Commit graph

48 commits

Author SHA1 Message Date
Debarshi Ray
8b7511ab6f playbooks/dependencies: Improve the names of the tasks
https://github.com/containers/toolbox/pull/1158
2022-11-16 11:11:18 +01:00
Debarshi Ray
03922893af playbooks: Highlight failures from 'meson compile' and 'meson install'
Currently, 'meson compile' and 'meson install' were being invoked from
pre-run playbooks.  This meant that a genuine build failure from either
of those commands would be shown as a RETRY_LIMIT failure by the CI.

This was misleading.  It made it look as if the failure was caused by
some transient networking problem or that the CI node was too slow due
to momentary heavy load, whereas the failure was actually due to a
problem in the Toolbx sources.  A genuine problem in the sources should
be reflected as a FAILURE, not RETRY_LIMIT.

However, it's worth noting that 'meson compile' invokes 'go build',
which downloads all the Go modules required by the Toolbx sources.  This
is worth retaining in the pre-run playbooks since it primarily depends
on Internet infrastructure beyond the Toolbx sources.

As a nice side-effect, the CI no longer gets mysteriously stuck like
this while the Go modules are being downloaded:
  TASK [Build Toolbox]
  ci-node-36 | ninja: Entering directory
    `/home/zuul-worker/src/github.com/containers/toolbox/builddir'
  ...
  ci-node-36 | [8/13] Generating doc/toolbox-rmi.1 with a custom command
  ci-node-36 | [9/13] Generating doc/toolbox-run.1 with a custom command
  ci-node-36 | [10/13] Generating doc/toolbox.conf.5 with a custom
    command
  ci-node-36 | [11/13] Generating src/toolbox with a custom command

https://github.com/containers/toolbox/pull/1158
2022-11-16 11:11:01 +01:00
Debarshi Ray
df22010e4f playbooks: Use the same commands as mentioned in the documentation
... at https://containertoolbx.org/install/

There are some minor benefits to always invoking meson(1), as opposed to
directly invoking the underlying build backend, like 'ninja'.

It's one less command to be aware of.  Secondly, in theory, Meson can be
used with backends other than Ninja (see 'meson configure'), even though
Ninja is the most likely option for building Toolbx because it's only
supported on Linux.

https://github.com/containers/toolbox/pull/1142
2022-10-21 20:23:34 +02:00
Debarshi Ray
b864280e42 playbooks: Make all Meson warnings fatal
This should help detect the kind of problem that was fixed in the
previous commit.

https://github.com/containers/toolbox/pull/1096
2022-08-31 19:35:05 +02:00
Debarshi Ray
4dd73ad160 .zuul, playbooks: Run unit tests on -Dmigration_path_for_coreos_toolbox
The -Dmigration_path_for_coreos_toolbox option enables a different code
path that's currently not tested by the CI at all.  In fact, since it's
a build-time option, the corresponding code path is not even built by
the CI.

To properly support the -Dmigration_path_for_coreos_toolbox option, it
needs to be covered by the CI.  This is a step in that direction by
running the unit tests on it.

https://github.com/containers/toolbox/pull/1095
2022-08-31 13:42:40 +02:00
Debarshi Ray
f3a15c60fe playbooks: Split out the post-configuration steps into a separate file
A subsequent commit will introduce builds performed with the
-Dmigration_path_for_coreos_toolbox option to the CI.  It will be good
to avoid duplicating the build and installation steps for builds with
and without the -Dmigration_path_for_coreos_toolbox option.

https://github.com/containers/toolbox/pull/1095
2022-08-31 13:19:33 +02:00
Debarshi Ray
e965dac9f6 playbooks: Split out the dependencies into a separate file
A subsequent commit will introduce builds performed with the
-Dmigration_path_for_coreos_toolbox option to the CI.  It will be good
to avoid duplicating the installation of RPM packages, Git submodule
handling, and the listing of various debug and version information for
builds with and without -Dmigration_path_for_coreos_toolbox option.

https://github.com/containers/toolbox/pull/1095
2022-08-31 12:46:44 +02:00
Ondřej Míchal
ecd1ced719 cmd/create: Add option --authfile
The option accepts a path to a file that is passed to an internal call
to 'podman pull' via the '--authfile' option. This will make it easier
to pull images from registries with authentication in-place.

Fixes https://github.com/containers/toolbox/issues/689

https://github.com/containers/toolbox/pull/935
2022-03-20 18:08:42 +02:00
Debarshi Ray
be2ba6d2e2 build: Call 'systemd-tmpfiles --create' when installing
It's only necessary to call 'systemd-tmpfiles --create' when building
and installing from source on the host operating system.

