From cdb79e852e22da21d4bec3617ce8553173aeb896 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 23 Jan 2026 15:50:54 -0500 Subject: [PATCH] ci: Build as user and copy images to root's podman storage The install-tests CI job was failing because running `cargo xtask` as root (via sudojust) modified ~/.cargo files with root ownership, causing later cargo commands to fail with permission errors. This change builds container images as the regular user and copies them to root's podman storage using `podman save | sudo podman load`. This avoids cargo cache permission issues while still making images available for privileged tests. Add two new Justfile recipes: - copy-to-rootful: Copy a single image from user to root storage - copy-lbi-to-rootful: Copy all bound images (LBI) to root storage Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters --- .github/workflows/ci.yml | 16 +++++++-------- Justfile | 44 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dece75b3..f9db2adb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,16 +65,16 @@ jobs: - name: Integration tests run: | set -xeu - # Build images to test; TODO investigate doing single container builds - # via GHA and pushing to a temporary registry to share among workflows? - # Preserve rustup/cargo environment for sudo (rustup needs RUSTUP_HOME to find toolchains) - sudojust() { sudo env PATH="$PATH" CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}" RUSTUP_HOME="${RUSTUP_HOME:-$HOME/.rustup}" just "$@"; } - sudojust build - sudojust build-install-test-image + # Build images as regular user, then copy to root's podman storage + # This avoids cargo cache permission issues when running cargo as root + just build + just build-install-test-image + just copy-to-rootful localhost/bootc + just copy-to-rootful localhost/bootc-install + # Copy bound images (LBI) to root's storage for tests that need them + just copy-lbi-to-rootful sudo podman build -t localhost/bootc-fsverity -f ci/Containerfile.install-fsverity - # Grant permission - sudo chown -R "$(id -u):$(id -g)" /home/runner/work/bootc/bootc # TODO move into a container, and then have this tool run other containers cargo build --release -p tests-integration diff --git a/Justfile b/Justfile index e3997ba9..dc865a38 100644 --- a/Justfile +++ b/Justfile 
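Review bot: The two `just copy-to-rootful` calls hard-code `localhost/bootc` and `localhost/bootc-install`, while the tags are actually chosen inside the `build` and `build-install-test-image` recipes, which are not visible in this patch. If a tag changes there, this step breaks only at CI time, when `copy-to-rootful` exits 1 on the missing image. A one-line comment above the copies would record the coupling, for example `# Names must match the tags produced by 'just build' and 'just build-install-test-image'`. Longer term, a single Justfile recipe that copies both images using the Justfile's own image variables would avoid the duplication, assuming such variables exist for these two images.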
@@ -282,3 +282,47 @@ _keygen: _build-upgrade-image: cat tmt/tests/Dockerfile.upgrade | podman build -t {{upgrade_img}} --from={{base_img}} - + +# Copy an image from user podman storage to root's podman storage +# This allows building as regular user then running privileged tests +[group('testing')] +copy-to-rootful $image: + #!/bin/bash + set -euxo pipefail + + # If already running as root, nothing to do + if [[ "${UID}" -eq "0" ]]; then + echo "Already root, no need to copy image" + exit 0 + fi + + # Check if the image exists in user storage + if ! podman image exists "${image}"; then + echo "Image ${image} not found in user podman storage" >&2 + exit 1 + fi + + # Get the image ID from user storage + USER_IMG_ID=$(podman images --filter reference="${image}" --format '{{{{.ID}}') + + # Check if the same image ID exists in root storage + ROOT_IMG_ID=$(sudo podman images --filter reference="${image}" --format '{{{{.ID}}' 2>/dev/null || true) + + if [[ "${USER_IMG_ID}" == "${ROOT_IMG_ID}" ]] && [[ -n "${ROOT_IMG_ID}" ]]; then + echo "Image ${image} already exists in root storage with same ID" + exit 0 + fi + + # Copy the image from user to root storage + # Use podman save/load via pipe (works on systems without machinectl) + podman save "${image}" | sudo podman load + echo "Copied ${image} to root podman storage" + +# Copy all LBI (bound) images to root's podman storage +[group('testing')] +copy-lbi-to-rootful: + #!/bin/bash + set -euxo pipefail + for img in {{lbi_images}}; do + just copy-to-rootful "$img" + done
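Review bot: The "same ID" short-circuit in `copy-to-rootful` compares the output of `podman images --filter reference="${image}"`, which is a pattern filter, not an exact lookup. It may print several IDs when more than one tag or repository matches, so the string comparison can miss or mis-compare and the decision whether privileged tests get a fresh image becomes unreliable. Resolving the one image by name is stricter: `USER_IMG_ID=$(podman image inspect --format '{{{{.Id}}' "${image}")` and `ROOT_IMG_ID=$(sudo podman image inspect --format '{{{{.Id}}' "${image}" 2>/dev/null || true)`. In `copy-lbi-to-rootful`, the nested call resolves `just` from PATH, and `{{just_executable()}} copy-to-rootful "$img"` would pin it to the binary already running. A comment on the `2>/dev/null || true` would help too, since it also hides a failing `sudo`, in which case the recipe falls through to `sudo podman load` and fails there instead.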