Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: Run the ostree-ext deploy tests
Browse files Browse the repository at this point in the history
Signed-off-by: Colin Walters <[email protected]>
cgwalters committed Dec 8, 2024
1 parent cf58890 commit 54f8abb
Showing 3 changed files with 23 additions and 38 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -81,6 +81,9 @@ jobs:
sudo install -m 0755 target/release/tests-integration /usr/bin/bootc-integration-tests
rm target -rf
df -h /
# The ostree-container tests
sudo podman run --privileged --pid=host -v /:/run/host -v $(pwd):/src:ro -v /var/tmp:/var/tmp \
-v /run/dbus:/run/dbus -v /run/systemd/journal:/run/systemd/journal localhost/bootc /src/ostree-ext/ci/priv-integration.sh
# Nondestructive but privileged tests
sudo bootc-integration-tests host-privileged localhost/bootc
# Finally the install-alongside suite
18 changes: 0 additions & 18 deletions ostree-ext/.github/workflows/rust.yml
Original file line number Diff line number Diff line change
@@ -128,24 +128,6 @@ jobs:
run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli
- name: Integration tests
run: ./ci/ima.sh
privtest:
name: "Privileged testing"
needs: build
runs-on: ubuntu-latest
container:
image: quay.io/fedora/fedora-coreos:testing-devel
options: "--privileged --pid=host -v /var/tmp:/var/tmp -v /run/dbus:/run/dbus -v /run/systemd:/run/systemd -v /:/run/host"
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Download
uses: actions/[email protected]
with:
name: ostree-ext-cli
- name: Install
run: install ostree-ext-cli /usr/bin && rm -v ostree-ext-cli
- name: Integration tests
run: ./ci/priv-integration.sh
privtest-cockpit:
name: "Privileged testing (cockpit)"
needs: build
40 changes: 20 additions & 20 deletions ostree-ext/ci/priv-integration.sh
Original file line number Diff line number Diff line change
@@ -28,21 +28,21 @@ if test '!' -d "${sysroot}/ostree/deploy/${stateroot}"; then
ostree admin os-init "${stateroot}" --sysroot "${sysroot}"
fi
# Should be no images pruned
ostree-ext-cli container image prune-images --sysroot "${sysroot}"
ostree container image prune-images --sysroot "${sysroot}"
# Test the syntax which uses full imgrefs.
ostree-ext-cli container image deploy --sysroot "${sysroot}" \
ostree container image deploy --sysroot "${sysroot}" \
--stateroot "${stateroot}" --imgref "${imgref}"
ostree admin --sysroot="${sysroot}" status
ostree-ext-cli container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json
ostree container image metadata --repo "${sysroot}/ostree/repo" registry:"${image}" > manifest.json
jq '.schemaVersion' < manifest.json
ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${image}"
ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${image}"
ostree admin --sysroot="${sysroot}" undeploy 0
# Now test the new syntax which has a nicer --image that defaults to registry.
ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \
ostree container image deploy --transport registry --sysroot "${sysroot}" \
--stateroot "${stateroot}" --image "${image}"
ostree admin --sysroot="${sysroot}" status
ostree admin --sysroot="${sysroot}" undeploy 0
if ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \
if ostree container image deploy --transport registry --sysroot "${sysroot}" \
--stateroot "${stateroot}" --image "${image}" --enforce-container-sigpolicy 2>err.txt; then
echo "Deployment with enforced verification succeeded unexpectedly" 1>&2
exit 1
@@ -52,16 +52,16 @@ if ! grep -Ee 'insecureAcceptAnything.*refusing usage' err.txt; then
cat err.txt
fi
# Now we should prune it
ostree-ext-cli container image prune-images --sysroot "${sysroot}"
ostree-ext-cli container image list --repo "${sysroot}/ostree/repo" > out.txt
ostree container image prune-images --sysroot "${sysroot}"
ostree container image list --repo "${sysroot}/ostree/repo" > out.txt
test $(stat -c '%s' out.txt) = 0

