Merge pull request #1635 from xw19/sync-branch

Sync branch
containers · Jan 7, 2025 · 6cecb36 · 6cecb36
2 parents 64deb62 + bd4f773
commit 6cecb36
Show file tree

Hide file tree

Showing 12 changed files with 349 additions and 75 deletions.
diff --git a/.packit.yaml b/.packit.yaml
@@ -29,8 +29,6 @@ packages:
   crun-centos:
     pkg_tool: centpkg
     specfile_path: rpm/crun.spec
-  crun-rhel:
-    specfile_path: rpm/crun.spec
   crun-eln:
     specfile_path: rpm/crun.spec
 
@@ -79,14 +77,6 @@ jobs:
       centos-stream-10-x86_64: {}
       centos-stream-10-aarch64: {}
 
-  - job: copr_build
-    trigger: pull_request
-    packages: [crun-rhel]
-    notifications: *copr_build_failure_notification
-    targets:
-      - epel-9-x86_64
-      - epel-9-aarch64
-
   # Run on commit to main branch
   - job: copr_build
     trigger: commit
@@ -124,26 +114,6 @@ jobs:
           - type: repository-file
             id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
 
-  # Podman system tests for RHEL
-  - job: tests
-    trigger: pull_request
-    packages: [crun-rhel]
-    use_internal_tf: true
-    notifications: *podman_system_test_fail_notification
-    targets:
-      epel-9-x86_64:
-        distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
-      epel-9-aarch64:
-        distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly]
-    #TODO: Enable RHEL10 targets once epel-10 copr target is available
-    tf_extra_params:
-      environments:
-        - artifacts:
-          - type: repository-file
-            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/epel-$releasever/rhcontainerbot-podman-next-epel-$releasever.repo
-          - type: repository-file
-            id: https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo
-
   - job: propose_downstream
     trigger: release
     packages: [crun-fedora]

diff --git a/NEWS b/NEWS
@@ -1,7 +1,19 @@
+* crun-1.19.1
+
+- linux: fix a hang if there are no reads from the tty.  Use non
+  blocking sockets to read and write from the tty so that the "crun
+  exec" process doesn't hang when the terminal is not consuming any
+  data.
+- linux: remove the workaround needed to mount a cgroup on top of
+  another cgroup mount.  The workaround had the disadvantage to
+  temporarily leak a mount on the host.  The alternative that is
+  currently used is to mount a temporary tmpfs between the two cgroup
+  mounts.
+
 * crun-1.19
 
 - wasm: add new handler wamr.
-- criu: allow passing network lock method to libcriu
+- criu: allow passing network lock method to libcriu.
 - linux: honor exec cpu affinity mask.
 - build: fix build with musl libc.
 - crun: use mount API to self-clone.

diff --git a/plans/main.fmf b/plans/main.fmf
@@ -2,19 +2,39 @@ discover:
     how: fmf
 execute:
     how: tmt
+adjust:
+    - when: initiator == packit
+      because: "We need to test with updated packages from rhcontainerbot/podman-next copr"
+      prepare+:
+        how: shell
+        script: |
+            sed -i -n '/^priority=/!p;$apriority=1' /etc/yum.repos.d/*podman-next*.repo
+            dnf -y upgrade --allowerasing
+    # FIXME: Use epel10 once bats is available there
+    - when: distro == centos-stream-10 or distro == rhel-10
+      because: "bats isn't yet available on epel10"
+      prepare+:
+        how: install
+        copr: rhcontainerbot/bats-el10
+        package: bats
+    - when: distro == centos-stream-9 or distro == rhel-9
+      because: "bats is present on EPEL on rhel9 / c9s"
+      prepare+:
+        how: feature
+        epel: enabled
 
 /upstream:
     summary: Run crun specific Podman system tests on upstream PRs
     discover+:
         filter: tag:upstream
     adjust+:
-        enabled: false
-        when: initiator is not defined or initiator != packit
+        - enabled: false
+          when: initiator is not defined or initiator != packit
 
 /downstream:
     summary: Run crun specific Podman system tests on bodhi / errata and dist-git PRs
     discover+:
         filter: tag:downstream
     adjust+:
-        enabled: false
-        when: initiator == packit
+        - enabled: false
+          when: initiator == packit
diff --git a/rpm/gating.yaml b/rpm/gating.yaml
@@ -1,12 +1,15 @@
 --- !Policy
 product_versions:
   - fedora-*
-decision_context: bodhi_update_push_stable
+decision_context:
+  - bodhi_update_push_stable
+  - bodhi_update_push_testing
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
 
