.gitignore

@@ -0,0 +1,2 @@
+artifacts
+tests/packages

READONLY

@@ -0,0 +1 @@
+Branch locked: RHELBLD-12123

SOURCES/modulemd.src.txt

@@ -1,100 +0,0 @@
----
-document: modulemd
-version: 2
-data:
-  name: container-tools
-  stream: 1.0
-  summary: >-
-    Stable versions of podman 1.0, buildah 1.5, skopeo 0.1, runc, conmon, CRIU,
-    Udica, etc as well as dependencies such as container-selinux built and
-    tested together, and supported for 24 months.
-  description: >-
-    Stable versions of podman 1.0 , buildah 1.5, skopeo 0.1, runc, conmon,
-    CRIU, Udica, etc as well as dependencies such as container-selinux built
-    and tested together. Released with RHEL 8.0 and supported for 24 months.
-    During the support lifecycle, back ports of important, critical
-    vulnerabilities (CVEs, RHSAs) and bug fixes (RHBAs) are provided to this
-    stream, and versions do not move forward. For more information see:
-    https://access.redhat.com/support/policy/updates/containertools
-  license:
-    module:
-    - MIT
-  dependencies:
-  - buildrequires:
-      go-toolset: [rhel8]
-      golang-ecosystem: [1.0]
-      platform: [el8]
-    requires:
-      platform: [el8]
-  references:
-    community: https://github.com/projectatomic
-    documentation: https://projectatomic.io
-    tracker: https://github.com/projectatomic
-  profiles:
-    common:
-      rpms:
-      - buildah
-      - container-selinux
-      - containernetworking-plugins
-      - criu
-      - fuse-overlayfs
-      - oci-systemd-hook
-      - oci-umount
-      - podman
-      - runc
-      - skopeo
-      - slirp4netns
-  api:
-    rpms:
-    - buildah
-    - container-selinux
-    - containernetworking-plugins
-    - containers-common
-    - fuse-overlayfs
-    - oci-systemd-hook
-    - oci-umount
-    - podman
-    - podman-docker
-    - runc
-    - skopeo
-    - slirp4netns
-  buildopts:
-    rpms:
-      macros: |
-        %_with_ignore_tests 1
-  components:
-    rpms:
-      buildah:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      container-selinux:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      containernetworking-plugins:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      criu:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      fuse-overlayfs:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      oci-systemd-hook:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      oci-umount:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      podman:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      runc:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      skopeo:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-      slirp4netns:
-        rationale: Primary component of this module
-        ref: stream-container-tools-1.0-rhel-8.3.0
-...

container-tools.yaml

@@ -0,0 +1,122 @@
+---
+document: modulemd
+version: 2
+data:
+  name: container-tools
+  stream: 3.0
+  summary: >-
+    Stable versions of podman 3.0, buildah 1.19, skopeo 1.2, runc, conmon, CRIU,
+    Udica, etc as well as dependencies such as container-selinux built and tested
+    together, and supported as documented on the Application Stream lifecycle page.
+  description: >-
+    Stable versions of podman 3.0, buildah 1.19, skopeo 1.2, runc, conmon, CRIU,
+    Udica, etc as well as dependencies such as container-selinux built and tested
+    together. Released with RHEL 8.4 and supported for 24 months. During the
+    support lifecycle, back ports of important, critical vulnerabilities (CVEs,
+    RHSAs) and bug fixes (RHBAs) are provided to this stream, and versions do not
+    move forward. For more information see:
+    https://access.redhat.com/support/policy/updates/containertools
+  license:
+    module:
+    - MIT
+  dependencies:
+  - buildrequires:
+      go-toolset: [rhel8]
+      golang-ecosystem: [1.0]
+      platform: [el8]
+    requires:
+      platform: [el8]
+  references:
+    community: https://github.com/projectatomic
+    documentation: https://projectatomic.io
+    tracker: https://github.com/projectatomic
+  profiles:
+    common:
+      rpms:
+      - buildah
+      - cockpit-podman
+      - conmon
+      - container-selinux
+      - containernetworking-plugins
+      - criu
+      - crun
+      - fuse-overlayfs
+      - libslirp
+      - podman
+      - runc
+      - skopeo
+      - slirp4netns
+      - toolbox
+      - udica
+  api:
+    rpms:
+    - buildah
+    - conmon
+    - container-selinux
+    - containernetworking-plugins
+    - containers-common
+    - fuse-overlayfs
+    - libslirp
+    - podman
+    - podman-docker
+    - podman-manpages
+    - podman-remote
+    - runc
+    - skopeo
+    - slirp4netns
+  buildopts:
+    rpms:
+      macros: |
+        %_with_ignore_tests 1
+  components:
+    rpms:
+      buildah:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      cockpit-podman:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      conmon:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      container-selinux:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      containernetworking-plugins:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      criu:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      crun:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      fuse-overlayfs:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      libslirp:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+        buildorder: -1
+      oci-seccomp-bpf-hook:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      podman:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      runc:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      skopeo:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      slirp4netns:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      toolbox:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+      udica:
+        rationale: Primary component of this module
+        ref: stream-container-tools-3.0-rhel-8.10.0
+...

