diff --git a/.packit.yaml b/.packit.yaml index 363614f6de..64da4547cf 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -29,8 +29,6 @@ packages: crun-centos: pkg_tool: centpkg specfile_path: rpm/crun.spec - crun-rhel: - specfile_path: rpm/crun.spec crun-eln: specfile_path: rpm/crun.spec @@ -79,14 +77,6 @@ jobs: centos-stream-10-x86_64: {} centos-stream-10-aarch64: {} - - job: copr_build - trigger: pull_request - packages: [crun-rhel] - notifications: *copr_build_failure_notification - targets: - - epel-9-x86_64 - - epel-9-aarch64 - # Run on commit to main branch - job: copr_build trigger: commit @@ -124,26 +114,6 @@ jobs: - type: repository-file id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo - # Podman system tests for RHEL - - job: tests - trigger: pull_request - packages: [crun-rhel] - use_internal_tf: true - notifications: *podman_system_test_fail_notification - targets: - epel-9-x86_64: - distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly] - epel-9-aarch64: - distros: [RHEL-9.4.0-Nightly,RHEL-9-Nightly] - #TODO: Enable RHEL10 targets once epel-10 copr target is available - tf_extra_params: - environments: - - artifacts: - - type: repository-file - id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/epel-$releasever/rhcontainerbot-podman-next-epel-$releasever.repo - - type: repository-file - id: https://src.fedoraproject.org/rpms/epel-release/raw/epel9/f/epel.repo - - job: propose_downstream trigger: release packages: [crun-fedora] diff --git a/NEWS b/NEWS index 40762f3d7e..4704fdb9d2 100644 --- a/NEWS +++ b/NEWS 
@@ -1,7 +1,19 @@ +* crun-1.19.1 + +- linux: fix a hang if there are no reads from the tty. Use non + blocking sockets to read and write from the tty so that the "crun + exec" process doesn't hang when the terminal is not consuming any + data. +- linux: remove the workaround needed to mount a cgroup on top of + another cgroup mount. The workaround had the disadvantage to + temporarily leak a mount on the host. The alternative that is + currently used is to mount a temporary tmpfs between the two cgroup + mounts. + * crun-1.19 - wasm: add new handler wamr. -- criu: allow passing network lock method to libcriu +- criu: allow passing network lock method to libcriu. - linux: honor exec cpu affinity mask. - build: fix build with musl libc. - crun: use mount API to self-clone. diff --git a/plans/main.fmf b/plans/main.fmf index b56d319ebe..d87b1f75d6 100644 --- a/plans/main.fmf +++ b/plans/main.fmf 
@@ -2,19 +2,39 @@ discover: how: fmf execute: how: tmt +adjust: + - when: initiator == packit + because: "We need to test with updated packages from rhcontainerbot/podman-next copr" + prepare+: + how: shell + script: | + sed -i -n '/^priority=/!p;$apriority=1' /etc/yum.repos.d/*podman-next*.repo + dnf -y upgrade --allowerasing + # FIXME: Use epel10 once bats is available there + - when: distro == centos-stream-10 or distro == rhel-10 + because: "bats isn't yet available on epel10" + prepare+: + how: install + copr: rhcontainerbot/bats-el10 + package: bats + - when: distro == centos-stream-9 or distro == rhel-9 + because: "bats is present on EPEL on rhel9 / c9s" + prepare+: + how: feature + epel: enabled /upstream: summary: Run crun specific Podman system tests on upstream PRs discover+: filter: tag:upstream adjust+: - enabled: false - when: initiator is not defined or initiator != packit + - enabled: false + when: initiator is not defined or initiator != packit /downstream: summary: Run crun specific Podman system tests on bodhi / errata and dist-git PRs discover+: filter: tag:downstream adjust+: - enabled: false - when: initiator == packit + - enabled: false + when: initiator == packit diff --git a/rpm/gating.yaml b/rpm/gating.yaml index dbb1d9132c..4efb29f80b 100644 --- a/rpm/gating.yaml +++ b/rpm/gating.yaml @@ -1,7 +1,9 @@ --- !Policy product_versions: - fedora-* -decision_context: bodhi_update_push_stable +decision_context: + - bodhi_update_push_stable + - bodhi_update_push_testing rules: - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} @@ -9,4 +11,5 @@ rules: product_versions: - rhel-* decision_context: osci_compose_gate -rules: [] +rules: + - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} diff --git a/tests/tmt/Makefile b/tests/tmt/Makefile deleted file mode 100644 index b57ba2cebd..0000000000 --- a/tests/tmt/Makefile +++ /dev/null 
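Review bot: The packit `prepare+` script in plans/main.fmf rewrites every `/etc/yum.repos.d/*podman-next*.repo` to `priority=1` and then runs `dnf -y upgrade --allowerasing`, so on the test host any package the copr carries can replace or remove the distro build, not only the crun stack under test. That looks intended from the `because` text, but the sed expression is hard to read and depends on each repo file holding a single section, since `$apriority=1` appends the key at the end of the file. I would add a shell comment inside the script, e.g. `# podman-next .repo files have one section: drop any priority= line and append priority=1 so the copr outranks distro repos`. The `# FIXME: Use epel10 once bats is available there` comment would also read better folded into the `because` of the `centos-stream-10` rule it refers to.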
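Review bot: In the first rpm/gating.yaml hunk `decision_context` now holds a two-item list, but as far as I know Greenwave defines the singular key as a string and takes lists under the plural `decision_contexts`. If that holds for the Greenwave version in use, the fedora policy may fail to load or match neither context, and the gate would not be enforced as intended. I would write `decision_contexts:` followed by the same two items and confirm against the deployed Greenwave schema.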
@@ -1,3 +0,0 @@
-.PHONY: podman_system_test
-podman_system_test:
- bash ./podman-tests.sh
diff --git a/tests/tmt/main.fmf b/tests/tmt/main.fmf
deleted file mode 100644
index b0db6173c4..0000000000
--- a/tests/tmt/main.fmf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Only common dependencies that are NOT required to run podman-tests.sh are
-# specified here. Everything else is in podman-tests.sh.
-require:
- - make
-
-adjust:
- duration: 10m
- when: arch == aarch64
-
-/podman_system_test:
- tag: [ upstream, downstream ]
- summary: Run crun specific Podman tests
- test: make podman_system_test
diff --git a/tests/tmt/podman-tests.sh b/tests/tmt/podman-tests.sh
deleted file mode 100644
index 9d091c742e..0000000000
--- a/tests/tmt/podman-tests.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-
-set -exo pipefail
-
-if [[ "$(id -u)" -ne 0 ]];then
- echo "Please run this script as superuser"
- exit 1
-fi
-
-# Remove testing-farm repos if they exist because they interfere with the
-# podman-next copr. The default distro repos will not be removed and can be
-# used wherever relevant.
-rm -f /etc/yum.repos.d/tag-repository.repo
-
-dnf -y install bats conmon podman podman-tests
-dnf -y update --allowerasing
-
-cat /etc/redhat-release
-rpm -q conmon containers-common crun podman podman-tests
-
-# Run crun specific podman tests
-bats /usr/share/podman/test/system/030-run.bats
diff --git a/tests/tmt/podman/system-test.fmf b/tests/tmt/podman/system-test.fmf
new file mode 100644
index 0000000000..9beb3c9ac1
--- /dev/null
+++ b/tests/tmt/podman/system-test.fmf
@@ -0,0 +1,15 @@
+require:
+ - bats
+ - conmon
+ - crun
+ - make
+ - podman-tests
+
+adjust:
+ duration: 10m
+ when: arch == aarch64
+
+/system_test:
+ tag: [ upstream, downstream ]
+ summary: Run crun specific Podman tests
+ test: bash ./system-test.sh
diff --git a/tests/tmt/podman/system-test.sh b/tests/tmt/podman/system-test.sh
new file mode 100644
index 0000000000..4d04562283
--- /dev/null
+++ b/tests/tmt/podman/system-test.sh
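Review bot: `- make` in the `require` list of tests/tmt/podman/system-test.fmf looks stale: this commit deletes `tests/tmt/Makefile` and `test:` now calls `bash ./system-test.sh` directly, so nothing visible here invokes make. Conversely, `system-test.sh` runs `rpm -q conmon containers-common crun podman podman-tests` under `set -e`, and `podman` and `containers-common` are not listed; they presumably arrive as dependencies of `podman-tests`, but listing `podman` explicitly would make that independent of packaging. Suggested change: replace `- make` with `- podman`.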
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+if [[ "$(id -u)" -ne 0 ]];then
+ echo "Please run this script as superuser"
+ exit 1
+fi
+
+cat /etc/redhat-release
+rpm -q conmon containers-common crun podman podman-tests
+
+# Run crun specific podman tests
+bats -t /usr/share/podman/test/system/030-run.bats
+bats -t /usr/share/podman/test/system/075-exec.bats
+bats -t /usr/share/podman/test/system/280-update.bats
diff --git a/tests/tmt/sanity/config.json b/tests/tmt/sanity/config.json
new file mode 100644
index 0000000000..3a1f225e8c
--- /dev/null
+++ b/tests/tmt/sanity/config.json
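Review bot: With `set -e` in effect, the three separate `bats -t` calls at the end of system-test.sh stop at the first failing suite, so a failure in `030-run.bats` hides the results of `075-exec.bats` and `280-update.bats`. A single invocation runs all three and still returns non-zero if any test fails: `bats -t /usr/share/podman/test/system/030-run.bats /usr/share/podman/test/system/075-exec.bats /usr/share/podman/test/system/280-update.bats`. A one-line comment saying why these three suites were picked for crun would also help the next maintainer.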
@@ -0,0 +1,180 @@
+{
+ "ociVersion": "1.0.0",
+ "process": {
+ "terminal": false,
+ "user": {
+ "uid": 0,
+ "gid": 0
+ },
+ "args": [
+ "sleep", "10"
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm"
+ ],
+ "cwd": "/",
+ "capabilities": {
+ "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "effective": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "inheritable": [
+ ],
+ "permitted": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "ambient": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ]
+ },
+ "rlimits": [
+ {
+ "type": "RLIMIT_NOFILE",
+ "hard": 1024,
+ "soft": 1024
+ }
+ ],
+ "noNewPrivileges": true
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "hostname": "crun",
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc"
+ },
+ {
+ "destination": "/dev",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "type": "devpts",
+ "source": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "type": "tmpfs",
+ "source": "shm",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "mode=1777",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "type": "mqueue",
+ "source": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "type": "sysfs",
+ "source": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "ro"
+ ]
+ },
+ {
+ "destination": "/sys/fs/cgroup",
+ "type": "cgroup",
+ "source": "cgroup",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "ro"
+ ]
+ }
+ ],
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": false,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "pid"
+ },
+ {
+ "type": "network"
+ },
+ {
+ "type": "ipc"
+ },
+ {
+ "type": "uts"
+ },
+ {
+ "type": "cgroup"
+ },
+ {
+ "type": "mount"
+ }
+ ],
+ "maskedPaths": [
+ "/proc/acpi",
+ "/proc/asound",
+ "/proc/kcore",
+ "/proc/keys",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi"
+ ],
+ "readonlyPaths": [
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ]
+ }
+}
diff --git a/tests/tmt/sanity/main.fmf b/tests/tmt/sanity/main.fmf
new file mode 100644
index 0000000000..f4303510ae
--- /dev/null
+++ b/tests/tmt/sanity/main.fmf
@@ -0,0 +1,5 @@
+require: [crun, podman]
+summary: Sanity test for crun
+tag: ['upstream', 'downstream']
+test: bash ./runtest.sh
+duration: 10m
diff --git a/tests/tmt/sanity/runtest.sh b/tests/tmt/sanity/runtest.sh
new file mode 100644
index 0000000000..d1d453cd4c
--- /dev/null
+++ b/tests/tmt/sanity/runtest.sh
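Review bot: In tests/tmt/sanity/config.json, `process.capabilities.ambient` lists `CAP_AUDIT_WRITE`, `CAP_KILL` and `CAP_NET_BIND_SERVICE` while `inheritable` is empty. The kernel only keeps a capability in the ambient set if it is also permitted and inheritable, so this combination cannot take effect as written, and the fixture does not say which behaviour it expects from crun. Since the sanity test only runs `sleep`, `pwd` and `echo` as uid 0, I would set `"ambient": []` to match `inheritable`, which keeps the spec self-consistent and the privilege set smaller.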
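Review bot: `require: [crun, podman]` in tests/tmt/sanity/main.fmf does not cover everything `runtest.sh` touches: the script runs `rpm -q crun criu` under `set -e`, so on a host where criu is not installed the test aborts before any crun command runs, unless the crun package always pulls criu in. Either add `criu` to `require` or drop it from the `rpm -q` line. The script also pulls `quay.io/libpod/busybox` over the network, which is worth a word in `summary` or a comment because the test is tagged `downstream` as well.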
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+TEMPDIR=$(mktemp -d)
+TESTIMG="quay.io/libpod/busybox"
+CNAME="mycont-$RANDOM"
+
+cat /etc/redhat-release
+uname -r
+rpm -q crun criu
+
+crun --version
+[ $? -ne 0 ] && exit 1
+
+crun features
+[ $? -ne 0 ] && exit 1
+
+crun list
+[ $? -ne 0 ] && exit 1
+
+# create the top most bundle and rootfs directory
+mkdir -p $TEMPDIR/rootfs
+
+# export busybox via podman into the rootfs directory
+podman export $(podman create $TESTIMG) | tar -C $TEMPDIR/rootfs -xvf -
+[ $? -ne 0 ] && exit 1
+
+# use existing spec
+cp ./config.json $TEMPDIR
+ls $TEMPDIR
+cd $TEMPDIR
+
+crun create $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun list
+[ $? -ne 0 ] && exit 1
+
+crun start $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun list
+[ $? -ne 0 ] && exit 1
+
+crun state $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun ps $CNAME
+[ $? -ne 0 ] && exit 1
+
+ret=$(crun exec $CNAME pwd)
+[ $? -ne 0 ] || [ $ret != '/' ] && exit 1
+
+crun pause $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun state $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun resume $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun state $CNAME
+[ $? -ne 0 ] && exit 1
+
+ret=$(crun exec $CNAME pwd)
+[ $? -ne 0 ] || [ $ret != '/' ] && exit 1
+
+crun delete --force $CNAME
+[ $? -ne 0 ] && exit 1
+
+crun list
+[ $? -ne 0 ] && exit 1
+
+crun run $CNAME &
+[ $? -ne 0 ] && exit 1
+
+crun list
+[ $? -ne 0 ] && exit 1
+
+# make sure the container is running state
+sleep 2
+
+ret=$(crun exec $CNAME echo 'ok')
+[ $? -ne 0 ] || [ $ret != 'ok' ] && exit 1
+
+crun kill $CNAME
+[ $? -ne 0 ] && exit 1
+
+exit 0
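Review bot: The output checks `[ $? -ne 0 ] || [ $ret != '/' ] && exit 1` do not fail when `$ret` is empty or contains spaces: unquoted, the test becomes malformed (for example `[ != '/' ]`), returns an error status, and the `&& exit 1` is skipped, so the script carries on. `[ "$ret" = '/' ] || exit 1` (and `[ "$ret" = 'ok' ] || exit 1` further down) checks the value directly. Most of the other `[ $? -ne 0 ] && exit 1` lines are unreachable on failure because `set -e` already exits, and the one after `crun run $CNAME &` always sees 0 because backgrounding succeeds regardless of crun's result. `TESTIMG` is referenced without a tag or digest, and `$TEMPDIR` and the `podman create` container are never removed; pinning the image by digest and adding a cleanup `trap` would make the run reproducible and leave the host clean.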