It's not needed when using a pre-built binary downstream package,
because:

  * When 'meson install' is called as part of building the package,
    that's not when the temporary files need to be created. They need
    to be created when the binary package is later downloaded and
    installed by the user.

  * Downstream tools can sometimes handle it automatically. eg., on
    Fedora, the systemd RPM installs a trigger that tells RPM to call
    'systemd-tmpfiles --create' automatically when a tmpfiles.d snippet
    is installed.

It's also not needed when installing inside a toolbox container because
the files that 'systemd-tmpfiles --create' is supposed to create are
meant to be on the host.

Downstream distributors set the DESTDIR environment variable when
building their packages. Therefore, it's used to detect when a
downstream package is being built.

Unfortunately, environment variables are messy and, generally, Meson
doesn't support accessing them inside its scripts [1]. Therefore, this
adds a spurious build-time dependency on systemd for downstream
distributors. However, that's probably not a big problem because all
supported downstream operating systems are already expected to use
systemd for the tmpfiles.d(5) snippets to work.

[1] https://github.com/mesonbuild/meson/issues/9

https://github.com/containers/toolbox/issues/955
2022-01-10 22:14:01 +01:00
Debarshi Ray
8dd7ee47c5 build: Drop the use of patchelf(1)
Some downstream distributors like RHEL don't have patchelf(1). Relying
on patchelf(1) during the build will make it difficult for such
downstreams to distribute Toolbox.

Fortunately, the path of the dynamic linker (ie., PT_INTERP) is
hardcoded in the ABI specification of each architecture [1]. This means
that Toolbox's build system can keep its own architecture to dynamic
linker mapping, and specify it during the build through the GNU ld
linker's --dynamic-linker flag, as opposed to using a tool like
patchelf(1) to change the path of the dynamic linker in the built
binary to the one inside /run/host. Currently, the list of
architectures covers the ones that Fedora builds for.

[1] https://sourceware.org/glibc/wiki/ABIList

https://github.com/containers/toolbox/pull/942
2021-12-09 13:16:27 +01:00
Debarshi Ray
606b37b226 playbooks/setup-env: Restore running ShellCheck in the CI
Fallout from c33075f3e1
2021-10-25 16:12:14 +03:00
Ondřej Míchal
69ffc888ca playbooks: Fix CI for #897
PR #897 made adjustments to the Toolbx binary that it requires presence
of /run/host in both the host filesystem and the filesystem in
a container.

The presence of the directory is assured by systemd-tmpfiles by
running it before the binary is started for the first time. For the run
to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
a location visible to systemd-tmpfiles. Therefore, the call to
'systemd-tmpfiles --create' had to be placed after the install step.

https://github.com/containers/toolbox/pull/898
2021-10-22 16:43:38 +03:00
Ondřej Míchal
c33075f3e1 playbooks: Unify test setup for system & unit tests
There is no significant benefit in keeping this configuration separated.
Now the to-be installed packages are tracked in a single place and the
test playbooks only call the relevant tests.

This was pointed out by in 6063eb27b9

https://github.com/containers/toolbox/pull/898
2021-10-22 16:43:38 +03:00
Debarshi Ray
6063eb27b9 build: Ensure that binaries are run against their build-time ABI
The /usr/bin/toolbox binary is not only used to interact with toolbox
containers and images from the host. It's also used as the entry point
of the containers by bind mounting the binary from the host into the
container. This means that the /usr/bin/toolbox binary on the host must
also work inside the container, even if they have different operating
systems.

In the past, this worked perfectly well with the POSIX shell
implementation because it got interpreted by whichever /bin/sh was
available. However, the Go implementation can run into ABI
compatibility issues because binaries built on newer toolchains aren't
meant to be run against older runtimes.

The previous approach [1] of restricting the versions of the glibc
symbols that are linked against isn't actually supported by glibc, and
breaks if the early process start-up code changes. This is seen in
glibc-2.34, which is used by Fedora 35 onwards, where a new version of
the __libc_start_main symbol [2] was added as part of some security
hardening:
  $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    __libc_start_main
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_detach
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_create
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_attr_getstacksize

This means that /usr/bin/toolbox binaries built against glibc-2.34 on
newer Fedoras fail to run against older glibcs in older Fedoras.

Another option is to make the host's runtime available inside the
toolbox container and ensure that the binary always runs against it.

Luckily, almost all supported containers have the host's /usr available
at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to
/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
the path of the dynamic linker (ie., PT_INTERP) to the one inside
/run/host.