gating.yaml

@@ -0,0 +1,8 @@
+# recipients: jnovy, santiago, lsm5
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate_modules
+subject_type: redhat-module
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.redhat-module.tier0.functional}

tests/roles/bats_installed/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+# Sigh; RHEL8 doesn't have BATS
+- name: bats | fetch and unpack tarball
+  unarchive:
+    src: https://github.com/bats-core/bats-core/archive/v1.1.0.tar.gz
+    dest: /root
+    remote_src: true
+
+- name: bats | install
+  command: ./install.sh /usr/local
+  args:
+    chdir: /root/bats-core-1.1.0

tests/roles/fetch_pkg/tasks/main.yml

@@ -0,0 +1,36 @@
+# standard role for fetching a package dist-git into the Ansible controller for running its tests
+# variables:
+# - package: dist-git source package name
+# - modulemd: file name of module metadata description, for getting correct branch name
+---
+- name: Install git
+  dnf: name=git state=installed
+
+- name: Clone package dist-git
+  git:
+    repo: git://pkgs.devel.redhat.com/rpms/{{ package }}
+    # read package branch from module md file
+    version: "{{ (lookup('file', modulemd) | from_yaml)['data']['components']['rpms'][package]['ref'] }}"
+    dest: "/tmp/packages/{{ package }}"
+
+# fetch can only get a single file, so we have to do this in a loop
+- name: Get package test file list
+  find:
+    paths: "/tmp/packages/{{ package }}/tests"
+    recurse: yes
+  register: test_files_to_fetch
+
+- name: Copy package test files to controller
+  fetch:
+    src: "{{ item.path }}"
+    # strip off /tmp/ prefix
+    dest: "{{ playbook_dir }}/{{ item.path[5:] }}"
+    flat: yes
+  with_items: "{{ test_files_to_fetch.files }}"
+
+- name: Copy package files
+  fetch:
+    src: "/tmp/packages/{{ package }}/{{ item }}"
+    dest: "{{ playbook_dir }}/packages/{{ package }}/"
+    flat: yes
+  with_items: ["{{ package }}.spec", "sources"]

tests/roles/nonroot_user/tasks/main.yml

@@ -0,0 +1,7 @@
+---
+- name: create nonroot user
+  user:
+    name: testuser
+    shell: /bin/bash
+- name: enable linger
+  command: loginctl enable-linger testuser

tests/roles/run_bats_tests/files/helper.buildah-root.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# setup and teardown helpers for buildah test
+#
+
+function setup() {
+    REGISTRY_FQIN=quay.io/libpod/registry:2
+
+    AUTHDIR=/tmp/buildah-tests-auth.$$
+    mkdir -p $AUTHDIR
+
+    CERT=$AUTHDIR/domain.crt
+    if [ ! -e $CERT ]; then
+        openssl req -newkey rsa:4096 -nodes -sha256 \
+                -keyout $AUTHDIR/domain.key -x509 -days 2 \
+                -out $AUTHDIR/domain.crt \
+                -subj "/C=US/ST=Foo/L=Bar/O=Red Hat, Inc./CN=localhost"
+    fi
+
+    if [ ! -e $AUTHDIR/htpasswd ]; then
+        htpasswd -Bbn testuser testpassword > $AUTHDIR/htpasswd
+    fi
+
+    podman run -d -p 5000:5000 \
+           --name registry \
+           -v $AUTHDIR:/auth:Z \
+           -e "REGISTRY_AUTH=htpasswd" \
+           -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
+           -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
+           -e REGISTRY_HTTP_TLS_CERTIFICATE=/auth/domain.crt \
+           -e REGISTRY_HTTP_TLS_KEY=/auth/domain.key \
+           $REGISTRY_FQIN
+}
+
+function teardown() {
+    podman rm -f registry
+}

