Use rpmdb-normalize, add rootfs tests

I just saw the sqlite-shm corruption in
https://gitlab.com/redhat/centos-stream/containers/bootc/-/merge_requests/437#note_2372766792
so let's just go ahead and turn on rpmdb_normalize which
also aids the reproducibility of the rpmdb.

While we're here let's also add a long overdue "unit test" for
the rootfs. This operates as a container build that mounts
the container-under-test as part of a multi-stage build.

Signed-off-by: Colin Walters <walters@verbum.org>

.gitlab-ci.yml

@@ -12,12 +12,16 @@ variables:
 
 build-minimal:
   extends: .build-image
-  script: buildah build -f Containerfile --no-cache -t localhost/fedora-bootc:minimal ${PRIV_ARGS} --build-arg=manifest=fedora-minimal .
+  script: |
+    set -xeuo pipefail
+    buildah build -f Containerfile --no-cache -t localhost/fedora-bootc:minimal ${PRIV_ARGS} --build-arg=manifest=fedora-minimal .
+    cd tests/rootfs && buildah build -t localhost/test --from localhost/fedora-bootc:minimal    
 
 standard-build-and-test:
   extends: .build-image
   script: |
     set -xeuo pipefail
     buildah build --no-cache -t localhost/fedora-bootc ${PRIV_ARGS} .
+    (cd tests/rootfs && buildah build -t localhost/test --from localhost/fedora-bootc)
     cd tests
     buildah build -f Containerfile.test-derive --no-cache -t localhost/fedora-bootc-derived ${PRIV_ARGS} .

minimal/postprocess-conf.yaml

@@ -6,12 +6,9 @@ opt-usrlocal: "root"
 # https://github.com/CentOS/centos-bootc/issues/167
 machineid-compat: true
 
-# Note that the default for c9s+ is sqlite; we can't rely on rpm being
-# in the target (it isn't in minimal!) so turn this to host here.  This
-# does break the "hermetic build" aspect a bit.  Maybe eventually
-# what we should do is special case this and actually install RPM temporarily
-# and then remove it...
-rpmdb: host
+rpmdb: target
+# We never want rpmdb.sqlite-shm as it's unreproducible
+rpmdb-normalize: true
 
 ignore-removed-users:
   - root

tests/rootfs/Dockerfile

@@ -0,0 +1,6 @@
+# This should always be replaced with podman build --from.
+FROM localhost/image-to-test as rootfs
+
+FROM quay.io/centos/centos:stream10
+COPY . /src
+RUN --mount=type=bind,from=rootfs,target=/target-rootfs /src/run /target-rootfs

tests/rootfs/README.md

@@ -0,0 +1,4 @@
+# rootfs tests
+
+This is a set of scripts that sanity check the target
+rootfs in a read-only fashion.

tests/rootfs/cases/rpmdb

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -xeuo pipefail
+for d in usr/share/rpm usr/lib/sysimage/rpm; do
+  if test -d "$d"; then
+    test '!' -f "$d/rpmdb.sqlite-shm"
+  fi
+done

tests/rootfs/run

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -euo pipefail
+srcdir=$(cd $(dirname $0) && pwd)
+rootfs=$1
+shift
+cd $rootfs
+for case in ${srcdir}/cases/*; do
+  if test -x "$case"; then
+    echo "Running $case"
+    $case
+    echo "ok $case"
+  fi
+done