Unfortunately, there can only be one PT_INTERP entry inside the
binary, so there must be a /run/host on the host too. Therefore, a
/run/host symbolic link is created on the host that points to the
host's /.

Based on ideas from Alexander Larsson and Ray Strode.

[1] Commit 6ad9c63180
    https://github.com/containers/toolbox/pull/534

[2] glibc commit 035c012e32c11e84
    https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
    https://sourceware.org/bugzilla/show_bug.cgi?id=23323

https://github.com/containers/toolbox/issues/821
2021-10-22 01:20:03 +02:00
Ondřej Míchal
0ff01977d6 playbooks: Stop cloning bats libraries
The libraries are now provided as submodules. There's no need to clone
them separately.

https://github.com/containers/toolbox/pull/842
2021-07-22 10:23:53 +02:00
Ondřej Míchal
2e5b6aed3f playbooks/setup-env: Show version of glibc
An upgrade of glibc has caused an issue on Fedora Rawhide[0]. We need a
clear indicator that a change in glibc could cause it.

[0] https://github.com/containers/toolbox/issues/821

https://github.com/containers/toolbox/pull/834
2021-07-08 15:15:57 +02:00
Ondřej Míchal
dd5cd5f25a playbooks/setup-env: Show versions of more packages
https://github.com/containers/toolbox/pull/795
2021-06-22 00:00:57 +02:00
Ondřej Míchal
54a2ca1ead test/system: Decouple image caching from Zuul
Since the rewrite of the system test suite[0] we've relied on the Zuul
playbooks for taking care of caching images using Skopeo for increasing
the reliability of the tests (in the past the instability of the Fedora
registry caused problems). This state is problematic if we want to use
the tests in other environments than the Zuul CI. This moves the caching
from Zuul into the system tests.

Currently, Bats does not support officially suite-wide setup and
teardown functions. The solution I chose was to add two new test files
that are executed before and after all tests. This may complicate the
execution of cherry-picked tests but that is not a very common use case
anyway.

The tests are now to some extent capable of adjusting to the host
environment. This is meant in the sense of: I'm running on RHEL, the
"default image" is UBI; I'm running on Fedora, the "default image" is
fedora-toolbox. This mechanism relies on os-release, which is the same
as what Toolbox itself uses.

[0] https://github.com/containers/toolbox/pull/517

https://github.com/containers/toolbox/pull/774
2021-06-01 00:41:20 +02:00
Ondřej Míchal
a24c2f6dc1 test/system: Bump secondary fedora image from 29 to 32
The fedora-toolbox:32 image is the first of images in the renamed
toolbox image repository[0]. With the change we can drop the
pull_image_old() function because it was kept only for the old image.

Seems like a newer version of ShellCheck checks the validity of variable
names (SC2153). This caused a false positive, so I silenced it.

[0] https://github.com/containers/toolbox/pull/615

https://github.com/containers/toolbox/pull/780
2021-05-31 12:28:24 +02:00
Ondřej Míchal
05e6368882 playbooks/system-test: Show test execution time
Execution time of a test can be a very useful tool.

https://github.com/containers/toolbox/pull/725
2021-03-31 16:02:30 +02:00
Ondřej Míchal
424691b404 playbooks: Properly separate builddir setup & build
Calling "meson builddir" makes Meson create a build directory called
"builddir". It does not make it build the project. A subsequent call to
"meson compile" or "ninja" needs to be made. This subtle detail causes
a minor (purely visual) discrepancy in the CI output. Fix this for both
unit-test & system-test job definitions.
2021-03-21 23:15:15 +01:00
Ondřej Míchal
b91a93044b Connect Go unit tests to Meson & rename CI job
We now have some Go unit tests[0] and we should use them. By adding a
new test case to Meson, the existing CI job called "shellcheck" no
longer has an accurate name. With this it has been renamed to "unit-test".
Also, the job is now more important and therefore should also be used
for gating.

[0] https://github.com/containers/toolbox/pull/474

https://github.com/containers/toolbox/pull/730
2021-03-21 22:20:59 +01:00
Juanje Ojeda
7973181136 playbooks, test/system: Avoid downloading the images multiple times
Since commit b27795a03e, each section of the test suite starts
and ends with a clean Podman state. This includes removing all images
from the local containers storage. Therefore, the images get downloaded
multiple times during the course of the test suite.

This commit restores the earlier behaviour where the images would get
downloaded only once, by copying them to separate directories outside
the local containers storage and then restoring them when the tests
are run.

