diff --git a/.gitignore b/.gitignore
index 523a91e..1217f78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -227,19 +227,5 @@
 /v2.229.1.tar.gz
 /v2.230.0.tar.gz
 /v2.231.0.tar.gz
-/packit-tmt-bodhi-reuse.zip
 /v2.232.1.tar.gz
 /v2.233.0.tar.gz
-/v2.234.1.tar.gz
-/v2.234.2.tar.gz
-/v2.235.0.tar.gz
-/v2.236.0.tar.gz
-/v2.237.0.tar.gz
-/v2.238.0.tar.gz
-/v2.239.0.tar.gz
-/v2.240.0.tar.gz
-/v2.241.0.tar.gz
-/v2.242.0.tar.gz
-/v2.243.0.tar.gz
-/v2.244.0.tar.gz
-/v2.245.0.tar.gz
diff --git a/.packit.yaml b/.packit.yaml
index d25d664..2f048d0 100644
--- a/.packit.yaml
+++ b/.packit.yaml
@@ -13,11 +13,9 @@ files_to_sync:
 - src: plans/
 dest: plans/
 delete: true
- mkpath: true
 - src: test/
 dest: test/
 delete: true
- mkpath: true
 - src: .fmf/
 dest: .fmf/
 delete: true
@@ -30,7 +28,7 @@ packages:
 container-selinux-centos:
 pkg_tool: centpkg
 specfile_path: rpm/container-selinux.spec
- container-selinux-eln:
+ container-selinux-rhel:
 specfile_path: rpm/container-selinux.spec
 srpm_build_deps:
@@ -45,29 +43,26 @@ jobs:
 message: "Ephemeral COPR build failed. @containers/packit-build please check."
 enable_net: true
 # container-selinux is noarch so we only need to test on one arch
- targets: &fedora_copr_targets
- - fedora-all-x86_64
- - fedora-all-aarch64
-
- - job: copr_build
- trigger: pull_request
- packages: [container-selinux-eln]
- notifications: *copr_build_failure_notification
- enable_net: true
- targets: &eln_copr_targets
- - fedora-eln-x86_64
- - fedora-eln-aarch64
+ targets:
+ - fedora-all
+ - fedora-eln
 - job: copr_build
 trigger: pull_request
 packages: [container-selinux-centos]
 notifications: *copr_build_failure_notification
 enable_net: true
- targets: ¢os_copr_targets
- - centos-stream-9-x86_64
- - centos-stream-9-aarch64
- - centos-stream-10-x86_64
- - centos-stream-10-aarch64
+ targets: ¢os_targets
+ - centos-stream-9
+ - centos-stream-10
+
+ - job: copr_build
+ trigger: pull_request
+ packages: [container-selinux-rhel]
+ notifications: *copr_build_failure_notification
+ enable_net: true
+ targets:
+ - epel-9
 # Run on commit to main branch
 # Build targets managed in copr settings
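Review bot: The centos `targets:` anchor renders here as `¢os_targets` (old side `¢os_copr_targets`), but the tests job further down aliases `*centos_targets`, so the file itself must read `targets: &centos_targets` and this is an `&cent` entity artifact of the page rather than a defect in the change. The new `container-selinux-rhel` copr job is the only one of the three copr_build jobs without a comment; `# Builds for RHEL via EPEL 9` above its `- job: copr_build` would mirror the `# Tests for RHEL` comment the tests hunk adds.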
@@ -90,41 +85,47 @@ jobs:
 notifications: &test_failure_notification
 failure_comment:
 message: "Tests failed. @containers/packit-build please check."
- targets: *fedora_copr_targets
+ targets:
+ - fedora-all
 tf_extra_params:
 environments:
 - artifacts:
 - type: repository-file
 id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
- # Tests for Fedora
- - job: tests
- trigger: pull_request
- packages: [container-selinux-eln]
- notifications: *test_failure_notification
- targets: *eln_copr_targets
- tf_extra_params:
- environments:
- - artifacts:
- - type: repository-file
- id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-eln/rhcontainerbot-podman-next-fedora-eln.repo
- # Tests for CentOS Stream
 - job: tests
 trigger: pull_request
 packages: [container-selinux-centos]
 notifications: *test_failure_notification
- targets: *centos_copr_targets
+ targets: *centos_targets
 tf_extra_params:
 environments:
 - artifacts:
 - type: repository-file
 id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+ # Tests for RHEL
+ - job: tests
+ trigger: pull_request
+ packages: [container-selinux-rhel]
+ use_internal_tf: true
+ notifications: *test_failure_notification
+ targets:
+ epel-9-x86_64:
+ distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
+ tf_extra_params:
+ environments:
+ - artifacts:
+ - type: repository-file
+ id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/epel-$releasever/rhcontainerbot-podman-next-epel-$releasever.repo
+ - type: repository-file
+ id: https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo
+
 - job: propose_downstream
 trigger: release
 packages: [container-selinux-fedora]
- dist_git_branches: &fedora_targets
+ dist_git_branches:
 - fedora-all
 - job: propose_downstream
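Review bot: The RHEL tests job injects `https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo` as a repository-file artifact; the packaged epel.repo points its `gpgkey` at a `file:///etc/pki/rpm-gpg/` path that only `epel-release` installs, so on a bare RHEL nightly package installs from that repo may fail signature verification (or tempt someone to switch gpgcheck off) — verify in a Testing Farm run, and prefer installing `epel-release` in the plan over pasting the repo file. The `distros:` flow list lacks a space after the comma; `distros: [RHEL-9.4.0-Nightly, RHEL-9-Nightly]` is the conventional form. `use_internal_tf: true` on a `pull_request` trigger runs PR-supplied test content on the internal Testing Farm, which is only as safe as packit's allow-listing of who may trigger PR jobs for this repo; that configuration is not visible in this file.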
@@ -136,7 +137,8 @@ jobs:
 - job: koji_build
 trigger: commit
 packages: [container-selinux-fedora]
- dist_git_branches: *fedora_targets
+ dist_git_branches:
+ - fedora-all
 - job: bodhi_update
 trigger: commit
diff --git a/README.packit b/README.packit
index db537f9..459869a 100644
--- a/README.packit
+++ b/README.packit
@@ -1,3 +1,3 @@
 This repository is maintained by packit.
 https://packit.dev/
-The file was generated using packit 1.13.0.
+The file was generated using packit 0.101.0.
diff --git a/container-selinux.spec b/container-selinux.spec
index 6348202..cc61060 100644
--- a/container-selinux.spec
+++ b/container-selinux.spec
@@ -2,6 +2,7 @@
 # container-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
+%global selinuxtype targeted
 %global moduletype services
 %global modulenames container
@@ -20,22 +21,22 @@
 %define no_user_namespace 1
 %endif
-# set copr_build is more intuitive than copr_username
-%if %{defined copr_username} && "%{copr_username}" == "rhcontainerbot" && "%{copr_projectname}" == "podman-next"
-%define next_build 1
+# copr_build is more intuitive than copr_username
+%if %{defined copr_username}
+%define copr_build 1
 %endif
 Name: container-selinux
-# Set different Epoch for rhcontainerbot/podman-next copr build
-%if %{defined next_build}
+# Set different Epochs for copr and koji
+%if %{defined copr_build}
 Epoch: 102
 %else
-Epoch: 4
+Epoch: 2
 %endif
 # Keep Version in upstream specfile at 0. It will be automatically set
 # to the correct value by Packit for copr and koji builds.
 # IGNORE this comment if you're looking at it in dist-git.
-Version: 2.245.0
+Version: 2.233.0
 Release: %autorelease
 License: GPL-2.0-only
 URL: https://github.com/containers/%{name}
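Review bot: `%global selinuxtype targeted` is introduced here, but the policy type stays hard-coded or comes from a different source elsewhere on the new side: the `%files` hunk (`@@ -126,10 +126,9 @@`) still lists `%{_sysconfdir}/selinux/targeted/contexts/users/*`, and in the `%post` hunk (`@@ -95,24 +98,21 @@`) the `semodule` and `%selinux_modules_install` calls use `-s %{selinuxtype}` while the following `sed` edits `/etc/selinux/${SELINUXTYPE}/contexts/customizable_types` with the type sourced from `%{_sysconfdir}/selinux/config`. On a host whose configured type is not `targeted`, the modules land in one store and the customizable_types edit in another. Use `%{selinuxtype}` in all three places, e.g. `%{_sysconfdir}/selinux/%{selinuxtype}/contexts/users/*` and `-i %{_sysconfdir}/selinux/%{selinuxtype}/contexts/customizable_types`, and drop the `. %{_sysconfdir}/selinux/config` line if nothing else in the scriptlet reads `SELINUXTYPE`.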
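Review bot: `%if %{defined copr_username}` now sets `copr_build`, and with it `Epoch: 102`, for every COPR build rather than only the rhcontainerbot/podman-next project the removed condition checked; any personal or scratch COPR build of this spec therefore outranks the distribution package (rpm compares Epoch before Version), and a host that enables such a repo is upgraded to it. If the intent is still to special-case podman-next, keep the `copr_username`/`copr_projectname` comparison; if the broader behaviour is intended, say so in the comment above the `%if`, which currently only explains the macro name. Separately, `Epoch: 4` becoming `Epoch: 2` only upgrades cleanly if this branch never shipped Epoch 4; if the diff is against a branch that did, the lower Epoch breaks the update path.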
@@ -50,8 +51,7 @@ BuildRequires: selinux-policy-devel >= %_selinux_policy_version
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-any >= %_selinux_policy_version
-Recommends: selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires(post): sed
@@ -86,8 +86,11 @@ make %_format MODULES $x.pp.bz2
 %{__make} DATADIR=%{buildroot}%{_datadir} SYSCONFDIR=%{buildroot}%{_sysconfdir} install install.udica-templates install.selinux-user
+# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
+rm %{buildroot}%{_mandir}/man8/container_selinux.8
+
 %pre
-%selinux_relabel_pre
+%selinux_relabel_pre -s %{selinuxtype}
 %post
 # Install all modules in a single transaction
@@ -95,24 +98,21 @@ if [ $1 -eq 1 ]; then
 %{_sbindir}/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
 fi
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d docker 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
+%selinux_modules_install -s %{selinuxtype} $MODULES
 . %{_sysconfdir}/selinux/config
-%{_sbindir}/semodule -n -s ${SELINUXTYPE} -r container 2> /dev/null
-%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d docker 2> /dev/null
-%{_sbindir}/semodule -n -s ${SELINUXTYPE} -d gear 2> /dev/null
-%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types
 matchpathcon -qV %{_sharedstatedir}/containers || restorecon -R %{_sharedstatedir}/containers &> /dev/null || :
 %postun
 if [ $1 -eq 0 ]; then
- %selinux_modules_uninstall %{modulenames} docker
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulenames} docker
 fi
 %posttrans
-%selinux_relabel_post
-
-# Empty placeholder check to silence rpmlint
-%check
+%selinux_relabel_post -s %{selinuxtype}
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -126,10 +126,9 @@ fi
 %dir %{_datadir}/udica/templates/
 %{_datadir}/udica/templates/*
 # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=2209120
-%{_mandir}/man8/container_selinux.8.gz
-%{_sysconfdir}/selinux/targeted/contexts/users/container_u
-%ghost %verify(not mode) %{_selinux_store_path}/targeted/active/modules/200/%{modulenames}
-%ghost %verify(not mode) %{_selinux_store_path}/mls/active/modules/200/%{modulenames}
+#%%{_mandir}/man8/container_selinux.8.gz
+%{_sysconfdir}/selinux/targeted/contexts/users/*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulenames}
 %triggerpostun -- container-selinux < 2:2.162.1-3
 if %{_sbindir}/selinuxenabled ; then
diff --git a/gating.yaml b/gating.yaml
index c692db7..dbb1d91 100644
--- a/gating.yaml
+++ b/gating.yaml
@@ -1,9 +1,7 @@
 --- !Policy
 product_versions:
 - fedora-*
-decision_contexts:
- - bodhi_update_push_stable
- - bodhi_update_push_testing
+decision_context: bodhi_update_push_stable
 rules:
 - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
diff --git a/plans/all.fmf b/plans/all.fmf
new file mode 100644
index 0000000..9e0d10b
--- /dev/null
+++ b/plans/all.fmf
@@ -0,0 +1,20 @@
+discover:
+ how: fmf
+execute:
+ how: tmt
+
+/upstream:
+ summary: Run SELinux specific Podman tests on upstream PRs
+ discover+:
+ filter: tag:upstream
+ adjust+:
+ enabled: false
+ when: initiator is not defined or initiator != packit
+
+/downstream:
+ summary: Run SELinux specific Podman tests on bodhi / errata and dist-git PRs
+ discover+:
+ filter: tag:downstream
+ adjust+:
+ enabled: false
+ when: initiator == packit
diff --git a/plans/main.fmf b/plans/main.fmf
deleted file mode 100644
index c758669..0000000
--- a/plans/main.fmf
+++ /dev/null
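Review bot: `%{_sysconfdir}/selinux/targeted/contexts/users/*` replaces the explicit `container_u` entry with a glob, so the package claims whatever other packages drop into that directory, and it spells out `targeted` right next to a `%ghost` line that uses `%{selinuxtype}`; `%{_sysconfdir}/selinux/%{selinuxtype}/contexts/users/container_u` keeps ownership explicit and consistent. The `%ghost` path now hard-codes `%{_sharedstatedir}/selinux/...` where the removed lines used `%{_selinux_store_path}`, presumably the macro the selinux-policy macro set provides for that directory; prefer the macro unless it is known to be missing on the target branch. The `%files` list continues outside the hunk.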
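Review bot: `decision_context: bodhi_update_push_stable` drops `bodhi_update_push_testing`, so the policy no longer gates pushes to updates-testing; if that is not intended it is a gating-coverage regression rather than a syntax change. If the consuming Greenwave version only accepts the singular key, a second `!Policy` document for the testing context keeps the coverage; otherwise the list form `decision_contexts:` with both entries is the smaller fix.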
@@ -1,30 +0,0 @@
-discover:
- how: fmf
-execute:
- how: tmt
-prepare:
- - how: feature
- epel: enabled
- # TODO: Revisit this once https://github.com/teemtee/tmt/issues/3990 is in place.
- # FIXME: For whatever reason, CentOS Stream envs end up upgrading container-selinux
- # from podman-next instead of using the one installed by Packit. This apparently should
- # be easier to handle once tmt#3990 is done. Things work as expected on Fedora already.
- - when: initiator == packit
- how: shell
- script: |
- COPR_REPO_FILE="/etc/yum.repos.d/*podman-next*.repo"
- if compgen -G $COPR_REPO_FILE > /dev/null; then
- sed -i -n '/^priority=/!p;$apriority=1' $COPR_REPO_FILE
- fi
-
-/basic_check:
- discover+:
- test: /test/basic_check
-
-/podman_rootful_system:
- discover+:
- test: /test/podman_rootful_system
-
-/podman_rootless_system:
- discover+:
- test: /test/podman_rootless_system
diff --git a/plans/tmt.fmf b/plans/tmt.fmf
deleted file mode 100644
index 1941978..0000000
--- a/plans/tmt.fmf
+++ /dev/null
@@ -1,9 +0,0 @@
-/:
- inherit: false
-
-summary: Run tmt's integration tests
-plan:
- import:
- url: https://github.com/teemtee/tmt
- path: /plans/friends
- name: /podman
diff --git a/sources b/sources
index ce107a4..e8e9fbc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v2.245.0.tar.gz) = 0bc85980780631ceccb38f2fde64ff7f3792be18d4501806532f097deedde70f446e2389c543dd78e9087b45cd1a6916c0e096e6ea42dd77ac377ad4111b7db2
+SHA512 (v2.233.0.tar.gz) = f79380a3312cb57953bc1286ba7dcdbf29ab95ce72de79c5bac1eb6c4401d2bcb0c9875802c7198a9680af19affb34170581c609180408b21cc27cf680c3feb4
diff --git a/test/Makefile b/test/Makefile
new file mode 100644
index 0000000..5fee1ea
--- /dev/null
+++ b/test/Makefile
@@ -0,0 +1,15 @@
+.PHONY: basic_check
+basic_check:
+ semodule --list=full | grep container
+ semodule -B
+
+.PHONY: podman_e2e_test
+podman_e2e_test:
+ bash ./podman-tests.sh e2e
+
+.PHONY: podman_system_test
+podman_system_test:
+ bash ./podman-tests.sh system
+
+clean:
+ rm -rf podman-*dev* podman.spec
diff --git a/test/main.fmf b/test/main.fmf
index 741aef1..8c30075 100644
--- a/test/main.fmf
+++ b/test/main.fmf
@@ -1,34 +1,21 @@
+# Only common dependencies that are NOT required to run podman-tests.sh are
+# specified here. Everything else is in podman-tests.sh.
 require:
- - attr
- - container-selinux
- - podman-tests
+ - cpio
+ - make
 - policycoreutils
-recommend:
- - bats
 /basic_check:
+ tag: [ upstream, downstream ]
 summary: Run basic checks
- test: |
- semodule --list=full | grep container
- semodule -B
- rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+ test: make basic_check
-/podman_rootful_system:
+/podman_e2e_test:
+ tag: [ upstream, downstream ]
+ summary: Run SELinux specific Podman e2e tests
+ test: make podman_e2e_test
+
+/podman_system_test:
+ tag: [ upstream, downstream ]
 summary: Run SELinux specific Podman system tests
- test: bash ./podman-rootful-tests.sh
-
-/podman_rootless_system:
- summary: Run rootless Podman system tests
- test: bash ./podman-rootless-tests.sh
- require+:
- - passt
- - passt-selinux
- environment:
- ROOTLESS_USER: "fedora"
- adjust:
- - when: distro == centos-stream
- environment+:
- ROOTLESS_USER: "ec2-user"
- - when: distro == rhel
- environment+:
- ROOTLESS_USER: "cloud-user"
+ test: make podman_system_test
diff --git a/test/podman-rootful-tests.sh b/test/podman-rootful-tests.sh
deleted file mode 100644
index faa504b..0000000
--- a/test/podman-rootful-tests.sh
+++ /dev/null
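Review bot: `clean` is the only target without a `.PHONY` declaration, unlike `basic_check`, `podman_e2e_test` and `podman_system_test` above it; add `.PHONY: clean` so a file named `clean` cannot mask it. Recipe lines must begin with a tab, which this rendering cannot show, so that is worth a check in the file itself. `semodule --list=full | grep container` fails the target when no module name contains the substring but also passes on any unrelated module containing it; `grep -w container` pins the check to this package's module.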
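Review bot: The rewritten plan drops the rootless system tests (`/podman_rootless_system` with the `500-networking` and `505-networking-pasta` bats files and the per-distro `ROOTLESS_USER` adjustments) and the `rpm -Vqf` check of the installed module store from `/basic_check`, leaving rootful system and e2e tests only; if the reduction is intentional it deserves a sentence in the commit message, since it is a test-coverage change rather than a refactor. `require` no longer lists `container-selinux` or `podman-tests`; the header comment explains that `podman-tests.sh` installs them, but `/basic_check` runs `make basic_check` without that script, so it relies on the harness having installed the package under test already.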
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-set -exo pipefail
-
-cat /etc/redhat-release
-
-if [[ "$(id -u)" -ne 0 ]];then
- echo "Please run as superuser"
- exit 1
-fi
-
-# Print versions of distro and installed packages
-rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy
-
-# Run podman system tests
-bats /usr/share/podman/test/system/410-selinux.bats
diff --git a/test/podman-rootless-tests.sh b/test/podman-rootless-tests.sh
deleted file mode 100644
index e5583e0..0000000
--- a/test/podman-rootless-tests.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -exo pipefail
-
-cat /etc/redhat-release
-
-# Print versions of distro and installed packages
-rpm -q bats container-selinux passt passt-selinux podman podman-tests policycoreutils selinux-policy
-
-loginctl enable-linger "$ROOTLESS_USER"
-
-# Run podman system tests
-su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/410-selinux.bats"
-su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/500-networking.bats"
-su - "$ROOTLESS_USER" -c "bats /usr/share/podman/test/system/505-networking-pasta.bats"
diff --git a/test/podman-tests.sh b/test/podman-tests.sh
new file mode 100644
index 0000000..b758cc8
--- /dev/null
+++ b/test/podman-tests.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+ echo "Please run as superuser"
+ exit 1
+fi
+
+if [[ -z "$1" ]]; then
+ echo -e "Usage: $(basename ${BASH_SOURCE[0]}) TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n"
+ exit 1
+fi
+
+TEST_TYPE=$1
+
+# Remove testing-farm repos if they exist as these interfere with the packages
+# we want to install, especially when podman-next copr is involved
+rm -f /etc/yum.repos.d/tag-repository.repo
+
+# Fetch and extract latest podman source from the highest priority dnf repo
+# NOTE: On upstream pull-requests, the srpm will be fetched from the
+# podman-next copr while on bodhi updates, it will be fetched from Fedora's
+# official repos.
+PODMAN_DIR=$(mktemp -d)
+pushd $PODMAN_DIR
+
+# Download podman and podman-tests rpms, along with podman srpm
+dnf download podman podman-tests
+# Download srpm, srpm opts differ between dnf and dnf5
+rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman
+
+# Ensure podman-tests RPM and podman SRPM version-release match
+# NOTE: podman RPM and podman-tests RPM matching is ensured by podman.spec so
+# matching podman-tests and podman srpm is sufficient here.
+PODMAN_TESTS_VERSION=$(ls podman-tests* | sed -e "s/.$(uname -m).rpm//" -e "s/podman-tests-//")
+PODMAN_SRPM_VERSION=$(ls podman*.src.rpm | sed -e "s/.src.rpm//" -e "s/podman-//")
+if [[ "$PODMAN_TESTS_VERSION" != "$PODMAN_SRPM_VERSION" ]]; then
+ echo "podman-tests and podman srpm version-release don't match"
+ exit 1
+fi
+
+# Install downloaded podman and podman-tests rpms
+dnf -y install ./podman*.$(uname -m).rpm
+
+# Extract and untar podman source from srpm
+rpm2cpio $(ls podman*.src.rpm) | cpio -di
+tar zxf *.tar.gz
+
+popd
+
+# Install dependencies for running tests
+# NOTE: bats will be fetched from Fedora repos on public testing-farm envs if EPEL repo is absent or disabled.
+dnf -y install bats golang
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux golang podman podman-tests selinux-policy
+
+if [[ "$TEST_TYPE" == "e2e" ]]; then
+ # /tmp is often unsufficient
+ export TMPDIR=/var/tmp
+
+ # dnf5 contains breaking changes
+ # Either of `dnf` OR `dnf5` will be installed, never both.
+ # To fetch srpm, dnf uses `--source`, dnf5 uses `--srpm`.
+ #rpm -q dnf5 && SRPM_OPTS="--srpm" || SRPM_OPTS="--source"
+
+ # Run podman e2e tests
+ pushd $PODMAN_DIR/podman-*/test/e2e
+ PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
+ popd
+fi
+
+if [[ "$TEST_TYPE" == "system" ]]; then
+ # Run podman system tests
+ bats /usr/share/podman/test/system/410-selinux.bats
+fi
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..552bdbb
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,16 @@
+- hosts: localhost
+ tags:
+ - classic
+ roles:
+ - role: standard-test-basic
+ required_packages:
+ - policycoreutils
+ - container-selinux
+ - podman
+ tests:
+ - is-module-installed:
+ run: semodule --list=full | grep container
+ - can-rebuild-policy:
+ run: semodule -B
+ - can-run-podman:
+ run: podman run --rm quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
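Review bot: `dnf -y install ./podman*.$(uname -m).rpm` installs the downloaded packages as local files, and dnf's `localpkg_gpgcheck` option defaults to off, so the signature verification that a by-name `dnf install podman podman-tests` would perform against the repo key is skipped here; pass `--setopt=localpkg_gpgcheck=1` (the copr and distro repo files carry their keys) or install by name and keep the download step only for the srpm. `PODMAN_TESTS_VERSION` and `PODMAN_SRPM_VERSION` are derived by parsing `ls` output and become multi-line values with a spurious mismatch if the directory ever holds more than one match, and `$PODMAN_DIR` and `${BASH_SOURCE[0]}` are unquoted throughout. `go test -v config.go config_amd64.go ...` hard-codes the amd64 config file, so the e2e branch will not build on other architectures unless that file carries a build constraint; `config_$(go env GOARCH).go` or a guard on `uname -m` would make the assumption explicit. The `PODMAN_DIR` created by `mktemp -d` is never removed.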
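Review bot: `can-run-podman` pulls `quay.io/libpod/testimage:20210610` by tag, so the outcome depends on whatever that tag resolves to at run time; pin it by digest, `quay.io/libpod/testimage@sha256:<digest>`, so a retagged image cannot change the result. `is-module-installed` and `can-rebuild-policy` duplicate the `basic_check` target in `test/Makefile`; a comment stating which CI consumes `tests/tests.yml` (STI) versus `plans/all.fmf` (tmt) would save the next maintainer from keeping both in sync by guesswork.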