TMT: enable podman reverse dependency tests

Resolves: RHEL-71388

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>

.fmf/version

@@ -0,0 +1 @@
+1

.packit.yaml

@@ -0,0 +1,130 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+downstream_package_name: container-selinux
+upstream_tag_template: v{version}
+
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+  - src: rpm/gating.yaml
+    dest: gating.yaml
+    delete: true
+  - src: plans/
+    dest: plans/
+    delete: true
+  - src: test/
+    dest: test/
+    delete: true
+  - src: .fmf/
+    dest: .fmf/
+    delete: true
+  - .packit.yaml
+
+packages:
+  container-selinux-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/container-selinux.spec
+  container-selinux-eln:
+    specfile_path: rpm/container-selinux.spec
+
+srpm_build_deps:
+  - make
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &copr_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    enable_net: true
+    # container-selinux is noarch so we only need to test on one arch
+    targets: &fedora_copr_targets
+      - fedora-development
+      - fedora-latest
+      - fedora-ltest-stable
+      - fedora-40
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-eln]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets:
+      - fedora-eln
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *copr_build_failure_notification
+    enable_net: true
+    targets: &centos_copr_targets
+      - centos-stream-9
+      - centos-stream-10
+
+  # Run on commit to main branch
+  # Build targets managed in copr settings
+  - job: copr_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    notifications:
+      failure_comment:
+        message: "podman-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: podman-next
+    enable_net: true
+
+  # All tests specified in the `/plans/` subdir
+  # Tests for Fedora
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-fedora]
+    notifications: &test_failure_notification
+      failure_comment:
+        message: "Tests failed. @containers/packit-build please check."
+    targets: *fedora_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+  # Tests for CentOS Stream
+  - job: tests
+    trigger: pull_request
+    packages: [container-selinux-centos]
+    notifications: *test_failure_notification
+    targets: *centos_copr_targets
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-fedora]
+    dist_git_branches: &fedora_targets
+      - fedora-all
+
+  - job: propose_downstream
+    trigger: release
+    packages: [container-selinux-centos]
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches: *fedora_targets
+
+  - job: bodhi_update
+    trigger: commit
+    packages: [container-selinux-fedora]
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically

gating.yaml

@@ -1,6 +1,13 @@
-# recipients: jnovy, lsm5, santiago
 --- !Policy
 product_versions:
-  - rhel-9
+  - fedora-*
+decision_context: bodhi_update_push_stable
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - rhel-*
 decision_context: osci_compose_gate
-rules: []
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

plans/main.fmf

@@ -0,0 +1,34 @@
+discover:
+    how: fmf
+execute:
+    how: tmt
+prepare:
+    how: shell
+    script: cp -f $TMT_TREE/test/tag-repository.repo /etc/yum.repos.d/.
+adjust:
+    - when: initiator == packit
+      because: "We need to test with updated packages from rhcontainerbot/podman-next copr"
+      prepare+:
+        how: shell
+        script: sed -i -n '/^priority=/!p;$apriority=5' /etc/yum.repos.d/*:rhcontainerbot:podman-next.repo
+    - when: distro == centos-stream or distro == rhel
+      because: "bats package is present in epel"
+      prepare+:
+        how: feature
+        epel: enabled
+
+/upstream:
+    summary: Run SELinux specific Podman tests on upstream PRs
+    discover+:
+        filter: tag:upstream
+    adjust+:
+        - when: initiator is not defined or initiator != packit
+          enabled: false
+
+/downstream:
+    summary: Run SELinux specific Podman tests on bodhi / errata and dist-git PRs
+    discover+:
+        filter: tag:downstream
+    adjust+:
+        - when: initiator == packit
+          enabled: false

test/Makefile

@@ -0,0 +1,16 @@
+.PHONY: basic_check
+basic_check:
+	semodule --list=full | grep container
+	semodule -B
+	rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+.PHONY: podman_e2e_test
+podman_e2e_test:
+	bash ./podman-tests.sh e2e
+
+.PHONY: podman_system_test
+podman_system_test:
+	bash ./podman-tests.sh system
+
+clean:
+	rm -rf podman-*dev* podman.spec

