From 79080c91e3f2de398de0c0193daa5471c9be02e5 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman
Date: Fri, 8 Mar 2024 18:09:32 -0300
Subject: [PATCH] upstream ci: Create containers with IPA not configured
To allow uspstream testing of deployment roles, containers that do not have IPA pre-configured are necessary. Currently all the testing images available come with pre-configured images. This patch provides a new pipeline to create raw containers, that is, containers that contain all necessary files, but do not have IPA configured. Currently, only 'fedora:latest' is supported.
---
containers/fedora-latest/00-ipv6.conf | 3 +
containers/fedora-latest/Dockerfile | 50 ++++++++++++++++
containers/fedora-latest/hostnamectl-wrapper | 12 ++++
tests/azure/build-raw-containers.yml | 59 +++++++++++++++++++
tests/azure/templates/build_raw_container.yml | 25 ++++++++
5 files changed, 149 insertions(+)
create mode 100644 containers/fedora-latest/00-ipv6.conf
create mode 100644 containers/fedora-latest/Dockerfile
create mode 100755 containers/fedora-latest/hostnamectl-wrapper
create mode 100644 tests/azure/build-raw-containers.yml
create mode 100644 tests/azure/templates/build_raw_container.yml
diff --git a/containers/fedora-latest/00-ipv6.conf b/containers/fedora-latest/00-ipv6.conf
new file mode 100644
index 0000000000..c79441818d
--- /dev/null
+++ b/containers/fedora-latest/00-ipv6.conf
@@ -0,0 +1,3 @@
+net.ipv6.conf.all.disable_ipv6 = 0
+net.ipv6.conf.lo.disable_ipv6 = 0
+net.ipv6.conf.eth0.disable_ipv6 = 1
diff --git a/containers/fedora-latest/Dockerfile b/containers/fedora-latest/Dockerfile
new file mode 100644
index 0000000000..2a250fcd21
--- /dev/null
+++ b/containers/fedora-latest/Dockerfile
@@ -0,0 +1,50 @@
+FROM fedora:latest
+ENV container=docker
+
+RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d / -s '/sbin/nologin' kdcproxy
+RUN groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -r -d / -s '/sbin/nologin' ipaapi
+
+RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+ /usr/bin/python3 \
+ /usr/bin/python3-config \
+ /usr/bin/dnf-3 \
+ sudo \
+ bash \
+ systemd \
+ procps-ng \
+ iproute \
+ sudo \
+ nss \
+ freeipa-server python3-libselinux freeipa-server-dns freeipa-server-trust-ad freeipa-client \
+ firewalld \
+ && \
+dnf clean all;
+
+ENTRYPOINT [ "/usr/sbin/init" ]
+STOPSIGNAL RTMIN+3
+
+RUN rm -f /etc/systemd/system/*.wants/*;\
+ rm -f /lib/systemd/system/local-fs.target.wants/*; \
+ rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+ rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+ rm -f /lib/systemd/system/basic.target.wants/*;\
+ rm -f /lib/systemd/system/anaconda.target.wants/*; \
+ rm -rf /var/cache/dnf/;
+
+
+RUN rmdir -v /etc/systemd/system/multi-user.target.wants \
+ && mkdir /etc/systemd/system/container-ipa.target.wants \
+ && ln -s /etc/systemd/system/container-ipa.target.wants /etc/systemd/system/multi-user.target.wants
+RUN systemd-tmpfiles --remove --create
+
+RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
+ADD hostnamectl-wrapper /usr/bin/nisdomainname
+ADD 00-ipv6.conf /etc/sysctl.d/00-ipv6.conf
+
+EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
+
+CMD ["/usr/sbin/init"]
diff --git a/containers/fedora-latest/hostnamectl-wrapper b/containers/fedora-latest/hostnamectl-wrapper
new file mode 100755
index 0000000000..b03ac8813a
--- /dev/null
+++ b/containers/fedora-latest/hostnamectl-wrapper
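Review bot: `sudo` is listed twice in the `dnf --assumeyes install` package list (once after `/usr/bin/dnf-3`, again after `iproute`); the second entry should be dropped. The two `ADD hostnamectl-wrapper /usr/bin/nisdomainname` and `ADD 00-ipv6.conf /etc/sysctl.d/00-ipv6.conf` lines copy plain local files, so `COPY` is the right instruction here; `ADD` is better reserved for tar extraction or checksummed URL fetches. Both `ENTRYPOINT [ "/usr/sbin/init" ]` and `CMD ["/usr/sbin/init"]` are set, so the container actually starts as `/usr/sbin/init /usr/sbin/init`; systemd as PID 1 appears to ignore the stray positional argument, but one of the two, presumably the `CMD`, should go. The later `rm -rf /var/cache/dnf/` in its own `RUN` cannot shrink the image because the cache lives in the earlier install layer, which `dnf clean all` already cleans, so that line is redundant.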
@@ -0,0 +1,12 @@
+#!/bin/bash -eu
+
+if setpriv --dump | grep -q sys_admin ; then
+ if [[ "$( basename "$0" )" =~ "domainname" ]] ; then
+ /usr/bin/hostname -y "$@"
+ else
+ "$0.orig" "$@"
+ fi
+else
+ echo "Skipping invocation of $0 $* in unprivileged container." >&2
+ exit
+fi
diff --git a/tests/azure/build-raw-containers.yml b/tests/azure/build-raw-containers.yml
new file mode 100644
index 0000000000..aeeedb0a75
--- /dev/null
+++ b/tests/azure/build-raw-containers.yml
@@ -0,0 +1,59 @@
+---
+
+schedules:
+- cron: "0 0 * * 0"
+ displayName: Weekly Sunday midnight build
+ branches:
+ include:
+ - master
+ always: true
+
+trigger: none
+
+pool:
+ vmImage: 'ubuntu-20.04'
+
+stages:
+
+#- stage: CentOS_7
+# dependsOn: []
+# jobs:
+# - template: templates/build_container.yml
+# parameters:
+# job_name_suffix: Centos7
+# container_name: centos-7
+# build_scenario_name: centos-7-build
+#
+#- stage: CentOS_8_Stream
+# dependsOn: []
+# jobs:
+# - template: templates/build_container.yml
+# parameters:
+# job_name_suffix: C8S
+# container_name: c8s
+# build_scenario_name: c8s-build
+#
+#- stage: CentOS_9_Stream
+# dependsOn: []
+# jobs:
+# - template: templates/build_container.yml
+# parameters:
+# job_name_suffix: C9S
+# container_name: c9s
+# build_scenario_name: c9s-build
+
+- stage: Fedora_Latest
+ dependsOn: []
+ jobs:
+ - template: templates/build_raw_container.yml
+ parameters:
+ job_name_suffix: FedoraLatest
+ container_name: fedora-latest
+
+#- stage: Fedora_Rawhide
+# dependsOn: []
+# jobs:
+# - template: templates/build_raw_container.yml
+# parameters:
+# job_name_suffix: FedoraRawhide
+# container_name: fedora-rawhide
diff --git a/tests/azure/templates/build_raw_container.yml b/tests/azure/templates/build_raw_container.yml
new file mode 100644
index 0000000000..9c247e8218
--- /dev/null
+++ b/tests/azure/templates/build_raw_container.yml
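Review bot: The script has no comment explaining why it exists, which matters because it is installed under a different name than its file name (the Dockerfile in this patch moves the real binary to `/usr/bin/nisdomainname.orig` and puts this file at `/usr/bin/nisdomainname`). A header comment after the shebang along the lines of `# Wrapper installed in place of nisdomainname: with CAP_SYS_ADMIN forward *domainname calls to hostname -y, otherwise skip the call (exit 0) so it does not fail inside an unprivileged container.` would make the `setpriv --dump | grep -q sys_admin` test and the bare `exit` self-explanatory. Note that the `"$0.orig" "$@"` branch is only reached when the installed name does not contain `domainname`, so with the single install location this patch adds it is currently dead; if the wrapper is meant to be reused for `hostnamectl` as the file name suggests, say so in the same comment.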
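Review bot: The commented-out `CentOS_7`, `CentOS_8_Stream` and `CentOS_9_Stream` stages reference `templates/build_container.yml` and pass a `build_scenario_name` parameter, while the active `Fedora_Latest` stage uses `templates/build_raw_container.yml`, whose parameter list in this same patch declares only `job_name_suffix` and `container_name`. If someone uncomments them as written they will either build the old pre-configured image or, once retargeted, fail template expansion on the undeclared parameter. Either rewrite them now against the raw template (dropping `build_scenario_name`, as the `Fedora_Rawhide` placeholder already does) or remove them, so the file does not carry stale scaffolding.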
@@ -0,0 +1,25 @@
+---
+parameters:
+ - name: job_name_suffix
+ type: string
+ - name: container_name
+ type: string
+
+jobs:
+- job: BuildTestImage${{ parameters.job_name_suffix }}
+ displayName: Build ${{ parameters.container_name }} test container
+ steps:
+ - script: |
+ docker build -t quay.io/ansible-freeipa/upstream-tests:raw-${{ parameters.container_name }} containers/${{ parameters.container_name }}
+ retryCountOnTaskFailure: 5
+ displayName: Create test container
+
+ - script: |
+ docker stop -i raw-${{ parameters.container_name }}
+ docker commit raw-${{ parameters.container_name }} quay.io/ansible-freeipa/upstream-tests:raw-${{ parameters.container_name }}
+ docker login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io
+ docker push quay.io/ansible-freeipa/upstream-tests:raw-${{ parameters.container_name }}
+ displayName: Save image and upload
+ env:
+ # Secrets needs to be mapped as env vars to work properly
+ QUAY_ROBOT_TOKEN: $(QUAY_ROBOT_TOKEN)
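Review bot: `docker stop -i raw-${{ parameters.container_name }}` and the following `docker commit raw-… quay.io/…` operate on a container named `raw-<container_name>`, but nothing in this template ever runs such a container — the first step only executes `docker build -t …`, which already produces the tagged image that `docker push` uploads. Both commands will presumably fail (`-i` is also not a `docker stop` option I know of), and because the script has no `set -e` only the final `docker push` exit status is reported, so the failures go unnoticed; the two lines look like leftovers from the pre-configured image pipeline and should be removed. Separately, `docker login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io` passes the robot token on the command line, where it is visible in process listings and triggers docker's own insecure-password warning; use `echo "$QUAY_ROBOT_TOKEN" | docker login -u "$QUAY_ROBOT_USERNAME" --password-stdin quay.io` instead.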