From cad871a8cfad77ccc97aef836410c9cf353d1c38 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Fri, 28 Jul 2023 20:00:59 +0200 Subject: [PATCH 1/3] ci: add test for rocky9 --- .drone.jsonnet | 6 +- .drone.yml | 8 +- molecule/default | 2 +- molecule/{rocky8 => rocky9}/converge.yml | 0 molecule/{rocky8 => rocky9}/create.yml | 0 molecule/rocky9/default | 1 + molecule/{rocky8 => rocky9}/destroy.yml | 0 molecule/{rocky8 => rocky9}/molecule.yml | 4 +- molecule/{rocky8 => rocky9}/prepare.yml | 0 .../{rocky8 => rocky9}/tests/test_default.py | 0 tasks/main.yml | 76 ++++++++++++++++++- tasks/setup.yml | 76 ------------------- 12 files changed, 86 insertions(+), 87 deletions(-) rename molecule/{rocky8 => rocky9}/converge.yml (100%) rename molecule/{rocky8 => rocky9}/create.yml (100%) create mode 120000 molecule/rocky9/default rename molecule/{rocky8 => rocky9}/destroy.yml (100%) rename molecule/{rocky8 => rocky9}/molecule.yml (91%) rename molecule/{rocky8 => rocky9}/prepare.yml (100%) rename molecule/{rocky8 => rocky9}/tests/test_default.py (100%) delete mode 100644 tasks/setup.yml diff --git a/.drone.jsonnet b/.drone.jsonnet index b58970d..e70684c 100644 --- a/.drone.jsonnet +++ b/.drone.jsonnet @@ -41,7 +41,7 @@ local PipelineLinting = { }, }; -local PipelineDeployment(scenario='rocky8') = { +local PipelineDeployment(scenario='rocky9') = { kind: 'pipeline', name: 'testing-' + scenario, platform: { @@ -115,7 +115,7 @@ local PipelineDocumentation = { ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'], }, depends_on: [ - 'testing-rocky8', + 'testing-rocky9', ], }; @@ -153,7 +153,7 @@ local PipelineNotification = { [ PipelineLinting, - PipelineDeployment(scenario='rocky8'), + PipelineDeployment(scenario='rocky9'), PipelineDocumentation, PipelineNotification, ] diff --git a/.drone.yml b/.drone.yml index ab5cbeb..5d9780e 100644 --- a/.drone.yml +++ b/.drone.yml @@ -36,7 +36,7 @@ trigger: --- kind: pipeline -name: testing-rocky8 +name: testing-rocky9 platform: os: linux 
@@ -53,7 +53,7 @@ steps: - name: ansible-molecule image: thegeeklab/molecule:4 commands: - - molecule test -s rocky8 + - molecule test -s rocky9 environment: HCLOUD_TOKEN: from_secret: hcloud_token @@ -107,7 +107,7 @@ trigger: - refs/pull/** depends_on: - - testing-rocky8 + - testing-rocky9 --- kind: pipeline @@ -147,6 +147,6 @@ depends_on: --- kind: signature -hmac: 0a198d7d6b43b7f522c4ee73dc7464ff4b5dc379f9555b4b49ea5b3dd6e8c1cb +hmac: c29456b152af21f872f70b8477cc3ac8edadb3e058c994cbc564319a66469851 ... diff --git a/molecule/default b/molecule/default index 62ea184..afa9fc6 120000 --- a/molecule/default +++ b/molecule/default @@ -1 +1 @@ -rocky8 \ No newline at end of file +rocky9 \ No newline at end of file diff --git a/molecule/rocky8/converge.yml b/molecule/rocky9/converge.yml similarity index 100% rename from molecule/rocky8/converge.yml rename to molecule/rocky9/converge.yml diff --git a/molecule/rocky8/create.yml b/molecule/rocky9/create.yml similarity index 100% rename from molecule/rocky8/create.yml rename to molecule/rocky9/create.yml diff --git a/molecule/rocky9/default b/molecule/rocky9/default new file mode 120000 index 0000000..331d858 --- /dev/null +++ b/molecule/rocky9/default @@ -0,0 +1 @@ +default \ No newline at end of file diff --git a/molecule/rocky8/destroy.yml b/molecule/rocky9/destroy.yml similarity index 100% rename from molecule/rocky8/destroy.yml rename to molecule/rocky9/destroy.yml diff --git a/molecule/rocky8/molecule.yml b/molecule/rocky9/molecule.yml similarity index 91% rename from molecule/rocky8/molecule.yml rename to molecule/rocky9/molecule.yml index 0d085dd..73cfed1 100644 --- a/molecule/rocky8/molecule.yml +++ b/molecule/rocky9/molecule.yml @@ -9,8 +9,8 @@ dependency: driver: name: delegated platforms: - - name: rocky8-podman - image: rocky-8 + - name: rocky9-podman + image: rocky-9 server_type: cx11 lint: | /usr/local/bin/flake8 
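Review bot: The new symlink `molecule/rocky9/default` has the target `default`, which, resolved relative to the link's own directory, is the link itself, so it appears to be a self-referential link rather than pointing at anything usable. Scenario selection is already covered by the `molecule/default -> rocky9` change in this same patch, so this file looks like a leftover from the `rocky8 -> rocky9` directory rename; if that is the case it should simply be dropped. Tools that follow links while walking the tree (linters, `find -L`, archive or build-context creation) are likely to report a loop on it.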
diff --git a/molecule/rocky8/prepare.yml b/molecule/rocky9/prepare.yml similarity index 100% rename from molecule/rocky8/prepare.yml rename to molecule/rocky9/prepare.yml diff --git a/molecule/rocky8/tests/test_default.py b/molecule/rocky9/tests/test_default.py similarity index 100% rename from molecule/rocky8/tests/test_default.py rename to molecule/rocky9/tests/test_default.py diff --git a/tasks/main.yml b/tasks/main.yml index 1f69f7a..5200370 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,2 +1,76 @@ --- -- include_tasks: setup.yml +- block: + - name: Ensure required packages are installed + package: + name: "{{ item }}" + state: "present" + loop: + - podman + - slirp4netns + - fuse-overlayfs + - crun + - container-selinux + - bash-completion + + - name: Install Podman bash-completion + command: + cmd: "podman completion bash -f /etc/bash_completion.d/podman" + creates: "/etc/bash_completion.d/podman" + + - name: Deploy container configuration + template: + src: etc/containers/containers.conf.j2 + dest: /etc/containers/containers.conf + owner: root + group: root + mode: 0644 + + - name: Deploy storage configuration + template: + src: etc/containers/storage.conf.j2 + dest: /etc/containers/storage.conf + owner: root + group: root + mode: 0644 + + - name: Set SELinux booleans + seboolean: + name: "{{ item.name }}" + state: "{{ item.state | bool }}" + persistent: "{{ item.persistent | default(True) | bool }}" + loop: "{{ podman_sebooleans }}" + loop_control: + label: "{{ item.name }}: {{ item.state | bool }}" + + - name: Create journal log dir + file: + path: /var/log/journal + state: directory + owner: root + group: systemd-journal + mode: 02755 + + - name: Create home basedir for systemd users + file: + path: "{{ podman_systemd_home_basedir }}" + state: directory + owner: root + group: root + mode: 0755 + register: __podman_home_basedir + become: True + become_user: root + +- block: + - name: Set SELinux context for home basedir + command: semanage fcontext -a -e /home "{{ podman_systemd_home_basedir }}" + register: __podman_home_fcontext + failed_when: + - __podman_home_fcontext.rc != 0 + - "'already exists' not in __podman_home_fcontext.stderr" + + - name: Apply new SELinux file context to filesystem + command: restorecon -R "{{ podman_systemd_home_basedir }}" + when: __podman_home_basedir.changed + become: True + become_user: root diff --git a/tasks/setup.yml b/tasks/setup.yml deleted file mode 100644 index 5200370..0000000 
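Review bot: The `mode:` values in the template and file tasks (`mode: 0644` twice, `mode: 02755`, `mode: 0755`) are unquoted numbers, so they only yield the intended permissions because the YAML 1.1 parser Ansible uses treats a leading zero as octal; a YAML 1.2 parser or an edit that drops the leading zero would silently apply a different mode to /etc/containers/*.conf and the journal directory. Ansible's guidance is to quote modes, e.g. `mode: "0644"` and `mode: "02755"`, which is also what ansible-lint's risky-octal rule enforces. The two `command` tasks in the second block (`semanage fcontext` and `restorecon`) carry no `changed_when`, so the first of them reports a change on every run even when the context already exists; `changed_when: "'already exists' not in __podman_home_fcontext.stderr"` would make it idempotent.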
--- a/tasks/setup.yml +++ /dev/null @@ -1,76 +0,0 @@ ---- -- block: - - name: Ensure required packages are installed - package: - name: "{{ item }}" - state: "present" - loop: - - podman - - slirp4netns - - fuse-overlayfs - - crun - - container-selinux - - bash-completion - - - name: Install Podman bash-completion - command: - cmd: "podman completion bash -f /etc/bash_completion.d/podman" - creates: "/etc/bash_completion.d/podman" - - - name: Deploy container configuration - template: - src: etc/containers/containers.conf.j2 - dest: /etc/containers/containers.conf - owner: root - group: root - mode: 0644 - - - name: Deploy storage configuration - template: - src: etc/containers/storage.conf.j2 - dest: /etc/containers/storage.conf - owner: root - group: root - mode: 0644 - - - name: Set SELinux booleans - seboolean: - name: "{{ item.name }}" - state: "{{ item.state | bool }}" - persistent: "{{ item.persistent | default(True) | bool }}" - loop: "{{ podman_sebooleans }}" - loop_control: - label: "{{ item.name }}: {{ item.state | bool }}" - - - name: Create journal log dir - file: - path: /var/log/journal - state: directory - owner: root - group: systemd-journal - mode: 02755 - - - name: Create home basedir for systemd users - file: - path: "{{ podman_systemd_home_basedir }}" - state: directory - owner: root - group: root - mode: 0755 - register: __podman_home_basedir - become: True - become_user: root - -- block: - - name: Set SELinux context for home basedir - command: semanage fcontext -a -e /home "{{ podman_systemd_home_basedir }}" - register: __podman_home_fcontext - failed_when: - - __podman_home_fcontext.rc != 0 - - "'already exists' not in __podman_home_fcontext.stderr" - - - name: Apply new SELinux file context to filesystem - command: restorecon -R "{{ podman_systemd_home_basedir }}" - when: __podman_home_basedir.changed - become: True - become_user: root -- 2.24.4 From 01e1b5f008c7445b597a466d39d0fdb799bf5131 Mon Sep 17 00:00:00 2001 
From: Robert Kaussow Date: Fri, 28 Jul 2023 20:06:42 +0200 Subject: [PATCH 2/3] enable deployment tests for PRs --- .drone.jsonnet | 2 +- .drone.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.drone.jsonnet b/.drone.jsonnet index e70684c..226614e 100644 --- a/.drone.jsonnet +++ b/.drone.jsonnet @@ -71,7 +71,7 @@ local PipelineDeployment(scenario='rocky9') = { 'linting', ], trigger: { - ref: ['refs/heads/main', 'refs/tags/**'], + ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'], }, }; diff --git a/.drone.yml b/.drone.yml index 5d9780e..dbd0dbe 100644 --- a/.drone.yml +++ b/.drone.yml @@ -62,6 +62,7 @@ trigger: ref: - refs/heads/main - refs/tags/** + - refs/pull/** depends_on: - linting @@ -147,6 +148,6 @@ depends_on: --- kind: signature -hmac: c29456b152af21f872f70b8477cc3ac8edadb3e058c994cbc564319a66469851 +hmac: 81536c79ea3dcf2f503450427b9aa5faeb29d613cb1da19b8605010295561341 ... -- 2.24.4 From 2872f74770e29f5bf06392bf783567d14500c471 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Fri, 28 Jul 2023 21:44:24 +0200 Subject: [PATCH 3/3] refactor: drop rootless support --- defaults/main.yml | 14 +++++- molecule/rocky9/tests/test_default.py | 7 ++- tasks/main.yml | 51 ++++++++------------- templates/etc/containers/containers.conf.j2 | 6 +-- templates/etc/containers/storage.conf.j2 | 4 +- 5 files changed, 37 insertions(+), 45 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3f05091..fb93c41 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
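Review bot: Adding `refs/pull/**` to the trigger of `PipelineDeployment` makes the molecule run execute for pull requests, and that pipeline's `ansible-molecule` step injects `HCLOUD_TOKEN` from the `hcloud_token` secret (visible in the earlier .drone.yml hunk of patch 1). If that secret is configured to be available on pull-request events, a pull request from a fork can change the molecule scenario or the role tasks and run them with the cloud credential; if it is not, the step simply fails on PRs for lack of a token. Either outcome deserves to be recorded, e.g. a comment above the trigger such as `// PR builds need hcloud_token; only enable the secret for pull requests if fork PRs are not allowed to use it`, or a trigger that limits PR runs to the repository's own branches. The same change is mirrored in the .drone.yml hunk `@@ -62,6 +62,7 @@` of this patch.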
@@ -7,4 +7,16 @@ podman_sebooleans: podman_containers_logger: journald podman_engine_event_logger: journald -podman_systemd_home_basedir: /var/lib/rootless +podman_nsremap_range_start: 231072 +podman_nsremap_range_length: 65536 + +# @var podman_registries:description: List of docker registries to auto login +# @var podman_registries:example: > +# podman_registries: +# - registry: myregistry.example.com (optional) +# username: docker +# password: secure +# reauthorize: False +# state: present +# @end +podman_registries: [] diff --git a/molecule/rocky9/tests/test_default.py b/molecule/rocky9/tests/test_default.py index dc268a3..b35a03b 100644 --- a/molecule/rocky9/tests/test_default.py +++ b/molecule/rocky9/tests/test_default.py @@ -8,13 +8,12 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( ).get_hosts("all") -@pytest.mark.parametrize("package", ["podman", "crun", "slirp4netns"]) -def test_podman_installed(host, package): - assert host.package(package).is_installed +def test_podman_installed(host): + assert host.package("podman").is_installed def test_podman_run(host): cmd = host.run("/usr/bin/podman info") - assert "cgroupVersion: v1" in cmd.stdout + assert "cgroupVersion: v2" in cmd.stdout assert cmd.succeeded diff --git a/tasks/main.yml b/tasks/main.yml index 5200370..bd9810e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,9 +6,6 @@ state: "present" loop: - podman - - slirp4netns - - fuse-overlayfs - - crun - container-selinux - bash-completion 
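Review bot: The example in the `@var podman_registries` doc block names the registry key `registry`, but the `Handle registry logins` task in the tasks/main.yml hunk `@@ -42,35 +39,23 @@` reads `item.url` (for `registry:` and for the loop label), so a user following the documented shape never gets the host passed to `podman_login`, and the label render fails on the undefined attribute. Pick one name and use it in both places, e.g. change the example to `- url: myregistry.example.com` or the task to `registry: "{{ item.registry | default(omit) }}"`. The example also lists `reauthorize: False`, which the task never passes through, so it is currently documentation without effect; drop it or implement it. Since each entry carries a plaintext `password`, the doc block should state that the value is expected to come from Ansible Vault rather than an unencrypted defaults or vars file.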
@@ -42,35 +39,23 @@ loop_control: label: "{{ item.name }}: {{ item.state | bool }}" - - name: Create journal log dir - file: - path: /var/log/journal - state: directory - owner: root - group: systemd-journal - mode: 02755 - - - name: Create home basedir for systemd users - file: - path: "{{ podman_systemd_home_basedir }}" - state: directory - owner: root - group: root - mode: 0755 - register: __podman_home_basedir - become: True - become_user: root - -- block: - - name: Set SELinux context for home basedir - command: semanage fcontext -a -e /home "{{ podman_systemd_home_basedir }}" - register: __podman_home_fcontext - failed_when: - - __podman_home_fcontext.rc != 0 - - "'already exists' not in __podman_home_fcontext.stderr" - - - name: Apply new SELinux file context to filesystem - command: restorecon -R "{{ podman_systemd_home_basedir }}" - when: __podman_home_basedir.changed + - name: Configure namespace id range + lineinfile: + dest: "{{ item }}" + regexp: "^containers:" + line: "containers:{{ podman_nsremap_range_start }}:{{ podman_nsremap_range_length }}" + loop: + - /etc/subuid + - /etc/subgid + + - name: Handle registry logins + containers.podman.podman_login: + registry: "{{ item.url | default(omit) }}" + username: "{{ item.username }}" + password: "{{ item.password }}" + state: '{{ item.state | default("present") }}' + loop: "{{ podman_registries }}" + loop_control: + label: "{{ item.url }}" become: True become_user: root diff --git a/templates/etc/containers/containers.conf.j2 b/templates/etc/containers/containers.conf.j2 index f0b9dcb..2038eaa 100644 --- a/templates/etc/containers/containers.conf.j2 +++ b/templates/etc/containers/containers.conf.j2 @@ -1,6 +1,5 @@ #jinja2: lstrip_blocks: True {{ ansible_managed | comment }} - # The containers configuration file specifies all of the available configuration # command-line options/flags for container engine tools like Podman & Buildah, # but in a TOML format that can be easily modified and versioned. 
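Review bot: The `Configure namespace id range` task writes `containers:231072:65536` into /etc/subuid and /etc/subgid with a regexp that only matches an existing `containers:` line, so it never checks for overlap with ranges already allocated to users; with the login.defs defaults on RHEL-family systems (SUB_UID_MIN 100000, SUB_UID_COUNT 65536) the third account created by useradd is assigned 231072-296607, so on a host with a few local users the `userns = "auto"` range would share UIDs with a user's own subordinate range. At minimum this assumption should be written down next to the task, e.g. `# NOTE: the range must not overlap other entries in /etc/subuid|/etc/subgid; useradd hands 231072 to the third local user with default login.defs`, or the default start moved well above the useradd region. The `Handle registry logins` task passes `item.password` in a loop without `no_log: true`, so a failed login can echo the credential into the play output; add `no_log: true` to that task. Its `loop_control.label` uses `item.url` unguarded while `registry:` allows the key to be omitted, so `label: "{{ item.url | default('default registry') }}"` avoids an undefined-variable error in the documented optional case.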
@@ -19,7 +18,6 @@ [containers] default_capabilities = [ - "NET_RAW", "CHOWN", "DAC_OVERRIDE", "FOWNER", @@ -30,7 +28,6 @@ default_capabilities = [ "SETGID", "SETPCAP", "SETUID", - "SYS_CHROOT" ] default_sysctls = [ @@ -38,7 +35,7 @@ default_sysctls = [ ] log_driver = "{{ podman_containers_logger }}" -rootless_networking = "slirp4netns" +userns = "auto" [secrets] @@ -48,7 +45,6 @@ rootless_networking = "slirp4netns" [engine] events_logger = "{{ podman_engine_event_logger }}" -infra_image = "registry.access.redhat.com/ubi8/pause" runtime = "crun" [engine.runtimes] diff --git a/templates/etc/containers/storage.conf.j2 b/templates/etc/containers/storage.conf.j2 index 3759374..71bb530 100644 --- a/templates/etc/containers/storage.conf.j2 +++ b/templates/etc/containers/storage.conf.j2 @@ -7,14 +7,14 @@ driver = "overlay" runroot = "/run/containers/storage" graphroot = "/var/lib/containers/storage" -rootless_storage_path = "$HOME/.local/share/containers/storage" [storage.options] additionalimagestores = [ ] +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + [storage.options.overlay] -mount_program = "/usr/bin/fuse-overlayfs" mountopt = "nodev,metacopy=on" [storage.options.thinpool] -- 2.24.4
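Review bot: `userns = "auto"` is added to the `[containers]` section with no comment explaining that it changes the default for every container on the host and only works because the role writes a `containers` entry to /etc/subuid and /etc/subgid in tasks/main.yml; a reader of the rendered file cannot see that dependency. Suggest a comment directly above it, e.g. `# Run each container in its own user namespace drawn from the "containers" subuid/subgid range managed by this role`. The removal of `NET_RAW` and `SYS_CHROOT` from `default_capabilities` is a behaviour change for existing deployments (ICMP-based tooling and chroot-using images) that the commit message `refactor: drop rootless support` does not mention; a line in the template or the role's changelog stating it would help operators.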