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/704
2021-02-19 20:18:21 +01:00
Juanje Ojeda
285a54ba5b playbooks: Specify the artifact generated at each step of the build
See:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/command_module.html

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/703
2021-02-19 19:18:29 +01:00
Juanje Ojeda
0e8cfe95eb playbooks: Specify the precise versions of bats-assert & bats-support
See:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/703
2021-02-19 19:18:25 +01:00
Juanje Ojeda
e654f20d58 .zuul, playbooks: Unify the system-test*.yaml for all Fedora versions
The playbooks were too fragmented and were hard to maintain. With this
the number of files is significantly lowered.

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/702
2021-02-19 18:54:33 +01:00
Juanje Ojeda
2a2fd5baa5 .zuul, playbooks: Unify the setup-env.yaml across all Fedora versions
The playbooks were too fragmented and were hard to maintain. With this
the number of files is significantly lowered.

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/701
2021-02-19 18:15:55 +01:00
Ondřej Míchal
f5bbe356ad Drop the FGC namespace from the fedora-toolbox images
The FGC namespace used to be required by the Fedora container
guidelines, but not anymore [1].

[1] https://pagure.io/ContainerSIG/container-sig/issue/2

https://github.com/containers/toolbox/pull/615
2021-02-19 14:47:44 +01:00
Ondřej Míchal
986efd2666 playbooks: Show Podman info necessary for filing issues
2021-02-17 16:21:54 +01:00
Ondřej Míchal
b0407a1f6e ci: Fix pulled image name
I made a mistake in previous commit and did not update the pulled image
name.
2021-02-17 16:04:54 +01:00
Ondřej Míchal
aa0ec80e07 ci: Enable testing on Fedora 34
2021-02-17 14:07:39 +01:00
Ondřej Míchal
a4812f9bca ci: Drop testing on Fedora 31
2021-02-17 14:06:15 +01:00
Juanje Ojeda
b27795a03e test/system: Refactor tests using bats-support and bats-assert
The bats-support[0] and bats-assert[1] libraries extend the
capabilities of bats[2]. Mainly, bats-assert is very useful for clean
checking of values/outputs/return codes.

Apart from updating the cases to use the libraries, the test cases have
been restructured in a way that they don't depend on each other anymore.
This required major changes in the helpers.bats file.

Overall, the tests are cleaner to read and easier to extend due to the
test cases being independent.

Some slight changes were made to the test cases themselves. Should not
alter their final behaviour.

There will be a follow up commit that will take care of downloading of
the tested images locally and caching them using Skopeo to speedup the
tests and try to resolve network problems when pulling the images that
we experienced in the past.

[0] https://github.com/bats-core/bats-support
[1] https://github.com/bats-core/bats-assert
[2] https://github.com/bats-core/bats-core
2021-02-12 14:02:08 +01:00
Debarshi Ray
a05830893a playbooks: Don't use a separate file to pull the images
The Ansible playbooks are small enough as they are. Splitting things
across too many files makes it harder to remember which file does what.

https://github.com/containers/toolbox/pull/653
2020-12-21 16:41:17 +01:00
Juanje Ojeda
cf256870ce playbooks: Improve how 'systemd-tmpfiles --create' is invoked
The most important bit is the use of the 'creates' parameter of the
'command' module [1] because it conditionalizes the invocation of
'systemd-tmpfiles' on the presence of /run/media and self-documents its
purpose.

[1] https://docs.ansible.com/ansible/2.4/command_module.html

https://github.com/containers/toolbox/pull/652
2020-12-21 15:01:38 +01:00
Debarshi Ray
0af82ab339 playbooks/fedora-33: Fix the image URLs by adding the version suffix
The system tests for Fedora 33 were failing:
  not ok 21 Remove all images (2 should be present; --force should not
    be necessary)
  # (from function `is' in file test/system/helpers.bash, line 287,
  #  in test file test/system/302-rmi.bats, line 7)
  #   `is "$output" "" "The output should be empty"' failed
  # $ /usr/local/bin/toolbox rmi --all
  # Error: image
    3ac100502d2123aff1cf6314760c7a89c55108b8de6ea3c10ddc79a1479f0fca
    has dependent children
  # Error: image
    4a6adf1f2a96adf5ea0c02b61f9fa574306f77fc522f39c2ce6bb164daead882
    has dependent children
  # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
  # #|     FAIL: The output should be empty
  # #| expected: '[no output]'
  # #|   actual: 'Error: image
    3ac100502d2123aff1cf6314760c7a89c55108b8de6ea3c10ddc79a1479f0fca
    has dependent children'
  # #|         > 'Error: image
    4a6adf1f2a96adf5ea0c02b61f9fa574306f77fc522f39c2ce6bb164daead882
    has dependent children'
  # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fallout from ff4e4905da

