diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.packit.yaml b/.packit.yaml
new file mode 100644
index 0000000..c9b56ad
--- /dev/null
+++ b/.packit.yaml
@@ -0,0 +1,130 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+downstream_package_name: container-selinux
+upstream_tag_template: v{version}
+
+# Ref: https://packit.dev/docs/configuration#files_to_sync
+files_to_sync:
+ - src: rpm/gating.yaml
+ dest: gating.yaml
+ delete: true
+ - src: plans/
+ dest: plans/
+ delete: true
+ - src: test/
+ dest: test/
+ delete: true
+ - src: .fmf/
+ dest: .fmf/
+ delete: true
+ - .packit.yaml
+
+packages:
+ container-selinux-fedora:
+ pkg_tool: fedpkg
+ specfile_path: rpm/container-selinux.spec
+ container-selinux-centos:
+ pkg_tool: centpkg
+ specfile_path: rpm/container-selinux.spec
+ container-selinux-eln:
+ specfile_path: rpm/container-selinux.spec
+
+srpm_build_deps:
+ - make
+
+jobs:
+ - job: copr_build
+ trigger: pull_request
+ packages: [container-selinux-fedora]
+ notifications: &copr_build_failure_notification
+ failure_comment:
+ message: "Ephemeral COPR build failed. @containers/packit-build please check."
+ enable_net: true
+ # container-selinux is noarch so we only need to test on one arch
+ targets: &fedora_copr_targets
+ - fedora-development
+ - fedora-latest
+ - fedora-ltest-stable
+ - fedora-40
+
+ - job: copr_build
+ trigger: pull_request
+ packages: [container-selinux-eln]
+ notifications: *copr_build_failure_notification
+ enable_net: true
+ targets:
+ - fedora-eln
+
+ - job: copr_build
+ trigger: pull_request
+ packages: [container-selinux-centos]
+ notifications: *copr_build_failure_notification
+ enable_net: true
+ targets: ¢os_copr_targets
+ - centos-stream-9
+ - centos-stream-10
+
+ # Run on commit to main branch
+ # Build targets managed in copr settings
+ - job: copr_build
+ trigger: commit
+ packages: [container-selinux-fedora]
+ notifications:
+ failure_comment:
+ message: "podman-next COPR build failed. @containers/packit-build please check."
+ branch: main
+ owner: rhcontainerbot
+ project: podman-next
+ enable_net: true
+
+ # All tests specified in the `/plans/` subdir
+ # Tests for Fedora
+ - job: tests
+ trigger: pull_request
+ packages: [container-selinux-fedora]
+ notifications: &test_failure_notification
+ failure_comment:
+ message: "Tests failed. @containers/packit-build please check."
+ targets: *fedora_copr_targets
+ tf_extra_params:
+ environments:
+ - artifacts:
+ - type: repository-file
+ id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/fedora-$releasever/rhcontainerbot-podman-next-fedora-$releasever.repo
+
+ # Tests for CentOS Stream
+ - job: tests
+ trigger: pull_request
+ packages: [container-selinux-centos]
+ notifications: *test_failure_notification
+ targets: *centos_copr_targets
+ tf_extra_params:
+ environments:
+ - artifacts:
+ - type: repository-file
+ id: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/repo/centos-stream-$releasever/rhcontainerbot-podman-next-centos-stream-$releasever.repo
+
+ - job: propose_downstream
+ trigger: release
+ packages: [container-selinux-fedora]
+ dist_git_branches: &fedora_targets
+ - fedora-all
+
+ - job: propose_downstream
+ trigger: release
+ packages: [container-selinux-centos]
+ dist_git_branches:
+ - c10s
+
+ - job: koji_build
+ trigger: commit
+ packages: [container-selinux-fedora]
+ dist_git_branches: *fedora_targets
+
+ - job: bodhi_update
+ trigger: commit
+ packages: [container-selinux-fedora]
+ dist_git_branches:
+ - fedora-branched # rawhide updates are created automatically
diff --git a/gating.yaml b/gating.yaml
index dfc23d3..293f395 100644
--- a/gating.yaml
+++ b/gating.yaml
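Review bot: The Fedora target list anchored as `&fedora_copr_targets` contains `fedora-ltest-stable`, which looks like a misspelling of the `fedora-latest-stable` alias; because the Fedora tests job reuses the list through `*fedora_copr_targets`, both the copr build and the test run would inherit it. Every `pull_request` copr_build job also sets `enable_net: true`, so build steps driven by not-yet-reviewed PR content get network access inside the build environment. If the build does not need to fetch anything, drop the key on the pull-request jobs; otherwise add a comment above it such as `# enable_net: <reason the build needs network>` so the exception is recorded as deliberate.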
@@ -1,6 +1,13 @@
-# recipients: jnovy, lsm5, santiago
 --- !Policy
 product_versions:
- - rhel-9
+ - fedora-*
+decision_context: bodhi_update_push_stable
+rules:
+ - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+ - rhel-*
 decision_context: osci_compose_gate
-rules: []
+rules:
+ - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
diff --git a/plans/main.fmf b/plans/main.fmf
new file mode 100644
index 0000000..34eb453
--- /dev/null
+++ b/plans/main.fmf
@@ -0,0 +1,34 @@
+discover:
+ how: fmf
+execute:
+ how: tmt
+prepare:
+ how: shell
+ script: cp -f $TMT_TREE/test/tag-repository.repo /etc/yum.repos.d/.
+adjust:
+ - when: initiator == packit
+ because: "We need to test with updated packages from rhcontainerbot/podman-next copr"
+ prepare+:
+ how: shell
+ script: sed -i -n '/^priority=/!p;$apriority=5' /etc/yum.repos.d/*:rhcontainerbot:podman-next.repo
+ - when: distro == centos-stream or distro == rhel
+ because: "bats package is present in epel"
+ prepare+:
+ how: feature
+ epel: enabled
+
+/upstream:
+ summary: Run SELinux specific Podman tests on upstream PRs
+ discover+:
+ filter: tag:upstream
+ adjust+:
+ - when: initiator is not defined or initiator != packit
+ enabled: false
+
+/downstream:
+ summary: Run SELinux specific Podman tests on bodhi / errata and dist-git PRs
+ discover+:
+ filter: tag:downstream
+ adjust+:
+ - when: initiator == packit
+ enabled: false
diff --git a/test/Makefile b/test/Makefile
new file mode 100644
index 0000000..9088bd9
--- /dev/null
+++ b/test/Makefile
@@ -0,0 +1,16 @@
+.PHONY: basic_check
+basic_check:
+ semodule --list=full | grep container
+ semodule -B
+ rpm -Vqf /var/lib/selinux/*/active/modules/200/container
+
+.PHONY: podman_e2e_test
+podman_e2e_test:
+ bash ./podman-tests.sh e2e
+
+.PHONY: podman_system_test
+podman_system_test:
+ bash ./podman-tests.sh system
+
+clean:
+ rm -rf podman-*dev* podman.spec
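Review bot: The top-level `prepare` step in plans/main.fmf copies `test/tag-repository.repo` into `/etc/yum.repos.d/` on every run, with no distro condition. That file points at the c9s-build Koji repo with `enabled=1` and `gpgcheck=0`, so Fedora, CentOS Stream 10 and RHEL test hosts would also resolve packages from a CentOS Stream 9 buildroot without signature checks. Consider moving the copy into an `adjust` entry guarded by something like `when: distro == centos-stream-9`, with a `because:` line explaining why the tag repository is needed there.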
diff --git a/test/main.fmf b/test/main.fmf
new file mode 100644
index 0000000..4e78ba0
--- /dev/null
+++ b/test/main.fmf
@@ -0,0 +1,24 @@
+# Only common dependencies that are NOT required to run podman-tests.sh are
+# specified here. Everything else is in podman-tests.sh.
+require:
+ - bats
+ - container-selinux
+ - cpio
+ - golang
+ - make
+ - policycoreutils
+
+/basic_check:
+ tag: [ upstream, downstream ]
+ summary: Run basic checks
+ test: make basic_check
+
+/podman_e2e_test:
+ tag: [ upstream, downstream ]
+ summary: Run SELinux specific Podman e2e tests
+ test: make podman_e2e_test
+
+/podman_system_test:
+ tag: [ upstream, downstream ]
+ summary: Run SELinux specific Podman system tests
+ test: make podman_system_test
diff --git a/test/podman-tests.sh b/test/podman-tests.sh
new file mode 100644
index 0000000..7f262b6
--- /dev/null
+++ b/test/podman-tests.sh
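Review bot: The header comment in test/main.fmf says the `require` list holds only dependencies that are NOT needed to run podman-tests.sh, yet `cpio` and `golang` are used by that script (`rpm2cpio … | cpio -di` and `go test`), so the comment misdescribes the list. Suggest rewording it to `# Dependencies common to all tests; podman and podman-tests are installed by podman-tests.sh.` The script also calls `dnf download`, which on dnf4 hosts presumably comes from a plugin package; confirm it is present on the test images or add it to `require`.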
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+set -exo pipefail
+
+cat /etc/redhat-release
+
+if [[ "$(id -u)" -ne 0 ]];then
+ echo "Please run as superuser"
+ exit 1
+fi
+
+if [[ -z "$1" ]]; then
+ echo -e "Usage: $(basename ${BASH_SOURCE[0]}) TEST_TYPE\nTEST_TYPE can be 'e2e' or 'system'\n"
+ exit 1
+fi
+
+TEST_TYPE=$1
+
+# Fetch and extract latest podman source from the highest priority dnf repo
+# NOTE: On upstream pull-requests, the srpm will be fetched from the
+# podman-next copr while on bodhi updates, it will be fetched from Fedora's
+# official repos.
+PODMAN_DIR=$(mktemp -d)
+pushd $PODMAN_DIR
+
+# Download podman and podman-tests rpms, along with podman srpm
+dnf download podman podman-tests
+# Download srpm, srpm opts differ between dnf and dnf5
+rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman
+
+# Ensure podman-tests RPM and podman SRPM version-release match
+# NOTE: podman RPM and podman-tests RPM matching is ensured by podman.spec so
+# matching podman-tests and podman srpm is sufficient here.
+PODMAN_TESTS_VERSION=$(ls podman-tests* | sed -e "s/.$(uname -m).rpm//" -e "s/podman-tests-//")
+PODMAN_SRPM_VERSION=$(ls podman*.src.rpm | sed -e "s/.src.rpm//" -e "s/podman-//")
+if [[ "$PODMAN_TESTS_VERSION" != "$PODMAN_SRPM_VERSION" ]]; then
+ echo "podman-tests and podman srpm version-release don't match"
+ exit 1
+fi
+
+# Install downloaded podman and podman-tests rpms
+dnf -y install ./podman*.$(uname -m).rpm
+
+# Extract and untar podman source from srpm
+rpm2cpio $(ls podman*.src.rpm) | cpio -di
+# podman.spec on CentOS Stream fetches multiple source tarballs
+for file in *.tar.gz; do tar -zxf "$file"; done
+
+popd
+
+# Print versions of distro and installed packages
+rpm -q bats container-selinux golang podman podman-tests selinux-policy
+
+if [[ "$TEST_TYPE" == "e2e" ]]; then
+ # /tmp is often unsufficient
+ export TMPDIR=/var/tmp
+
+ # dnf5 contains breaking changes
+ # Either of `dnf` OR `dnf5` will be installed, never both.
+ # To fetch srpm, dnf uses `--source`, dnf5 uses `--srpm`.
+ #rpm -q dnf5 && SRPM_OPTS="--srpm" || SRPM_OPTS="--source"
+
+ # Run podman e2e tests
+ pushd $PODMAN_DIR/podman-*/test/e2e
+ PODMAN_BINARY=/usr/bin/podman go test -v config.go config_amd64.go common_test.go libpod_suite_test.go run_selinux_test.go
+ popd
+fi
+
+if [[ "$TEST_TYPE" == "system" ]]; then
+ # Run podman system tests
+ bats /usr/share/podman/test/system/410-selinux.bats
+fi
diff --git a/test/tag-repository.repo b/test/tag-repository.repo
new file mode 100644
index 0000000..13c828b
--- /dev/null
+++ b/test/tag-repository.repo
@@ -0,0 +1,10 @@
+[testing-farm-tag-repository]
+name=Tag repository for c9s-build
+baseurl=https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/$basearch/
+gpgcheck=0
+enabled=1
+priority=9
+skip_if_unavailable=True
+# See TFT-847 - glibc32*
+# See TFT-1284 - beakerlib
+exclude=glibc32* beakerlib
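Review bot: In test/podman-tests.sh, `rpm -q dnf5 && dnf download --srpm podman || dnf download --source podman` falls through to the `--source` branch when the `--srpm` download fails on a dnf5 host, which hides the real error behind a second, unrelated one. Writing it as `if rpm -q dnf5; then dnf download --srpm podman; else dnf download --source podman; fi` keeps the two paths separate. A `TEST_TYPE` other than `e2e` or `system` also passes the `-z "$1"` check, downloads and installs the RPMs, and then exits 0 without running any test, so a typo in the Makefile or plan would be reported as a pass. An `else` branch that prints the usage text and exits 1 would close that gap.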
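Review bot: `gpgcheck=0` together with `enabled=1` in test/tag-repository.repo makes dnf install packages from this repo without verifying signatures, and the file carries no comment saying why. If the Koji buildroot packages are unsigned, as is presumably the case, record that on a line above the setting, e.g. `# buildroot packages are unsigned; for throwaway test hosts only`. That keeps the exception visible to anyone who later copies this file onto a longer-lived machine.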