From ba585841d765f5b6276975b45f4489768e0d36f2 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Fri, 20 Sep 2024 20:13:13 +0000
Subject: [PATCH 1/5] Source images and pull secret support for building container images
---
 test/bin/pyutils/build_bootc_images.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/test/bin/pyutils/build_bootc_images.py b/test/bin/pyutils/build_bootc_images.py
index f55fa2a933b..bb76f24e260 100644
--- a/test/bin/pyutils/build_bootc_images.py
+++ b/test/bin/pyutils/build_bootc_images.py
@@ -135,10 +135,18 @@ def set_rpm_version_info_vars():
     SOURCE_VERSION = common.run_command_in_shell(f"rpm -q --queryformat '%{{version}}-%{{release}}' {release_info_rpm}")
     SOURCE_VERSION_BASE = common.run_command_in_shell(f"rpm -q --queryformat '%{{version}}-%{{release}}' {release_info_rpm_base}")
 
+    # The source images are used in selected container image builds
+    global SOURCE_IMAGES
+
+    src_img_cmd = f"rpm2cpio {release_info_rpm}"
+    src_img_cmd += f' | cpio -i --to-stdout "*release-{UNAME_M}.json" 2>/dev/null'
+    src_img_cmd += ' | jq -r \'[ .images[] ] | join(",")\''
+    SOURCE_IMAGES = common.run_command_in_shell(src_img_cmd)
+
     # Update the source version environment variables based on the global variables.
     # These are used for templating container files and images.
     rpmver_globals_vars = [
-        'SOURCE_VERSION', 'SOURCE_VERSION_BASE'
+        'SOURCE_VERSION', 'SOURCE_VERSION_BASE', 'SOURCE_IMAGES'
     ]
     for var in rpmver_globals_vars:
         value = globals().get(var)
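Review bot: Nothing checks the result of the `src_img_cmd` pipeline, and the `2>/dev/null` on the cpio stage hides the only diagnostic it would print, so a release JSON that is missing from the RPM or has no `.images` key leaves `SOURCE_IMAGES` empty and the failure surfaces later as a skopeo error against a bare `docker://` reference in the templated containerfiles; even a helper that raises on non-zero status would not catch it, because without `pipefail` only jq's exit code is visible and jq exits 0 on empty input. Fail at the point of definition instead, right after the assignment: `if not SOURCE_IMAGES: raise RuntimeError(f"No source images found in {release_info_rpm}")` (or the file's usual error convention). A comment would also help the next reader, since `release_info_rpm` and `UNAME_M` are interpolated into a shell string and presumably come from rpm/uname queries rather than CLI input: `# NOTE: values are interpolated into a shell command; keep them sourced from rpm/uname, never from user-supplied arguments`. The `for var in rpmver_globals_vars` loop and `set_rpm_version_info_vars` continue past the end of the hunk.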
@@ -230,10 +238,13 @@ def process_containerfile(groupdir, containerfile, dry_run):
     try:
         # Redirect the output to the log file
         with open(cf_logfile, 'w') as logfile:
-            # Run the container build command
+            # Run the container build command.
+            # Note: The pull secret is necessary in some builds for pulling embedded
+            # container images specified by SOURCE_IMAGES environment variable.
             build_args = [
                 "sudo", "podman", "build",
                 "--authfile", PULL_SECRET,
+                "--secret", f"id=pullsecret,src={PULL_SECRET}",
                 "-t", cf_outname,
                 "-f", cf_outfile, IMAGEDIR
             ]
From 092f3f8e373d9814cdbfc6b26de3aa3f9ebc1bf2 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Fri, 20 Sep 2024 20:14:27 +0000
Subject: [PATCH 2/5] Add container builds with embedded images
---
 .../cos9-bootc-source-isolated.containerfile | 35 +++++++++++++++++++
 .../microshift-imagestore-config.sh.template | 20 +++++++++++
 ...rhel94-bootc-source-isolated.containerfile | 35 +++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
 create mode 100644 test/image-blueprints/layer5-bootc/group2/microshift-imagestore-config.sh.template
 create mode 100644 test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
diff --git a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
new file mode 100644
index 00000000000..2891cc3ec39
--- /dev/null
+++ b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
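Review bot: The `"--secret", f"id=pullsecret,src={PULL_SECRET}"` argument is passed to every build, not only the ones the new comment says need it, so the registry credential is now readable by any `RUN --mount=type=secret,id=pullsecret` step in any templated containerfile, including those that previously had no way to see it. That is acceptable as long as containerfiles only consume it through a secret mount (which podman does not persist in the image layers) and never `COPY` or `cat` it into a layer, and the comment should say so: `# Exposed to RUN steps only via --mount=type=secret; never COPY the file into a layer or it ships in the image.` If the build group is known at this point, passing `--secret` only for the builds that reference `SOURCE_IMAGES` would keep least privilege. The enclosing `try` block and `process_containerfile` continue past the end of the hunk.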
@@ -0,0 +1,35 @@
+FROM localhost/cos9-bootc-source:latest
+
+# SOURCE_IMAGES contains a comma-separated list of container image references.
+# Split the variable and pull each image in a separate layer.
+#
+# Note: Gomplate blocks are commented out to avoid hadolint warnings.
+# {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
+RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
+    skopeo copy \
+    --authfile /run/secrets/pull-secret.json \
+    "docker://{{ . }}" \
+    dir:/var/lib/containers/storage-preloaded
+# {{ end }}
+
+# Edit the container storage configuration file to include the new path
+RUN sed -i '/^additionalimagestores.*/a\ "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
+
+# Apply a workaround to set the SELinux context on the new storage directory and
+# also restore 'NET_BIND_SERVICE' capability that is currently lost when including
+# images in the container.
+#
+# Note: This requires setting the additional image stores path to a read-write
+# location on the file system. The images will still be treated as read-only by
+# the container subsystem.
+# See https://github.com/ostreedev/ostree-rs-ext/issues/654
+COPY --chmod=755 ./bootc-images/microshift-imagestore-config.sh /usr/bin/microshift-imagestore-config
+RUN printf '[Unit]\n\
+Description=Configure the image store directory for MicroShift\n\
+Before=microshift.service\n\
+[Service]\n\
+Type=oneshot\n\
+ExecStart=/usr/bin/microshift-imagestore-config /var/lib/containers/storage /var/lib/containers/storage-preloaded\n\
+[Install]\n\
+WantedBy=multi-user.target\n' > /etc/systemd/system/microshift-imagestore-config.service && \
+    systemctl enable microshift-imagestore-config.service
diff --git a/test/image-blueprints/layer5-bootc/group2/microshift-imagestore-config.sh.template b/test/image-blueprints/layer5-bootc/group2/microshift-imagestore-config.sh.template
new file mode 100644
index 00000000000..b1813954695
--- /dev/null
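Review bot: The `dir:/var/lib/containers/storage-preloaded` destination on the skopeo line does not appear to produce what the later `additionalimagestores` edit consumes: as far as I can tell, the `dir:` transport writes a single image per directory (`manifest.json` plus blobs), so every iteration of the range loop overwrites the previous manifest, and containers/storage expects its own overlay-images/overlay-layers layout in an additional store, not a `dir:` layout. If that reading is right, the copy should target the storage transport so each image lands under its own reference, e.g. `"containers-storage:[overlay@/var/lib/containers/storage-preloaded+/run/containers/storage-preloaded]{{ . }}"`. Independently, consider adding `--preserve-digests` so the embedded images keep the digests listed in the release JSON instead of being silently re-encoded, which keeps what boots verifiable against what was released. The rhel94 variant added in the same commit has the identical structure.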
+++ b/test/image-blueprints/layer5-bootc/group2/microshift-imagestore-config.sh.template
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -euo pipefail
+
+if [ $# -ne 2 ] ; then
+    echo "Usage: $(basename "$0") "
+    exit 1
+fi
+
+if [ "$(id -u)" != 0 ] ; then
+    echo "This script should be executed with root permissions"
+    exit 1
+fi
+
+DEF_IMGPATH="$1"
+NEW_IMGPATH="$2"
+
+semanage fcontext -a -e "${DEF_IMGPATH}" "${NEW_IMGPATH}"
+restorecon -R "${NEW_IMGPATH}"
+
+find "${NEW_IMGPATH}" -type f -path "*/usr/sbin/haproxy" -exec setcap "cap_net_bind_service=+ep" {} \;
diff --git a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
new file mode 100644
index 00000000000..c93f3477725
--- /dev/null
+++ b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
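Review bot: The script is not idempotent, yet the oneshot unit it is installed from runs on every boot: as far as I recall `semanage fcontext -a -e` refuses to add an equivalence that already exists, so from the second boot onward the `semanage` line fails, `set -euo pipefail` aborts the script, and a unit ordered `Before=microshift.service` ends up failed. Guard the add, e.g. `semanage fcontext -l | grep -qx "${NEW_IMGPATH} = ${DEF_IMGPATH}" || semanage fcontext -a -e "${DEF_IMGPATH}" "${NEW_IMGPATH}"`, or gate the unit on a stamp file. The `find ... -exec setcap "cap_net_bind_service=+ep"` line grants a file capability to any file at `*/usr/sbin/haproxy` anywhere under the store, so a comment naming the image that needs it and the issue being worked around would tell the next reader when it can be removed. The usage line `echo "Usage: $(basename "$0") "` also seems to have lost its two argument placeholders, possibly an extraction artifact, but worth checking.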
@@ -0,0 +1,35 @@
+FROM localhost/rhel94-bootc-source:latest
+
+# SOURCE_IMAGES contains a comma-separated list of container image references.
+# Split the variable and pull each image in a separate layer.
+#
+# Note: Gomplate blocks are commented out to avoid hadolint warnings.
+# {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
+RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
+    skopeo copy \
+    --authfile /run/secrets/pull-secret.json \
+    "docker://{{ . }}" \
+    dir:/var/lib/containers/storage-preloaded
+# {{ end }}
+
+# Edit the container storage configuration file to include the new path
+RUN sed -i '/^additionalimagestores.*/a\ "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf
+
+# Apply a workaround to set the SELinux context on the new storage directory and
+# also restore 'NET_BIND_SERVICE' capability that is currently lost when including
+# images in the container.
+#
+# Note: This requires setting the additional image stores path to a read-write
+# location on the file system. The images will still be treated as read-only by
+# the container subsystem.
+# See https://github.com/ostreedev/ostree-rs-ext/issues/654
+COPY --chmod=755 ./bootc-images/microshift-imagestore-config.sh /usr/bin/microshift-imagestore-config
+RUN printf '[Unit]\n\
+Description=Configure the image store directory for MicroShift\n\
+Before=microshift.service\n\
+[Service]\n\
+Type=oneshot\n\
+ExecStart=/usr/bin/microshift-imagestore-config /var/lib/containers/storage /var/lib/containers/storage-preloaded\n\
+[Install]\n\
+WantedBy=multi-user.target\n' > /etc/systemd/system/microshift-imagestore-config.service && \
+    systemctl enable microshift-imagestore-config.service
From 8aa122f89e77aee3e1a2d1189a75649f564a3556 Mon Sep 17 00:00:00 2001
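Review bot: The `RUN sed -i '/^additionalimagestores.*/a\ ...'` line exits 0 whether or not the `additionalimagestores` key matched, so a base image whose `/etc/containers/storage.conf` has that key commented out or absent builds cleanly and simply never sees the preloaded store; the symptom would only appear as missing images at runtime. Assert the edit took effect in the same step: `RUN sed -i '/^additionalimagestores.*/a\ "/var/lib/containers/storage-preloaded",' /etc/containers/storage.conf && grep -q storage-preloaded /etc/containers/storage.conf`. The same applies to the cos9 variant of this file, which is otherwise identical.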
From: Gregory Giguashvili
Date: Fri, 20 Sep 2024 20:15:06 +0000
Subject: [PATCH 3/5] Add isolated network test scenarios
---
 .../periodics/cos9-src@isolated-net.sh | 22 +++++++++++++++++++
 .../periodics/el94-src@isolated-net.sh | 22 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 test/scenarios-bootc/periodics/cos9-src@isolated-net.sh
 create mode 100644 test/scenarios-bootc/periodics/el94-src@isolated-net.sh
diff --git a/test/scenarios-bootc/periodics/cos9-src@isolated-net.sh b/test/scenarios-bootc/periodics/cos9-src@isolated-net.sh
new file mode 100644
index 00000000000..ab7f0a416e8
--- /dev/null
+++ b/test/scenarios-bootc/periodics/cos9-src@isolated-net.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Redefine network-related settings to use the isolated network bridge
+VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_ISOLATED_NETWORK}")"
+# shellcheck disable=SC2034 # used elsewhere
+BOOTC_REGISTRY_URL="${VM_BRIDGE_IP}:5000"
+
+scenario_create_vms() {
+    prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-isolated
+    # Use the isolated network when creating a VM
+    launch_vm --boot_blueprint centos9-bootc --network_name "${VM_ISOLATED_NETWORK}" --bootc
+}
+
+scenario_remove_vms() {
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    run_tests host1 suites/network/isolated-network.robot
+}
diff --git a/test/scenarios-bootc/periodics/el94-src@isolated-net.sh b/test/scenarios-bootc/periodics/el94-src@isolated-net.sh
new file mode 100644
index 00000000000..b42828180b9
--- /dev/null
+++ b/test/scenarios-bootc/periodics/el94-src@isolated-net.sh
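Review bot: `BOOTC_REGISTRY_URL="${VM_BRIDGE_IP}:5000"` is derived from `get_vm_bridge_ip` without checking that it returned anything, so a missing or misconfigured isolated bridge yields the URL `:5000` and the failure shows up later in whatever consumes `BOOTC_REGISTRY_URL` instead of at the point of definition. Since the file is sourced by scenario.sh, a guard right after the assignment would surface it immediately: `[ -n "${VM_BRIDGE_IP}" ] || { echo "ERROR: no bridge IP for ${VM_ISOLATED_NETWORK}" >&2; return 1; }` (use `return` rather than `exit` unless scenario.sh expects a scenario file to terminate the shell; I cannot see its conventions from here). A one-line comment on where the `5000` registry port is defined would also keep the two values from drifting apart.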
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Sourced from scenario.sh and uses functions defined there.
+
+# Redefine network-related settings to use the isolated network bridge
+VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_ISOLATED_NETWORK}")"
+# shellcheck disable=SC2034 # used elsewhere
+BOOTC_REGISTRY_URL="${VM_BRIDGE_IP}:5000"
+
+scenario_create_vms() {
+    prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-source-isolated
+    # Use the isolated network when creating a VM
+    launch_vm --boot_blueprint rhel94-bootc --network_name "${VM_ISOLATED_NETWORK}" --bootc
+}
+
+scenario_remove_vms() {
+    remove_vm host1
+}
+
+scenario_run_tests() {
+    run_tests host1 suites/network/isolated-network.robot
+}
From 4020bdb958f1a2eb2f1adc4ddbd2bbf51a47a6ee Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Sun, 22 Sep 2024 05:21:27 +0000
Subject: [PATCH 4/5] Add retry to skopeo copy command
---
 .../group2/cos9-bootc-source-isolated.containerfile | 7 ++++---
 .../group2/rhel94-bootc-source-isolated.containerfile | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
index 2891cc3ec39..df802000ffa 100644
--- a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
+++ b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
@@ -7,9 +7,10 @@ FROM localhost/cos9-bootc-source:latest
 # {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
 RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
     skopeo copy \
-    --authfile /run/secrets/pull-secret.json \
-    "docker://{{ . }}" \
-    dir:/var/lib/containers/storage-preloaded
+        --retry-times 3 \
+        --authfile /run/secrets/pull-secret.json \
+        "docker://{{ . }}" \
+        dir:/var/lib/containers/storage-preloaded
 # {{ end }}
 
 # Edit the container storage configuration file to include the new path
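Review bot: This file duplicates cos9-src@isolated-net.sh line for line apart from the kickstart target and the `--boot_blueprint rhel94-bootc` value, so any fix to the bridge-IP handling or the suite path has to be made twice and can drift. If scenario.sh allows it, a shared snippet (e.g. a sourced `isolated-net-common.sh` holding the `VM_BRIDGE_IP`/`BOOTC_REGISTRY_URL` setup and the `scenario_remove_vms`/`scenario_run_tests` functions) would leave only `scenario_create_vms` per variant. At minimum the same empty-result guard belongs after the assignment here too: `[ -n "${VM_BRIDGE_IP}" ] || { echo "ERROR: no bridge IP for ${VM_ISOLATED_NETWORK}" >&2; return 1; }`.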
diff --git a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
index c93f3477725..7b2c39c6592 100644
--- a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
+++ b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
@@ -7,9 +7,10 @@ FROM localhost/rhel94-bootc-source:latest
 # {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
 RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
     skopeo copy \
-    --authfile /run/secrets/pull-secret.json \
-    "docker://{{ . }}" \
-    dir:/var/lib/containers/storage-preloaded
+        --retry-times 3 \
+        --authfile /run/secrets/pull-secret.json \
+        "docker://{{ . }}" \
+        dir:/var/lib/containers/storage-preloaded
 # {{ end }}
 
 # Edit the container storage configuration file to include the new path
From 7a98ec5b9b9bbddaf244d86c38bb75322b5bc837 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Sun, 22 Sep 2024 16:36:36 +0000
Subject: [PATCH 5/5] Limit skopeo max process number to 8
---
 .../group2/cos9-bootc-source-isolated.containerfile | 2 +-
 .../group2/rhel94-bootc-source-isolated.containerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
index df802000ffa..c050d3c2ef0 100644
--- a/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
+++ b/test/image-blueprints/layer5-bootc/group2/cos9-bootc-source-isolated.containerfile
@@ -6,7 +6,7 @@ FROM localhost/cos9-bootc-source:latest
 # Note: Gomplate blocks are commented out to avoid hadolint warnings.
 # {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
 RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
-    skopeo copy \
+    GOMAXPROCS=8 skopeo copy \
         --retry-times 3 \
         --authfile /run/secrets/pull-secret.json \
         "docker://{{ . }}" \
diff --git a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
index 7b2c39c6592..737ef28d314 100644
--- a/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
+++ b/test/image-blueprints/layer5-bootc/group2/rhel94-bootc-source-isolated.containerfile
@@ -6,7 +6,7 @@ FROM localhost/rhel94-bootc-source:latest
 # Note: Gomplate blocks are commented out to avoid hadolint warnings.
 # {{ range (.Env.SOURCE_IMAGES | strings.Split ",") }}
 RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
-    skopeo copy \
+    GOMAXPROCS=8 skopeo copy \
         --retry-times 3 \
         --authfile /run/secrets/pull-secret.json \
         "docker://{{ . }}" \
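Review bot: The `GOMAXPROCS=8` prefix on the `skopeo copy` line carries no explanation in the containerfile, and the commit subject ("max process number") describes it loosely: `GOMAXPROCS` caps the Go runtime's concurrently executing OS threads for that one skopeo invocation, not a process count. Without a note the next maintainer cannot tell whether it is a memory/CPU workaround on the build host or a correctness requirement, and may remove or retune it blindly. Suggest a comment above the RUN, e.g. `# Cap skopeo's Go runtime threads so parallel blob pulls of large images do not oversubscribe the build host` (substitute the actual symptom that motivated the limit if it differs). The same applies to the cos9 hunk in this commit.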