CI: unprivileged in-container tasks

Add unprivileged versions of the test-in-a-container task that help
ensure that we're not missing expected functionality.  Test with both
overlay and regular vfs when unprivileged.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Author: nalind

.cirrus.yml

@@ -389,7 +389,7 @@ non_blocking_integration_rootless_task:
         <<: *standardlogs
 
 in_podman_task:
-    name: "Containerized Integration"
+    name: "Containerized Integration (privileged=$PODMAN_PRIVILEGED) w/ $STORAGE_DRIVER"
     alias: in_podman
     skip: *not_build_docs
     depends_on: *smoke_vendor
@@ -398,11 +398,25 @@ in_podman_task:
         cpu: 8
         memory: "8G"
 
-    env:
-        # This is key, cause the scripts to re-execute themselves inside a container.
-        IN_PODMAN: 'true'
-        BUILDAH_ISOLATION: 'chroot'
-        STORAGE_DRIVER: 'vfs'
+    matrix:
+        - env:
+              # Setting IN_PODMAN tells the scripts to re-execute themselves inside a container.
+              IN_PODMAN: 'true'
+              BUILDAH_ISOLATION: 'chroot'
+              STORAGE_DRIVER: 'vfs'
+              PODMAN_PRIVILEGED: 'true'
+        - env:
+              # Setting IN_PODMAN tells the scripts to re-execute themselves inside a container.
+              IN_PODMAN: 'true'
+              BUILDAH_ISOLATION: 'chroot'
+              STORAGE_DRIVER: 'vfs'
+              PODMAN_PRIVILEGED: 'false'
+        - env:
+              # Setting IN_PODMAN tells the scripts to re-execute themselves inside a container.
+              IN_PODMAN: 'true'
+              BUILDAH_ISOLATION: 'chroot'
+              STORAGE_DRIVER: 'overlay'
+              PODMAN_PRIVILEGED: 'false'
 
     # Separate scripts for separate outputs, makes debugging easier.
     setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}'

contrib/cirrus/lib.sh

@@ -100,7 +100,30 @@ REGISTRY_FQIN=${REGISTRY_FQIN:-quay.io/libpod/registry:2.8.2}
 ALPINE_FQIN=${ALPINE_FQIN:-quay.io/libpod/alpine}
 
 # for in-container testing
-IN_PODMAN_NAME="in_podman_$CIRRUS_TASK_ID"
+podman_privilege_level() {
+    if [[ "$PODMAN_PRIVILEGED" == "false" ]] ; then
+        echo unprivileged
+    else
+        echo privileged
+    fi
+}
+podman_cgroup_flags() {
+    # fixme: eventually test unprivileged with these flags, too;
+    # as of 20215-08-15, selinux policy has the host's cgroupfs
+    # as system_u:object_r:cgroup_t:s0 and container_t can't
+    # 'remount' it, even if only to make it read-only
+    if [[ $(podman_privilege_level) == privileged ]] ; then
+        echo --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw
+    fi
+}
+podman_privileged_flag() {
+    if [[ $(podman_privilege_level) == privileged ]] ; then
+        echo --privileged
+    fi
+}
+
+PODMAN_PRIVILEGE_LEVEL=$(podman_privilege_level)
+IN_PODMAN_NAME="in_podman_${PODMAN_PRIVILEGE_LEVEL}_$CIRRUS_TASK_ID"
 IN_PODMAN="${IN_PODMAN:-false}"
 