tests/roles/run_bats_tests/files/run_bats_tests.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+#
+# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
+#
+# This is invoked by the 'run_bats_tests' role; we assume that
+# the package foo has a foo-tests subpackage which provides the
+# directory /usr/share/foo/test/system, containing one or more .bats
+# test files.
+#
+
+export PATH=/usr/local/bin:/usr/sbin:/usr/bin
+
+# Keep all logs in /tmp/artifacts - this seems to be an undocumented
+# (and therefore dangerous and unreliable) convention of the Standard
+# Test Roles package. As of 2020-05 we have to coexist with cockpit
+# which uses standard-test-basic, which means we need to conform to
+# its conventions.
+# We rely on our parent playbook to create /tmp/artifacts and make it
+# world-writable so nonroot tests can use it.
+TEST_LOG_TXT=/tmp/artifacts/test.log
+TEST_LOG_YML=/tmp/artifacts/results.yml
+
+# "podman root" -> "podman-root"
+testname_oneword=${TEST_NAME// /-}
+
+FULL_LOG=/tmp/artifacts/test.${testname_oneword}.debug.log
+BATS_LOG=/tmp/artifacts/test.${testname_oneword}.bats.log
+rm -f $FULL_LOG $BATS_LOG
+touch $FULL_LOG $BATS_LOG
+
+exec &> $FULL_LOG
+
+# Log program versions
+echo "Packages:"
+rpm -qa |\
+    egrep 'buildah|conmon|container|crun|iptable|podman|runc|skopeo|slirp|systemd' |\
+    sort |\
+    sed -e 's/^/  /'
+
+echo "------------------------------"
+printenv | sort
+
+testdir=/usr/share/${TEST_PACKAGE}/test/system
+
+if ! cd $testdir; then
+    echo "FAIL ${TEST_NAME} : cd $testdir"      >> $TEST_LOG_TXT
+    echo "- { test: '${TEST_NAME}', result: error, logs: [ $(basename $FULL_LOG) ] }" >> $TEST_LOG_YML
+    exit 0
+fi
+
+if [ -e /tmp/helper.sh ]; then
+    echo "------------------------------"
+    echo ". /tmp/helper.sh"
+    . /tmp/helper.sh
+fi
+
+if [ "$(type -t setup)" = "function" ]; then
+    echo "------------------------------"
+    echo "\$ setup"
+    setup
+    if [ $? -ne 0 ]; then
+        echo "FAIL ${TEST_NAME} : setup"       >> $TEST_LOG_TXT
+        echo "- { test: '${TEST_NAME}', result: error, logs: [ $(basename $FULL_LOG) ] }" >> $TEST_LOG_YML
+        exit 0
+    fi
+fi
+
+echo "------------------------------"
+echo "\$ bats ."
+bats . &> $BATS_LOG
+rc=$?
+
+echo "------------------------------"
+echo "bats completed with status $rc"
+
+status=PASS
+if [ $rc -ne 0 ]; then
+    status=FAIL
+fi
+
+echo "${status} ${TEST_NAME}" >> $TEST_LOG_TXT
+
+# Append a stanza to results.yml
+(
+    echo "- test: ${TEST_NAME}"
+    # pass/fail - the ',,' (comma comma) converts to lower-case
+    echo "  result: ${status,,}"
+    echo "  logs:"
+    echo "  - $(basename $BATS_LOG)"
+    echo "  - $(basename $FULL_LOG)"
+)  >> $TEST_LOG_YML
+
+
+if [ "$(type -t teardown)" = "function" ]; then
+    echo "------------------------------"
+    echo "\$ teardown"
+    teardown
+fi
+
+# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
+exit 0