 --- !Policy
 product_versions:
   - rhel-*
 decision_context: osci_compose_gate
-rules: []
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
diff --git a/tests/tmt/Makefile b/tests/tmt/Makefile
diff --git a/tests/tmt/main.fmf b/tests/tmt/main.fmf
diff --git a/tests/tmt/podman-tests.sh b/tests/tmt/podman-tests.sh
diff --git a/tests/tmt/podman/system-test.fmf b/tests/tmt/podman/system-test.fmf
@@ -0,0 +1,15 @@
+require:
+    - bats
+    - conmon
+    - crun
+    - make
+    - podman-tests
+
+adjust:
+    duration: 10m
+    when: arch == aarch64
+
+/system_test:
+    tag: [ upstream, downstream ]
+    summary: Run crun specific Podman tests
+    test: bash ./system-test.sh
diff --git a/tests/tmt/podman/system-test.sh b/tests/tmt/podman/system-test.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run this script as superuser"
+    exit 1
+fi
+
+cat /etc/redhat-release
+rpm -q conmon containers-common crun podman podman-tests
+
+# Run crun specific podman tests
+bats -t /usr/share/podman/test/system/030-run.bats
+bats -t /usr/share/podman/test/system/075-exec.bats
+bats -t /usr/share/podman/test/system/280-update.bats
diff --git a/tests/tmt/sanity/config.json b/tests/tmt/sanity/config.json
@@ -0,0 +1,180 @@
+{
+	"ociVersion": "1.0.0",
+	"process": {
+		"terminal": false,
+		"user": {
+			"uid": 0,
+			"gid": 0
+		},
+		"args": [
+			"sleep", "10"
+		],
+		"env": [
+			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+			"TERM=xterm"
+		],
+		"cwd": "/",
+		"capabilities": {
+			"bounding": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"effective": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"inheritable": [
+			],
+			"permitted": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			],
+			"ambient": [
+				"CAP_AUDIT_WRITE",
+				"CAP_KILL",
+				"CAP_NET_BIND_SERVICE"
+			]
+		},
+		"rlimits": [
+			{
+				"type": "RLIMIT_NOFILE",
+				"hard": 1024,
+				"soft": 1024
+			}
+		],
+		"noNewPrivileges": true
+	},
+	"root": {
+		"path": "rootfs",
+		"readonly": true
+	},
+	"hostname": "crun",
+	"mounts": [
+		{
+			"destination": "/proc",
+			"type": "proc",
+			"source": "proc"
+		},
+		{
+			"destination": "/dev",
+			"type": "tmpfs",
+			"source": "tmpfs",
+			"options": [
+				"nosuid",
+				"strictatime",
+				"mode=755",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/pts",
+			"type": "devpts",
+			"source": "devpts",
+			"options": [
+				"nosuid",
+				"noexec",
+				"newinstance",
+				"ptmxmode=0666",
+				"mode=0620",
+				"gid=5"
+			]
+		},
+		{
+			"destination": "/dev/shm",
+			"type": "tmpfs",
+			"source": "shm",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"mode=1777",
+				"size=65536k"
+			]
+		},
+		{
+			"destination": "/dev/mqueue",
+			"type": "mqueue",
+			"source": "mqueue",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev"
+			]
+		},
+		{
+			"destination": "/sys",
+			"type": "sysfs",
+			"source": "sysfs",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"ro"
+			]
+		},
+		{
+			"destination": "/sys/fs/cgroup",
+			"type": "cgroup",
+			"source": "cgroup",
+			"options": [
+				"nosuid",
+				"noexec",
+				"nodev",
+				"relatime",
+				"ro"
+			]
+		}
+	],
+	"linux": {
+		"resources": {
+			"devices": [
+				{
+					"allow": false,
+					"access": "rwm"
+				}
+			]
+		},
+		"namespaces": [
+			{
+				"type": "pid"
+			},
+			{
+				"type": "network"
+			},
+			{
+				"type": "ipc"
+			},
+			{
+				"type": "uts"
+			},
+			{
+				"type": "cgroup"
+			},
+			{
+				"type": "mount"
+			}
+		],
+		"maskedPaths": [
+			"/proc/acpi",
+			"/proc/asound",
+			"/proc/kcore",
+			"/proc/keys",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/sys/firmware",
+			"/proc/scsi"
+		],
+		"readonlyPaths": [
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger"
+		]
+	}
+}
diff --git a/tests/tmt/sanity/main.fmf b/tests/tmt/sanity/main.fmf
@@ -0,0 +1,5 @@
+require: [crun, podman]
+summary: Sanity test for crun
+tag: ['upstream', 'downstream']
+test: bash ./runtest.sh
+duration: 10m