From b63f61f5cdf5416bb1431188e98ce55bd97f5cf0 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Tue, 11 Jan 2022 13:53:53 -0500 Subject: Cirrus: Add e2e task w/ upstream netavark This PR adds the CI mechanisms to obtain the latest upstream netavark binary, and set a magic env-var to indicate e2e tests should execute podman with `--network-driver=netavark`. A future commit implement this functionality within the e2e tests. Due to the way the new environment is enabled, the standard task name is too long for github to display without adding ellipsis. Force the custom task name `Netavark Integration` to workaround this. At some future point, when netavark is more mainstream/widely supported, this custom task and upstream binary install can simply be removed - i.e. netavark will simply be used by default in the normal e2e tasks. Signed-off-by: Chris Evich --- contrib/cirrus/runner.sh | 2 +- contrib/cirrus/setup_environment.sh | 35 ++++++++++++++++++++++++++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) (limited to 'contrib/cirrus') diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index f0223f9eb..6376bafa2 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh @@ -12,7 +12,7 @@ set -eo pipefail # most notably: # # PODBIN_NAME : "podman" (i.e. local) or "remote" -# TEST_ENVIRON : 'host' or 'container'; desired environment in which to run +# TEST_ENVIRON : 'host', 'host-netavark', or 'container'; desired environment in which to run # CONTAINER : 1 if *currently* running inside a container, 0 if host # diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 44c821bc1..62d1e6d45 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh 
@@ -130,7 +130,7 @@ esac # Required to be defined by caller: The environment where primary testing happens # shellcheck disable=SC2154 case "$TEST_ENVIRON" in - host) + host*) # The e2e tests wrongly guess `--cgroup-manager` option # shellcheck disable=SC2154 if [[ "$CG_FS_TYPE" == "cgroup2fs" ]] || [[ "$PRIV_NAME" == "root" ]] @@ -141,6 +141,35 @@ case "$TEST_ENVIRON" in warn "Forcing CGROUP_MANAGER=cgroupfs" echo "CGROUP_MANAGER=cgroupfs" >> /etc/ci_environment fi + # TODO: For the foreseeable future, need to support running tests + # with and without the latest netavark. Once netavark is more + # stable and widely supported in Fedora, it can be pre-installed + # from its RPM at VM image build-time. + if [[ "$TEST_ENVIRON" =~ netavark ]]; then + req_env_vars NETAVARK_BRANCH NETAVARK_URL NETAVARK_DEBUG + msg "Downloading latest netavark from upstream branch '$NETAVARK_BRANCH'" + curl --fail --location -o /tmp/netavark.zip "${NETAVARK_URL}" + + # Needs to be in a specific location + # ref: https://github.com/containers/common/blob/main/pkg/config/config_linux.go#L39 + _nvdir=/usr/local/libexec/podman + mkdir -p $_nvdir + cd $_nvdir + msg "$PWD" + unzip /tmp/netavark.zip + if ((NETAVARK_DEBUG)); then + warn "Using debug netavark binary" + mv netavark.debug netavark + else + rm netavark.debug + fi + cd - + + chmod 0755 $_nvdir/netavark + restorecon -F -v $_nvdir + msg "Forcing NETWORK_BACKEND=netavark in all subsequent environments." + echo "NETWORK_BACKEND=netavark" >> /etc/ci_environment + fi ;; container) if ((CONTAINER==0)); then # not yet inside a container @@ -247,7 +276,7 @@ case "$TEST_FLAVOR" in # Use existing host bits when testing is to happen inside a container # since this script will run again in that environment. # shellcheck disable=SC2154 - if [[ "$TEST_ENVIRON" == "host" ]]; then + if [[ "$TEST_ENVIRON" =~ host ]]; then if ((CONTAINER)); then die "Refusing to config. host-test in container"; fi 
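Review bot: The `host*)` pattern accepts any value that merely begins with `host`, and the `[[ "$TEST_ENVIRON" =~ host ]]` test in the later `@@ -247,7 +276,7 @@` hunk matches that substring anywhere in the value, so a mistyped `TEST_ENVIRON` no longer reaches the `die "Invalid value ..."` branch. Listing the accepted values keeps the validation strict: `host|host-netavark)` for the case arm and `if [[ "$TEST_ENVIRON" =~ ^host(-netavark)?$ ]]; then` for the later test. The `case` statement and the `if` chain both continue outside the hunks shown.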
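Review bot: The archive fetched from `NETAVARK_URL` in the `@@ -141,6 +141,35 @@` hunk is unpacked and made executable under `/usr/local/libexec/podman` without any integrity check, and the URL shown in `.cirrus.yml` later on this page follows a branch tip, so whatever that endpoint serves becomes the network backend on the CI VM. Verifying a published digest (or pinning a specific build) before `unzip` would close that gap. The fixed name `/tmp/netavark.zip` is better replaced by a `mktemp -d` directory, and `$_nvdir` should be quoted with the `cd` result checked. The same download pattern is carried into the loop of the `@@ -142,31 +142,37 @@` hunk in the following commit. The digest in the sketch below is a placeholder, since this change defines none.

```shell
# … unchanged: req_env_vars and the "Downloading latest netavark" msg …
_nvtmp=$(mktemp -d)
curl --fail --location -o "$_nvtmp/netavark.zip" "${NETAVARK_URL}"
# PINNED_SHA256_PLACEHOLDER stands for a digest published with the artifact;
# no such value exists in this change.
echo "PINNED_SHA256_PLACEHOLDER  $_nvtmp/netavark.zip" | sha256sum --check -

_nvdir=/usr/local/libexec/podman
mkdir -p "$_nvdir"
cd "$_nvdir" || die "Cannot cd to $_nvdir"
msg "$PWD"
unzip "$_nvtmp/netavark.zip"
rm -rf -- "$_nvtmp"
# … unchanged: debug-binary selection, cd -, chmod, restorecon, NETWORK_BACKEND …
```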
@@ -259,7 +288,7 @@ case "$TEST_FLAVOR" in make install PREFIX=/usr ETCDIR=/etc fi else - die "Invalid value for $$TEST_ENVIRON=$TEST_ENVIRON" + die "Invalid value for \$TEST_ENVIRON=$TEST_ENVIRON" fi install_test_configs -- cgit v1.2.3-54-g00ecf From 6b0d4d9158662501b8bf36a69d351abaa9265c84 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Tue, 18 Jan 2022 16:58:04 -0500 Subject: Cirrus: Also download aardvark-dns binary This involves a minor code-change so the download/install can run in a loop for the two different repositories and binaries. Given everything is exactly the same except the URLs and names. Signed-off-by: Chris Evich --- .cirrus.yml | 5 ++++ contrib/cirrus/setup_environment.sh | 52 +++++++++++++++++++++---------------- 2 files changed, 34 insertions(+), 23 deletions(-) (limited to 'contrib/cirrus') diff --git a/.cirrus.yml b/.cirrus.yml index c298d5daa..b7cfb2b8d 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -9,6 +9,8 @@ env: DEST_BRANCH: "v4.0" # Netavark branch to use when TEST_ENVIRON=host-netavark NETAVARK_BRANCH: "main" + # Aardvark branch to use + AARDVARK_BRANCH: "main" # Overrides default location (/tmp/cirrus) for repo clone GOPATH: &gopath "/var/tmp/go" GOBIN: "${GOPATH}/bin" @@ -528,6 +530,8 @@ netavark_integration_test_task: TEST_ENVIRON: host-netavark NETAVARK_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/netavark/success/binary.zip?branch=${NETAVARK_BRANCH}" NETAVARK_DEBUG: 0 # set non-zero to use the debug-mode binary + AARDVARK_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/aardvark-dns/success/binary.zip?branch=${AARDVARK_BRANCH}" + AARDVARK_DEBUG: 0 # set non-zero to use the debug-mode binary clone_script: *noop # Comes from cache gopath_cache: *ro_gopath_cache setup_script: *setup @@ -757,6 +761,7 @@ success_task: - compose_test - local_integration_test - remote_integration_test + - netavark_integration_test - rootless_integration_test - container_integration_test - netavark_integration_test 
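Review bot: The `- netavark_integration_test` entry added to the `depends_on` list in the `@@ -757,6 +761,7 @@` hunk duplicates the identical entry that already appears two lines below it as context. One of the two should be dropped so each dependency is listed once. The list itself starts above the hunk.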
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 62d1e6d45..36e53320c 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -142,31 +142,37 @@ case "$TEST_ENVIRON" in echo "CGROUP_MANAGER=cgroupfs" >> /etc/ci_environment fi # TODO: For the foreseeable future, need to support running tests - # with and without the latest netavark. Once netavark is more - # stable and widely supported in Fedora, it can be pre-installed + # with and without the latest netavark/aardvark. Once they're more + # stable and widely supported in Fedora, they can be pre-installed # from its RPM at VM image build-time. if [[ "$TEST_ENVIRON" =~ netavark ]]; then - req_env_vars NETAVARK_BRANCH NETAVARK_URL NETAVARK_DEBUG - msg "Downloading latest netavark from upstream branch '$NETAVARK_BRANCH'" - curl --fail --location -o /tmp/netavark.zip "${NETAVARK_URL}" - - # Needs to be in a specific location - # ref: https://github.com/containers/common/blob/main/pkg/config/config_linux.go#L39 - _nvdir=/usr/local/libexec/podman - mkdir -p $_nvdir - cd $_nvdir - msg "$PWD" - unzip /tmp/netavark.zip - if ((NETAVARK_DEBUG)); then - warn "Using debug netavark binary" - mv netavark.debug netavark - else - rm netavark.debug - fi - cd - - - chmod 0755 $_nvdir/netavark - restorecon -F -v $_nvdir + for info in "netavark $NETAVARK_BRANCH $NETAVARK_URL $NETAVARK_DEBUG" \ + "aardvark-dns $AARDVARK_BRANCH $AARDVARK_URL $AARDVARK_DEBUG"; do + + read _name _branch _url _debug <<<"$info" + req_env_vars _name _branch _url _debug + msg "Downloading latest $_name from upstream branch '$_branch'" + # Use identifiable archive filename in of a get_ci_env.sh environment + curl --fail --location -o /tmp/$_name.zip "$_url" + + # Needs to be in a specific location + # ref: https://github.com/containers/common/blob/main/pkg/config/config_linux.go#L39 + _pdir=/usr/local/libexec/podman + mkdir -p $_pdir + cd $_pdir + msg "$PWD" + unzip /tmp/$_name.zip + if ((_debug)); then + warn "Using debug $_name binary" + mv $_name.debug $_name + else + rm $_name.debug + fi + chmod 0755 $_pdir/$_name + cd - + done + + restorecon -F -v $_pdir msg "Forcing 
NETWORK_BACKEND=netavark in all subsequent environments." echo "NETWORK_BACKEND=netavark" >> /etc/ci_environment fi -- cgit v1.2.3-54-g00ecf From 66a3be3709ae67ec14c0ecdfee3847066c90c9ae Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Wed, 26 Jan 2022 13:05:50 -0500 Subject: Cirrus: Add netavark/aardvark system test task Also add a system-test that verifies netavark driver is in use when magic env. var. is set. Signed-off-by: Chris Evich --- .cirrus.yml | 42 +++++++++++++++++++++++++++++++------ contrib/cirrus/lib.sh | 24 +++++++++++++-------- contrib/cirrus/setup_environment.sh | 2 ++ test/system/005-info.bats | 12 +++++++++++ test/system/500-networking.bats | 10 ++++++--- test/system/README.md | 1 + test/system/helpers.bash | 9 ++++++++ 7 files changed, 82 insertions(+), 18 deletions(-) (limited to 'contrib/cirrus') diff --git a/.cirrus.yml b/.cirrus.yml index b7cfb2b8d..adcbdc9e5 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -24,6 +24,11 @@ env: # Runner statistics log file path/name STATS_LOGFILE_SFX: 'runner_stats.log' STATS_LOGFILE: '$GOSRC/${CIRRUS_TASK_NAME}-${STATS_LOGFILE_SFX}' + # Netavark/aardvark location/options when TEST_ENVIRON=host-netavark + NETAVARK_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/netavark/success/binary.zip?branch=${NETAVARK_BRANCH}" + NETAVARK_DEBUG: 0 # set non-zero to use the debug-mode binary + AARDVARK_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/aardvark-dns/success/binary.zip?branch=${AARDVARK_BRANCH}" + AARDVARK_DEBUG: 0 # set non-zero to use the debug-mode binary #### #### Cache-image names to test with (double-quotes around names are critical) @@ -512,6 +517,7 @@ container_integration_test_task: main_script: *main always: *int_logs_artifacts + # Run the integration tests using the latest upstream build of netavark. netavark_integration_test_task: name: "Netavark integration" # using *std_name_fmt here is unreadable 
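Review bot: `read _name _branch _url _debug <<<"$info"` in the `@@ -142,31 +142,37 @@` hunk splits on whitespace, so an empty `NETAVARK_*` or `AARDVARK_*` value shifts the remaining fields left (a URL can land in `_branch`), and `req_env_vars _name _branch _url _debug` can then at best report the wrong variable; presumably it only checks for non-empty values. Checking the real names before the loop, `req_env_vars NETAVARK_BRANCH NETAVARK_URL NETAVARK_DEBUG AARDVARK_BRANCH AARDVARK_URL AARDVARK_DEBUG`, and using `read -r` avoids that. The expansions `/tmp/$_name.zip`, `$_pdir` and `$_name.debug` are unquoted, and `restorecon -F -v $_pdir` after `done` depends on a variable assigned only inside the loop body, so assigning `_pdir` once before the `for` would be clearer. The comment `# Use identifiable archive filename in of a get_ci_env.sh environment` appears to be missing a word.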
@@ -528,10 +534,6 @@ netavark_integration_test_task: CTR_FQIN: ${FEDORA_CONTAINER_FQIN} TEST_FLAVOR: int TEST_ENVIRON: host-netavark - NETAVARK_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/netavark/success/binary.zip?branch=${NETAVARK_BRANCH}" - NETAVARK_DEBUG: 0 # set non-zero to use the debug-mode binary - AARDVARK_URL: "https://api.cirrus-ci.com/v1/artifact/github/containers/aardvark-dns/success/binary.zip?branch=${AARDVARK_BRANCH}" - AARDVARK_DEBUG: 0 # set non-zero to use the debug-mode binary clone_script: *noop # Comes from cache gopath_cache: *ro_gopath_cache setup_script: *setup @@ -539,6 +541,28 @@ netavark_integration_test_task: always: *int_logs_artifacts +netavark_system_test_task: + name: "Netavark system" + alias: netavark_system_test + skip: *tags + only_if: *not_build + depends_on: + - netavark_integration_test + gce_instance: *standardvm + env: + DISTRO_NV: ${FEDORA_NAME} + _BUILD_CACHE_HANDLE: ${FEDORA_NAME}-build-${CIRRUS_BUILD_ID} + VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME} + CTR_FQIN: ${FEDORA_CONTAINER_FQIN} + TEST_ENVIRON: host-netavark + TEST_FLAVOR: sys + clone_script: *noop # Comes from cache + gopath_cache: *ro_gopath_cache + setup_script: *setup + main_script: *main + always: *logs_artifacts + + # Execute most integration tests as a regular (non-root) user. rootless_integration_test_task: name: *std_name_fmt @@ -591,6 +615,7 @@ remote_system_test_task: TEST_FLAVOR: sys PODBIN_NAME: remote + rootless_remote_system_test_task: <<: *local_system_test_task alias: rootless_remote_system_test @@ -611,6 +636,7 @@ rootless_remote_system_test_task: PODBIN_NAME: remote PRIV_NAME: rootless + buildah_bud_test_task: name: *std_name_fmt alias: buildah_bud_test @@ -639,6 +665,7 @@ buildah_bud_test_task: main_script: *main always: *int_logs_artifacts + rootless_system_test_task: name: *std_name_fmt alias: rootless_system_test 
@@ -657,6 +684,7 @@ rootless_system_test_task: main_script: *main always: *logs_artifacts + rootless_gitlab_test_task: name: *std_name_fmt alias: rootless_gitlab_test @@ -684,6 +712,7 @@ rootless_gitlab_test_task: type: text/xml format: junit + upgrade_test_task: name: "Upgrade test: from $PODMAN_UPGRADE_FROM" alias: upgrade_test @@ -713,6 +742,7 @@ upgrade_test_task: main_script: *main always: *logs_artifacts + # This task is critical. It updates the "last-used by" timestamp stored # in metadata for all VM images. This mechanism functions in tandem with # an out-of-band pruning operation to remove disused VM images. @@ -761,10 +791,10 @@ success_task: - compose_test - local_integration_test - remote_integration_test - - netavark_integration_test - - rootless_integration_test - container_integration_test - netavark_integration_test + - netavark_system_test + - rootless_integration_test - local_system_test - remote_system_test - rootless_system_test diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index ae538d23f..09a255e6f 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh 
@@ -214,16 +214,22 @@ setup_rootless() { } install_test_configs() { - echo "Installing cni config, policy and registry config" - req_env_vars GOSRC SCRIPT_BASE - cd $GOSRC || exit 1 - install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/ - # This config must always sort last in the list of networks (podman picks first one - # as the default). This config prevents allocation of network address space used - # by default in google cloud. https://cloud.google.com/vpc/docs/vpc#ip-ranges - install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/ - + msg "Installing ./test/registries.conf system-wide." install -v -D -m 644 ./test/registries.conf /etc/containers/ + if [[ "$TEST_ENVIRON" =~ netavark ]]; then + # belt-and-suspenders: any pre-existing CNI config. will spoil + # default use tof netavark (when both are installed). + rm -rf /etc/cni/net.d/* + else + echo "Installing cni config, policy and registry config" + req_env_vars GOSRC SCRIPT_BASE + cd $GOSRC || exit 1 + install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/ + # This config must always sort last in the list of networks (podman picks first one + # as the default). This config prevents allocation of network address space used + # by default in google cloud. https://cloud.google.com/vpc/docs/vpc#ip-ranges + install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/ + fi } # Remove all files provided by the distro version of podman. diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 36e53320c..4e9361152 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -173,6 +173,8 @@ case "$TEST_ENVIRON" in done restorecon -F -v $_pdir + # This is critical, it signals to all tests that netavark + # use is expected. msg "Forcing NETWORK_BACKEND=netavark in all subsequent environments." echo "NETWORK_BACKEND=netavark" >> /etc/ci_environment fi 
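Review bot: `install -v -D -m 644 ./test/registries.conf /etc/containers/` now runs before `cd $GOSRC || exit 1`, which moved into the `else` branch, so the relative path resolves against whatever directory the caller is in, and the netavark branch never changes directory at all. Keeping `req_env_vars GOSRC` and `cd "$GOSRC" || exit 1` at the top of `install_test_configs`, or installing from `"$GOSRC/test/registries.conf"`, restores the previous behaviour. The `echo "Installing cni config, policy and registry config"` line in the `else` branch no longer matches what that branch installs, and the new comment has a typo (`tof`).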
diff --git a/test/system/005-info.bats b/test/system/005-info.bats index 5f3cdff7e..0f7e8b2e4 100644 --- a/test/system/005-info.bats +++ b/test/system/005-info.bats @@ -88,6 +88,18 @@ host.slirp4netns.executable | $expr_path is "$output" ".*graphOptions: {}" "output includes graphOptions: {}" } +@test "podman info netavark " { + # Confirm netavark in use when explicitely required by execution environment. + if [[ "$NETWORK_BACKEND" == "netavark" ]]; then + if ! is_netavark; then + # Assume is_netavark() will provide debugging feedback. + die "Netavark driver testing required, but not in use by podman." + fi + else + skip "Netavark testing not requested (\$NETWORK_BACKEND='$NETWORK_BACKEND')" + fi +} + @test "podman --root PATH info - basic output" { if ! is_remote; then run_podman --storage-driver=vfs --root ${PODMAN_TMPDIR}/nothing-here-move-along info --format '{{ .Store.GraphOptions }}' diff --git a/test/system/500-networking.bats b/test/system/500-networking.bats index 9f70c1c6c..9b39ebf97 100644 --- a/test/system/500-networking.bats +++ b/test/system/500-networking.bats @@ -256,13 +256,17 @@ load helpers # rootless cannot modify iptables if ! is_rootless; then - # flush the CNI iptables here - run iptables -t nat -F CNI-HOSTPORT-DNAT + # flush the port forwarding iptable rule here + chain="CNI-HOSTPORT-DNAT" + if is_netavark; then + chain="NETAVARK-HOSTPORT-DNAT" + fi + run iptables -t nat -F "$chain" # check that we cannot curl (timeout after 5 sec) run timeout 5 curl -s $SERVER/index.txt if [ "$status" -ne 124 ]; then - die "curl did not timeout, status code: $status" + die "curl did not timeout, status code: $status" fi fi diff --git a/test/system/README.md b/test/system/README.md index fe6d1ed52..76626b6dd 100644 --- a/test/system/README.md +++ b/test/system/README.md 
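Review bot: The new test title `"podman info netavark "` in 005-info.bats carries a trailing space, and its comment spells `explicitely`. I would write `@test "podman info netavark" {` and `# Confirm netavark in use when explicitly required by execution environment.` while the test is new. The `die` path relies on `is_netavark` having already printed the `podman info` output, which holds only as long as that helper keeps calling `run_podman`.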
@@ -49,6 +49,7 @@ Running tests To run the tests locally in your sandbox, you can use one of these methods: * make;PODMAN=./bin/podman bats ./test/system/070-build.bats # runs just the specified test * make;PODMAN=./bin/podman bats ./test/system # runs all +* make;PODMAN=./bin/podman NETWORK_BACKEND=netavark bats ./test/system # Assert & enable netavark testing To test as root: * $ PODMAN=./bin/podman sudo --preserve-env=PODMAN bats test/system diff --git a/test/system/helpers.bash b/test/system/helpers.bash index 36a88fc10..c622a5172 100644 --- a/test/system/helpers.bash +++ b/test/system/helpers.bash @@ -341,6 +341,15 @@ function is_cgroupsv2() { test "$cgroup_type" = "cgroup2fs" } +# True if podman is using netavark +function is_netavark() { + run_podman info --format '{{.Host.NetworkBackend}}' + if [[ "$output" =~ netavark ]]; then + return 0 + fi + return 1 +} + # Returns the OCI runtime *basename* (typically crun or runc). Much as we'd # love to cache this result, we probably shouldn't. function podman_runtime() { -- cgit v1.2.3-54-g00ecf From 1e3115cf42b3abc2cd62427e59ba71851da29b12 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Fri, 28 Jan 2022 15:09:49 -0500 Subject: Cirrus: Log netavark/aardvark binary build info. Enabled by: * https://github.com/containers/netavark/pull/191 * https://github.com/containers/aardvark-dns/pull/36 Signed-off-by: Chris Evich --- contrib/cirrus/logcollector.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'contrib/cirrus') diff --git a/contrib/cirrus/logcollector.sh b/contrib/cirrus/logcollector.sh index 38a15ded1..0cfbf7135 100755 --- a/contrib/cirrus/logcollector.sh +++ b/contrib/cirrus/logcollector.sh 
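Review bot: `is_netavark` in helpers.bash has a side effect that its one-line comment does not mention: it calls `run_podman`, so `$output` (read on the next line) is overwritten for the caller, presumably along with `$status`. I would extend the comment to `# True if podman is using netavark. N/B: calls run_podman, clobbering $output.` so tests do not call it between a `run` and the checks on that run's result. The body can also end in the test itself, `[[ "$output" =~ netavark ]]`, instead of the explicit `return 0` / `return 1`.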
@@ -74,6 +74,19 @@ case $1 in echo "Cgroups: " $(stat -f -c %T /sys/fs/cgroup) # Any not-present packages will be listed as such $PKG_LST_CMD "${PKG_NAMES[@]}" | sort -u + + # TODO: Remove this once netavark/aardvark-dns packages are used + if [[ "$TEST_ENVIRON" =~ netavark ]]; then + _npath=/usr/local/libexec/podman/ + for name in netavark aardvark-dns; do + echo "$name binary details:" + if [[ -r "$_npath/${name}.info" ]]; then + cat "$_npath/${name}.info" + else + echo "WARNING: $_npath/${name}.info not found." + fi + done + fi ;; time) # Assumed to be empty/undefined outside of Cirrus-CI (.cirrus.yml) -- cgit v1.2.3-54-g00ecf From 926c3b08ae4cf0d825f48b9a54a1544123be6fb7 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Mon, 31 Jan 2022 11:44:52 -0500 Subject: CI: fix nightly builds Nightly builds were failing on CI ever since the Makefile change to have install target independent of build targets. See: e4636ebdc84ca28cf378873435cc9a27c81756f8 This commit ensures everything is built before installation. [NO NEW TESTS NEEDED] Signed-off-by: Lokesh Mandvekar --- contrib/cirrus/setup_environment.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'contrib/cirrus') diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index 4e9361152..2ae5c2d77 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -289,11 +289,11 @@ case "$TEST_FLAVOR" in die "Refusing to config. host-test in container"; fi remove_packaged_podman_files - make install PREFIX=/usr ETCDIR=/etc + make && make install PREFIX=/usr ETCDIR=/etc elif [[ "$TEST_ENVIRON" == "container" ]]; then if ((CONTAINER)); then remove_packaged_podman_files - make install PREFIX=/usr ETCDIR=/etc + make && make install PREFIX=/usr ETCDIR=/etc fi else die "Invalid value for \$TEST_ENVIRON=$TEST_ENVIRON" 
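Review bot: The only identity logged for the downloaded binaries is the `.info` file shipped inside the archive, so when that file is missing (the `WARNING` branch) nothing ties a test run to a specific build. Adding `sha256sum "$_npath/$name"` next to the `cat` gives a build-independent fingerprint for later triage. `_npath` repeats the directory hard-coded as `_pdir` in setup_environment.sh and ends in `/`, which produces `//` in the logged paths; dropping the trailing slash tidies that. The enclosing `case` arm starts above the hunk.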
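Review bot: Chaining the build as `make && make install PREFIX=/usr ETCDIR=/etc` in the `@@ -289,11 +289,11 @@` hunk hides a failed build: a non-final command in an `&&` list is exempt from `set -e` (whether this script sets it is not visible here), and without `set -e` the status is ignored anyway, so setup continues with nothing installed. Two plain statements, `make` followed by `make install PREFIX=/usr ETCDIR=/etc`, or an explicit `make || die "build failed"`, keep the failure fatal. The same line is added twice in this hunk and once more in the `@@ -310,7 +310,7 @@` hunk.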
@@ -310,7 +310,7 @@ case "$TEST_FLAVOR" in # Ref: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27270#note_499585550 remove_packaged_podman_files - make install PREFIX=/usr ETCDIR=/etc + make && make install PREFIX=/usr ETCDIR=/etc msg "Installing docker and containerd" # N/B: Tests check/expect `docker info` output, and this `!= podman info` -- cgit v1.2.3-54-g00ecf