tests/roles/run_bats_tests/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+# Create a directory for artifacts on remote host
+- name: create remote artifacts directory
+  file:
+    path: /tmp/artifacts
+    state: directory
+    mode: 0777
+
+# Create empty results file, world-writable so rootless test can log to it
+- name: initialize test.log file
+  copy: dest=/tmp/artifacts/test.log content='' force=yes mode=0666
+
+# Same with results.yml file
+- name: initialize results.yml file
+  copy: dest=/tmp/artifacts/results.yml content='results:\n' force=yes mode=0666
+
+- name: execute tests
+  include: run_one_test.yml
+  with_items: "{{ tests }}"
+  loop_control:
+    loop_var: test
+
+- name: pull test.log and results.yml
+  fetch:
+    src: "{{ item }}"
+    dest: "{{ artifacts }}/"
+    flat: yes
+  with_items:
+    - /tmp/artifacts/test.log
+    - /tmp/artifacts/results.yml
+
+# Copied from standard-test-basic
+- name: check results
+  shell: grep "^FAIL" /tmp/artifacts/test.log
+  register: test_fails
+  # Never fail at this step. Just store result of tests.
+  failed_when: False
+
+- name: preserve results
+  set_fact:
+    role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
+    role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
+
+- name: display results
+  vars:
+    msg: |
+       Tests failed: {{ role_result_failed|d('Undefined') }}
+       Tests msg: {{ role_result_msg|d('None') }}
+  debug:
+    msg: "{{ msg.split('\n') }}"

tests/roles/run_bats_tests/tasks/run_one_test.yml

@@ -0,0 +1,52 @@
+---
+- name: "{{ test.name }} | install test packages"
+  dnf: name="{{ test.package }}-tests" state=installed
+
+- name: "{{ test.name }} | define helper variables"
+  set_fact:
+    test_name_oneword: "{{ test.name | replace(' ','-') }}"
+
+# UGH. This is necessary because our caller sets some environment variables
+# and we need to set a few more based on other caller variables; then we
+# need to combine the two dicts when running the test. This seems to be
+# the only way to do it in ansible.
+- name: "{{ test.name }} | define local environment"
+  set_fact:
+    local_environment:
+      TEST_NAME:    "{{ test.name }}"
+      TEST_PACKAGE: "{{ test.package }}"
+      TEST_ENV:     "{{ test.environment }}"
+
+- name: "{{ test.name }} | setup/teardown helper | see if exists"
+  local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
+  register: helper
+
+- name: "{{ test.name }} | setup/teardown helper | install"
+  copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
+  when: helper.stat.exists
+
+- name: "{{ test.name }} | run test"
+  script: ./run_bats_tests.sh
+  args:
+    chdir: /usr/share/{{ test.package }}/test/system
+  become: "{{ true if test.become is defined else false }}"
+  become_user: testuser
+  environment: "{{ local_environment | combine(test.environment) }}"
+
+- name: "{{ test.name }} | pull logs"
+  fetch:
+    src: "/tmp/artifacts/test.{{ test_name_oneword }}.{{ item }}.log"
+    dest: "{{ artifacts }}/"
+    flat: yes
+  with_items:
+    - bats
+    - debug
+
+- name: "{{ test.name }} | remove remote logs and helpers"
+  file:
+    dest=/tmp/{{ item }}
+    state=absent
+  with_items:
+    - artifacts/test.{{ test_name_oneword }}.bats.log
+    - artifacts/test.{{ test_name_oneword }}.debug.log
+    - helper.sh

tests/tests.yml

@@ -0,0 +1,47 @@
+---
+- hosts: localhost
+  tags:  classic
+  vars:
+  - artifacts: ./artifacts
+  roles:
+  - role: bats_installed
+  - role: nonroot_user
+  - role: run_bats_tests
+    tests:
+    - name:    podman root
+      package: podman
+      environment:
+        PODMAN: /usr/bin/podman
+
+    - name:    podman nonroot
+      package: podman
+      environment:
+        PODMAN: /usr/bin/podman
+      become:  true
+
+      #- name:    podman-remote root
+      #package: podman
+      #environment:
+      #  PODMAN: /usr/bin/podman-remote
+
+    - name:    buildah root
+      package: buildah
+      environment:
+        BUILDAH_BINARY: /usr/bin/buildah
+        IMGTYPE_BINARY: /usr/bin/buildah-imgtype
+
+    - name:    skopeo root
+      package: skopeo
+      environment:
+        SKOPEO_BINARY: /usr/bin/skopeo
+
+  # cockpit-podman
+  - role: fetch_pkg
+    package: cockpit-podman
+    modulemd: ../container-tools.yaml
+  tasks:
+  - include_role:
+      name: ./packages/cockpit-podman/tests/roles/test
+    vars:
+      pkgdir: ./packages/cockpit-podman/
+      test_script_dir: tests