Merge pull request #950 from cgwalters/ci-ostree-deploy

Cover ostree-ext in ci

.github/workflows/ci.yml

@@ -67,8 +67,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Ensure host skopeo is disabled
-        run: sudo rm -f /bin/skopeo /usr/bin/skopeo
       - name: Free up disk space on runner
         run: sudo ./ci/clean-gha-runner.sh
       - name: Integration tests
@@ -81,6 +79,9 @@ jobs:
           sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
           rm target -rf
           df -h /
+          # The ostree-container tests
+          sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \
+            -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd localhost/bootc /src/ostree-ext/ci/priv-integration.sh
           # Nondestructive but privileged tests
           sudo bootc-integration-tests host-privileged localhost/bootc
           # Finally the install-alongside suite

Makefile

@@ -34,14 +34,15 @@ install-ostree-hooks:
 	  ln -sf ../../../bin/bootc $(DESTDIR)$(prefix)/libexec/libostree/ext/$$x; \
 	done
 
-install-with-tests: install
+# Install the main binary, the ostree hooks, and the integration test suite.
+install-all: install install-ostree-hooks
 	install -D -m 0755 target/release/tests-integration $(DESTDIR)$(prefix)/bin/bootc-integration-tests 
 
 bin-archive: all
 	$(MAKE) install DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf
 
 test-bin-archive: all
-	$(MAKE) install-with-tests DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf
+	$(MAKE) install-all DESTDIR=tmp-install && $(TAR_REPRODUCIBLE) --zstd -C tmp-install -cf target/bootc.tar.zst . && rm tmp-install -rf
 
 test-tmt:
 	cargo xtask test-tmt

ostree-ext/.github/workflows/bootc.yml

@@ -1,65 +0,0 @@
-name: bootc
-
-permissions:
-  actions: read
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  workflow_dispatch: {}
-
-jobs:
-  build-c9s:
-    runs-on: ubuntu-latest
-    container: quay.io/centos/centos:stream9
-    steps:
-      - run: dnf -y install git-core
-      - uses: actions/checkout@v3
-        with:
-          repository: containers/bootc
-          path: bootc
-      - uses: actions/checkout@v3
-        with:
-          path: ostree-rs-ext
-      - name: Patch bootc to use ostree-rs-ext
-        run: |
-          set -xeuo pipefail
-          cd bootc
-          cat >> Cargo.toml << 'EOF'
-          [patch.crates-io]
-          ostree-ext = { path = "../ostree-rs-ext/lib" }
-          EOF
-      - name: Install deps
-        run: ./bootc/ci/installdeps.sh
-      - name: Cache Dependencies
-        uses: Swatinem/rust-cache@v2
-        with:
-          key: "build-bootc-c9s"
-          workspaces: bootc
-      - name: Build
-        run: cd bootc && make test-bin-archive
-      - name: Upload binary
-        uses: actions/upload-artifact@v4
-        with:
-          name: bootc-c9s.tar.zst
-          path: bootc/target/bootc.tar.zst
-  privtest-alongside:
-    name: "Test install-alongside"
-    needs: build-c9s
-    runs-on: ubuntu-latest
-    steps:
-      - name: Download
-        uses: actions/download-artifact@v4.1.8
-        with:
-          name: bootc-c9s.tar.zst
-      - name: Install
-        run: tar -xvf bootc.tar.zst
-      - name: Integration tests
-        run: |
-          set -xeuo pipefail
-          sudo podman run --rm -ti --privileged -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
-            quay.io/centos-bootc/centos-bootc-dev:stream9 bootc install to-filesystem \
-            --karg=foo=bar --disable-selinux --replace=alongside /target
-

ostree-ext/.github/workflows/rust.yml

@@ -128,24 +128,6 @@ jobs:
         run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli
       - name: Integration tests
         run: ./ci/ima.sh
-  privtest:
-    name: "Privileged testing"
-    needs: build
-    runs-on: ubuntu-latest
-    container:
-      image: quay.io/fedora/fedora-coreos:testing-devel
-      options: "--privileged --pid=host -v /var/tmp:/var/tmp -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd -v /:/run/host"
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Download
-        uses: actions/download-artifact@v4.1.8
-        with:
-          name: ostree-ext-cli
-      - name: Install
-        run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli
-      - name: Integration tests
-        run: ./ci/priv-integration.sh
   privtest-cockpit:
     name: "Privileged testing (cockpit)"
     needs: build