test/main.fmf

@@ -0,0 +1,24 @@
+# Only common dependencies that are NOT required to run podman-tests.sh are
+# specified here. Everything else is in podman-tests.sh.
+require:
+    - bats
+    - container-selinux
+    - cpio
+    - golang
+    - make
+    - policycoreutils
+
+/basic_check:
+    tag: [ upstream, downstream ]
+    summary: Run basic checks
+    test: make basic_check
+
+/podman_e2e_test:
+    tag: [ upstream, downstream ]
+    summary: Run SELinux specific Podman e2e tests
+    test: make podman_e2e_test
+
+/podman_system_test:
+    tag: [ upstream, downstream ]
+    summary: Run SELinux specific Podman system tests
+    test: make podman_system_test

test/podman-tests.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+    echo "Please run as superuser"
+    exit 1
+fi
+
+if [[ -z "$1" ]]; then
+    echo -e "Usage: $(basename ${BASH_SOURCE[0]}) TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n"
+    exit 1
+fi
+
+TEST_TYPE=$1
+
+# Fetch and extract latest podman source from the highest priority dnf repo
+# NOTE: On upstream pull-requests, the srpm will be fetched from the
+# podman-next copr while on bodhi updates, it will be fetched from Fedora's
+# official repos.
+PODMAN_DIR=$(mktemp -d)
+pushd $PODMAN_DIR
+
+# Download podman and podman-tests rpms, along with podman srpm
+dnf download podman podman-tests
+# Download srpm, srpm opts differ between dnf and dnf5
+rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman
+
+# Ensure podman-tests RPM and podman SRPM version-release match
+# NOTE: podman RPM and podman-tests RPM matching is ensured by podman.spec so
+# matching podman-tests and podman srpm is sufficient here.
+PODMAN_TESTS_VERSION=$(ls podman-tests* | sed -e "s/.$(uname -m).rpm//" -e "s/podman-tests-//")
+PODMAN_SRPM_VERSION=$(ls podman*.src.rpm | sed -e "s/.src.rpm//" -e "s/podman-//")
+if [[ "$PODMAN_TESTS_VERSION" != "$PODMAN_SRPM_VERSION" ]]; then
+    echo "podman-tests and podman srpm version-release don't match"
+    exit 1
+fi
+
+# Install downloaded podman and podman-tests rpms
+dnf -y install ./podman*.$(uname -m).rpm
+
+# Extract and untar podman source from srpm
+rpm2cpio $(ls podman*.src.rpm) | cpio -di
+# podman.spec on CentOS Stream fetches multiple source tarballs
+for file in *.tar.gz; do tar -zxf "$file"; done
+
+popd
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux golang podman podman-tests selinux-policy
+
+if [[ "$TEST_TYPE" == "e2e" ]]; then
+    # /tmp is often unsufficient
+    export TMPDIR=/var/tmp
+
+    # dnf5 contains breaking changes
+    # Either of `dnf` OR `dnf5` will be installed, never both.
+    # To fetch srpm, dnf uses `--source`, dnf5 uses `--srpm`.
+    #rpm -q dnf5 && SRPM_OPTS="--srpm" || SRPM_OPTS="--source"
+
+    # Run podman e2e tests
+    pushd $PODMAN_DIR/podman-*/test/e2e
+    PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
+    popd
+fi
+
+if [[ "$TEST_TYPE" == "system" ]]; then
+    # Run podman system tests
+    bats /usr/share/podman/test/system/410-selinux.bats
+fi

test/tag-repository.repo

@@ -0,0 +1,10 @@
+[testing-farm-tag-repository]
+name=Tag repository for c9s-build
+baseurl=https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/$basearch/
+gpgcheck=0
+enabled=1
+priority=9
+skip_if_unavailable=True
+# See TFT-847 - glibc32*
+# See TFT-1284 - beakerlib
+exclude=glibc32* beakerlib