Try to speed up the CI tests by using tmpfs as container storage.
This is important for system tests, other tests setup their own --root
already on tmpfs so it should not effect them.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Linting code changes with golangci-lint is a very slow and resource
intensive process. However, it does not depend on compiling anything.
This means it may run in parallel with the build tasks for
a modest perceived runtime duration improvement.
Additionally, the former validation make targets that **do** require a
build execute faster than CI is able to provision a VM, simply tack them
onto the end of all build operations.
Signed-off-by: Chris Evich <cevich@redhat.com>
As of commit d9183f0587 we use the cirrus.yml skip logic to skip based
on source changes. As such the add hoc logic inside our test setup can
be removed. However as I did not yet implement the skip logic for all
tests task in cirrus.yml it must remain for the other tasks for now.
I plan to migrate the other in a week or two once we are confident that
the cirrus.yml logic works well for us.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Two enormous misunderstandings:
1) $CIRRUS_BASE_SHA is worthless. I thought it was, you know,
the BASE SHA of the current commit, but (as best I can tell)
it seems to be the SHA of the most recent commit on the
destination branch. Cirrus docs are unhelpful. Anyhow,
it's clearly not anything useful. Stop using it.
2) $EPOCH_TEST_COMMIT is closer to what we want. It is
defined in Makefile as the git merge-base. But for unknown
reasons it was being clobbered in CI scripts, and it
doesn't seem to work in all contexts, so, eliminate it
from CI setup scripts. Leave it only in Makefile.
This leaves us with no option other than defining our own
merge-base variable, PR_BASE_SHA. Do so and pass it along
to rootless jobs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Extend Makefile and package.sh to download, sign and bundle krunkit and
its dependencies into the package.
Signed-off-by: Sergio Lopez <slp@redhat.com>
With (esp. Debian) CI VM images built by
https://github.com/containers/automation_images/ pull/338 CI no-longer
tests with runc nor cgroups v1. Add logic to fail under these
conditions. Prune back high-level YAML/script envars and logic formerly
required to support these things.
Signed-off-by: Chris Evich <cevich@redhat.com>
Now that we have source based skips there might be a case where we have
to run all tests. One option is to simply change a line in one of the
danger files but having something that can be set as title might be
easier for users.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We do not have to test everything for each PR, we can know based on the
source if we changed (i.e. machine code) and only run the tests then.
This implements it as skip conditions, due to the nature of yaml files
we unfortunately cannot deduplicate everything, i.e. the is PR check and
danger files apply to everything but as skip is only a single yaml
string we cannot deduplicate parts of that string. If anyone knows a way
to achieve this I like to hear it.
For now I implemented this for int, system, bud and machine tests. Once
we are more comfortable with this I plan on adding it to other tests as
well.
This will replace the current _bail_if_test_can_be_skipped logic as it
covers more, marks tasks actually skipped in the github UI and works
even for the windows/macos machine tests.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
The leak check is slower (over 5mins) so we do not wnat them on PR runs
to speed system tests up. However that opens the door for someone to add
a test which forgets to do the correct cleanup themselves. This might
not cause a fatal error right away and only later when new tests would
be added. To prevent this happening the nighlty run will check leaks so
that we can fix them quickly and not notice them months/years later when
a new test is added that might trip over it.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
No idea why we need them, it passes without them so I just remove them.
Currently CI is broken as this install is failing on rawhide for some
reason. I don't know what changed there but this is working and unblocks
CI so I like to get this in.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
I'm hitting a bug with 9p when trying to transfer large files.
In RHEL at least 9p isn't supported because it's known to have a
lot of design flaws; virtiofsd is the supported and recommended
way to share files between a host and guest.
Add a new hidden `PODMAN_MACHINE_VIRTFS` environment
variable that can be set to `virtiofs` to switch to virtiofsd.
Signed-off-by: Colin Walters <walters@verbum.org>
The path mentioned above is linked in the sysadmin
article on running podman inside containers. The content
has since been moved and users are getting a 404 there now.
Add the path back with a readme pointing to the new location
of the content.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
podman.msi GUI has a radio-button to select WSL or Hyper-V
The checkbox in podman.msi GUI allow the user to specify if
the machine provider installation (WSL or Hyper-V) should
be part of podman installation or not.
podman-setup.exe supports 2 new variables: MachineProvider
(valid values are `wsl` and `hyperv`) and HyperVCheckbox
(valid values are `0` and `1`)
Installation creates the configuration file
`99-podman-machine-provider.conf` under folder
`%APPDATA\containers\containers.conf.d` with the selected
machine provider
Cirrus CI `win_installer_task` tests the installation with
both `hyperv` and `wsl` and verifies the configuration.
