From 87e53a25c82d0dbf3f3dc95721a03b3caca3d359 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Mon, 26 May 2025 15:30:56 -0400 Subject: [PATCH 1/6] TMT: re-enable podman e2e revdep tests We need to run podman e2e tests as they are not the same as system tests. For example: `podman container restore --pod ...` test isn't run in the system tests and this test is currently failing on RHEL. This reverts commit 3f2d85afe4182976443a003ef6ba95749db7e838 and makes additional changes to suit current state. Signed-off-by: Lokesh Mandvekar --- plans/main.fmf | 18 +++++++++++-- test/Makefile | 16 ++++++++++++ test/main.fmf | 33 ++++++++++++++++------- test/podman-tests.sh | 62 +++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 113 insertions(+), 16 deletions(-) create mode 100644 test/Makefile diff --git a/plans/main.fmf b/plans/main.fmf index baa8b2f..ee160b6 100644 --- a/plans/main.fmf +++ b/plans/main.fmf @@ -6,8 +6,10 @@ prepare: - when: distro == centos-stream or distro == rhel how: shell script: | - dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm --eval '%{?rhel}').noarch.rpm - dnf -y config-manager --set-enabled epel + BATS_VERSION=1.12.0 + curl -L https://github.com/bats-core/bats-core/archive/refs/tags/v"$BATS_VERSION".tar.gz | tar -xz + cd bats-core-"$BATS_VERSION" + ./install.sh /usr order: 10 - when: initiator == packit how: shell @@ -18,3 +20,15 @@ prepare: fi dnf -y upgrade --allowerasing order: 20 + +/basic_check: + discover+: + filter: 'tag:basic' + +/podman_e2e_test: + discover+: + filter: 'tag:podman_e2e' + +/podman_system_test: + discover+: + filter: 'tag:podman_system' diff --git a/test/Makefile b/test/Makefile new file mode 100644 index 0000000..9088bd9 --- /dev/null +++ b/test/Makefile 
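Review bot: The bats-core tarball fetched in the new `script:` block (first plans/main.fmf hunk) is unpacked and installed into /usr with no integrity check, and `curl -L` without `--fail` will pipe an HTTP error body straight into `tar`. `BATS_VERSION` pins a tag name rather than content, so I would save the archive to a file and verify a recorded digest before unpacking: `curl -fsSL -o bats.tar.gz <same URL>` followed by `echo "<expected-sha256>  bats.tar.gz" | sha256sum -c -`, where `<expected-sha256>` is a placeholder to be filled in from a trusted copy of the release. The EPEL route this replaces presumably went through dnf's package signature checking, so a comment in the plan saying why the tarball is used instead would help the next reader.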
@@ -0,0 +1,16 @@ +.PHONY: basic_check +basic_check: + semodule --list=full | grep container + semodule -B + rpm -Vqf /var/lib/selinux/*/active/modules/200/container + +.PHONY: podman_e2e_test +podman_e2e_test: + bash ./podman-tests.sh e2e + +.PHONY: podman_system_test +podman_system_test: + bash ./podman-tests.sh system + +clean: + rm -rf podman-*dev* podman.spec diff --git a/test/main.fmf b/test/main.fmf index 4b186d5..f2a4d53 100644 --- a/test/main.fmf +++ b/test/main.fmf @@ -1,17 +1,30 @@ +# Only common dependencies that are NOT required to run podman-tests.sh are +# specified here. Everything else is in podman-tests.sh. require: - - attr - - bats - - container-selinux - - podman-tests - - policycoreutils + - make /basic_check: summary: Run basic checks - test: | - semodule --list=full | grep container - semodule -B - rpm -Vqf /var/lib/selinux/*/active/modules/200/container + tag: [ basic ] + test: make basic_check + require+: + - policycoreutils + +/podman_e2e_test: + summary: Run SELinux specific Podman e2e tests + tag: [ podman_e2e ] + test: make podman_e2e_test + require+: + - btrfs-progs-devel + - cpio + - golang + - gpgme-devel + - podman + - zstd /podman_system_test: + tag: [ podman_system ] summary: Run SELinux specific Podman system tests - test: bash ./podman-tests.sh + test: make podman_system_test + require+: + - podman-tests diff --git a/test/podman-tests.sh b/test/podman-tests.sh index faa504b..078a874 100644 --- a/test/podman-tests.sh +++ b/test/podman-tests.sh 
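Review bot: `clean` is the only target in the new test/Makefile without a `.PHONY` line, so a file or directory named `clean` in test/ would stop it from running; add `.PHONY: clean` above it. It also removes `podman-*dev*` and `podman.spec` from the current directory, while podman-tests.sh in this same commit unpacks the source RPM under a `mktemp -d` directory, so the target may not match what the tests leave behind. A one-line comment saying which artifacts it is meant for would settle that.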
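Review bot: The new header comment in test/main.fmf says everything else is handled in podman-tests.sh, but the script as changed in this commit only queries packages with `rpm -q` and installs nothing, so the `require+` lists are the real source of dependencies. I would reword it, for example `# Dependencies shared by all tests go here; per-test packages are in each test's require+.` It is also worth checking that the e2e list covers every tool the script calls: `dnf download --source` on dnf4 is provided by dnf-plugins-core, which is not listed and may or may not already be in the base image.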
@@ -9,8 +9,62 @@ if [[ "$(id -u)" -ne 0 ]];then exit 1 fi -# Print versions of distro and installed packages -rpm -q bats container-selinux podman podman-tests policycoreutils selinux-policy +if [[ -z "$1" ]]; then + echo -e "Usage: $(basename "${BASH_SOURCE[0]}") TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n" + exit 1 +fi -# Run podman system tests -bats /usr/share/podman/test/system/410-selinux.bats +TEST_TYPE=$1 + +export PODMAN_BINARY=/usr/bin/podman + +# Remove testing-farm repos if they exist as these interfere with the packages +# we want to install, especially when podman-next copr is involved +rm -f /etc/yum.repos.d/tag-repository.repo + +if [[ "$TEST_TYPE" == "e2e" ]]; then + rpm -q container-selinux golang podman selinux-policy + + # /tmp is often unsufficient + export TMPDIR=/var/tmp + + # Fetch and extract latest podman source from the highest priority dnf repo + # NOTE: On upstream pull-requests, the srpm will be fetched from the + # podman-next copr while on bodhi updates, it will be fetched from Fedora's + # official repos. + PODMAN_DIR=$(mktemp -d) + pushd "$PODMAN_DIR" + + # Download srpm, srpm opts differ between dnf and dnf5 + if ! 
rpm -q dnf5; then + dnf download --source podman + else + dnf download --srpm podman + fi + + # Extract and untar podman source from srpm + rpm2cpio "$(ls podman*.src.rpm)" | cpio -di + tar zxf ./*.tar.gz + + popd + + if [[ "$(arch)" == "x86_64" ]]; then + ARCH=amd64 + else + ARCH=arm64 + fi + + # Run podman e2e tests + pushd "$PODMAN_DIR"/podman-*/test/e2e + go test -v config.go config_test.go config_"$ARCH".go common_test.go libpod_suite_test.go run_selinux_test.go + go test -v config.go config_test.go config_"$ARCH".go common_test.go libpod_suite_test.go checkpoint_test.go + popd +fi + +if [[ "$TEST_TYPE" == "system" ]]; then + rpm -q container-selinux podman podman-tests selinux-policy + + # Run podman system tests + bats /usr/share/podman/test/system/410-selinux.bats + bats /usr/share/podman/test/system/520-checkpoint.bats +fi From 681d9e1a34073b56aaf49d49b659de75e0a3121a Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 28 May 2025 09:21:12 -0400 Subject: [PATCH 2/6] disable centos-stream-10 tests Signed-off-by: Lokesh Mandvekar --- .packit.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.packit.yaml b/.packit.yaml index cc1d83b..e13fa96 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -66,8 +66,8 @@ jobs: targets: ¢os_copr_targets - centos-stream-9-x86_64 - centos-stream-9-aarch64 - - centos-stream-10-x86_64 - - centos-stream-10-aarch64 + # - centos-stream-10-x86_64 + # - centos-stream-10-aarch64 # Run on commit to main branch # Build targets managed in copr settings From 63910745d6f6cd616206bafebe48b80cc8787f1c Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 28 May 2025 10:09:17 -0400 Subject: [PATCH 3/6] Get selinux denials if tests failed Signed-off-by: Lokesh Mandvekar --- test/podman-tests.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/podman-tests.sh b/test/podman-tests.sh index 078a874..b3bdc5a 100644 --- a/test/podman-tests.sh +++ b/test/podman-tests.sh 
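Review bot: An unrecognised TEST_TYPE falls through both `if [[ "$TEST_TYPE" == ... ]]` blocks, so the script ends without running any test and a caller will most likely read that as a pass. Only emptiness of `$1` is checked, so I would reject other values right after `TEST_TYPE=$1`: `case "$TEST_TYPE" in e2e|system) ;; *) echo "unknown TEST_TYPE: $TEST_TYPE" >&2; exit 1 ;; esac`. In the e2e branch, `rpm2cpio "$(ls podman*.src.rpm)"` breaks if more than one source RPM matches, and the `else` arm maps every non-x86_64 machine to arm64 without checking. The script's first lines are outside the hunk, so I cannot see which `set` options are active for the unchecked `pushd` and `dnf download` calls.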
@@ -68,3 +68,9 @@ if [[ "$TEST_TYPE" == "system" ]]; then bats /usr/share/podman/test/system/410-selinux.bats bats /usr/share/podman/test/system/520-checkpoint.bats fi + +# shellcheck disable=SC2181 +if [[ $? -ne 0 ]]; then + echo "Fetching AVC denials..." + ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent +fi From 9bf5c124b03ca79f4e4a826cd63fca94a8ff2676 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 28 May 2025 10:38:31 -0400 Subject: [PATCH 4/6] check crun rpm as well Signed-off-by: Lokesh Mandvekar --- test/podman-tests.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/test/podman-tests.sh b/test/podman-tests.sh index b3bdc5a..d29ad44 100644 --- a/test/podman-tests.sh +++ b/test/podman-tests.sh @@ -22,9 +22,13 @@ export PODMAN_BINARY=/usr/bin/podman # we want to install, especially when podman-next copr is involved rm -f /etc/yum.repos.d/tag-repository.repo -if [[ "$TEST_TYPE" == "e2e" ]]; then - rpm -q container-selinux golang podman selinux-policy +for pkg in container-selinux crun golang podman podman-tests selinux-policy; do + if ! rpm -q "$pkg"; then + continue + fi +done +if [[ "$TEST_TYPE" == "e2e" ]]; then # /tmp is often unsufficient export TMPDIR=/var/tmp @@ -62,8 +66,6 @@ if [[ "$TEST_TYPE" == "e2e" ]]; then fi if [[ "$TEST_TYPE" == "system" ]]; then - rpm -q container-selinux podman podman-tests selinux-policy - # Run podman system tests bats /usr/share/podman/test/system/410-selinux.bats bats /usr/share/podman/test/system/520-checkpoint.bats From 23b564ae7eeb62090f41470452a2626dd4784f89 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 28 May 2025 10:43:23 -0400 Subject: [PATCH 5/6] fetch selinux denials on every failed test Signed-off-by: Lokesh Mandvekar --- test/podman-tests.sh | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/test/podman-tests.sh b/test/podman-tests.sh index d29ad44..a6d0d73 100644 --- a/test/podman-tests.sh 
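Review bot: The `continue` in the package loop added by PATCH 4/6 does nothing, because it is already the last statement in the loop body; the `if !` wrapper is only there so that a missing package is not fatal. `rpm -q "$pkg" || true` with a comment such as `# informational only: a missing package must not abort the run` says that directly. Note that the loop now queries `golang` and `podman-tests` for both test types, so one "is not installed" line per run is expected output rather than a problem.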
+++ b/test/podman-tests.sh @@ -28,6 +28,11 @@ for pkg in container-selinux crun golang podman podman-tests selinux-policy; do fi done +fetch_selinux_denials() { + echo "Fetching AVC denials..." + ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent +} + if [[ "$TEST_TYPE" == "e2e" ]]; then # /tmp is often unsufficient export TMPDIR=/var/tmp @@ -60,19 +65,21 @@ if [[ "$TEST_TYPE" == "e2e" ]]; then # Run podman e2e tests pushd "$PODMAN_DIR"/podman-*/test/e2e - go test -v config.go config_test.go config_"$ARCH".go common_test.go libpod_suite_test.go run_selinux_test.go - go test -v config.go config_test.go config_"$ARCH".go common_test.go libpod_suite_test.go checkpoint_test.go + if ! go test -v config.go config_test.go config_"$ARCH".go common_test.go libpod_suite_test.go run_selinux_test.go; then + fetch_selinux_denials + fi + if ! go test -v config.go config_test.go config_"$ARCH".go common_test.go libpod_suite_test.go checkpoint_test.go; then + fetch_selinux_denials + fi popd fi if [[ "$TEST_TYPE" == "system" ]]; then # Run podman system tests - bats /usr/share/podman/test/system/410-selinux.bats - bats /usr/share/podman/test/system/520-checkpoint.bats -fi - -# shellcheck disable=SC2181 -if [[ $? -ne 0 ]]; then - echo "Fetching AVC denials..." - ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent + if ! bats /usr/share/podman/test/system/410-selinux.bats; then + fetch_selinux_denials + fi + if ! bats /usr/share/podman/test/system/520-checkpoint.bats; then + fetch_selinux_denials + fi fi From f926b5db05b5a108cdcc53caa590ae165447a256 Mon Sep 17 00:00:00 2001 From: Lokesh Mandvekar Date: Wed, 28 May 2025 11:19:35 -0400 Subject: [PATCH 6/6] TMT: fetch criu rpm info Signed-off-by: Lokesh Mandvekar --- test/podman-tests.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test/podman-tests.sh b/test/podman-tests.sh index a6d0d73..21ee4b9 100644 --- a/test/podman-tests.sh +++ b/test/podman-tests.sh 
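Review bot: `ausearch ... -ts recent` in the new `fetch_selinux_denials` looks back a fixed ten minutes, so denials from a longer test run are cut off and a second failure prints the first failure's records again. I would capture a start time just before each test command and pass it to `-ts`, and give the function a header comment such as `# Print SELinux denial records from the audit log to help triage a failed test; needs ausearch (audit package)`. `ausearch` also exits non-zero when nothing matches, which matters if the script runs under `set -e`; the script's option line is not in this hunk.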
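Review bot: Wrapping each test in `if ! ...; then fetch_selinux_denials; fi` discards the test's exit status, so in the second hunk a failing `go test` or `bats` run no longer makes the script fail: the e2e block ends on `popd`, and the system block ends with whatever `ausearch` returned. For a job whose purpose is to catch SELinux policy regressions, that turns a failure into a pass. Set `rc=0` before the first test, put `rc=1` after each `fetch_selinux_denials` call, and finish the script with `exit "$rc"`.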
@@ -22,11 +22,14 @@ export PODMAN_BINARY=/usr/bin/podman # we want to install, especially when podman-next copr is involved rm -f /etc/yum.repos.d/tag-repository.repo -for pkg in container-selinux crun golang podman podman-tests selinux-policy; do +# Disable tracing mode for cleaner rpm -q output +set +x +for pkg in container-selinux criu crun golang podman podman-tests selinux-policy; do if ! rpm -q "$pkg"; then continue fi done +set -x fetch_selinux_denials() { echo "Fetching AVC denials..."