From 8ca6706be0fff7136ba118914f6dbe3459c8f831 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Mon, 21 Jan 2019 08:48:15 -0500 Subject: Cirrus: Add RHEL-7 testing Add necessary tweaks to base-image build/import process so that image can successfully boot with networking enabled. Build the base image and update ``.cirrus.yml`` accordingly. Also make a minor improvement to cache-image building to help save space in GCP image storage. Namely, instead of storing every produced image, export them into google storage buckets w/ life-cycle enabled. For production use, they may be converted back into GCE images, otherwise they will expire after a time. Signed-off-by: Chris Evich --- .cirrus.yml | 17 ++++++----- contrib/cirrus/build_vm_images.sh | 22 ++++++++++++-- contrib/cirrus/packer/Makefile | 12 ++------ contrib/cirrus/packer/centos_setup.sh | 1 + .../packer/image-builder-image_base-setup.sh | 3 ++ contrib/cirrus/packer/libpod_base_images.yml | 8 ++--- contrib/cirrus/packer/libpod_images.yml | 13 +++++++-- contrib/cirrus/packer/rhel_base-setup.sh | 34 ++++++++++++++++++++-- contrib/cirrus/packer/rhel_setup.sh | 3 ++ 9 files changed, 85 insertions(+), 28 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index d3a9eea40..0efe73802 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -31,7 +31,7 @@ env: PRIOR_FEDORA_CACHE_IMAGE_NAME: "fedora-28-libpod-7f4cd1f7" UBUNTU_CACHE_IMAGE_NAME: "ubuntu-18-libpod-7f4cd1f7" # RHEL_CACHE_IMAGE_NAME: "rhel-8-notready" - # PRIOR_RHEL_CACHE_IMAGE_NAME: "rhel-7-libpod-7f4cd1f7" + PRIOR_RHEL_CACHE_IMAGE_NAME: "rhel-7-libpod-7f4cd1f7" # CENTOS_CACHE_IMAGE_NAME: "centos-7-notready" #### 
@@ -45,9 +45,9 @@ env: CRIU_COMMIT: "c74b83cd49c00589c0c0468ba5fe685b67fdbd0a" RUNC_COMMIT: "25f3f893c86d07426df93b7aa172f33fdf093fbd" # CSV of cache-image names to build (see $PACKER_BASE/libpod_images.json) - PACKER_BUILDS: "ubuntu-18,fedora-29,fedora-28" # TODO: fah-29,rhel-7,centos-7 + PACKER_BUILDS: "ubuntu-18,fedora-29,fedora-28,rhel-7" # TODO: rhel-8,centos-7 # Version of packer to use - PACKER_VER: "1.3.1" + PACKER_VER: "1.3.2" # Special image w/ nested-libvirt + tools for creating new cache and base images IMAGE_BUILDER_CACHE_IMAGE_NAME: "image-builder-image-1541772081" # Google-maintained base-image names @@ -58,7 +58,7 @@ env: PRIOR_FEDORA_BASE_IMAGE: "fedora-cloud-base-28-1-1-1544474897" FAH_BASE_IMAGE: "fedora-atomichost-29-20181025-1-1541787861" # RHEL image must be imported, google bills extra for their native image. - RHEL_BASE_IMAGE: "rhel-guest-image-7-6-210-x86-64-qcow2-1541783972" + RHEL_BASE_IMAGE: "rhel-guest-image-7-6-210-x86-64-qcow2-1548099756" #### #### Credentials and other secret-sauces, decrypted at runtime when authorized. @@ -134,6 +134,7 @@ build_each_commit_task: - git fetch --depth $CIRRUS_CLONE_DEPTH origin $CIRRUS_BASE_BRANCH - env GOPATH=/var/tmp/go/ make build-all-new-commits GIT_BASE_BRANCH=origin/$CIRRUS_BASE_BRANCH + # This task does the unit and integration testing for every platform testing_task: @@ -154,10 +155,10 @@ testing_task: image_name: "${FEDORA_CACHE_IMAGE_NAME}" image_name: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" image_name: "${UBUNTU_CACHE_IMAGE_NAME}" + image_name: "${PRIOR_RHEL_CACHE_IMAGE_NAME}" # TODO: tests fail - # image_name: "${RHEL_CACHE_IMAGE_NAME} - # image_name: "${PRIOR_RHEL_CACHE_IMAGE_NAME} + # image_name: "${RHEL_CACHE_IMAGE_NAME}" # image_name: "${CENTOS_CACHE_IMAGE_NAME}" timeout_in: 120m 
@@ -191,9 +192,9 @@ optional_testing_task: image_name: "${FEDORA_CACHE_IMAGE_NAME}" image_name: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" image_name: "${UBUNTU_CACHE_IMAGE_NAME}" + image_name: "${PRIOR_RHEL_CACHE_IMAGE_NAME}" # TODO: Make these work (also build_images_task below) - # image_name: "${RHEL_CACHE_IMAGE_NAME} - # image_name: "${PRIOR_RHEL_CACHE_IMAGE_NAME} + # image_name: "${RHEL_CACHE_IMAGE_NAME}" # image_name: "${CENTOS_CACHE_IMAGE_NAME}" timeout_in: 60m diff --git a/contrib/cirrus/build_vm_images.sh b/contrib/cirrus/build_vm_images.sh index ee45b1ead..6b86aa4d4 100755 --- a/contrib/cirrus/build_vm_images.sh +++ b/contrib/cirrus/build_vm_images.sh @@ -42,15 +42,33 @@ then fi fi -set -x - cd "$GOSRC/$PACKER_BASE" + +# Separate PR-produced images from those produced on master. +if [[ "${CIRRUS_BRANCH:-}" == "master" ]] +then + POST_MERGE_BUCKET_SUFFIX="-master" +else + POST_MERGE_BUCKET_SUFFIX="" +fi + make libpod_images \ PACKER_BUILDS=$PACKER_BUILDS \ PACKER_VER=$PACKER_VER \ GOSRC=$GOSRC \ SCRIPT_BASE=$SCRIPT_BASE \ PACKER_BASE=$PACKER_BASE \ + POST_MERGE_BUCKET_SUFFIX=$POST_MERGE_BUCKET_SUFFIX \ BUILT_IMAGE_SUFFIX=$BUILT_IMAGE_SUFFIX record_timestamp "cache-image build end" + +# When successful, upload manifest of produced images using a filename unique +# to this build. +URI="gs://packer-import${POST_MERGE_BUCKET_SUFFIX}/manifest${BUILT_IMAGE_SUFFIX}.json" +gsutil cp packer-manifest.json "$URI" + +echo "Finished." +echo "Any tarball URI's referenced above at at $URI" +echo "may be used to create VM images suitable for use in" +echo ".cirrus.yml as values for the 'image_name' keys." diff --git a/contrib/cirrus/packer/Makefile b/contrib/cirrus/packer/Makefile index 9bf27373e..0a783e979 100644 --- a/contrib/cirrus/packer/Makefile +++ b/contrib/cirrus/packer/Makefile 
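Review bot: The new `gsutil cp packer-manifest.json "$URI"` step at the end of the build_vm_images.sh hunk only matches its "When successful" comment if errexit is already in effect, and that part of the script lies outside the hunk. If it is not, a failed `make libpod_images` could still publish a stale or partial manifest, including under the `-master` bucket; ending the make invocation with `|| exit 1` would make the guarantee local. The values handed to make are unquoted (`POST_MERGE_BUCKET_SUFFIX=$POST_MERGE_BUCKET_SUFFIX`) while `"$URI"` is quoted, so quoting them as `"POST_MERGE_BUCKET_SUFFIX=$POST_MERGE_BUCKET_SUFFIX"` would keep an empty or space-containing value from changing the argument list. The second-to-last echo reads "at at".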
@@ -3,7 +3,7 @@ # builder name(s) from applicable YAML file, # e.g for names see libpod_images.yml -PACKER_VER ?= 1.3.1 +PACKER_VER ?= 1.3.2 PACKER_DIST_FILENAME := packer_${PACKER_VER}_linux_amd64.zip # Only needed for libpod_base_images target @@ -11,6 +11,7 @@ TIMESTAMP := $(shell date +%s) GOSRC ?= $(shell realpath "./../../../") PACKER_BASE ?= contrib/cirrus/packer SCRIPT_BASE ?= contrib/cirrus +POST_MERGE_BUCKET_SUFFIX ?= # For debugging nested-virt, use #TTYDEV := $(shell tty) @@ -50,10 +51,6 @@ endif -var PACKER_BASE=$(PACKER_BASE) \ -var SCRIPT_BASE=$(SCRIPT_BASE) \ libpod_images.json - @echo "" - @echo "Finished. The images mentioned above, and in packer-manifest.json" - @echo "can be used in .cirrus.yml as values for the 'image_name' keys" - @echo "" cidata.ssh: ssh-keygen -f $@ -P "" -q @@ -100,9 +97,6 @@ endif -var RHEL_IMAGE_FILE=$(RHEL_IMAGE_FILE) \ -var RHEL_CSUM_FILE=$(RHEL_CSUM_FILE) \ -var 'RHSM_COMMAND=$(RHSM_COMMAND)' \ + -var POST_MERGE_BUCKET_SUFFIX=$(POST_MERGE_BUCKET_SUFFIX) \ -only $(PACKER_BUILDS) \ libpod_base_images.json - @echo "" - @echo "Finished. The images mentioned above, and in packer-manifest.json" - @echo "can be used in .cirrus.yml as values for the *_BASE_IMAGE keys." - @echo "" diff --git a/contrib/cirrus/packer/centos_setup.sh b/contrib/cirrus/packer/centos_setup.sh index a13050569..923f2563b 100644 --- a/contrib/cirrus/packer/centos_setup.sh +++ b/contrib/cirrus/packer/centos_setup.sh @@ -25,6 +25,7 @@ ooe.sh sudo yum -y update ooe.sh sudo yum -y install centos-release-scl epel-release ooe.sh sudo yum -y install \ + PyYAML \ atomic-registries \ btrfs-progs-devel \ bzip2 \ diff --git a/contrib/cirrus/packer/image-builder-image_base-setup.sh b/contrib/cirrus/packer/image-builder-image_base-setup.sh index b8e2824a7..8cf9fd8ab 100644 --- a/contrib/cirrus/packer/image-builder-image_base-setup.sh +++ b/contrib/cirrus/packer/image-builder-image_base-setup.sh 
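Review bot: `POST_MERGE_BUCKET_SUFFIX ?=` in the second packer/Makefile hunk is added without a comment, and it appears to sit in the group headed "Only needed for libpod_base_images target" even though build_vm_images.sh in this commit passes it to `make libpod_images`. Because the value selects which `gs://packer-import…` bucket is written to, it deserves a line such as `# Bucket-name suffix for exported images: "-master" on post-merge builds, empty for PRs`. In the visible hunks only the base-images recipe forwards it, with `-var POST_MERGE_BUCKET_SUFFIX=$(POST_MERGE_BUCKET_SUFFIX)`; the libpod_images recipe in the third hunk gains no matching `-var`, so the template presumably reads it another way, which is worth confirming. Both recipes begin outside their hunks.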
@@ -45,10 +45,13 @@ ooe.sh sudo yum -y install \ qemu-kvm-tools \ qemu-user \ rsync \ + rng-tools \ unzip \ util-linux \ vim +sudo systemctl enable rngd + sudo ln -s /usr/libexec/qemu-kvm /usr/bin/ sudo tee /etc/modprobe.d/kvm-nested.conf < Date: Thu, 24 Jan 2019 14:17:44 -0500 Subject: Set SELinux type on bin/podman after install Different components of testing reference the podman binary differently. While they are identical in content, their SELinux types are not the same, depending on build location. Avoid confusion and test failures by always matching the bin/podman SELinux type to that of $BINDIR/podman **after** install. This ensures even if the code or default contexts change, a subsequent `make install` will re-match the SELinux type. Signed-off-by: Chris Evich --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index f0f6a1fab..b68b8adbe 100644 --- a/Makefile +++ b/Makefile @@ -224,6 +224,7 @@ install: .gopathok install.bin install.man install.cni install.systemd install.bin: install ${SELINUXOPT} -d -m 755 $(BINDIR) install ${SELINUXOPT} -m 755 bin/podman $(BINDIR)/podman + test -z "${SELINUXOPT}" || chcon --verbose --reference=$(BINDIR)/podman bin/podman install.man: docs install ${SELINUXOPT} -d -m 755 $(MANDIR)/man1 -- cgit v1.2.3-54-g00ecf
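Review bot: The added `chcon --verbose --reference=$(BINDIR)/podman bin/podman` line in `install.bin` copies the installed binary's whole security context (user, role, type and range), not only the type the commit message talks about. It also relabels a file in the build tree as a side effect of an install step. If matching the full context is intended, a comment such as `# Keep bin/podman's SELinux label in step with $(BINDIR)/podman so tests see the same label on either path` would explain why install touches the source tree. A failing chcon now fails `make install` after the binary has already been copied, so it is worth deciding whether that should be fatal. `$(BINDIR)/podman` is unquoted here, as on the surrounding install lines.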