Uninstallation is tested too.
Note that podman-setup.exe GUI doesn't allow to choose the
provider yet. See https://github.com/containers/podman/issues/22492
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
Previously, the mac podman-machine tests installed rosetta before
executing any tests. As a best-practice (and because the Macs in CI are
shared) tests should never permanently modify the system. As of this
commit, the system setup script used for the CI Macs does the rosetta
installation. Remove the test setup code that installed rosetta and
add a CI-level confirmation that it's been pre-installed.
Signed-off-by: Chris Evich <cevich@redhat.com>
First, setup a custom TMPDIR to ensure we have no special assumptions
about hard coded paths. Second, make sure it is actually on a tmpfs so
we can catch regressions in the VM setup immediately.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Small usability improvements for our containerized validate target.
- Responds to SIGINT
- Exits if build fails, only validate if builds succeed
- Warns about potential of insufficient memory
- Document `make validatepr`
Signed-off-by: Ashley Cui <acui@redhat.com>
A long time ago, `passthrough_envars()` was defined in `lib.sh`. It has
since been moved, but the related comments were never updated. Update
the env. var. comments pointing future maintainers to the function that
relies on them. Otherwise a simple search w/in this repo. won't turn up
anything.
Signed-off-by: Chris Evich <cevich@redhat.com>
Followup to #13936 : add an exclusion to localmachine tests
so we can avoid running those on test- or doc-only PRs.
Reason: #22551, the machine-start-timeout flake, is causing
hours of wasted time.
Signed-off-by: Ed Santiago <santiago@redhat.com>
TMPDIR is typically /tmp which is typically(*) a tmpfs.
This PR ignores $TMPDIR when $CI is defined, forcing all
e2e tests to set up one central working directory in /var/tmp
instead.
Also, lots of cleanup.
(*) For many years, up to and still including the time of
this PR, /tmp on Fedora CI VMs is actually NOT tmpfs,
it is just / (root). This is nonstandard and undesirable.
Efforts are underway to remove this special case.
Signed-off-by: Ed Santiago <santiago@redhat.com>
Both tests need the podman-registry script in $PATH, this never worked
locally as only the cirrus specific CI setup scripts configured this.
To make it work correctly locally add the hack dir to $PATH for these
Makefile targets.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
compose v1 has been deprecated for some time now, since July 2023 it no
longer receives any updates[1]. As such testing it on every PR is
pointless, it also does not provide any more coverage then compose v2.
At least I never saw only compose v1 test fails (except for flakes) so
it doesn't help us to catch regressions.
We tried to remove it before but decided against it at that time[2].
[1] https://docs.docker.com/compose/migrate/
[2] https://github.com/containers/podman/issues/18688
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
First of all this removes the need for a network connection, second
renovate can update the version as it is tracked in go.mod.
However the real important part is that the binary downloads are
broken[1]. For some reason the swagger created with them does not
include all the type information for the examples. However when building
from source the same thing works fine.
[1] https://github.com/go-swagger/go-swagger/issues/2842
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This PR is only a first step towards being able to validate developer
code locally prior to pushing a PR and using CI. Right now, we have a
prepared image in a temporary spot (will change when done). That image
can be used to exercise various podman builds, make validate, and DCO
check.
The idea here is we have a make target that spins a podman container (or
machine) and then execute a small script to perform the actual builds.
Note, these builds are to verify code, not make production binaries so
corners are cut. As of now, we choose to not build cross-arch binaries
because most of our problems thus far have been operating system builds
and not arch.
Of course this can be expanded in the future. This is just step one to
start getting some of it in place. The rest of the work is tracked in
JIRA under two cards.
Signed-off-by: Brent Baude <bbaude@redhat.com>
make validate should work locally, this check makes no sense in a local
context as it checks for a github label.
To fix this remove this check from the validate target and only use it
as part of the CI validate run.
While at it remove old dnf install step, the issue has been closed for a
long time and it should already be part of our base images.
Fixes#22031
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
we are having second thoughts about *requiring* a policy.json on podman
machine hosts. we are concerned that we need to work out some more use
cases to be sure we do not make choices now that limit us in the near
term future. for example, should the policy files be the same for
container images and machine images? And should one live on the host
machine and the other live in the machine?
therefore, if a policy.json *is* present in the correct location, we will use and honor it; however, if it does not, we will allow the machine image to be pulled without a policy.