https://github.com/containers/toolbox/pull/642
2020-12-02 18:45:01 +01:00
Ondřej Míchal
ecc796246b playbooks: Bump fedora-toolbox image to f34 for Rawhide
2020-10-08 15:07:42 +02:00
Ondřej Míchal
ff4e4905da zuul, playbooks: Enable system tests on Fedora 33
https://github.com/containers/toolbox/pull/550
2020-09-08 14:54:07 -04:00
Ondřej Míchal
8c971b381a playbooks, .zuul: Clarify naming and descriptions
Not all tests are the same and the ones we're currently running are
system tests. Also the mention of 'podman-stable' is not that important
because we're using the version in the 'stable' stream of Fedora
releases.

https://github.com/containers/toolbox/pull/508
2020-07-21 17:09:17 +02:00
Harry Míchal
cf1b74e1db .zuul, playbooks/fedora-32: Enable testing for Fedora 32
New release out, we need to run the tests there.

https://github.com/containers/toolbox/pull/507
2020-07-21 16:31:56 +02:00
Harry Míchal
5a651eae2f playbooks, test/system: Test the Go implementation and update tests
In the Go implementation, when the 'rm' and 'rmi' commands fail to
remove a container or image, they don't use a non-zero exit code.
There's currently no nice fix for this. So, the tests have been
adjusted as a temporary measure.

https://github.com/containers/toolbox/pull/507
2020-07-21 16:31:50 +02:00
Harry Míchal
9c5bc56bbd playbooks: Add Go to the list of build dependencies
Otherwise, the tests on Fedora 31 and Rawhide fail with:
  meson.build:8:0: ERROR: Program(s) ['go'] not found or not executable

https://github.com/containers/toolbox/pull/506
2020-07-21 16:04:40 +02:00
Harry Míchal
6bcd9fd0c4 .zuul, playbooks/fedora-30: Drop testing for Fedora 30
Fedora 30 reached its End of Life on the 26th of May, 2020 [1]; and
Toolbox requires Go 1.13 which is not available in Fedora 30.

[1] https://fedoraproject.org/wiki/End_of_life

https://github.com/containers/toolbox/pull/495
2020-07-09 16:02:49 +02:00
Harry Míchal
493bc1ffd5 .zuul, playbooks/shellcheck: Use Go 1.13
Toolbox requires Go 1.13, while Fedora 30 only has Go 1.12.17.
Therefore the test environment needs to be upgraded to something more
recent.

Otherwise, the test fails with:
  note: module requires Go 1.13

The name of the go-md2man package changed in Fedora 31, and hence had
to be updated.

https://github.com/containers/toolbox/pull/442
2020-05-14 16:14:47 +02:00
Harry Míchal
c95aacc488 playbooks/shellcheck: Add Go to the list of build dependencies
Otherwise, the test fails with:
  meson.build:8:0: ERROR: Program(s) ['go'] not found or not executable

https://github.com/containers/toolbox/pull/441
2020-05-14 15:39:00 +02:00
Harry Míchal
2d18f295a7 test/system: Update pre-pulled image for Rawhide
Current Rawhide is actually version 33. So the appropriate image should
be pre-pulled.

Because of the old version of image being pulled, the tests were
failing.
2020-03-13 17:16:12 +01:00
Tristan Cacqueray
50683c9d9a playbooks: Reduce flakiness due to network errors when pulling images
This change adds a pre-run task to pull the fedora-toolbox images from
the registry to reduce the number of false positives caused by
'podman pull' failing to download them during the actual test.

Each section needs a separate playbook because they use different
versions of Fedora, and hence different default images.

https://github.com/containers/toolbox/pull/375
2020-02-18 14:00:01 +01:00
Tristan Cacqueray
a28177a7ab Enable Zuul
This adds several .yaml files that specify jobs (those in folder
playbooks) and one that serves as the main config (.zuul.yaml).

Tests and builds are currently executed on every change in PRs (ie.,
check and gating) and periodically (according to the documentation
this pipeline should be run at least once a day).

There are 4 tests in total:

1. 'ninja test' - does the same thing that Travis did
2. Fedora 30 - runs the system tests with current Podman and Toolbox
   in Fedora 30
3. Fedora 31 - the same but for Fedora 31
4. Fedora Rawhide - the same but for Fedora Rawhide

https://github.com/containers/toolbox/issues/68
2020-01-22 16:11:53 +01:00