Commit graph

66 commits

Author SHA1 Message Date
Debarshi Ray
983e07adf6 Revert "playbooks: Add workaround for Fedora Rawhide"
The DNF5 Change [1] was dropped from Fedora 39 (and Rawhide) [2] and
postponed for a later Fedora.  Therefore, there's no need for this
workaround.

This reverts commit 96791726a3.

[1] https://fedoraproject.org/wiki/Changes/ReplaceDnfWithDnf5

[2] https://pagure.io/fesco/issue/3039

https://github.com/containers/toolbox/pull/1344
2023-08-24 16:34:44 +02:00
Daniel Pawlik
96791726a3 playbooks: Add workaround for Fedora Rawhide
The Zuul executor contains Ansible 2.13.7 whose 'dnf' module is not
working as it should with Fedora Rawhide because of the DNF5 Change [1].
Unlike DNF4, DNF5 no longer pulls in the python3-dnf RPM, which causes:
  TASK [Install RPM packages]
  fedora-rawhide | ERROR
  fedora-rawhide | {
  fedora-rawhide |   "msg": "Could not import the dnf python module
      using /usr/bin/python3 (3.12.0b3 (main, Jun 21 2023, 00:00:00)
      [GCC 13.1.1 20230614 (Red Hat 13.1.1-4)]). Please install
      `python3-dnf` or `python2-dnf` package or ensure you have
      specified the correct ansible_python_interpreter. (attempted
      ['/usr/libexec/platform-python', '/usr/bin/python3',
      '/usr/bin/python2', '/usr/bin/python'])",
  fedora-rawhide |   "results": []
  fedora-rawhide | }

This adds a workaround that explicitly installs the python3-dnf RPM
using Ansible's 'command' module.  It should be removed after Zuul
contains a newer release of Ansible.

[1] https://fedoraproject.org/wiki/Changes/ReplaceDnfWithDnf5

https://github.com/containers/toolbox/pull/1338

Signed-off-by: Daniel Pawlik <dpawlik@redhat.com>
2023-07-11 19:40:07 +02:00
Debarshi Ray
b57dfd8b58 playbooks: Use Ansible's 'command' module, instead of 'shell'
Ansible's 'shell' module is almost exactly like the 'command' module,
except that it runs the command through a command line shell so that
environment variables like HOSTNAME and operations like '*', '<' and '>'
work.  None of those things are necessary here.  Hence, it's better
to use the 'command' module as elsewhere.

Note that, unlike Ansible's 'shell' module, the 'command' module doesn't
support inline scripts.  So, each command needs to be in its own
separate task.

https://github.com/containers/toolbox/pull/1318
2023-06-22 18:20:49 +02:00
Nieves Montero
a1c309541f Report the size of the image that will be downloaded from a registry
This uses 'skopeo inspect' to get the size of the image on the registry,
which is usually less than the size of the image in a local
containers/storage image store after download (eg., 'podman images'),
because they are kept compressed on the registry.  Skopeo >= 1.10.0 is
needed to retrieve the sizes [1].

However, this doesn't add a hard dependency on Skopeo to accommodate
size-constrained operating systems like Fedora CoreOS.  If skopeo(1) is
missing or too old, then the size of the image won't be shown, but
everything else would continue to work as before.

Some changes by Debarshi Ray.

[1] Skopeo commit d9dfc44888ff71a6
    https://github.com/containers/skopeo/commit/d9dfc44888ff71a6
    https://github.com/containers/skopeo/issues/641

https://github.com/containers/toolbox/issues/752

Signed-off-by: Nieves Montero <nmontero@redhat.com>
2023-03-14 01:05:50 +01:00
Debarshi Ray
de652f4102 Test that toolbox(1) can be built without podman(1) and subordinate IDs
This is meant to roughly replicate the build environments used by
downstream distributors to build toolbox(1).  These can be restricted in
odd ways compared to a fully featured environment where toolbox(1) is
actually going to be used.  eg., the inability to use podman(1) in the
case of Fedora or not having subordinate user and group ID ranges in the
case of openSUSE.

It's important to ensure that toolbox(1) can be built by downstream
distributors without any unnecessary hassle.

https://github.com/containers/podman/issues/17657
https://github.com/containers/toolbox/issues/1246
2023-03-02 10:25:54 +01:00
Debarshi Ray
052666840a Fix spelling mistakes
The noun is 'setup' and the verb is 'set up'.  Similarly 'lookup' and
'look up'.

Original patch from Erik Sjölund for Podman [1,2].

[1] Podman commit aa4279ae151fa9df
    https://github.com/containers/podman/commit/aa4279ae151fa9df
    https://github.com/containers/podman/pull/14658

[2] Podman commit 2827140907255ed0
    https://github.com/containers/podman/commit/2827140907255ed0
    https://github.com/containers/podman/pull/14659

https://github.com/containers/toolbox/pull/1223
2023-01-31 15:53:15 +01:00
Martin Jackson
ca8007c192 Support subordinate user and group ID ranges on enterprise set-ups
On enterprise FreeIPA set-ups, the subordinate user and group IDs are
provided by SSSD's sss plugin for the GNU Name Service Switch (or NSS)
functionality of the GNU C Library.  They are not listed in /etc/subuid
and /etc/subgid.  Therefore, it's necessary to use libsubid.so to check
the subordinate ID ranges.

The CGO interaction with libsubid.so is loosely based on 'readSubid' in
github.com/containers/storage/pkg/idtools [1].

However, unlike 'readSubid', this code considers the absence of any
range (ie., nRanges == 0) to be an error as well.

More importantly, this code uses dlopen(3) and friends to dynamically
load the symbols from libsubid.so, instead of linking to libsubid.so at
build-time and having the dependency noted in the /usr/bin/toolbox
binary.  This is done because libsubid.so itself depends on several
other shared libraries, and indirect dependencies can't be influenced
by the RUNPATH [2] embedded in the /usr/bin/toolbox binary [3].  Hence,
when the binary is used inside Toolbx containers (eg., as the entry
point), those indirect dependencies won't be picked from the host's
runtime against which the binary was built.  This can render the binary
useless due to ABI compatibility issues.  Using dlopen(3) avoids this
problem, especially because libsubid.so is only used when running on the
host.

Care was taken to not load and link libsubid.so twice to separately
validate the subordinate ID ranges for the user and the group.  Note
that libsubid_init() must be passed a FILE pointer for logging.
Otherwise, it will create its own for logging, and there's no way to
close it during dlclose(3).

Version 4 of the libsubid.so API/ABI [4] was released in Shadow 4.10,
which is newer than the versions shipped on RHEL 8 and Debian 10 [5],
and even that newer version had some problems [6].  Therefore, support
for older versions, with the relevant workarounds, is necessary.
Fortunately, the oldest that needs to be supported is Shadow 4.9 because
that's when libsubid.so was introduced [7].

Note that SUBID_ABI_VERSION was only introduced with version 4 of the
libsubid.so API/ABI released in Shadow 4.10 [8].  The first release of
libsubid.so in Shadow 4.9 already had an ABI version of 3.0.0 [9], since
it was bumped a few times during development, so that's what's assumed
when SUBID_ABI_VERSION is absent.

This code doesn't set the public variables Prog and shadow_logfd that
older Shadow versions used to expect for logging, because from Shadow
4.9 onwards there's a separate function [4,10] to specify these.  This
can be changed if there are libsubid.so versions in the wild that really
do need those public variables to be set.

Finally, ISO C99 is required because of the use of <stdbool.h> in the
libsubid.so API.

Some changes by Debarshi Ray.

[1] https://github.com/containers/storage/blob/main/pkg/idtools/idtools_supported.go

[2] https://man7.org/linux/man-pages/man8/ld.so.8.html

[3] Commit 6063eb27b9
    https://github.com/containers/toolbox/issues/821

[4] Shadow commit 32f641b207f6ddff
    https://github.com/shadow-maint/shadow/commit/32f641b207f6ddff
    https://github.com/shadow-maint/shadow/issues/443

[5] https://packages.debian.org/source/buster/shadow

[6] Shadow commit 79157cbad87f42cd
    https://github.com/shadow-maint/shadow/commit/79157cbad87f42cd
    https://github.com/shadow-maint/shadow/issues/465

[7] Shadow commit 0a7888b1fad613a0
    https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a0
    https://github.com/shadow-maint/shadow/issues/154

[8] Shadow commit 0c9f64140852e8d5
    https://github.com/shadow-maint/shadow/commit/0c9f64140852e8d5
    https://github.com/shadow-maint/shadow/pull/449

[9] Shadow commit 3d670ba7ed58f910
    https://github.com/shadow-maint/shadow/commit/3d670ba7ed58f910
    https://github.com/shadow-maint/shadow/issues/339

[10] Shadow commit 2b22a6909dba60d
     https://github.com/shadow-maint/shadow/commit/2b22a6909dba60d
     https://github.com/shadow-maint/shadow/issues/325

https://github.com/containers/toolbox/issues/1074

Signed-off-by: Martin Jackson <martjack@redhat.com>
2023-01-28 10:49:44 +01:00
Debarshi Ray
e3b4b5ec24 playbooks: Require GCC and show its version
Building Toolbx requires a C compiler [1], which defaults to GCC on
Fedora and CentOS Stream.  It's good to explicitly require it, so that
it doesn't go missing from the build.

Showing the version of the C compiler is a big help when debugging weird
build problems involving the toolchain.  A following commit will use CGO
to link to libsubid.so, which will only increase the relevance of the C
compiler.

[1] Commit c8aaed52c5
    https://github.com/containers/toolbox/pull/923

https://github.com/containers/toolbox/pull/1218
2023-01-27 22:02:40 +01:00
Debarshi Ray
4cd1c798b3 Test -Dmigration_path_for_coreos_toolbox on CentOS Stream 9
The code behind -Dmigration_path_for_coreos_toolbox is meant for Red Hat
Enterprise Linux 8 and 9.  Hence, it makes sense to use CentOS Stream 9
to run the 'unit tests' on the corresponding code path.

Note that, just like Fedora, Podman prefers crun(1) as its OCI runtime
on CentOS Stream 9 [1,2].

[1] Podman commit 060775901de09b27
    https://gitlab.com/redhat/centos-stream/rpms/podman/-/commit/060775901de09b27

[2] Podman commit f327e88a08ca224b
    https://gitlab.com/redhat/centos-stream/rpms/podman/-/commit/f327e88a08ca224b

https://github.com/containers/toolbox/pull/1171
2022-12-14 23:09:55 +01:00
Debarshi Ray
ccaa27e034 playbooks: Rename the file with the dependencies
This will be used by the subsequent commit to have a separate set of
dependencies for CentOS Stream 9 builds.  eg., unlike Fedora, CentOS
Stream 9 doesn't have the ShellCheck, bats and fish RPMs.

https://github.com/containers/toolbox/pull/1171
2022-12-14 23:09:55 +01:00
Debarshi Ray
bc1781085b playbooks: Reveal the standard error & output streams from 'meson test'
Currently, the standard error and output streams of the child commands
invoked by 'meson test' are redirected to a separate log file.  When the
tests fail, it's difficult, or maybe even impossible, to access this
file from the Zuul CI, and all that can be seen is something like:
  1/7 shellcheck src/go-build-wrapper OK              0.04s
  2/7 shellcheck profile.d/toolbox.sh FAIL            0.06s   exit status 1
  >>> MALLOC_PERTURB_=241 /usr/bin/shellcheck
    --shell=sh
    /home/zuul-worker/src/github.com/containers/toolbox/builddir/../profile.d/toolbox.sh

  3/7 go fmt                          FAIL            0.05s   exit status 1
  >>> MALLOC_PERTURB_=209 /usr/bin/python3
    /home/zuul-worker/src/github.com/containers/toolbox/src/meson_go_fmt.py
    /home/zuul-worker/src/github.com/containers/toolbox/src

  4/7 codespell                       FAIL            0.31s   exit status 65
  >>> MALLOC_PERTURB_=180 /usr/bin/codespell
    --check-filenames
    --check-hidden
    --context 3
    --exclude-file /home/zuul-worker/src/github.com/containers/toolbox/.codespellexcludefile
    --skip /home/zuul-worker/src/github.com/containers/toolbox/builddir
    --skip /home/zuul-worker/src/github.com/containers/toolbox/.git
    --skip /home/zuul-worker/src/github.com/containers/toolbox/test/system/libs/bats-assert
    --skip /home/zuul-worker/src/github.com/containers/toolbox/test/system/libs/bats-support
    /home/zuul-worker/src/github.com/containers/toolbox

  5/7 shellcheck toolbox (deprecated) FAIL            1.09s   exit status 1
  >>> MALLOC_PERTURB_=233 /usr/bin/shellcheck
    /home/zuul-worker/src/github.com/containers/toolbox/builddir/../toolbox

  6/7 go test                         OK              1.89s
  7/7 go vet                          OK             17.60s

This doesn't have enough information to understand what caused the tests
to fail on non-interactive CI environments.

Not redirecting the standard error and output streams of the child
commands invoked by 'meson test' will readily reveal more details about
the test failures and remove the need to find the log file created by
Meson.

https://github.com/containers/toolbox/pull/1171
2022-12-14 23:09:55 +01:00
Debarshi Ray
995c6d175e playbooks/dependencies: Avoid stale DNF caches on high-churn RPM repos
Sometimes the RPM dependencies can't be installed because the DNF cache
refers to old packages that have been replaced by newer builds on the
RPM repositories [1].  This often happens on Fedora Rawhide because it
sees a lot more churn than stable Fedoras.

Currently, one has to keep restarting the tests manually by typing
'recheck' until the DNF caches eventually get updated.  This is both
very inefficient because it requires manual intervention; and wasteful
because it can take several attempts and it doesn't just run the failing
Ansible job, but all the other ones too.

It will be good to force the DNF cache to be updated [2] when an Ansible
job is being attempted more than once [3].

[1] https://github.com/containers/toolbox/pull/1171
    https://github.com/containers/toolbox/pull/1200

[2] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dnf_module.html#parameter-update_cache

[3] https://zuul-ci.org/docs/zuul/latest/job-content.html#var-zuul.attempts

https://github.com/containers/toolbox/pull/1201
2022-12-14 22:38:08 +01:00
Debarshi Ray
35783e0d0c playbooks/dependencies: Show the ShellCheck and codespell versions
Different versions of ShellCheck and codespell may treat the same code
base differently.  eg., these tools are currently being used on Fedora
36 as part of the 'unit tests', but CentOS Stream 9 has newer versions
that are stricter and catch several new problems.

Knowing the versions of the tools used in the tests helps to understand
these differences, and is a step towards testing on CentOS Stream 9.

https://github.com/containers/toolbox/pull/1199
2022-12-14 00:35:43 +01:00
Debarshi Ray
ca966e377c .zuul, playbooks: Add copyright and license notices
https://github.com/containers/toolbox/pull/1179
2022-11-28 22:47:15 +01:00
Debarshi Ray
2e437d69db playbooks: Remove unnecessary parameter
The documentation for Ansible's built-in 'package' module [1] says this
about the 'use' parameter:
  You should only use this field if the automatic selection is not
  working for some reason.

[1] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/package_module.html

https://github.com/containers/toolbox/pull/1173
2022-11-19 15:46:46 +01:00
Nieves Montero
9438db2f79 build, playbooks: Add a test that runs codespell
https://github.com/containers/toolbox/issues/1146

Signed-off-by: Nieves Montero <nmontero@redhat.com>
2022-11-19 15:32:13 +01:00
Debarshi Ray
9204d90da4 playbooks: Don't worry about runc(8)
... because it was replaced by crun(1) as Podman's default OCI runtime
during the migration to cgroups v2 in Fedora 31 [1].  eg., on Fedora 36:
  # repoquery --whatrequires runc
  ...
  containerd-0:1.6.1-1.fc36.x86_64
  containerd-0:1.6.9-3.fc36.x86_64
  containers-common-4:1-53.fc36.noarch
  containers-common-extra-4:1-62.fc36.noarch
  moby-engine-0:20.10.12-3.fc36.x86_64
  moby-engine-0:20.10.20-1.fc36.x86_64

... and it doesn't get installed on Fedora 35 either:
  TASK [Check versions of crucial packages]
  ci-node-35 | glibc-gconv-extra-2.34-43.fc35.x86_64
  ci-node-35 | glibc-2.34-43.fc35.x86_64
  ci-node-35 | glibc-common-2.34-43.fc35.x86_64
  ci-node-35 | glibc-langpack-en-2.34-43.fc35.x86_64
  ci-node-35 | kernel-core-6.0.5-100.fc35.x86_64
  ci-node-35 | kernel-core-6.0.7-100.fc35.x86_64
  ci-node-35 | kernel-core-6.0.8-100.fc35.x86_64
  ci-node-35 | kernel-headers-6.0.5-100.fc35.x86_64
  ci-node-35 | glibc-headers-x86-2.34-43.fc35.noarch
  ci-node-35 | glibc-devel-2.34-43.fc35.x86_64
  ci-node-35 | kernel-srpm-macros-1.0-6.fc35.noarch
  ci-node-35 | containernetworking-plugins-1.1.0-1.fc35.x86_64
  ci-node-35 | container-selinux-2.189.0-1.fc35.noarch
  ci-node-35 | conmon-2.1.0-2.fc35.x86_64
  ci-node-35 | golang-1.16.15-3.fc35.x86_64
  ci-node-35 | crun-1.6-2.fc35.x86_64
  ci-node-35 | fuse-overlayfs-1.9-1.fc35.x86_64
  ci-node-35 | containers-common-1-45.fc35.noarch
  ci-node-35 | podman-3.4.7-2.fc35.x86_64
  ci-node-35 | flatpak-session-helper-1.12.7-2.fc35.x86_64
  ci-node-35 | ok: Runtime: 0:00:00.139573

[1] https://fedoraproject.org/wiki/Changes/CGroupsV2

https://github.com/containers/toolbox/pull/1170
2022-11-18 19:21:50 +01:00
Debarshi Ray
c1ac8bc102 playbooks: Build the shell completions for fish
https://github.com/containers/toolbox/pull/1169
2022-11-18 18:51:52 +01:00
Debarshi Ray
8b7511ab6f playbooks/dependencies: Improve the names of the tasks
https://github.com/containers/toolbox/pull/1158
2022-11-16 11:11:18 +01:00
Debarshi Ray
03922893af playbooks: Highlight failures from 'meson compile' and 'meson install'
Currently, 'meson compile' and 'meson install' were being invoked from
pre-run playbooks.  This meant that a genuine build failure from either
of those commands would be shown as a RETRY_LIMIT failure by the CI.

This was misleading.  It made it look as if the failure was caused by
some transient networking problem or that the CI node was too slow due
to momentary heavy load, whereas the failure was actually due to a
problem in the Toolbx sources.  A genuine problem in the sources should
be reflected as a FAILURE, not RETRY_LIMIT.

However, it's worth noting that 'meson compile' invokes 'go build',
which downloads all the Go modules required by the Toolbx sources.  This
is worth retaining in the pre-run playbooks since it primarily depends
on Internet infrastructure beyond the Toolbx sources.

As a nice side-effect, the CI no longer gets mysteriously stuck like
this while the Go modules are being downloaded:
  TASK [Build Toolbox]
  ci-node-36 | ninja: Entering directory
    `/home/zuul-worker/src/github.com/containers/toolbox/builddir'
  ...
  ci-node-36 | [8/13] Generating doc/toolbox-rmi.1 with a custom command
  ci-node-36 | [9/13] Generating doc/toolbox-run.1 with a custom command
  ci-node-36 | [10/13] Generating doc/toolbox.conf.5 with a custom
    command
  ci-node-36 | [11/13] Generating src/toolbox with a custom command

https://github.com/containers/toolbox/pull/1158
2022-11-16 11:11:01 +01:00
Debarshi Ray
df22010e4f playbooks: Use the same commands as mentioned in the documentation
... at https://containertoolbx.org/install/

There are some minor benefits to always invoking meson(1), as opposed to
directly invoking the underlying build backend, like 'ninja'.

It's one less command to be aware of.  Secondly, in theory, Meson can be
used with backends other than Ninja (see 'meson configure'), even though
Ninja is the most likely option for building Toolbx because it's only
supported on Linux.

https://github.com/containers/toolbox/pull/1142
2022-10-21 20:23:34 +02:00
Debarshi Ray
b864280e42 playbooks: Make all Meson warnings fatal
This should help detect the kind of problem that was fixed in the
previous commit.

https://github.com/containers/toolbox/pull/1096
2022-08-31 19:35:05 +02:00
Debarshi Ray
4dd73ad160 .zuul, playbooks: Run unit tests on -Dmigration_path_for_coreos_toolbox
The -Dmigration_path_for_coreos_toolbox option enables a different code
path that's currently not tested by the CI at all.  In fact, since it's
a build-time option, the corresponding code path is not even built by
the CI.

To properly support the -Dmigration_path_for_coreos_toolbox option, it
needs to be covered by the CI.  This is a step in that direction by
running the unit tests on it.

https://github.com/containers/toolbox/pull/1095
2022-08-31 13:42:40 +02:00
Debarshi Ray
f3a15c60fe playbooks: Split out the post-configuration steps into a separate file
A subsequent commit will introduce builds performed with the
-Dmigration_path_for_coreos_toolbox option to the CI.  It will be good
to avoid duplicating the build and installation steps for builds with
and without the -Dmigration_path_for_coreos_toolbox option.

https://github.com/containers/toolbox/pull/1095
2022-08-31 13:19:33 +02:00
Debarshi Ray
e965dac9f6 playbooks: Split out the dependencies into a separate file
A subsequent commit will introduce builds performed with the
-Dmigration_path_for_coreos_toolbox option to the CI.  It will be good
to avoid duplicating the installation of RPM packages, Git submodule
handling, and the listing of various debug and version information for
builds with and without -Dmigration_path_for_coreos_toolbox option.

https://github.com/containers/toolbox/pull/1095
2022-08-31 12:46:44 +02:00
Ondřej Míchal
ecd1ced719 cmd/create: Add option --authfile
The option accepts a path to a file that is passed to an internal call
to 'podman pull' via the '--authfile' option. This will make it easier
to pull images from registries with authentication in-place.

Fixes https://github.com/containers/toolbox/issues/689

https://github.com/containers/toolbox/pull/935
2022-03-20 18:08:42 +02:00
Debarshi Ray
be2ba6d2e2 build: Call 'systemd-tmpfiles --create' when installing
It's only necessary to call 'systemd-tmpfiles --create' when building
and installing from source on the host operating system.

It's not needed when using a pre-built binary downstream package,
because:

  * When 'meson install' is called as part of building the package,
    that's not when the temporary files need to be created. They need
    to be created when the binary package is later downloaded and
    installed by the user.

  * Downstream tools can sometimes handle it automatically. eg., on
    Fedora, the systemd RPM installs a trigger that tells RPM to call
    'systemd-tmpfiles --create' automatically when a tmpfiles.d snippet
    is installed.

It's also not needed when installing inside a toolbox container because
the files that 'systemd-tmpfiles --create' is supposed to create are
meant to be on the host.

Downstream distributors set the DESTDIR environment variable when
building their packages. Therefore, it's used to detect when a
downstream package is being built.

Unfortunately, environment variables are messy and, generally, Meson
doesn't support accessing them inside its scripts [1]. Therefore, this
adds a spurious build-time dependency on systemd for downstream
distributors. However, that's probably not a big problem because all
supported downstream operating systems are already expected to use
systemd for the tmpfiles.d(5) snippets to work.

[1] https://github.com/mesonbuild/meson/issues/9

https://github.com/containers/toolbox/issues/955
2022-01-10 22:14:01 +01:00
Debarshi Ray
8dd7ee47c5 build: Drop the use of patchelf(1)
Some downstream distributors like RHEL don't have patchelf(1). Relying
on patchelf(1) during the build will make it difficult for such
downstreams to distribute Toolbox.

Fortunately, the path of the dynamic linker (ie., PT_INTERP) is
hardcoded in the ABI specification of each architecture [1]. This means
that Toolbox's build system can keep its own architecture to dynamic
linker mapping, and specify it during the build through the GNU ld
linker's --dynamic-linker flag, as opposed to using a tool like
patchelf(1) to change the path of the dynamic linker in the built
binary to the one inside /run/host. Currently, the list of
architectures covers the ones that Fedora builds for.

[1] https://sourceware.org/glibc/wiki/ABIList

https://github.com/containers/toolbox/pull/942
2021-12-09 13:16:27 +01:00
Debarshi Ray
606b37b226 playbooks/setup-env: Restore running ShellCheck in the CI
Fallout from c33075f3e1
2021-10-25 16:12:14 +03:00
Ondřej Míchal
69ffc888ca playbooks: Fix CI for #897
PR #897 made adjustments to the Toolbx binary such that it requires the
presence of /run/host in both the host filesystem and the filesystem in
a container.

The presence of the directory is assured by systemd-tmpfiles by
running it before the binary is started for the first time. For the run
to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
a location visible to systemd-tmpfiles. Therefore, the call to
'systemd-tmpfiles --create' had to be placed after the install step.

https://github.com/containers/toolbox/pull/898
2021-10-22 16:43:38 +03:00
Ondřej Míchal
c33075f3e1 playbooks: Unify test setup for system & unit tests
There is no significant benefit in keeping this configuration separated.
Now the to-be installed packages are tracked in a single place and the
test playbooks only call the relevant tests.

This was pointed out by in 6063eb27b9

https://github.com/containers/toolbox/pull/898
2021-10-22 16:43:38 +03:00
Debarshi Ray
6063eb27b9 build: Ensure that binaries are run against their build-time ABI
The /usr/bin/toolbox binary is not only used to interact with toolbox
containers and images from the host. It's also used as the entry point
of the containers by bind mounting the binary from the host into the
container. This means that the /usr/bin/toolbox binary on the host must
also work inside the container, even if they have different operating
systems.

In the past, this worked perfectly well with the POSIX shell
implementation because it got interpreted by whichever /bin/sh was
available. However, the Go implementation can run into ABI
compatibility issues because binaries built on newer toolchains aren't
meant to be run against older runtimes.

The previous approach [1] of restricting the versions of the glibc
symbols that are linked against isn't actually supported by glibc, and
breaks if the early process start-up code changes. This is seen in
glibc-2.34, which is used by Fedora 35 onwards, where a new version of
the __libc_start_main symbol [2] was added as part of some security
hardening:
  $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    __libc_start_main
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_detach
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_create
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_attr_getstacksize

This means that /usr/bin/toolbox binaries built against glibc-2.34 on
newer Fedoras fail to run against older glibcs in older Fedoras.

Another option is to make the host's runtime available inside the
toolbox container and ensure that the binary always runs against it.

Luckily, almost all supported containers have the host's /usr available
at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to
/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
the path of the dynamic linker (ie., PT_INTERP) to the one inside
/run/host.

Unfortunately, there can only be one PT_INTERP entry inside the
binary, so there must be a /run/host on the host too. Therefore, a
/run/host symbolic link is created on the host that points to the
host's /.

Based on ideas from Alexander Larsson and Ray Strode.

[1] Commit 6ad9c63180
    https://github.com/containers/toolbox/pull/534

[2] glibc commit 035c012e32c11e84
    https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
    https://sourceware.org/bugzilla/show_bug.cgi?id=23323

https://github.com/containers/toolbox/issues/821
2021-10-22 01:20:03 +02:00
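The two commits above (8dd7ee47c5 and 6063eb27b9) rely on the binary's single PT_INTERP entry pointing at the dynamic linker under /run/host. The following is an added example, not Toolbx's own code, that reads e_machine and PT_INTERP from an ELF image with only the standard library and checks the path against the /run/host-prefixed linker for that architecture; the e_machine to dynamic-linker mapping is my assumption taken from the linked glibc ABI list, and build_sample_elf constructs a minimal ELF for testing instead of reading a real /usr/bin/toolbox.

```python
"""Check that an ELF binary's PT_INTERP is the dynamic linker under /run/host."""
import struct
import sys

# ELF machine identifiers (from the ELF specification).
EM_386, EM_PPC64, EM_S390, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 21, 22, 40, 62, 183

# Assumed mapping: ABI-mandated dynamic linker per architecture, taken from the
# glibc ABI list; it is not copied from Toolbx's own build files.
ABI_DYNAMIC_LINKER = {
    EM_386: "/lib/ld-linux.so.2",
    EM_ARM: "/lib/ld-linux-armhf.so.3",
    EM_X86_64: "/lib64/ld-linux-x86-64.so.2",
    EM_AARCH64: "/lib/ld-linux-aarch64.so.1",
    EM_PPC64: "/lib64/ld64.so.2",
    EM_S390: "/lib/ld64.so.1",
}
HOST_PREFIX = "/run/host"   # where the host's / is visible inside a container
PT_INTERP = 3

# struct formats for the ELF header (after the 16-byte e_ident) and for one
# program header, per ELF class, plus the indices of p_offset and p_filesz
# (the 32-bit and 64-bit program headers order their fields differently).
_LAYOUT = {
    1: ("HHIIIIIHHHHHH", "IIIIIIII", 1, 4),  # ELFCLASS32
    2: ("HHIQQQIHHHHHH", "IIQQQQQQ", 2, 5),  # ELFCLASS64
}


class ElfError(ValueError):
    pass


def parse_elf_interp(data):
    """Return (e_machine, interpreter path or None) for an in-memory ELF image."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ElfError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in _LAYOUT or ei_data not in (1, 2):
        raise ElfError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    hdr_fmt, phdr_fmt, off_idx, size_idx = _LAYOUT[ei_class]
    hdr_fmt, phdr_fmt = endian + hdr_fmt, endian + phdr_fmt
    if len(data) < 16 + struct.calcsize(hdr_fmt):
        raise ElfError("truncated ELF header")
    hdr = struct.unpack_from(hdr_fmt, data, 16)
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[4], hdr[8], hdr[9]
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ElfError("e_phentsize too small")
    for i in range(e_phnum):
        pos = e_phoff + i * e_phentsize
        if pos + struct.calcsize(phdr_fmt) > len(data):
            raise ElfError("program header table runs past end of file")
        ph = struct.unpack_from(phdr_fmt, data, pos)
        if ph[0] != PT_INTERP:
            continue
        p_offset, p_filesz = ph[off_idx], ph[size_idx]
        if p_offset + p_filesz > len(data):
            raise ElfError("PT_INTERP segment runs past end of file")
        # The segment holds a NUL-terminated path; there is only one PT_INTERP.
        segment = data[p_offset:p_offset + p_filesz]
        return e_machine, segment.split(b"\0", 1)[0].decode()
    return e_machine, None   # statically linked, or no interpreter at all


def check_host_dynamic_linker(data):
    """Return (ok, expected, actual): is PT_INTERP the /run/host linker?"""
    e_machine, actual = parse_elf_interp(data)
    abi_path = ABI_DYNAMIC_LINKER.get(e_machine)
    expected = HOST_PREFIX + abi_path if abi_path else None
    return expected is not None and actual == expected, expected, actual


def build_sample_elf(e_machine, interp, elfclass=2, little_endian=True):
    """Constructed test input: a minimal ELF image with a single PT_INTERP."""
    hdr_fmt, phdr_fmt, _, _ = _LAYOUT[elfclass]
    endian = "<" if little_endian else ">"
    ehsize = 16 + struct.calcsize(endian + hdr_fmt)
    phentsize = struct.calcsize(endian + phdr_fmt)
    interp_bytes = interp.encode() + b"\0"
    interp_off = ehsize + phentsize
    ident = b"\x7fELF" + bytes([elfclass, 1 if little_endian else 2, 1]) + bytes(9)
    # e_type=ET_DYN, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    header = struct.pack(endian + hdr_fmt, 3, e_machine, 1, 0, ehsize, 0, 0,
                         ehsize, phentsize, 1, 0, 0, 0)
    if elfclass == 2:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, filesz, memsz, align
        phdr = struct.pack(endian + phdr_fmt, PT_INTERP, 4, interp_off, 0, 0,
                           len(interp_bytes), len(interp_bytes), 1)
    else:               # p_type, p_offset, p_vaddr, p_paddr, filesz, memsz, p_flags, align
        phdr = struct.pack(endian + phdr_fmt, PT_INTERP, interp_off, 0, 0,
                           len(interp_bytes), len(interp_bytes), 4, 1)
    return ident + header + phdr + interp_bytes


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        ok, expected, actual = check_host_dynamic_linker(f.read())
    print("PT_INTERP:", actual, "expected:", expected, "OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_interp.py /usr/bin/toolbox` to inspect a real installed binary; the exit status is non-zero when the interpreter is not the /run/host one.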
Ondřej Míchal
0ff01977d6 playbooks: Stop cloning bats libraries
The libraries are now provided as submodules. There's no need to clone
them separately.

https://github.com/containers/toolbox/pull/842
2021-07-22 10:23:53 +02:00
Ondřej Míchal
2e5b6aed3f playbooks/setup-env: Show version of glibc
An upgrade of glibc has caused an issue on Fedora Rawhide [0]. We need a
clear indicator that a change in glibc could cause it.

[0] https://github.com/containers/toolbox/issues/821

https://github.com/containers/toolbox/pull/834
2021-07-08 15:15:57 +02:00
Ondřej Míchal
dd5cd5f25a playbooks/setup-env: Show versions of more packages
https://github.com/containers/toolbox/pull/795
2021-06-22 00:00:57 +02:00
Ondřej Míchal
54a2ca1ead test/system: Decouple image caching from Zuul
Since the rewrite of the system test suite [0] we've relied on the Zuul
playbooks for taking care of caching images using Skopeo for increasing
the reliability of the tests (in the past the instability of the Fedora
registry caused problems). This state is problematic if we want to use
the tests in other environments than the Zuul CI. This moves the caching
from Zuul into the system tests.

Currently, Bats does not officially support suite-wide setup and
teardown functions. The solution I chose was to add two new test files
that are executed before and after all tests. This may complicate the
execution of cherry-picked tests but that is not a very common use case
anyway.

The tests are now to some extent capable of adjusting to the host
environment. This is meant in the sense of: I'm running on RHEL, the
"default image" is UBI; I'm running on Fedora, the "default image" is
fedora-toolbox. This mechanism relies on os-release, which is the same
as what Toolbox itself uses.

[0] https://github.com/containers/toolbox/pull/517

https://github.com/containers/toolbox/pull/774
2021-06-01 00:41:20 +02:00
Ondřej Míchal
a24c2f6dc1 test/system: Bump secondary fedora image from 29 to 32
The fedora-toolbox:32 image is the first of the images in the renamed
toolbox image repository [0]. With the change we can drop the
pull_image_old() function because it was kept only for the old image.

It seems that a newer version of ShellCheck checks the validity of
variable names (SC2153). This caused a false positive, so I silenced it.

[0] https://github.com/containers/toolbox/pull/615

https://github.com/containers/toolbox/pull/780
2021-05-31 12:28:24 +02:00
Ondřej Míchal
05e6368882 playbooks/system-test: Show test execution time
Execution time of a test can be a very useful tool.

https://github.com/containers/toolbox/pull/725
2021-03-31 16:02:30 +02:00
Ondřej Míchal
424691b404 playbooks: Properly separate builddir setup & build
Calling "meson builddir" makes Meson create a build directory called
"builddir". It does not make it build the project. A subsequent call to
"meson compile" or "ninja" needs to be made. This subtle detail causes
a minor (purely visual) discrepancy in the CI output. Fix this for both
unit-test & system-test job definitions.
2021-03-21 23:15:15 +01:00
Ondřej Míchal
b91a93044b Connect Go unit tests to Meson & rename CI job
We now have some Go unit tests [0] and we should use them. By adding a
new test case to Meson, the existing CI job called "shellcheck" no
longer has an accurate name. With this it has been renamed to "unit-test".
Also, the job is now more important and therefore should also be used
for gating.

[0] https://github.com/containers/toolbox/pull/474

https://github.com/containers/toolbox/pull/730
2021-03-21 22:20:59 +01:00
Juanje Ojeda
7973181136 playbooks, test/system: Avoid downloading the images multiple times
Since commit b27795a03e, each section of the test suite starts
and ends with a clean Podman state. This includes removing all images
from the local containers storage. Therefore, the images get downloaded
multiple times during the course of the test suite.

This commit restores the earlier behaviour where the images would get
downloaded only once, by copying them to separate directories outside
the local containers storage and then restoring them when the tests
are run.

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/704
2021-02-19 20:18:21 +01:00
Juanje Ojeda
285a54ba5b playbooks: Specify the artifact generated at each step of the build
See:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/command_module.html

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/703
2021-02-19 19:18:29 +01:00
Juanje Ojeda
0e8cfe95eb playbooks: Specify the precise versions of bats-assert & bats-support
See:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/703
2021-02-19 19:18:25 +01:00
Juanje Ojeda
e654f20d58 .zuul, playbooks: Unify the system-test*.yaml for all Fedora versions
The playbooks were too fragmented and were hard to maintain. With this
the number of files is significantly lowered.

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/702
2021-02-19 18:54:33 +01:00
Juanje Ojeda
2a2fd5baa5 .zuul, playbooks: Unify the setup-env.yaml across all Fedora versions
The playbooks were too fragmented and were hard to maintain. With this
the number of files is significantly lowered.

https://github.com/containers/toolbox/pull/517
https://github.com/containers/toolbox/pull/701
2021-02-19 18:15:55 +01:00
Ondřej Míchal
f5bbe356ad Drop the FGC namespace from the fedora-toolbox images
The FGC namespace used to be required by the Fedora container
guidelines, but not anymore [1].

[1] https://pagure.io/ContainerSIG/container-sig/issue/2

https://github.com/containers/toolbox/pull/615
2021-02-19 14:47:44 +01:00
Ondřej Míchal
986efd2666 playbooks: Show Podman info necessary for filing issues
2021-02-17 16:21:54 +01:00
Ondřej Míchal
b0407a1f6e ci: Fix pulled image name
I made a mistake in the previous commit and did not update the pulled
image name.
2021-02-17 16:04:54 +01:00
Ondřej Míchal
aa0ec80e07 ci: Enable testing on Fedora 34
2021-02-17 14:07:39 +01:00
Ondřej Míchal
a4812f9bca ci: Drop testing on Fedora 31
2021-02-17 14:06:15 +01:00