specific environment. Signed-off-by: Chris Evich --- test/e2e/common_test.go | 6 +++++- test/e2e/stats_test.go | 3 +++ test/e2e/systemd_test.go | 11 ++++++----- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go index 2e48e1763..d03a2741b 100644 --- a/test/e2e/common_test.go +++ b/test/e2e/common_test.go @@ -645,9 +645,13 @@ func isRootless() bool { return os.Geteuid() != 0 } +func isCgroupsV1() bool { + return !CGROUPSV2 +} + func SkipIfCgroupV1(reason string) { checkReason(reason) - if !CGROUPSV2 { + if isCgroupsV1() { Skip(reason) } } diff --git a/test/e2e/stats_test.go b/test/e2e/stats_test.go index a0be5d462..c0d56fdbc 100644 --- a/test/e2e/stats_test.go +++ b/test/e2e/stats_test.go @@ -22,6 +22,9 @@ var _ = Describe("Podman stats", func() { BeforeEach(func() { SkipIfRootlessCgroupsV1("stats not supported on cgroupv1 for rootless users") + if isContainerized() { + SkipIfCgroupV1("stats not supported inside cgroupv1 container environment") + } var err error tempdir, err = CreateTempDirInTempDir() if err != nil { diff --git a/test/e2e/systemd_test.go b/test/e2e/systemd_test.go index bb51d6ac2..3213a839a 100644 --- a/test/e2e/systemd_test.go +++ b/test/e2e/systemd_test.go @@ -6,7 +6,6 @@ import ( "strings" "time" - "github.com/containers/podman/v3/pkg/rootless" . "github.com/containers/podman/v3/test/utils" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" @@ -118,11 +117,13 @@ WantedBy=multi-user.target Expect(len(conData)).To(Equal(1)) Expect(conData[0].Config.SystemdMode).To(BeTrue()) - if CGROUPSV2 || !rootless.IsRootless() { - stats := podmanTest.Podman([]string{"stats", "--no-stream", ctrName}) - stats.WaitWithDefaultTimeout() - Expect(stats).Should(Exit(0)) + // stats not supported w/ CGv1 rootless or containerized + if isCgroupsV1() && (isRootless() || isContainerized()) { + return } + stats := podmanTest.Podman([]string{"stats", "--no-stream", ctrName}) + stats.WaitWithDefaultTimeout() + Expect(stats).Should(Exit(0)) }) It("podman create container with systemd entrypoint triggers systemd mode", func() { -- cgit v1.2.3-54-g00ecf From 9dd088e555870c6bf149f9d83a5095880580a56a Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Tue, 17 Aug 2021 13:03:31 -0400 Subject: Cirrus: Confirm CGv1 / CGv2 VM expectations Signed-off-by: Chris Evich --- contrib/cirrus/setup_environment.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index e4c95631c..d0c348d58 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -77,6 +77,13 @@ case "$CG_FS_TYPE" in else echo "OCI_RUNTIME=runc" >> /etc/ci_environment fi + + # As a general policy CGv1 + runc should coincide with the "older" + # VM Images in CI. Verify this is the case. + if [[ -n "$VM_IMAGE_NAME" ]] && [[ ! "$VM_IMAGE_NAME" =~ prior ]] + then + die "Most recent distro. version should never run with CGv1" + fi fi ;; cgroup2fs) @@ -85,6 +92,13 @@ case "$CG_FS_TYPE" in # which uses runc as the default. warn "Forcing testing with crun instead of runc" echo "OCI_RUNTIME=crun" >> /etc/ci_environment + + # As a general policy CGv2 + crun should coincide with the "newer" + # VM Images in CI. Verify this is the case. + if [[ -n "$VM_IMAGE_NAME" ]] && [[ "$VM_IMAGE_NAME" =~ prior ]] + then + die "Least recent distro. version should never run with CGv2" + fi fi ;; *) die_unknown CG_FS_TYPE -- cgit v1.2.3-54-g00ecf