This commit reorganizes tests such that tests can be easily
triggered on local environment without any specialized CI
setup as well as triggered by TMT on PRs and bodhi updates.
This essentially moves all Fedora and CentOS Stream downstream
testing maintenance to the upstream repo.
Tests on upstream PRs use packages from the podman-next copr
wherever relevant while downstream tests use packages from the
official distro repos.
This commit also separates out rhel and centos stream tasks.
This enables centos-stream jobs to run automatically on all PRs
regardless of the PR author's access level on the repo. RHEL tests on
PRs by non-maintainers would need manual triggering by maintainers.
Co-authored-by: Cristian Le <github@lecris.me>
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Using GPUs to accelerate workloads requires the permissions guarded
by container_use_xserver_devices. By default it's disabled.
Signed-off-by: Johannes Segitz <jsegitz@suse.de>
This commit enables downstream syncing to CentOS Stream 10.
This isn't fully automated yet and requires the maintainer to run
`packit propose-downstream` and `centpkg build` steps manually.
This commit also adds TMT podman revdep tests for CentOS Stream 10 and
RHEL 10 Beta Nightly. These tests are likely to fail pending netavark
work to default to nftables.
This commit will also run separate jobs for `epel-9` and
`centos-stream-9` to ensure we're using rhel rpms for rhel tests and
centos stream rpms for centos stream tests. This will also be done for
centos stream 10 / rhel 10 once the epel-10 target is created on copr.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
- EL8 will go EOL soon and centos stream 10 is now available in copr.
- Remove old fedora 37 and rhel8 conditionals from spec file
- Switch to idiomatic TMT usage wherever possible
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
This commit also reorganizes individual tests in scripts so they can be
executed standalone if need be.
The RHEL targets are also updated to use more generic floating targets
wherever possible.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
With the 1f76e522a ("Rename all /var/run file context entries to /run")
selinux-policy commit, all /var/run file context entries moved to /run
and the equivalency was inverted. Subsequently, changes in container.fc
need to be done, too, in a similar manner. Together with that, the
"/run/lock = /var/lock" equivalency was also inverted and entries moved.
For RHEL < 10 and Fedora < 40, these changes are reverted in specfile.
Signed-off-by: Zdenek Pytela <zpytela@redhat.com>
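The commit above describes why inverting a path equivalency forces the file context entries to move. The following script is an added illustration, not code from the container-selinux or selinux-policy projects: it models the `file_contexts.subs_dist` lookup as a longest-prefix substitution (a simplified stand-in for what libselinux does), shows that the old `/var/run/...` and `/var/lock/...` entries stop matching once `/run` becomes canonical, and rewrites the entries the same way the commit does. The table contents, the sample `.fc` entries and the type names in them are constructed for the example.

```python
import re

# Constructed model of the OLD equivalency table (file_contexts.subs_dist):
# "alias -> canonical"; any path under the alias is looked up as the canonical path.
OLD_SUBS = {"/run": "/var/run", "/run/lock": "/var/lock"}
# After the selinux-policy change the direction is inverted: /run and /run/lock
# are canonical, /var/run and /var/lock are the aliases.
NEW_SUBS = {"/var/run": "/run", "/var/lock": "/run/lock"}

# Constructed sample of container.fc entries written in the OLD style
# (regex, context). Type names are illustrative only.
FC_SAMPLE = [
    (r"/var/run/containers(/.*)?", "system_u:object_r:container_var_run_t:s0"),
    (r"/var/lock/containers(/.*)?", "system_u:object_r:example_lock_t:s0"),
]


def apply_subs(path, subs):
    """Rewrite `path` using the longest matching alias prefix from `subs`.

    Simplified model of the subs_dist step of a file context lookup
    (assumption: longest prefix wins, prefixes match on whole path components).
    """
    best = None
    for alias in subs:
        if path == alias or path.startswith(alias + "/"):
            if best is None or len(alias) > len(best):
                best = alias
    if best is None:
        return path
    return subs[best] + path[len(best):]


def lookup(path, fc, subs):
    """Return the context for `path`: canonicalise via `subs`, then match the
    .fc regexes in order. First full match wins (real matching is more
    elaborate; this is enough to show the effect of the inversion)."""
    canon = apply_subs(path, subs)
    for regex, ctx in fc:
        if re.fullmatch(regex, canon):
            return ctx
    return None


def migrate_fc(fc, old_subs):
    """Move .fc entries to the newly canonical prefixes.

    Inverting old_subs maps old canonical -> old alias (e.g. /var/run -> /run),
    which is exactly the rewrite each entry needs. The regex tails are kept
    verbatim because the prefixes are literal path components.
    """
    inverted = {canon: alias for alias, canon in old_subs.items()}
    return [(apply_subs(regex, inverted), ctx) for regex, ctx in fc]


if __name__ == "__main__":
    path = "/run/containers/storage"
    print("old table, old entries:", lookup(path, FC_SAMPLE, OLD_SUBS))
    print("new table, old entries:", lookup(path, FC_SAMPLE, NEW_SUBS))  # no match
    migrated = migrate_fc(FC_SAMPLE, OLD_SUBS)
    for regex, ctx in migrated:
        print(f"{regex:32} {ctx}")
    print("new table, migrated entries:", lookup(path, migrated, NEW_SUBS))
```

Running it shows the failure mode the commit fixes: with the new table, `/run/containers/...` and `/var/run/containers/...` both resolve to `/run/...`, so unmodified `/var/run/...` entries never match and the files would fall back to a default label. After `migrate_fc` both spellings of the path label correctly again. This is also why the specfile has to revert the change on releases whose selinux-policy still ships the old table direction.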
BPF Filesystems (bpffs) are used to manage BPF Object Lifecycles.
For example, you can place a special object (called a pin) on a BPF
filesystem and use that object to get a reference to the
program/link/map that it references if you have permissions to make
bpf() syscalls.
In a recent kernel patch, a container may also receive a token
that allows it to make BPF syscalls on this filesystem.
Since bpffs doesn't support xattrs, it's not possible to bind mount
it from the host with `:Z` so it can be re-labelled. Adding xattrs
to bpffs is not something that I've looked into in detail, but I
imagine it's non-trivial.
This commit should add the necessary rules to ensure that SELinux
permits the use of bpf_t file/directory objects from containers
when the BPFFS volume was bind mounted from the host.
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
On OpenShift, kubenswrapper service calls kubensenter, which calls the kubelet. Without this change,
kubelet will continue to be labeled unconfined_t
Signed-off-by: Peter Hunt <pehunt@redhat.com>