 # rootless_user
@@ -194,19 +217,18 @@ in_podman() {
 
     showrun podman run -i --name="$IN_PODMAN_NAME" \
                    --net=host \
-                   --privileged \
-                   --cgroupns=host \
+                   $(podman_privileged_flag) \
+                   $(podman_cgroup_flags) \
                    "${envargs[@]}" \
                    -e BUILDAH_ISOLATION \
                    -e STORAGE_DRIVER \
                    -e "IN_PODMAN=false" \
                    -e "CONTAINER=podman" \
                    -e "CGROUP_MANAGER=cgroupfs" \
                    -v "$HOME/auth:$HOME/auth:ro,z" \
-                   -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
                    -v "/etc/containers/certs.d:/etc/containers/certs.d:O" \
                    --device /dev/fuse:rwm \
-                   -v "$GOSRC:$GOSRC:z" \
+                   -v "$GOSRC:$GOSRC:U,z" \
                    --workdir "$GOSRC" \
                    "$@"
 }
@@ -215,26 +237,26 @@ verify_local_registry(){
     # On the unexpected/rare chance of a name-clash
     local CUSTOM_FQIN=localhost:5000/my-alpine-$RANDOM
     echo "Verifying local 'registry' container is operational"
-    showrun podman version
-    showrun podman info
-    showrun podman ps --all
-    showrun podman images
+    showrun buildah version
+    showrun buildah --log-level=debug info
+    showrun buildah ps --all
+    showrun buildah images
     showrun ls -alF $HOME/auth
     mkdir -p /etc/containers/certs.d/localhost:5000
     cp -v $HOME/auth/domain.crt /etc/containers/certs.d/localhost:5000/ca.crt
-    showrun podman pull $ALPINE_FQIN
-    showrun podman login localhost:5000 --username testuser --password testpassword
-    showrun podman tag $ALPINE_FQIN $CUSTOM_FQIN
-    showrun podman push --creds=testuser:testpassword $CUSTOM_FQIN
-    showrun podman ps --all
-    showrun podman images
-    showrun podman rmi $ALPINE_FQIN
-    showrun podman rmi $CUSTOM_FQIN
-    showrun podman pull --creds=testuser:testpassword $CUSTOM_FQIN
-    showrun podman ps --all
-    showrun podman images
+    showrun buildah pull $ALPINE_FQIN
+    showrun buildah login localhost:5000 --username testuser --password testpassword
+    showrun buildah tag $ALPINE_FQIN $CUSTOM_FQIN
+    showrun buildah push --creds=testuser:testpassword $CUSTOM_FQIN
+    showrun buildah ps --all
+    showrun buildah images
+    showrun buildah rmi $ALPINE_FQIN
+    showrun buildah rmi $CUSTOM_FQIN
+    showrun buildah pull --creds=testuser:testpassword $CUSTOM_FQIN
+    showrun buildah ps --all
+    showrun buildah images
     echo "Success, local registry is working, cleaning up."
-    showrun podman rmi $CUSTOM_FQIN
+    showrun buildah rmi $CUSTOM_FQIN
 }
 
 execute_local_registry() {
@@ -262,7 +284,7 @@ execute_local_registry() {
 
     echo "Starting up the local 'registry' container"
     showrun podman run -d -p 5000:5000 --name registry \
-        -v $authdirpath:$authdirpath:Z \
+        -v $authdirpath:$authdirpath:ro,z \
         -e "REGISTRY_AUTH=htpasswd" \
         -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
         -e REGISTRY_AUTH_HTPASSWD_PATH=$authdirpath/htpasswd \

contrib/cirrus/setup.sh

@@ -13,6 +13,9 @@ req_env_vars OS_RELEASE_ID OS_RELEASE_VER GOSRC IN_PODMAN_IMAGE CIRRUS_CHANGE_TI
 msg "Running df."
 df -hT
 
+msg "Showing /proc/self/mountinfo."
+cat /proc/self/mountinfo
+
 msg "Disabling git repository owner-check system-wide."
 # Newer versions of git bark if repo. files are unexpectedly owned.
 # This mainly affects rootless and containerized testing.  But

tests/add.bats

@@ -14,6 +14,8 @@ load helpers
 }
 
 @test "add-local-plain" {
+  skip_if_unable_to_mount
+
   createrandom ${TEST_SCRATCH_DIR}/randomfile
   createrandom ${TEST_SCRATCH_DIR}/other-randomfile
 
@@ -59,6 +61,8 @@ load helpers
 }
 
 @test "add-local-archive" {
+  skip_if_unable_to_mount
+
   createrandom ${TEST_SCRATCH_DIR}/randomfile
   createrandom ${TEST_SCRATCH_DIR}/other-randomfile
 
@@ -201,6 +205,8 @@ load helpers
 }
 
 @test "add --ignorefile" {
+  skip_if_unable_to_mount
+
   mytest=${TEST_SCRATCH_DIR}/mytest
   mkdir -p ${mytest}
   touch ${mytest}/mystuff
@@ -234,6 +240,8 @@ stuff/mystuff"
 }
 
 @test "add quietly" {
+  skip_if_unable_to_mount
+
   _prefetch busybox
   createrandom ${TEST_SCRATCH_DIR}/randomfile
   run_buildah from --quiet $WITH_POLICY_JSON busybox
@@ -246,6 +254,8 @@ stuff/mystuff"
 }
 
 @test "add from container" {
+  skip_if_unable_to_mount
+
   _prefetch busybox
   createrandom ${TEST_SCRATCH_DIR}/randomfile
   run_buildah from --quiet $WITH_POLICY_JSON busybox
@@ -265,6 +275,8 @@ stuff/mystuff"
 }
 
 @test "add from image" {
+  skip_if_unable_to_mount
+
   _prefetch busybox ubuntu
   run_buildah from --quiet $WITH_POLICY_JSON busybox
   cid=$output
@@ -394,26 +406,28 @@ EOF
 }
 