Signed-off-by: Brent Baude <baude@redhat.com>
Co-authored-by: Paul Holzinger <45212748+Luap99@users.noreply.github.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>
For consistency with linux/osx makefile
I have added the win-gvproxy target as
an alias of win-sshproxy
[NO NEW TESTS NEEDED]
Signed-off-by: Mario Loriedo <mario.loriedo@gmail.com>
- Sets default search location to always be the peer directory
+ make podman-remote now creates binaries that work the same as release zips
- Updates release zip to match expected search location
- Updates win installer to include the file if present in the repo cross-build
archive
[NO NEW TESTS NEEDED]
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Lots of small special-case tweaks to logformatter because Macs
have to be different.
Also fix:
- Wrong slash in printf-newline, leading to gray [It] blocks
- echo gitCommit, so we can link to sources
- --image-path is deprecated
Signed-off-by: Ed Santiago <santiago@redhat.com>
Old way: edit commit message, add magic string, re-push
New way: repo maintainer adds a Github label to PR, hits Rerun
I've looked and looked for the history behind this script
and why I didn't do it this way in the first place. I've
concluded that I just never thought of it.
Signed-off-by: Ed Santiago <santiago@redhat.com>
It works (verified in #17831). Imperfectly, because Macs don't
have a useful awk, so we can't get timestamps. I will, in time,
look into adding the timestamp functionality to logformatter
itself.
Also imperfect because it's not linkifying: source code paths
are dead text. I need to fix that, too, in logformatter, by
having it recognize /Users/Mac paths.
Imperfect as it may be, it was quick, and I think could provide
good bang for the buck in these Mac-intensive debugging days.
Signed-off-by: Ed Santiago <santiago@redhat.com>
We used to use ignition to perform any customization required for podman
machine because our input was a generic FCOS image. Now that we are
building our own images, some of this customization can be migrated to
the Containerfile itself and be less of a burden in our code at boot up.
At the time of this PR, the Containerfile can be found at
https://github.com/baude/podman-machine-images/tree/main. It is only
present for a so-called daily image. There is little liklihood that
this would the final location for the Containerfile so consider it a
working version only.
Split WSL and rest apart in the e2e tests so we no longer ppull the
generic FCOS image for testing.
Note: the change to the pull image name is so PRs are not immediately
broken that are already in the queue.
[NO NEW TESTS REQUIRED]
Signed-off-by: Brent Baude <bbaude@redhat.com>
vfkit needs the com.apple.security.virtualization entitlement or it
wont' be able to start virtual machines:
Error: Error Domain=VZErrorDomain Code=2 Description="Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement." UserInfo={
NSLocalizedFailure = "Invalid virtual machine configuration.";
NSLocalizedFailureReason = "The process doesn\U2019t have the \U201ccom.apple.security.virtualization\U201d entitlement.";
}
This fixes https://github.com/containers/podman/issues/21842
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
When there is no signing identity to pass to the macOS `codesign` tool,
we can use `-` instead as the identity to perform ad-hoc signing.
From `man codesign`:
> If identity is the single letter "-" (dash), ad-hoc signing is
> performed. Ad-hoc signing does not use an identity at all
This makes it easier to test the sign() code-path in package.sh as
we'll run the same code regardless of `NO_CODESIGN` being set or not.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Source: https://github.com/containers/automation_images/pull/331#issuecomment-1966677347
Kludgy VM build, because rawhide rc6 kernel is still not stable.
I would like to merge this anyway, because the rawhide hang is
hurting us badly. (I am not guaranteeing that this fixes the hang).
Also: new Windows VM has WiX 3.14 (up from 3.11).
Signed-off-by: Ed Santiago <santiago@redhat.com>
The `Makefile` makes assumptions about git repo. clone details.
Because fixing the `Makefile` would likely be problematic, fix
the clone operation used on the Mac so that it matches what's used
on Linux.
Also, simplify git repo clone operations. At some point in the
distant past, a git identity was required for CI to function properly.
That has since changed, so remove the unnecessary complexities.
Signed-off-by: Chris Evich <cevich@redhat.com>
There's are sometimes conflicting purposes in podman CI:
1. Have the pipeline proceed in an orderly and progressive manner
to sometimes save resources and unnecessary runtime.
2. Complete all testing as quickly as possible in support of
human-developers moving on to other areas of work.
3. Ideally/hopefully, accomplish both items above safely,
preventing untested and/or unintended changes from merging.
