diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ef05e0a4..a727a4ab6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,8 +67,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Ensure host skopeo is disabled - run: sudo rm -f /bin/skopeo /usr/bin/skopeo - name: Free up disk space on runner run: sudo ./ci/clean-gha-runner.sh - name: Integration tests @@ -81,6 +79,9 @@ jobs: sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests rm target -rf df -h / + # The ostree-container tests + sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \ + -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/ostree-ext/ci/priv-integration.sh # Nondestructive but privileged tests sudo bootc-integration-tests host-privileged localhost/bootc # Finally the install-alongside suite diff --git a/Makefile b/Makefile index 41a6454c6..1a96f63a8 100644 --- a/Makefile +++ b/Makefile @@ -34,14 +34,15 @@ install-ostree-hooks: ln -sf ../../../bin/bootc $(DESTDIR)$(prefix)/libexec/libostree/ext/$$x; \ done -install-with-tests: install +# Install the main binary, the ostree hooks, and the integration test suite. +install-all: install install-ostree-hooks install -D -m 0755 target/release/tests-integration $(DESTDIR)$(prefix)/bin/bootc-integration-tests bin-archive: all $(MAKE) install DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf test-bin-archive: all - $(MAKE) install-with-tests DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf + $(MAKE) install-all DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf test-tmt: cargo xtask test-tmt 
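Review bot: The added `podman run` in the Integration tests step leaves `$(pwd)` unquoted and omits `--rm`, so a workspace path containing whitespace would split the `-v` argument and the exited container is left behind on the runner. I would write `-v "$(pwd)":/src:ro` and add `--rm` after `run`. The container also gets `--privileged --pid=host` with the host root bind-mounted at `/run/host` (no `:ro`), and it then executes a script taken from the checkout. That is presumably acceptable on an ephemeral hosted runner, but the workflow's triggers and `permissions:` are outside this hunk, so it is worth confirming that this job never runs with secrets or a writable token for untrusted pull requests. The `run:` block begins before the hunk.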
diff --git a/ostree-ext/.github/workflows/bootc.yml b/ostree-ext/.github/workflows/bootc.yml deleted file mode 100644 index 8e8dbe78c..000000000 --- a/ostree-ext/.github/workflows/bootc.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: bootc - -permissions: - actions: read - -on: - push: - branches: [main] - pull_request: - branches: [main] - workflow_dispatch: {} - -jobs: - build-c9s: - runs-on: ubuntu-latest - container: quay.io/centos/centos:stream9 - steps: - - run: dnf -y install git-core - - uses: actions/checkout@v3 - with: - repository: containers/bootc - path: bootc - - uses: actions/checkout@v3 - with: - path: ostree-rs-ext - - name: Patch bootc to use ostree-rs-ext - run: | - set -xeuo pipefail - cd bootc - cat >> Cargo.toml << 'EOF' - [patch.crates-io] - ostree-ext = { path = "../ostree-rs-ext/lib" } - EOF - - name: Install deps - run: ./bootc/ci/installdeps.sh - - name: Cache Dependencies - uses: Swatinem/rust-cache@v2 - with: - key: "build-bootc-c9s" - workspaces: bootc - - name: Build - run: cd bootc && make test-bin-archive - - name: Upload binary - uses: actions/upload-artifact@v4 - with: - name: bootc-c9s.tar.zst - path: bootc/target/bootc.tar.zst - privtest-alongside: - name: "Test install-alongside" - needs: build-c9s - runs-on: ubuntu-latest - steps: - - name: Download - uses: actions/download-artifact@v4.1.8 - with: - name: bootc-c9s.tar.zst - - name: Install - run: tar -xvf bootc.tar.zst - - name: Integration tests - run: | - set -xeuo pipefail - sudo podman run --rm -ti --privileged -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \ - quay.io/centos-bootc/centos-bootc-dev:stream9 bootc install to-filesystem \ - --karg=foo=bar --disable-selinux --replace=alongside /target - diff --git a/ostree-ext/.github/workflows/rust.yml b/ostree-ext/.github/workflows/rust.yml index 6aeb4cccc..91c971ea0 100644 --- a/ostree-ext/.github/workflows/rust.yml +++ b/ostree-ext/.github/workflows/rust.yml 
@@ -128,24 +128,6 @@ jobs: run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli - name: Integration tests run: ./ci/ima.sh - privtest: - name: "Privileged testing" - needs: build - runs-on: ubuntu-latest - container: - image: quay.io/fedora/fedora-coreos:testing-devel - options: "--privileged --pid=host -v /var/tmp:/var/tmp -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd -v /:/run/host" - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Download - uses: actions/download-artifact@v4.1.8 - with: - name: ostree-ext-cli - - name: Install - run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli - - name: Integration tests - run: ./ci/priv-integration.sh privtest-cockpit: name: "Privileged testing (cockpit)" needs: build diff --git a/ostree-ext/ci/priv-integration.sh b/ostree-ext/ci/priv-integration.sh index a226ef03b..aa1d588f6 100755 --- a/ostree-ext/ci/priv-integration.sh +++ b/ostree-ext/ci/priv-integration.sh 
@@ -28,21 +28,21 @@ if test '!' -d "${sysroot}/ostree/deploy/${stateroot}"; then ostree admin os-init "${stateroot}" --sysroot "${sysroot}" fi # Should be no images pruned -ostree-ext-cli container image prune-images --sysroot "${sysroot}" +ostree container image prune-images --sysroot "${sysroot}" # Test the syntax which uses full imgrefs. -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref "${imgref}" ostree admin --sysroot="${sysroot}" status -ostree-ext-cli container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json +ostree container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json jq '.schemaVersion' < manifest.json -ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${image}" +ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${image}" ostree admin --sysroot="${sysroot}" undeploy 0 # Now test the new syntax which has a nicer --image that defaults to registry. -ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \ +ostree container image deploy --transport registry --sysroot "${sysroot}" \ --stateroot "${stateroot}" --image "${image}" ostree admin --sysroot="${sysroot}" status ostree admin --sysroot="${sysroot}" undeploy 0 -if ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \ +if ostree container image deploy --transport registry --sysroot "${sysroot}" \ --stateroot "${stateroot}" --image "${image}" --enforce-container-sigpolicy 2>err.txt; then echo "Deployment with enforced verification succeeded unexpectedly" 1>&2 exit 1 
@@ -52,16 +52,16 @@ if ! grep -Ee 'insecureAcceptAnything.*refusing usage' err.txt; then cat err.txt fi # Now we should prune it -ostree-ext-cli container image prune-images --sysroot "${sysroot}" -ostree-ext-cli container image list --repo "${sysroot}/ostree/repo" > out.txt +ostree container image prune-images --sysroot "${sysroot}" +ostree container image list --repo "${sysroot}/ostree/repo" > out.txt test $(stat -c '%s' out.txt) = 0 for img in "${image}"; do - ostree-ext-cli container image deploy --sysroot "${sysroot}" \ + ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-registry:"${img}" ostree admin --sysroot="${sysroot}" status initial_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l) - ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${img}" + ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${img}" pruned_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l) # Removing the image should only drop the image reference, not its layers test "$(($initial_refs - 1))" = "$pruned_refs" @@ -70,7 +70,7 @@ for img in "${image}"; do n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l) test "${n_commits}" -gt 0 # But right now this still doesn't prune *content* - ostree-ext-cli container image prune-layers --repo="${sysroot}/ostree/repo" + ostree container image prune-layers --repo="${sysroot}/ostree/repo" ostree --repo="${sysroot}/ostree/repo" refs > refs.txt if test "$(wc -l < refs.txt)" -ne 0; then echo "found refs" 
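Review bot: The signature-policy negative check at the top of the first hunk only prints `err.txt` when the expected `insecureAcceptAnything.*refusing usage` message is missing. No `exit 1` is visible between `cat err.txt` and `fi`, so the script carries on and the test still passes if the `--enforce-container-sigpolicy` deployment failed for an unrelated reason. Because the grep runs as an `if` condition, `set -e` would not catch it either. I would add `exit 1` after `cat err.txt`, matching the form this commit introduces for the journal check further down. The `if` opens above the hunk, so confirm against the full file.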
@@ -78,21 +78,24 @@ for img in "${image}"; do exit 1 fi # And this one should GC the objects too - ostree-ext-cli container image prune-images --full --sysroot="${sysroot}" > out.txt + ostree container image prune-images --full --sysroot="${sysroot}" > out.txt n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l) test "${n_commits}" -eq 0 done # Verify we have systemd journal messages -nsenter -m -t 1 journalctl _COMM=ostree-ext-cli > logs.txt -grep 'layers already present: ' logs.txt +nsenter -m -t 1 journalctl _COMM=bootc > logs.txt +if ! grep 'layers already present: ' logs.txt; then + cat logs.txt + exit 1 +fi podman pull ${image} ostree --repo="${sysroot}/ostree/repo" init --mode=bare-user -ostree-ext-cli container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image} +ostree container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image} echo "ok pulled from containers storage" -ostree-ext-cli container compare ${imgref} ${imgref} > compare.txt +ostree container compare ${imgref} ${imgref} > compare.txt grep "Removed layers: *0 *Size: 0 bytes" compare.txt grep "Added layers: *0 *Size: 0 bytes" compare.txt 
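Review bot: Filtering on `_COMM=bootc` reads every bootc entry in the host journal (the command enters PID 1's mount namespace), so `layers already present: ` may be satisfied by an earlier, unrelated bootc run on the same host rather than by the pulls this script performed. The old `_COMM=ostree-ext-cli` filter was specific to this test's binary. Consider recording a start time at the top of the script and bounding the query, e.g. `journalctl --since "@${start}" _COMM=bootc`, and sending the `cat logs.txt` diagnostic to stderr with `1>&2` as the earlier failure message does. It may also be worth confirming that a process started through the `ostree container` hook symlink is recorded with comm `bootc`.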
@@ -114,22 +117,22 @@ ostree refs ostree/container/image --delete repo="${sysroot}/ostree/repo" images=$(ostree container image list --repo "${repo}" | wc -l) test "${images}" -eq 1 -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}" imgref=$(ostree refs --repo=${repo} ostree/container/image | head -1) img_commit=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref}) -ostree-ext-cli container image remove --repo "${repo}" "${derived_img}" +ostree container image remove --repo "${repo}" "${derived_img}" -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}" img_commit2=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref}) test "${img_commit}" = "${img_commit2}" echo "ok deploy derived container identical revs" -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img_dir}" echo "ok deploy derived container from local dir" -ostree-ext-cli container image remove --repo "${repo}" "${derived_img_dir}" +ostree container image remove --repo "${repo}" "${derived_img_dir}" rm -rf /var/tmp/derived.dir # Verify policy