ostree-ext/ci/priv-integration.sh

@@ -28,21 +28,21 @@ if test '!' -d "${sysroot}/ostree/deploy/${stateroot}"; then
     ostree admin os-init "${stateroot}" --sysroot "${sysroot}"
 fi
 # Should be no images pruned
-ostree-ext-cli container image prune-images --sysroot "${sysroot}"
+ostree container image prune-images --sysroot "${sysroot}"
 # Test the syntax which uses full imgrefs.
-ostree-ext-cli container image deploy --sysroot "${sysroot}" \
+ostree container image deploy --sysroot "${sysroot}" \
     --stateroot "${stateroot}" --imgref "${imgref}"
 ostree admin --sysroot="${sysroot}" status
-ostree-ext-cli container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json
+ostree container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json
 jq '.schemaVersion' < manifest.json
-ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${image}"
+ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${image}"
 ostree admin --sysroot="${sysroot}" undeploy 0
 # Now test the new syntax which has a nicer --image that defaults to registry.
-ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \
+ostree container image deploy --transport registry --sysroot "${sysroot}" \
     --stateroot "${stateroot}" --image "${image}"
 ostree admin --sysroot="${sysroot}" status
 ostree admin --sysroot="${sysroot}" undeploy 0
-if ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \
+if ostree container image deploy --transport registry --sysroot "${sysroot}" \
     --stateroot "${stateroot}" --image "${image}" --enforce-container-sigpolicy 2>err.txt; then
     echo "Deployment with enforced verification succeeded unexpectedly" 1>&2
     exit 1
@@ -52,16 +52,16 @@ if ! grep -Ee 'insecureAcceptAnything.*refusing usage' err.txt; then
     cat err.txt
 fi
 # Now we should prune it
-ostree-ext-cli container image prune-images --sysroot "${sysroot}"
-ostree-ext-cli container image list --repo "${sysroot}/ostree/repo" > out.txt
+ostree container image prune-images --sysroot "${sysroot}"
+ostree container image list --repo "${sysroot}/ostree/repo" > out.txt
 test $(stat -c '%s' out.txt) = 0
 
 for img in "${image}"; do
-    ostree-ext-cli container image deploy --sysroot "${sysroot}" \
+    ostree container image deploy --sysroot "${sysroot}" \
         --stateroot "${stateroot}" --imgref ostree-unverified-registry:"${img}"
     ostree admin --sysroot="${sysroot}" status
     initial_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l)
-    ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${img}"
+    ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${img}"
     pruned_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l)
     # Removing the image should only drop the image reference, not its layers
     test "$(($initial_refs - 1))" = "$pruned_refs"
@@ -70,7 +70,7 @@ for img in "${image}"; do
     n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l)
     test "${n_commits}" -gt 0
     # But right now this still doesn't prune *content*
-    ostree-ext-cli container image prune-layers --repo="${sysroot}/ostree/repo"
+    ostree container image prune-layers --repo="${sysroot}/ostree/repo"
     ostree --repo="${sysroot}/ostree/repo" refs > refs.txt
     if test "$(wc -l < refs.txt)" -ne 0; then
         echo "found refs"
@@ -78,21 +78,24 @@ for img in "${image}"; do
         exit 1
     fi
     # And this one should GC the objects too
-    ostree-ext-cli container image prune-images --full --sysroot="${sysroot}" > out.txt
+    ostree container image prune-images --full --sysroot="${sysroot}" > out.txt
     n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l)
     test "${n_commits}" -eq 0
 done
 
 # Verify we have systemd journal messages
-nsenter -m -t 1 journalctl _COMM=ostree-ext-cli > logs.txt
-grep 'layers already present: ' logs.txt
+nsenter -m -t 1 journalctl _COMM=bootc > logs.txt
+if ! grep 'layers already present: ' logs.txt; then
+    cat logs.txt
+    exit 1
+fi
 
 podman pull ${image}
 ostree --repo="${sysroot}/ostree/repo" init --mode=bare-user
-ostree-ext-cli container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image}
+ostree container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image}
 echo "ok pulled from containers storage"
 
-ostree-ext-cli container compare ${imgref} ${imgref} > compare.txt
+ostree container compare ${imgref} ${imgref} > compare.txt
 grep "Removed layers: *0 *Size: 0 bytes" compare.txt
 grep "Added layers: *0 *Size: 0 bytes" compare.txt
 
@@ -114,22 +117,22 @@ ostree refs ostree/container/image --delete
 repo="${sysroot}/ostree/repo"
 images=$(ostree container image list --repo "${repo}" | wc -l)
 test "${images}" -eq 1
-ostree-ext-cli container image deploy --sysroot "${sysroot}" \
+ostree container image deploy --sysroot "${sysroot}" \
         --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}"
 imgref=$(ostree refs --repo=${repo} ostree/container/image | head -1)
 img_commit=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref})
-ostree-ext-cli container image remove --repo "${repo}" "${derived_img}"
+ostree container image remove --repo "${repo}" "${derived_img}"
 
-ostree-ext-cli container image deploy --sysroot "${sysroot}" \
+ostree container image deploy --sysroot "${sysroot}" \
         --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}"
 img_commit2=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref})
 test "${img_commit}" = "${img_commit2}"
 echo "ok deploy derived container identical revs"
 
-ostree-ext-cli container image deploy --sysroot "${sysroot}" \
+ostree container image deploy --sysroot "${sysroot}" \
         --stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img_dir}"
 echo "ok deploy derived container from local dir"
-ostree-ext-cli container image remove --repo "${repo}" "${derived_img_dir}"
+ostree container image remove --repo "${repo}" "${derived_img_dir}"
 rm -rf /var/tmp/derived.dir
 
 # Verify policy