From 4c3f4e6f7d871ebcd0efef80e2039363443f191d Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Mon, 2 Dec 2024 15:01:20 +0100
Subject: [PATCH 1/3] infra/image: Use SYS_ADMIN capability for server deployment

This adds the capabilities SYS_ADMIN and SYSLOG to the container_create call in build.sh as long as server deployment has been enabled. The privileged option has been removed as it is no longer needed. The hostnamectl-wrapper for the container has been removed as it is no longer needed.
---
 infra/azure/templates/build_container.yml | 2 +-
 infra/image/build.sh | 12 +++++++-----
 infra/image/dockerfile/c10s | 6 ------
 infra/image/shcontainer | 2 +-
 infra/image/utils/hostnamectl-wrapper | 12 ------------
 5 files changed, 9 insertions(+), 25 deletions(-)
 delete mode 100644 infra/image/utils/hostnamectl-wrapper

diff --git a/infra/azure/templates/build_container.yml b/infra/azure/templates/build_container.yml
index e3c2bdea57..12f0b45030 100644
--- a/infra/azure/templates/build_container.yml
+++ b/infra/azure/templates/build_container.yml
@@ -23,7 +23,7 @@ jobs:
 - script: ansible-galaxy collection install containers.podman
 displayName: Install Ansible Galaxy collections
- - script: infra/image/build.sh -p -s ${{ parameters.distro }}
+ - script: infra/image/build.sh -s ${{ parameters.distro }}
 displayName: Build ${{ parameters.distro }} base image
 env:
 ANSIBLE_ROLES_PATH: "${PWD}/roles"
diff --git a/infra/image/build.sh b/infra/image/build.sh
index 5e3418c8d5..71679238ca 100755
--- a/infra/image/build.sh
+++ b/infra/image/build.sh
@@ -15,7 +15,7 @@ valid_distro() {
 usage() {
 local prog="${0##*/}"
 cat << EOF
-usage: ${prog} [-h] [-p] [-n HOSTNAME] [-s] distro
+usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
 ${prog} build a container image to test ansible-freeipa.
 EOF
 }
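Review bot: The usage text in the build.sh hunk drops `[-p]` but does not tell the operator that `-s` now makes the build container run with extra Linux capabilities, which is exactly what replaced the privileged flag in this series. usage() is shown in full here, so a line can go into the heredoc after the description, e.g. `-s deploys a FreeIPA server into the image; for that run the container is created with CAP_SYS_ADMIN and CAP_SYSLOG added.` The per-option help presumably lives in help(), which is outside this series, and the same sentence belongs there too.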
@@ -41,14 +41,14 @@ cpus="2"
 memory="3g"
 quayname="quay.io/ansible-freeipa/upstream-tests"
 deploy_server="N"
-privileged=""
+deploy_capabilities="SYS_ADMIN,SYSLOG"
+capabilities=""
-while getopts ":hn:ps" option
+while getopts ":hn:s" option
 do
 case "${option}" in
 h) help && exit 0 ;;
 n) hostname="${OPTARG}" ;;
- p) privileged="privileged" ;;
 s) deploy_server="Y" ;;
 *) die -u "Invalid option: ${option}" ;;
 esac
@@ -66,6 +66,8 @@ container_check
 if [ "${deploy_server}" == "Y" ]
 then
+ capabilities="${deploy_capabilities}"
+
 [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
 deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
@@ -89,7 +91,7 @@ container_create "${name}" "${tag}" \
 "hostname=${hostname}" \
 "memory=${memory}" \
 "cpus=${cpus}" \
- "${privileged}"
+ "${capabilities:+capabilities=$capabilities}"
 container_commit "${name}" "${quayname}:${tag}"
 if [ "${deploy_server}" == "Y" ]
diff --git a/infra/image/dockerfile/c10s b/infra/image/dockerfile/c10s
index 969e8f6dd0..247fce1739 100644
--- a/infra/image/dockerfile/c10s
+++ b/infra/image/dockerfile/c10s
@@ -13,12 +13,6 @@ dnf --assumeyes install \
 hostname; \
 rm -rf /var/cache/dnf/;
-# Prepare for basic ipa-server-install in container
-# Address failing nis-domainname.service in the ipa-client-install step
-RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
-ADD utils/hostnamectl-wrapper /usr/bin/nisdomainname
-RUN chmod a+rx /usr/bin/nisdomainname
-
 RUN (cd /lib/systemd/system/; \
 if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
 ln -s dbus-broker.service dbus.service; \
diff --git a/infra/image/shcontainer b/infra/image/shcontainer
index 8b736ce51b..a2d36c65c2 100644
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
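Review bot: `deploy_capabilities="SYS_ADMIN,SYSLOG"` is introduced without a comment, and CAP_SYS_ADMIN is so broad that the resulting container is not much less powerful than the privileged one this series removes; a later reader cannot tell whether both entries are still required or why SYSLOG is in the list at all. Add above the assignment `# Capabilities added to the build container only when -s (server deployment) is given.` and `# SYS_ADMIN is near-privileged: keep this list minimal and note why each entry is needed.` The commit message only says the server install needs them, so the per-entry reason has to come from the author.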
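Review bot: `"${capabilities:+capabilities=$capabilities}"` still passes an argument when no capabilities are set, because the outer double quotes turn the empty expansion into an empty word `""`; container_create's option loop (its case statement is visible in the shcontainer hunk of this series) would then hand `""` to the `*) log error "container_create: Invalid option: ${opt}"` branch, unless the part of that loop outside the hunk skips empty options. The replaced `"${privileged}"` had the same shape, so this may be a pre-existing error message on every non-server build rather than a regression, but this line is the place to fix it: `${capabilities:+"capabilities=${capabilities}"}` expands to nothing when the variable is empty and to exactly one word otherwise. The container_create call starts before this hunk.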
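Review bot: infra/image/utils/hostnamectl-wrapper is deleted for the whole tree, but only dockerfile/c10s loses its `ADD utils/hostnamectl-wrapper` line; if any other file under infra/image/dockerfile/ still references it, that image build now fails on a missing source file, and nothing in this series shows the other dockerfiles, so they need to be checked before merging. The removed comment was also the only record of why nisdomainname was replaced: a failing nis-domainname.service during ipa-client-install in a container without CAP_SYS_ADMIN, which the wrapper detected at runtime with `setpriv --dump`. With the real binary back in place that failure mode returns for any container that runs the install without the capability, so a one-line trace is worth keeping, e.g. `# nisdomainname is no longer wrapped: the install is expected to run with CAP_SYS_ADMIN (see deploy_capabilities in build.sh).`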
@@ -18,7 +18,7 @@ container_create() {
 hostname=*) extra_opts+=("--${opt}") ;;
 cpus=*) extra_opts+=("--${opt}") ;;
 memory=*) extra_opts+=("--${opt}") ;;
- privileged) extra_opts+=("--${opt}") ;;
+ capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
 *) log error "container_create: Invalid option: ${opt}" ;;
 esac
 done
diff --git a/infra/image/utils/hostnamectl-wrapper b/infra/image/utils/hostnamectl-wrapper
deleted file mode 100644
index 19e6f8d95a..0000000000
--- a/infra/image/utils/hostnamectl-wrapper
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash -eu
-
-if setpriv --dump | grep -q sys_admin ; then
- if [[ "$( basename $0 )" =~ "domainname" ]] ; then
- /usr/bin/hostname -y "$@"
- else
- $0.orig "$@"
- fi
-else
- echo "Skipping invocation of $0 $@ in unprivileged container." >&2
- exit
-fi

From 87ad46f7a4acc5e9ce1e41dd07af9af502e87b2e Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Mon, 2 Dec 2024 15:11:48 +0100
Subject: [PATCH 2/3] Enable to build c10s test container image

---
 infra/azure/build-containers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infra/azure/build-containers.yml b/infra/azure/build-containers.yml
index 8f6b57d8ef..ec9b0b3bb2 100644
--- a/infra/azure/build-containers.yml
+++ b/infra/azure/build-containers.yml
@@ -12,7 +12,7 @@ trigger: none
 pool:
 vmImage: 'ubuntu-24.04'
-variables: { distros: "fedora-latest,fedora-rawhide,c9s" }
+variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
 stages:

From 8d74fe34efe57f6d57dec7655d410aebd21d5bdd Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Mon, 2 Dec 2024 15:31:33 +0100
Subject: [PATCH 3/3] Enable c10s testing for PRs and nightly and after merge testing

---
 infra/azure/azure-pipelines.yml | 2 +-
 infra/azure/nightly.yml | 4 ++--
 infra/azure/pr-pipeline.yml | 2 +-
 infra/azure/templates/variables_c10s.yaml | 21 +++++++++++++++++++++
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 infra/azure/templates/variables_c10s.yaml
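Review bot: `capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;` forwards the whole comma-separated list as a single `--cap-add` value, so the mapping only works if the container engine's flag parser splits on commas; as far as I know podman's does and Docker's does not, and either way a typo in one entry is reported as one opaque value rather than per capability. Splitting in the shell keeps the helper engine-independent and makes each capability visible in the generated command line: `capabilities=*) IFS=',' read -r -a caps <<< "${opt##*=}"` followed by `for cap in "${caps[@]}"; do extra_opts+=("--cap-add=${cap}"); done ;;`. The option loop in container_create starts before this hunk, so check that `caps` and `cap` do not collide with names it already uses.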
diff --git a/infra/azure/azure-pipelines.yml b/infra/azure/azure-pipelines.yml
index 8b915b4cef..584cabecd6 100644
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -9,7 +9,7 @@ variables:
 ansible_version: "-core >=2.16,<2.17"
 ansible_latest: "-core"
 ansible_minimum: "-core <2.16"
- distros: "fedora-latest,c9s,fedora-rawhide"
+ distros: "fedora-latest,c9s,c10s,fedora-rawhide"
 stages:
diff --git a/infra/azure/nightly.yml b/infra/azure/nightly.yml
index ded5877851..2790199eb2 100644
--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -14,8 +14,8 @@ pool:
 variables:
 # We need to have two sets, as c8s is not supported by all ansible versions
- recent_distros: "fedora-latest,fedora-rawhide,c9s"
- distros: "fedora-latest,fedora-rawhide,c9s,c8s"
+ recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
+ distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
 ansible_latest: "-core"
 ansible_minimum: "-core <2.16"
 ansible_version: "-core >=2.16,<2.17"
diff --git a/infra/azure/pr-pipeline.yml b/infra/azure/pr-pipeline.yml
index ea89f321cf..648a554ec3 100644
--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -6,7 +6,7 @@ pool:
 vmImage: 'ubuntu-20.04'
 variables:
- distros: "fedora-latest,c9s,c8s,fedora-rawhide"
+ distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
 ansible_version: "-core >=2.15,<2.16"
 stages:
diff --git a/infra/azure/templates/variables_c10s.yaml b/infra/azure/templates/variables_c10s.yaml
new file mode 100644
index 0000000000..8fdc2819b6
--- /dev/null
+++ b/infra/azure/templates/variables_c10s.yaml
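Review bot: c10s is enabled in pr-pipeline.yml under the `ansible_version: "-core >=2.15,<2.16"` pin visible two lines below the change, while nightly.yml in the same series keeps a separate `recent_distros` set precisely because, as its comment says, not all ansible versions support every distro. c10s likely ships a newer managed-node Python than c9s, so confirm that ansible-core 2.15 can manage it before running it on every PR; if it cannot, this list needs the same split nightly.yml uses, and nightly's `ansible_minimum: "-core <2.16"` run of `recent_distros` (which now also contains c10s) raises the same question.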
@@ -0,0 +1,21 @@
+#
+# Variables must be defined as comma separated lists.
+# For easier management of items to enable/disable,
+# use one test/module on each line, followed by a comma.
+#
+# Example:
+#
+# ipa_disabled_modules: >-
+# dnsconfig,
+# group,
+# hostgroup
+#
+# If no variables are set, set "empty: true" as at least
+# one item is needed in the set.
+---
+variables:
+ empty: true
+# ipa_enabled_modules: >-
+# ipa_enabled_tests: >-
+# ipa_disabled_modules: >-
+# ipa_disabled_tests: >-