Also fix the test, it wasn't updated to use sslverify instead of
ignoressl. This now correctly passes on -dnf and fails on -dnf5 which
will be fixed in the next commit.
During the work on PR#1752 Florian discovered that make_containers()
is broken for nested containers like:
```
with make_container(tmp_path, {"file1": "file1 from base"}) as base_tag:
with make_container(tmp_path, {"file1": "file1 from final layer"}, base_tag) as cont_tag:
```
It errors with:
```
Error: 5b947de461ee21b858dd5b4224e80442b2f65b6410189147f2445884d9e4e3d8: image not known
```
The reason is that we work with hashes for the image and then call
`podman image rm` which by default will also remove all dangling
references. Those are defined by not having a tag and not referenced
anymore. So the inner container cleanup also removes the outter.
There are many ways to fix this, I went with re-adding tags to the
test containers because it also makes it easy for the user to see if
we left any containers (accidently) around.
In PR#1752 Florian noticed that `make_containers` is buggy [0] in
one specific testcase. However the GH actions did not trigger and
uppon inspection the test is skipped:
```
stages/test/test_container_deploy.py::test_container_deploy_integration SKIPPED [ 7%]
```
This commit adds `-rs` to get a summary why the tests are skipped.
This is useful in general, I suspect the test container might miss
podman but this commit will bring clarity.
[0] https://github.com/osbuild/osbuild/pull/1752#discussion_r1578294358
Create a unit using an inline file called -.mount with the following
content:
[Unit]
Before=local-fs.target
After=blockdev@dev-disk-by\x2duuid-af34257d\x2d3e14\x2d4a51\x2db91d\x2dc430a956dcba.target
[Mount]
What=/dev/disk/by-uuid/af34257d-3e14-4a51-b91d-c430a956dcba
Where=/
Type=ext4
Options=rw,noatime
[Install]
RequiredBy=local-fs.target
and enable it in the systemd stage to test that we can enable units with
a - prefix.
Units can start with a -, for example, -.mount. Trying to enable,
disable, or mask a service like that fails with
systemctl: invalid option -- '.'
Hint: to specify units starting with a dash, use "--":
systemctl [OPTIONS...] COMMAND -- -.mount ...
Adding -- to all 'systemctl' calls lets us specify unit files that start
with -.
We run tests using tox to set up environments for different python
versions to test against. The problem is that when a test shells out to
a python script, like osbuild-depsolve-dnf5, it's not run inside the
environment but in the system environment. The `has_dnf5()` check
returns False because it fails to import dnf5 in the tox environment,
even though the script can be run and the test will succeed.
Use `python3 -c "import libdnf5"` to decide if the script is runnable
instead of using `importlib`. This doesn't solve the problem of our
tests running python scripts in a different environment than the one (we
think) we are testing, but it will enable tests of osbuild-depsolve-dnf5
for now.
The JSON output by go will use 'null' for nil slices, so we need to
use a [] when the field is missing, or when it is set to null.
Previously this was handled by checking the value before iterating but
when the code moved for the directory handling it was changed.
This implements the same behavior in a slightly cleaner way.
The go json serialize process takes a nil slice and converts that to a
'null' instead of an '[]' or leaving off the field. This means that the
json generated by python is not representative of what is output by
images/dnfjson and we have not been properly testing
osbuild-depsolve-dnf5
Testing dnf5 depsolving *also* requires that libdnf5 be present in the
environment, which is a separate problem that still needs to be fixed.
Cache files will split the extension, this means that all pyc cache
files looks like we get many clashing `org.osbuild.cpython-py311.pyc
files. Moreover, the cache bytecode invalidation is based on the
timestamp (which is the same after git checkout) and the file size
(which may be the same for two different files). This means that we
can't rely on the cache files.
This issue has been found after the previous commit made the
`org.osbuild.systemd` and `org.osbuild.selinux` stages to have exactly
the same size, which caused the interpreter to reuse the bytecode for
the selinux stage when running unit tests for the systemd stage. This
resulted in consistent and weird failures when the systemd stage
options were passed to the selinux stage code.
The credit for this fix goes to Michael Vogt, who found the cause and
fix. Also thanks to Simon de Vlieger for his help with debugging the
problem.
Co-authored-by: Michael Vogt <michael.vogt@gmail.com>
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Previously, the SELinux stage would not force full contexts reset when
forcing auto-relabel on first boot. As a result, all files remained
`unconfined_u` after the auto-relabeling on first boot and only the type
part was reset.
We really need to mimic the behavior of `fixfiles -F onboot` command,
which creates the `/.autorelabel` file with "-F" in it.
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Given that the tests `test_depsolve{,_dnf5}` are identical except
the `command` extract them into a common test that is just parameterized.
This will also help to avoid drift between the two resolvers.
This commit allows use to append kernel commandline options via
the kickstart file. This is useful for e.g. the bootc installer
where we support customizing this via blueprints.
Verifying the systemd unit also checks if any referred systemd units
(Wants, Requires, After) exist and if all commands in Exec exist and are
executable. Without '--root', the systemd-analyze verify command is
testing this against files in the build root, which isn't valid.
Units and binaries might not exist in the build root when referenced in
the image root tree, making the unit fail when when it's valid.
Conversely, the verification can succeed by finding executables in the
build root that don't exist in the image root tree when it should be
failing.
When verifying user units, systemd expects runtime directories.