 @test "add-link-flag" {
+  skip_if_unable_to_mount
+
   createrandom ${TEST_SCRATCH_DIR}/randomfile
   createrandom ${TEST_SCRATCH_DIR}/other-randomfile
 
   run_buildah from $WITH_POLICY_JSON scratch
   cid=$output
   run_buildah mount $cid
   root=$output
-  
+
   run_buildah config --workingdir=/ $cid
-  
+
   # Test 1: Simple add
   run_buildah add --link $cid ${TEST_SCRATCH_DIR}/randomfile
-  
+
   # Test 2: Add with rename (file to file with different name)
   run_buildah add --link $cid ${TEST_SCRATCH_DIR}/randomfile /renamed-file
-  
+
   # Test 3: Multiple files to directory
   mkdir $root/subdir
   run_buildah add --link $cid ${TEST_SCRATCH_DIR}/randomfile ${TEST_SCRATCH_DIR}/other-randomfile /subdir
-  
+
   run_buildah unmount $cid
   run_buildah commit $WITH_POLICY_JSON $cid add-link-image
 
@@ -430,34 +444,36 @@ EOF
   newcid=$output
   run_buildah mount $newcid
   newroot=$output
-  
+
   test -s $newroot/randomfile
   cmp ${TEST_SCRATCH_DIR}/randomfile $newroot/randomfile
-  
+
   test -s $newroot/renamed-file
   cmp ${TEST_SCRATCH_DIR}/randomfile $newroot/renamed-file
-  
+
   test -s $newroot/subdir/randomfile
   cmp ${TEST_SCRATCH_DIR}/randomfile $newroot/subdir/randomfile
   test -s $newroot/subdir/other-randomfile
   cmp ${TEST_SCRATCH_DIR}/other-randomfile $newroot/subdir/other-randomfile
 }
 
 @test "add-link-archive" {
+  skip_if_unable_to_mount
+
   createrandom ${TEST_SCRATCH_DIR}/file1
   createrandom ${TEST_SCRATCH_DIR}/file2
-  
+
   tar -c -C ${TEST_SCRATCH_DIR} -f ${TEST_SCRATCH_DIR}/archive.tar file1 file2
 
   run_buildah from $WITH_POLICY_JSON scratch
   cid=$output
-  
+
   run_buildah config --workingdir=/ $cid
-  
+
   run_buildah add --link $cid ${TEST_SCRATCH_DIR}/archive.tar
-  
+
   run_buildah add --link $cid ${TEST_SCRATCH_DIR}/archive.tar /destdir/
-  
+
   run_buildah commit $WITH_POLICY_JSON $cid add-link-archive-image
 
   run_buildah inspect --type=image add-link-archive-image
@@ -471,41 +487,43 @@ EOF
   newcid=$output
   run_buildah mount $newcid
   newroot=$output
-  
+
   test -s $newroot/file1
   cmp ${TEST_SCRATCH_DIR}/file1 $newroot/file1
   test -s $newroot/file2
   cmp ${TEST_SCRATCH_DIR}/file2 $newroot/file2
-  
+
   test -s $newroot/destdir/file1
   cmp ${TEST_SCRATCH_DIR}/file1 $newroot/destdir/file1
   test -s $newroot/destdir/file2
   cmp ${TEST_SCRATCH_DIR}/file2 $newroot/destdir/file2
 }
 
 @test "add-link-directory" {
+  skip_if_unable_to_mount
+
   mkdir -p ${TEST_SCRATCH_DIR}/testdir/subdir
   createrandom ${TEST_SCRATCH_DIR}/testdir/file1
   createrandom ${TEST_SCRATCH_DIR}/testdir/subdir/file2
 
   run_buildah from $WITH_POLICY_JSON scratch
   cid=$output
-  
+
   run_buildah config --workingdir=/ $cid
-  
+
   run_buildah add --link $cid ${TEST_SCRATCH_DIR}/testdir /testdir
-  
+
   run_buildah commit $WITH_POLICY_JSON $cid add-link-dir-image
 
   run_buildah from $WITH_POLICY_JSON add-link-dir-image
   newcid=$output
   run_buildah mount $newcid
   newroot=$output
-  
+
   test -d $newroot/testdir
   test -s $newroot/testdir/file1
   test -s $newroot/testdir/subdir/file2
-  
+
   cmp ${TEST_SCRATCH_DIR}/testdir/file1 $newroot/testdir/file1
   cmp ${TEST_SCRATCH_DIR}/testdir/subdir/file2 $newroot/testdir/subdir/file2
 }

tests/basic.bats

@@ -36,6 +36,8 @@ load helpers
 }
 
 @test "mount" {
+  skip_if_unable_to_mount
+
   run_buildah from $WITH_POLICY_JSON scratch
   cid=$output
   run_buildah mount $cid
@@ -49,6 +51,8 @@ load helpers
 }
 
 @test "by-name" {
+  skip_if_unable_to_mount
+
   run_buildah from $WITH_POLICY_JSON --name scratch-working-image-for-test scratch
   cid=$output
   run_buildah mount scratch-working-image-for-test
@@ -58,6 +62,8 @@ load helpers
 }
 
 @test "commit" {
+  skip_if_unable_to_mount
+
   createrandom ${TEST_SCRATCH_DIR}/randomfile
   createrandom ${TEST_SCRATCH_DIR}/other-randomfile