This commit shifts the balance of these slightly more toward the second
point. It rearranges most CI tasks into essentially three buckets with
a single (new) aggregation task in-between the first two:
1. Build + Verify all the things
2. Test all the things
3. Minor/accessory things
The intention is that while we may unnecessarily spin some number of
testing tasks while others have failed, the best-case scenario
(everything passes) has a much shorter runtime. In other words, it
potentially wastes more resources in favor of a chance to have
developers wait less.
Signed-off-by: Chris Evich <cevich@redhat.com>
aardvark-dns, netavark and passt are installed on both debian and
fedora. cri-o-runc is not installed anymore and it just uses the normal
runc package on debian. containers-common is called
golang-github-containers-common on debian and also uses
golang-github-containers-image for further config files from c/image.
This makes sure we correctly log all the package versions on debian
correctly.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
According to https://go.dev/ref/mod#module-cache golang will leave
behind read-only bits. It was observed that these cause the find/rm
cleanup operations to fail fail with `permission denied` on thousands
of files. This is preventing cleanup of cruft from unrelated Cirrus-tasks
leading to unnecessary occupation of critical, local-ssd storage space.
Fix this by ensuring the user has at least write access to the entire
contents of `$TMPDIR` and `$HOME`, `ci` subdirs.
Signed-off-by: Chris Evich <cevich@redhat.com>
Ref:
https://github.com/containers/podman/pull/21570#issuecomment-1935709148
This tool is really intended/best used from git pre-commit on developers
local machines, to prevent addition of secret leaks. When used as a
check against PRs, it tends to turn up more false-positives than helpful
warnings. There's no good way to fix this, and maintaining the scanner
is an additional burden. Rather than continue struggling to improve/fix
the situation, let's just remove the tool entirely.
Signed-off-by: Chris Evich <cevich@redhat.com>
Fixes: #21574
The documentation for this image references a quay repository that
doesn't exist. It doesn't appear any of these files have been touched
since late 2022. Instead of updating the docs, let's just remove the
source. It's trivial to recreate if anybody actually needs it for
something.
Users needing to access remote podman can simply use the `podman` binary
present in existing images `quay.io/containers/podman`,
`quay.io/podman/stable`, etc.
Signed-off-by: Chris Evich <cevich@redhat.com>
No longer bother testing any 2.x or 3.x. Only 4.1 and above.
Remove all CNI-related code. CNI is gone.
Add DatabaseBackend tests, confirming that we can handle
both boltdb and sqlite.
Require BATS >= 1.8.0, and use "run -0" to do exit-status checks.
Update docs.
Signed-off-by: Ed Santiago <santiago@redhat.com>
As of this commit, there are several pages worth of lint findings for
windows. Once they're all addressed, this commit may be reverted to
enable continuous checking.
Signed-off-by: Chris Evich <cevich@redhat.com>
Podman v5 will not support cgroups-v1. This commit will print a warning
if it detects a cgroups-v1 system. The warning can be hidden by setting
envvar `PODMAN_CGROUPSV1_WARNING`.
This warning is patched out for RHEL 9 builds as cgroups-v1 will still
be supported on RHEL 9 systems.
Resolves: https://issues.redhat.com/browse/RUN-1957
[NO NEW TESTS NEEDED]
Co-authored-by: Ed Santiago <santiago@redhat.com>
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
CNI is deprecated and is build tagged out for 5.0. Don't test it in our CI.
This commit also disables upgrade tests for now - those need more work since the old version of Podman only uses CNI. Upgrade tests will be re-vamped in a later commit.
Signed-off-by: Ashley Cui <acui@redhat.com>
From https://github.com/containers/automation_images/pull/325
Major change: netavark and aardvark are now included in prior-fedora,
so CNI can be fully eliminated from CI (#21410)
FIXME FIXME FIXME: skip two e2e tests, waiting for new netavark
Signed-off-by: Ed Santiago <santiago@redhat.com>
This updates the Windows installer and macOS installer to ship the newer
binaries, as well as the vendored gvisor-tap-vsock code.
[NO NEW TESTS NEEDED]
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Because the podman machine tests normally run at the end of the chain,
it's time consuming for developers to validate machine-only changes.
Support a special CI runtime mode, only when a PR is marked as a draft.
Update related documentation
Also: Only run machine tests on PRs, never for branches or new tags.