All of this makes it quite difficult to verify systemd units properly
when building an image. The call is useful for making sure the unit is
structured properly, but the user unit verification setup is difficult
to accomplish in a general way while building.
Remove the systemd-analyze verify step from the stage. Move it to the
unit test so that we have some assurance that our unit file structure is
correct and things work as expected. Create referenced unit files and
commands to make the unit valid.
Add test values for Wants, Requires, and After.
Adding multiple values to test that arrays work and made sure they're
all different.
The units need to be valid, real unit names otherwise the
'systemd-analyze verify' check will fail.
The current `make test-all` will only run tests under `test/`. This
is no longer the only place we have tests so update the code to
just run `pytest` to collect all tests.
We currently do not set the `--target-imgref` and do not allow to
override it. This means that on a fresh deploy it is set to an
incorrect value. This commit allows to set it via the
org.osbuild.bootc.install-to-filesystem stage.
Only py3.7+ has ThreadingHTTPServer and SimpleHTTPRequestHandler
that can take a directory argument. We could reimplement this
on py36 (easy for threading, harder for missing directory) but
instead this commit just skips tests that try to use a
ThreadingHTTPServer.
Remove once we no longer support py3.6.
Run only two jobs in the GH runner for the unittest. The `test_stage.py`
because it takes a very long time and needs to run in parallel and
all the other tests.
This split avoid that we forget to add new unittests to the matrix
as we did before (see e.g. https://github.com/osbuild/osbuild/pull/1731)
and it will also enable the tests in:
- sources/test
- inputs/tests
- mounts/test
to run.
This will reduce the "granularity" of the test output a bit, in the
GH runner we only see two unit test matrix jobs now. However that
should not be too bad because the non-stage tests are really quick
to run.
Using an environ for passing the tests is a bit of a headache when
it comes to quoting which is important when trying to write something
like: `-k "not test_stages.py"`.
I (personally) also find it slightly nicer/more intuitive to be able to do:
```
$ tox -e py36 -- ./test/mod
```
compared to
```
$ TEST_CATEGORY="./test/mod" tox -e py36
```
With the new `bootc install to-filesystem` support many stages
will need a devices/mount setup to bind mount the deployment root
from the bootc deployment root of the generated image. To make
this globally available just allow "devices/mounts" for all stages
in the schema validation.
Note that `mounts` is already globally allowed so this just adds
devices (this was added in `7e776a076` with ostree as the use-case).
Nothing will change for the filesystem stages that already define
"devices" in a more specialized way.
str.removeprefix() is not available in Python 3.6, which we need to
support EL8.
Instead of removing the prefix from the original path string, take the
path property of the parsed URL. Since we're dealing with file paths,
there will be no params, query, or fragment strings so the path should
be all we need.
So that we see any error output during the tests in "realtime". With
subprocess check=True and capture_output=True on exit_code != 0 no
stderr as part of the exception by default so this change helps
seeing issues from depsolve-dnf more easily.
Add a new line to after a successful build and before the final output
is printed to the terminal. Since the final build output and the
"manifest finished successfully" line were being printed to the same
line.
Originally, I made releasever required only when root_dir was set. This
was initially done to maintain backwards compatibility but we broke that
already and osbuild/images will always include releasever in the
request.
Extract make_dnf_scafolding as a helper, mostly so that the config_combos()
function is easier to read. It seems one core concept here is the iteration
of "combo[0]" and "combo[1]" so having them symetrical at the same indent
level feel easier to read to me.
This adds a new `org.osbuild.bind` mount feature to the osbuild
mount modules. This allows to (r)bind mount parts of another mount
into the tree (or replace the default tree for a stage entirely).
The use case is the `bootc install to-filesystem` where we get
a populated disk and need to do customizations directly there
without going through an intermediate tree.
Note that right now only "--rbind" is supported and used but
we could trivially change that to become an option in either
direction. Given that the main use-case right now is to be
paried with `org.osbuild.ostree.deployment` and here the
`rbind` is crucial I would leave that the default.
Here is an example what this looks like:
```json
{
"type": "org.osbuild.users",
"options": {
"users": {
"alice": {
"home": "/home/alice",
"groups": [
"wheel"
],
"password": "$6$NV3P7UzUqP3xb1ML$3qnHpWs037VRTaOc.kirQ4.RwNz4gu9dkhAhpBYVCkHw8CMhpBKnegyyqw0QfURowarZnRnQi.jo4JEzIOvPO/",
"key": "ssh-rsa AAA ... user@email.com"
}
}
},
"devices": {
"disk": {
"type": "org.osbuild.loopback",
"options": {
"filename": "disk.raw",
"partscan": true
}
}
},
"mounts": [
{
"name": "part4",
"type": "org.osbuild.ext4",
"source": "disk",
"target": "/",
"partition": 4
},
...
{
"name": "ostree.deployment",
"type": "org.osbuild.ostree.deployment",
"options": {
"source": "mount",
"deployment": {
"default": true
}
}
},
{
"name": "bind",
"type": "org.osbuild.bind",
"target": "tree://",
"options": {
"source": "mount://"
}
}
]
},
```
Similar to `stages` and `sources` we need some basic infrastructure
so that we can use a `mounts_module` fixture for the coming tests
to the mount modules.
The "main" branch is failing right now in tests. The reason is
that we do not have a merge queue and when
https://github.com/osbuild/osbuild/pull/1715
was merged we had no test for `osbuild-depsolve-dnf` yet.
We have one now (THANK YOU achilleas-k) and it shows an issue :)
This commit fixes the issue.
