diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ef05e0a4..a727a4ab6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,8 +67,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Ensure host skopeo is disabled - run: sudo rm -f /bin/skopeo /usr/bin/skopeo - name: Free up disk space on runner run: sudo ./ci/clean-gha-runner.sh - name: Integration tests @@ -81,6 +79,9 @@ jobs: sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests rm target -rf df -h / + # The ostree-container tests + sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \ + -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/ostree-ext/ci/priv-integration.sh # Nondestructive but privileged tests sudo bootc-integration-tests host-privileged localhost/bootc # Finally the install-alongside suite diff --git a/ostree-ext/.github/workflows/rust.yml b/ostree-ext/.github/workflows/rust.yml index 6aeb4cccc..91c971ea0 100644 --- a/ostree-ext/.github/workflows/rust.yml +++ b/ostree-ext/.github/workflows/rust.yml @@ -128,24 +128,6 @@ jobs: run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli - name: Integration tests run: ./ci/ima.sh - privtest: - name: "Privileged testing" - needs: build - runs-on: ubuntu-latest - container: - image: quay.io/fedora/fedora-coreos:testing-devel - options: "--privileged --pid=host -v /var/tmp:/var/tmp -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd -v /:/run/host" - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Download - uses: actions/download-artifact@v4.1.8 - with: - name: ostree-ext-cli - - name: Install - run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli - - name: Integration tests - run: ./ci/priv-integration.sh privtest-cockpit: name: "Privileged testing (cockpit)" needs: build diff --git a/ostree-ext/ci/priv-integration.sh b/ostree-ext/ci/priv-integration.sh index a226ef03b..aa1d588f6 100755 --- a/ostree-ext/ci/priv-integration.sh +++ b/ostree-ext/ci/priv-integration.sh @@ -28,21 +28,21 @@ if test '!' -d "${sysroot}/ostree/deploy/${stateroot}"; then ostree admin os-init "${stateroot}" --sysroot "${sysroot}" fi # Should be no images pruned -ostree-ext-cli container image prune-images --sysroot "${sysroot}" +ostree container image prune-images --sysroot "${sysroot}" # Test the syntax which uses full imgrefs. -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref "${imgref}" ostree admin --sysroot="${sysroot}" status -ostree-ext-cli container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json +ostree container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json jq '.schemaVersion' < manifest.json -ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${image}" +ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${image}" ostree admin --sysroot="${sysroot}" undeploy 0 # Now test the new syntax which has a nicer --image that defaults to registry. -ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \ +ostree container image deploy --transport registry --sysroot "${sysroot}" \ --stateroot "${stateroot}" --image "${image}" ostree admin --sysroot="${sysroot}" status ostree admin --sysroot="${sysroot}" undeploy 0 -if ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \ +if ostree container image deploy --transport registry --sysroot "${sysroot}" \ --stateroot "${stateroot}" --image "${image}" --enforce-container-sigpolicy 2>err.txt; then echo "Deployment with enforced verification succeeded unexpectedly" 1>&2 exit 1 @@ -52,16 +52,16 @@ if ! grep -Ee 'insecureAcceptAnything.*refusing usage' err.txt; then cat err.txt fi # Now we should prune it -ostree-ext-cli container image prune-images --sysroot "${sysroot}" -ostree-ext-cli container image list --repo "${sysroot}/ostree/repo" > out.txt +ostree container image prune-images --sysroot "${sysroot}" +ostree container image list --repo "${sysroot}/ostree/repo" > out.txt test $(stat -c '%s' out.txt) = 0 for img in "${image}"; do - ostree-ext-cli container image deploy --sysroot "${sysroot}" \ + ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-registry:"${img}" ostree admin --sysroot="${sysroot}" status initial_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l) - ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${img}" + ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${img}" pruned_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l) # Removing the image should only drop the image reference, not its layers test "$(($initial_refs - 1))" = "$pruned_refs" @@ -70,7 +70,7 @@ for img in "${image}"; do n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l) test "${n_commits}" -gt 0 # But right now this still doesn't prune *content* - ostree-ext-cli container image prune-layers --repo="${sysroot}/ostree/repo" + ostree container image prune-layers --repo="${sysroot}/ostree/repo" ostree --repo="${sysroot}/ostree/repo" refs > refs.txt if test "$(wc -l < refs.txt)" -ne 0; then echo "found refs" @@ -78,21 +78,24 @@ for img in "${image}"; do exit 1 fi # And this one should GC the objects too - ostree-ext-cli container image prune-images --full --sysroot="${sysroot}" > out.txt + ostree container image prune-images --full --sysroot="${sysroot}" > out.txt n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l) test "${n_commits}" -eq 0 done # Verify we have systemd journal messages -nsenter -m -t 1 journalctl _COMM=ostree-ext-cli > logs.txt -grep 'layers already present: ' logs.txt +nsenter -m -t 1 journalctl _COMM=bootc > logs.txt +if ! grep 'layers already present: ' logs.txt; then + cat logs.txt + exit 1 +fi podman pull ${image} ostree --repo="${sysroot}/ostree/repo" init --mode=bare-user -ostree-ext-cli container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image} +ostree container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image} echo "ok pulled from containers storage" -ostree-ext-cli container compare ${imgref} ${imgref} > compare.txt +ostree container compare ${imgref} ${imgref} > compare.txt grep "Removed layers: *0 *Size: 0 bytes" compare.txt grep "Added layers: *0 *Size: 0 bytes" compare.txt @@ -114,22 +117,22 @@ ostree refs ostree/container/image --delete repo="${sysroot}/ostree/repo" images=$(ostree container image list --repo "${repo}" | wc -l) test "${images}" -eq 1 -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}" imgref=$(ostree refs --repo=${repo} ostree/container/image | head -1) img_commit=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref}) -ostree-ext-cli container image remove --repo "${repo}" "${derived_img}" +ostree container image remove --repo "${repo}" "${derived_img}" -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}" img_commit2=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref}) test "${img_commit}" = "${img_commit2}" echo "ok deploy derived container identical revs" -ostree-ext-cli container image deploy --sysroot "${sysroot}" \ +ostree container image deploy --sysroot "${sysroot}" \ --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img_dir}" echo "ok deploy derived container from local dir" -ostree-ext-cli container image remove --repo "${repo}" "${derived_img_dir}" +ostree container image remove --repo "${repo}" "${derived_img_dir}" rm -rf /var/tmp/derived.dir # Verify policy