Merge pull request #1318 from t-woerner/testing_container_create_enab…

…le_cap_sys_admin infra/image: Use SYS_ADMIN capability for server deployment
freeipa · Dec 2, 2024 · 8fc2de1 · 8fc2de1
2 parents 489f4d5 + 8d74fe3
commit 8fc2de1
Show file tree

Hide file tree

Showing 10 changed files with 35 additions and 30 deletions.
diff --git a/infra/azure/azure-pipelines.yml b/infra/azure/azure-pipelines.yml
@@ -9,7 +9,7 @@ variables:
   ansible_version: "-core >=2.16,<2.17"
   ansible_latest: "-core"
   ansible_minimum: "-core <2.16"
-  distros: "fedora-latest,c9s,fedora-rawhide"
+  distros: "fedora-latest,c9s,c10s,fedora-rawhide"
 
 stages:
 

diff --git a/infra/azure/build-containers.yml b/infra/azure/build-containers.yml
@@ -12,7 +12,7 @@ trigger: none
 pool:
   vmImage: 'ubuntu-24.04'
 
-variables: { distros: "fedora-latest,fedora-rawhide,c9s" }
+variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
 
 stages:
 

diff --git a/infra/azure/nightly.yml b/infra/azure/nightly.yml
@@ -14,8 +14,8 @@ pool:
 
 variables:
   # We need to have two sets, as c8s is not supported by all ansible versions
-  recent_distros: "fedora-latest,fedora-rawhide,c9s"
-  distros: "fedora-latest,fedora-rawhide,c9s,c8s"
+  recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
+  distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
   ansible_latest: "-core"
   ansible_minimum: "-core <2.16"
   ansible_version: "-core >=2.16,<2.17"

diff --git a/infra/azure/pr-pipeline.yml b/infra/azure/pr-pipeline.yml
@@ -6,7 +6,7 @@ pool:
   vmImage: 'ubuntu-20.04'
 
 variables:
-  distros: "fedora-latest,c9s,c8s,fedora-rawhide"
+  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
   ansible_version: "-core >=2.15,<2.16"
 
 stages:

diff --git a/infra/azure/templates/build_container.yml b/infra/azure/templates/build_container.yml
@@ -23,7 +23,7 @@ jobs:
   - script: ansible-galaxy collection install containers.podman
     displayName: Install Ansible Galaxy collections
 
-  - script: infra/image/build.sh -p -s ${{ parameters.distro }}
+  - script: infra/image/build.sh -s ${{ parameters.distro }}
     displayName: Build ${{ parameters.distro }} base image
     env:
       ANSIBLE_ROLES_PATH: "${PWD}/roles"

diff --git a/infra/azure/templates/variables_c10s.yaml b/infra/azure/templates/variables_c10s.yaml
@@ -0,0 +1,21 @@
+#
+# Variables must be defined as comma separated lists.
+# For easier management of items to enable/disable,
+# use one test/module on each line, followed by a comma.
+#
+# Example:
+#
+# ipa_disabled_modules: >-
+#   dnsconfig,
+#   group,
+#   hostgroup
+#
+# If no variables are set, set "empty: true" as at least
+# one item is needed in the set.
+---
+variables:
+  empty: true
+#   ipa_enabled_modules: >-
+#   ipa_enabled_tests: >-
+#   ipa_disabled_modules: >-
+#   ipa_disabled_tests: >-
diff --git a/infra/image/build.sh b/infra/image/build.sh
@@ -15,7 +15,7 @@ valid_distro() {
 usage() {
     local prog="${0##*/}"
     cat << EOF
-usage: ${prog} [-h] [-p] [-n HOSTNAME] [-s] distro
+usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
     ${prog} build a container image to test ansible-freeipa.
 EOF
 }
@@ -41,14 +41,14 @@ cpus="2"
 memory="3g"
 quayname="quay.io/ansible-freeipa/upstream-tests"
 deploy_server="N"
-privileged=""
+deploy_capabilities="SYS_ADMIN,SYSLOG"
+capabilities=""
 
-while getopts ":hn:ps" option
+while getopts ":hn:s" option
 do
     case "${option}" in
         h) help && exit 0 ;;
         n) hostname="${OPTARG}" ;;
-        p) privileged="privileged" ;;
         s) deploy_server="Y" ;;
         *) die -u "Invalid option: ${option}" ;;
     esac
@@ -66,6 +66,8 @@ container_check
 
 if [ "${deploy_server}" == "Y" ]
 then
+    capabilities="${deploy_capabilities}"
+
     [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
 
     deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
@@ -89,7 +91,7 @@ container_create "${name}" "${tag}" \
     "hostname=${hostname}" \
     "memory=${memory}" \
     "cpus=${cpus}" \
-    "${privileged}"
+    "${capabilities:+capabilities=$capabilities}"
 container_commit "${name}" "${quayname}:${tag}"
 
 if [ "${deploy_server}" == "Y" ]

diff --git a/infra/image/dockerfile/c10s b/infra/image/dockerfile/c10s
@@ -13,12 +13,6 @@ dnf --assumeyes install \
     hostname; \
 rm -rf /var/cache/dnf/;
 
-# Prepare for basic ipa-server-install in container
-# Address failing nis-domainname.service in the ipa-client-install step
-RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
-ADD utils/hostnamectl-wrapper /usr/bin/nisdomainname
-RUN chmod a+rx /usr/bin/nisdomainname
-
 RUN (cd /lib/systemd/system/; \
     if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
        ln -s dbus-broker.service dbus.service; \

diff --git a/infra/image/shcontainer b/infra/image/shcontainer
@@ -18,7 +18,7 @@ container_create() {
             hostname=*) extra_opts+=("--${opt}") ;;
             cpus=*) extra_opts+=("--${opt}") ;;
             memory=*) extra_opts+=("--${opt}") ;;
-            privileged) extra_opts+=("--${opt}") ;;
+            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
             *) log error "container_create: Invalid option: ${opt}" ;;
         esac
     done

diff --git a/infra/image/utils/hostnamectl-wrapper b/infra/image/utils/hostnamectl-wrapper
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,7 +12,7 @@ trigger: none @@
     pool:
       vmImage: 'ubuntu-24.04'
-    variables: { distros: "fedora-latest,fedora-rawhide,c9s" }
+    variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
     stages:
@@ Expand Down @@