for img in "${image}"; do
ostree-ext-cli container image deploy --sysroot "${sysroot}" \
ostree container image deploy --sysroot "${sysroot}" \
--stateroot "${stateroot}" --imgref ostree-unverified-registry:"${img}"
ostree admin --sysroot="${sysroot}" status
initial_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l)
ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"${img}"
ostree container image remove --repo "${sysroot}/ostree/repo" registry:"${img}"
pruned_refs=$(ostree --repo="${sysroot}/ostree/repo" refs | wc -l)
# Removing the image should only drop the image reference, not its layers
test "$(($initial_refs - 1))" = "$pruned_refs"
@@ -70,29 +70,29 @@ for img in "${image}"; do
n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l)
test "${n_commits}" -gt 0
# But right now this still doesn't prune *content*
ostree-ext-cli container image prune-layers --repo="${sysroot}/ostree/repo"
ostree container image prune-layers --repo="${sysroot}/ostree/repo"
ostree --repo="${sysroot}/ostree/repo" refs > refs.txt
if test "$(wc -l < refs.txt)" -ne 0; then
echo "found refs"
cat refs.txt
exit 1
fi
# And this one should GC the objects too
ostree-ext-cli container image prune-images --full --sysroot="${sysroot}" > out.txt
ostree container image prune-images --full --sysroot="${sysroot}" > out.txt
n_commits=$(find ${sysroot}/ostree/repo -name '*.commit' | wc -l)
test "${n_commits}" -eq 0
done

# Verify we have systemd journal messages
nsenter -m -t 1 journalctl _COMM=ostree-ext-cli > logs.txt
nsenter -m -t 1 journalctl _COMM=bootc > logs.txt
grep 'layers already present: ' logs.txt

podman pull ${image}
ostree --repo="${sysroot}/ostree/repo" init --mode=bare-user
ostree-ext-cli container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image}
ostree container image pull ${sysroot}/ostree/repo ostree-unverified-image:containers-storage:${image}
echo "ok pulled from containers storage"

ostree-ext-cli container compare ${imgref} ${imgref} > compare.txt
ostree container compare ${imgref} ${imgref} > compare.txt
grep "Removed layers: *0 *Size: 0 bytes" compare.txt
grep "Added layers: *0 *Size: 0 bytes" compare.txt

@@ -114,22 +114,22 @@ ostree refs ostree/container/image --delete
repo="${sysroot}/ostree/repo"
images=$(ostree container image list --repo "${repo}" | wc -l)
test "${images}" -eq 1
ostree-ext-cli container image deploy --sysroot "${sysroot}" \
ostree container image deploy --sysroot "${sysroot}" \
--stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}"
imgref=$(ostree refs --repo=${repo} ostree/container/image | head -1)
img_commit=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref})
ostree-ext-cli container image remove --repo "${repo}" "${derived_img}"
ostree container image remove --repo "${repo}" "${derived_img}"

ostree-ext-cli container image deploy --sysroot "${sysroot}" \
ostree container image deploy --sysroot "${sysroot}" \
--stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img}"
img_commit2=$(ostree --repo=${repo} rev-parse ostree/container/image/${imgref})
test "${img_commit}" = "${img_commit2}"
echo "ok deploy derived container identical revs"

ostree-ext-cli container image deploy --sysroot "${sysroot}" \
ostree container image deploy --sysroot "${sysroot}" \
--stateroot "${stateroot}" --imgref ostree-unverified-image:"${derived_img_dir}"
echo "ok deploy derived container from local dir"
ostree-ext-cli container image remove --repo "${repo}" "${derived_img_dir}"
ostree container image remove --repo "${repo}" "${derived_img_dir}"
rm -rf /var/tmp/derived.dir

# Verify policy

0 comments on commit 54f8abb

Please sign in to comment.