Signed-off-by: Chris Evich <cevich@redhat.com>
crun-wasm depends on the same epoch:version-release as crun so
overriding `crun` but not `crun-wasm` will cause installation issues
like:
```
error: Could not depsolve transaction; 1 problem detected:
Problem: package crun-wasm-1.11.1-1.fc39.x86_64 from @System requires crun = 1.11.1-1.fc39, but none of the providers can be installed
- cannot install both crun-102:1.12-1.20231205201336970037.main.19.g90b21dd.fc39.x86_64 from @commandline and crun-1.11.1-1.fc39.x86_64 from @System
- cannot install both crun-102:1.12-1.20231205201336970037.main.19.g90b21dd.fc39.x86_64 from @commandline and crun-1.11.1-1.fc39.x86_64 from updates-archive
- conflicting requests
```
This commit overrides both crun and crun-wasm from what's found in
podman-next.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
A simple regression was introduced to the test suite that overrode the
default image for hyperv testing.
Signed-off-by: Brent Baude <bbaude@redhat.com>
- Modified Check-Exit to take a relative stack postition so that reusing
functions like Run-Command report on their callers as opposed to the source
position of the wrapper.
- Record and print the last command executed as it likely scrolled off with
test output.
[NO NEW TESTS NEEDED]
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Issue Ref: #20853
Allow the tests to fail, but don't block merging PRs.
This commit should be reverted when #20853 is resolved.
Signed-off-by: Chris Evich <cevich@redhat.com>
Setup and execute podman machine testing on bare-metal M1 Macs
using a pool of shared and semi-persistent hosts. Automated
and manual processes outside this repository are responsible
for providing and maintaining all hosts. Ref.
https://github.com/containers/automation/tree/main/mac_pw_pool
Update the `localmachine` make target to standardize execution
across platforms. Update/simplify podman-machine e2e README to
reflect current reality.
Warning: This CI setup and supporting infrastructure was developed
in favor of expediency vs reliability and stability. There are
many possible failure-modes (known and unknown) which may lead
to undefined test behaviors. Future work may address some of
these as they are encountered or discovered.
[NO NEW TESTS NEEDED]
Signed-off-by: Chris Evich <cevich@redhat.com>
For whatever reason (I don't understand this stuff well) the
`win-podman-machine-main.ps1` script exits successfully despite the
final `Check-Exit` showing a non-zero exit code was detected. Attempt
to fix this by throwing an exception instead of calling `Exit`.
Signed-off-by: Chris Evich <cevich@redhat.com>
Intended to serve as motivation to fix them. Removed from status
aggregator so the failures don't block PR merging. Updated comment text
to reference related open issue, #20548.
Signed-off-by: Chris Evich <cevich@redhat.com>
We're only testing vfs in CI. That's bad. #18822 tried to
remedy that but that only worked on system tests, not e2e.
Here we introduce CI_DESIRED_STORAGE, to be set in .cirrus.yml
in the same vein as all the other CI_DESIRED_X. Since it's 2023
we default to overlay, testing vfs only in priorfedora.
Fixes required:
- e2e tests:
- in cleanup, umount ROOT/overlay to avoid leaking mounts
- system tests:
- fix a few badly-written tests that assumed/hardcoded overlay
- buildx test: add weird exception to device-number test
- mount tests: add special case code for vfs
- unprivileged test: disable one section that is N/A on vfs
Signed-off-by: Ed Santiago <santiago@redhat.com>
This change will allow RHEL subscriptions from the host to flow
to internal containers.
Fixes: https://github.com/containers/common/issues/1735
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Followup to #20318: now that sqlite is the podman default,
enforce that in CI as well. Test boltdb only in Prior Fedora.
In the process, discovered & cleaned up some duplication
and unused YAML anchors.
Signed-off-by: Ed Santiago <santiago@redhat.com>
The podman in `ubuntu-latest` environment apparently is too old to
support `--userns=keep-id:uid=1000,gid=1000`. Employ workaround in GHA
workflow and in `prebuild.sh` check.
Signed-off-by: Chris Evich <cevich@redhat.com>
Paul Holzinger
Ed Santiago
openshift-merge-bot[bot]
Chris Evich
Sergio Lopez
Colin Walters
Urvashi Mohnani
Mario Loriedo
Ashley Cui
Brent Baude
Brent Baude
Jason T. Greene
Christophe Fergeau
Matt Heon
Jake Correnti
Lokesh Mandvekar
Anjan Nath
Daniel J Walsh
Łukasz Stolcman
Sander Maijers
Giuseppe Scrivano
Chris Evich