Add bootc tests #278
Merged
Add bootc tests #278
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
This was originally done because all VMs were snapshotted, and the orig_* names pointed to the original disk images on which snapshots were based. Since only few of our VMs are snapshotted now, drop the prefix, snapshots use 'snapshot_path' anyway. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
comps
force-pushed
the
add_bootc_tests
branch
from
f8c5c86
to
b90134e
Compare
|
I've redesigned the bootc-image-builder test quite a bit; turns out we don't really need a |
|
A note for whoever reviews this in the end: # prepare a Container file for making a hardened image
cfile = podman.Containerfile()
cfile += util.dedent(fr'''
FROM {src_image}
RUN dnf -y install dnf-plugins-core
RUN dnf -y copr enable packit/OpenSCAP-openscap-2170 centos-stream-9-x86_64
RUN dnf -y install openscap-utils
COPY remediation-ds.xml /root/.
RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml
''')
cfile.add_ssh_pubkey(guest.ssh_pubkey)
cfile.write_to('Containerfile')I wanted to de-duplicate this, so it's not copy/pasted across both bootc and anaconda tests, and I implemented a function for it, def build_hardened_image(src_image, datastream, profile):but it turned out to be just about as complicated as the copy/pasta, or likely even more - I had to write So it didn't make things any simpler, and it just obfuscated the logic. So I left the copy/pasta in there, because - if anything - it's much easier to debug the test(s) by commenting sections of code out, or simply by inserting a sleep + checking the generated Containerfile manually, or modifying it, or otherwise playing with it. |
comps
force-pushed
the
add_bootc_tests
branch
from
b90134e
to
f999c70
Compare
|
I'll be submitting the |
comps
force-pushed
the
add_bootc_tests
branch
from
f999c70
to
bfacf4c
Compare
|
This should be now ready for review. |
comps
force-pushed
the
add_bootc_tests
branch
3 times, most recently
from
480a94c
to
71c28af
Compare
(Rather than using util.ssh_keygen + reading file contents manually.) Signed-off-by: Jiri Jaburek <comps@nomail.dom>
I originally rejected this because import_image() would be copying the image file if it wasn't in /var/lib/libvirt/images, and it seemed better and more explicit to make the user put the image on the right place (into /var/lib/libvirt/images). However, an alternate view point on "import" is "just use the disk image in-place, wherever it is", which is what the function does now with this change. In that case, passing arguments makes more sense than setting instance- wide variables. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
comps
force-pushed
the
add_bootc_tests
branch
from
71c28af
to
f8e1533
Compare
The idea is that install_basic() is a very minimal wrapper for running Anaconda with the provided kickstart, no extra bells. It is then install() that provides OS customizations for testing via RpmPack, installs DNF repositories from the host, etc., etc. I felt this was slightly better than trying to re-introduce the verbatim_kickstart=False flag for install(), or something similar. Splitting the functions also seems more readable, as we can now use 'with' instead of an ExitStack. The class Kickstart (packages, assembly) changes are also related here, as this change is really about making install_basic() as minimal as feasible, without forced %packages. The intended use case is for 'ostreecontainer', where host repositories and RpmPack don't make sense, given that the OS has already been hardened and customized in the podman container. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
This allows the caller of util.subprocess_* to transparently log the source file / code line of its own caller, instead of itself, transforming ie. podman.Container:123 Signed-off-by: Jiri Jaburek <comps@nomail.dom>
This came in handy while waiting for a local podman Registry to start responding on the given port, but can easily be used for waiting for ssh. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
This logs the place the backup() / restore() was called from, rather than 'lib.util.backup' every time. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
comps
force-pushed
the
add_bootc_tests
branch
from
f8e1533
to
bc10bdd
Compare
This gets rid of 'bp_verbatim' and fixes virt.Guest.PACKAGES dependency. Signed-off-by: Jiri Jaburek <comps@nomail.dom>
matusmarhefka
approved these changes
Nov 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The last commit, adding the actual test(s), is still WIP and will change, but all commits under it should be ready for review.