diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d3e725be..ad2ae93c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -46,10 +46,10 @@ jobs:
 - name: Check which containers changed
 id: containers_changed
 run: |
- tasks=$(git diff --name-only origin/main..HEAD -- tasks/ | grep -Ev 'run-local.sh|openssl.cnf|README' || true)
+ tasks=$(git diff --name-only origin/main..HEAD -- tasks/ | grep -Ev 'run-local.sh|openssl.cnf|README|mock-github-pr|.yaml' || true)
 # print for debugging
 echo "tasks: $tasks"
- [ -z "$tasks" ] || echo "::set-output name=tasks::true"
+ [ -z "$tasks" ] || echo "tasks=true" >> "$GITHUB_OUTPUT"
 - name: Build tasks container if it changed
 if: steps.containers_changed.outputs.tasks
diff --git a/ansible/roles/webhook/cockpituous-webhook.service b/ansible/roles/webhook/cockpituous-webhook.service
index 548eabf1..f00595e1 100644
--- a/ansible/roles/webhook/cockpituous-webhook.service
+++ b/ansible/roles/webhook/cockpituous-webhook.service
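Review bot: The new exclusion term `.yaml` in the `grep -Ev` pattern is an unanchored extended regex whose `.` matches any character, so it silently drops every changed path under tasks/ that contains `yaml` anywhere in its name (a hypothetical `yaml-loader.py` would be excluded as well), and `mock-github-pr` likewise excludes any path containing that substring. Because the `tasks` output gates whether the tasks container is rebuilt and tested, an over-broad exclusion means a real change can ship without the image being rebuilt; the existing `run-local.sh` and `openssl.cnf` terms have the same unescaped dot but the new term is the broadest. Anchor and escape the file-name terms, e.g. `grep -Ev 'run-local\.sh$|openssl\.cnf$|README|mock-github-pr|\.yaml$'`. The `run:` block is fully visible in the hunk; the surrounding job definition is not.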
@@ -11,29 +11,29 @@ TimeoutStopSec=70
 ExecStart=-/usr/bin/podman pod rm -f cockpituous
 ExecStart=/usr/bin/podman run \
- --cgroups=no-conmon \
- --rm \
- -d \
- --name cockpituous-rabbitmq \
- --pod=new:cockpituous \
- --pull=always \
- --publish 5671:5671 \
- --publish 80:8080 \
- --tmpfs /var/lib/rabbitmq \
- -v /etc/rabbitmq:/etc/rabbitmq:ro,z \
- -v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
- docker.io/rabbitmq
+ --cgroups=no-conmon \
+ --rm \
+ -d \
+ --name cockpituous-rabbitmq \
+ --pod=new:cockpituous \
+ --pull=always \
+ --publish 5671:5671 \
+ --publish 80:8080 \
+ --tmpfs /var/lib/rabbitmq \
+ -v /etc/rabbitmq:/etc/rabbitmq:ro,z \
+ -v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
+ docker.io/rabbitmq
 ExecStart=/usr/bin/podman run \
- --cgroups=no-conmon \
- --rm \
- -d \
- --name cockpituous-webhook \
- --pod=cockpituous \
- --pull=always \
- -e AMQP_SERVER=localhost:5671 \
- -v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
- quay.io/cockpit/tasks webhook
+ --cgroups=no-conmon \
+ --rm \
+ -d \
+ --name cockpituous-webhook \
+ --pod=cockpituous \
+ --pull=always \
+ -e AMQP_SERVER=localhost:5671 \
+ -v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
+ quay.io/cockpit/tasks webhook
 ExecStop=/usr/bin/podman pod rm -f cockpituous
diff --git a/push-container b/push-container
index 554b0ebf..a855abe7 100755
--- a/push-container
+++ b/push-container
@@ -7,8 +7,8 @@ ID=$($DOCKER images -q $IMAGE:latest | head -n1)
 TAGS=$($DOCKER images --format '{{.Tag}} {{.ID}}' $IMAGE | sort -u | grep $ID | awk '{print $1}')
 if [ $(echo "$TAGS" | wc -w) -ne "2" ]; then
- echo "Expected exactly two tags for the image to push: latest and one other"
- exit 1
+ echo "Expected exactly two tags for the image to push: latest and one other"
+ exit 1
 fi
 for PUSHTAG in $TAGS; do
 $DOCKER push "$IMAGE:$PUSHTAG"
diff --git a/tasks/Containerfile b/tasks/Containerfile
index 1386df01..7b95ee18 100644
--- a/tasks/Containerfile
+++ b/tasks/Containerfile
@@ -57,7 +57,7 @@ RUN dnf -y update && \
 valgrind \
 vim-enhanced \
 virt-install \
- && \
+ && \
 curl -o /tmp/cockpit.spec -s https://raw.githubusercontent.com/cockpit-project/cockpit/main/tools/cockpit.spec && \
 dnf -y builddep --setopt=install_weak_deps=False /tmp/cockpit.spec && \
 rm /tmp/cockpit.spec && \
@@ -69,7 +69,7 @@ COPY cockpit-tasks install-service webhook github_handler.py /usr/local/bin/
 RUN groupadd -g 1111 -r user && useradd -r -g user -u 1111 user --home-dir /work && \
 groupadd -g 1001 -r github && useradd -r --no-create-home -g github -u 1001 github && \
 mkdir -p /usr/local/bin /cache/images /cache/github && \
- mkdir -p /work/.config /work/.config/cockpit-dev /work/.ssh /work/.cache /work/.rhel && \
+ mkdir -p /work/.ssh /work/.cache && \
 printf '[user]\n\t\nemail = cockpituous@cockpit-project.org\n\tname = Cockpituous\n[cockpit "bots"]\n\timages-data-dir = /cache/images\n' >/work/.gitconfig && \
 chmod g=u /etc/passwd && \
 chmod -R ugo+w /cache /work && \
diff --git a/tasks/install-service b/tasks/install-service
index 62c3c225..88f01293 100755
--- a/tasks/install-service
+++ b/tasks/install-service
@@ -63,12 +63,12 @@ ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOS
 --volume=\${TEST_CACHE}/images:/cache/images:rw \
 --volume=\${TEST_SECRETS}/tasks:/run/secrets/tasks:ro \
 --volume=\${TEST_SECRETS}/webhook:/run/secrets/webhook:ro \
- --volume=${IMAGE_STORES}:/work/.config/cockpit-dev/image-stores:ro \
+ --volume=${IMAGE_STORES}:/config/image-stores:ro \
 --volume=/etc/npmrc:/etc/npmrc:ro \
 --volume=%t/podman/podman.sock:/podman.sock:rw \
 --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
 --env=COCKPIT_S3_KEY_DIR=/run/secrets/tasks/s3-keys \
- --env=CONTAINER_HOST=unix:///podman.sock \
+ --env=COCKPIT_IMAGE_STORES_FILE=/config/image-stores \
 --env=TEST_JOBS=\${TEST_JOBS} \
 --env=TEST_NOTIFICATION_MX=\${TEST_NOTIFICATION_MX} \
 --env=TEST_NOTIFICATION_TO=\${TEST_NOTIFICATION_TO} \
diff --git a/tasks/run-local.sh b/tasks/run-local.sh
index 934abb6a..c26b3ecd 100755
--- a/tasks/run-local.sh
+++ b/tasks/run-local.sh
@@ -87,12 +87,8 @@ EOF
 (mkdir -p webhook; cd webhook; $MYDIR/credentials/webhook/generate.sh)
 (mkdir -p tasks; cd tasks; $ROOTDIR/local-s3/generate-s3-cert.sh)
- # dummy token
- if [ -z "$TOKEN" ]; then
- echo 0123abc > webhook/.config--github-token
- else
- cp -fv "$TOKEN" webhook/.config--github-token
- fi
+ # default to dummy token, tests need to opt into real one
+ echo 0123abc > webhook/.config--github-token
 # minio S3 key
 mkdir tasks/s3-keys
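Review bot: `--env=CONTAINER_HOST=unix:///podman.sock` is removed while the `%t/podman/podman.sock:/podman.sock:rw` mount a few lines above stays, so anything in the tasks image that still relies on the default podman-remote connection no longer reaches the host socket; run-local.sh's test_podman in this same commit compensates with an explicit `--url unix:///podman.sock`, but the production unit written here has no equivalent, so presumably the job runner passes the URL itself. That intent is worth recording next to the mount, e.g. `# socket consumer passes --url unix:///podman.sock explicitly; CONTAINER_HOST is deliberately not exported`. The new `--volume=${IMAGE_STORES}:/config/image-stores:ro` line also keeps `${IMAGE_STORES}` unescaped (expanded when install-service runs, unlike the `\${TEST_…}` siblings that expand at service start), which matches the old line but differs from its neighbours and deserves a one-line comment. The ExecStart= continuation starts and ends outside this hunk, and the same CONTAINER_HOST removal appears in run-local.sh's tasks-container hunk.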
@@ -123,16 +119,18 @@ launch_containers() {
 # start podman and run RabbitMQ in the background
 podman run -d --name cockpituous-rabbitmq --pod=new:cockpituous \
+ --security-opt=label=disable \
 --publish $IMAGE_PORT:8080 \
 --publish $S3_PORT:9000 \
 --publish 9001:9001 \
- -v "$RABBITMQ_CONFIG":/etc/rabbitmq:ro,z \
- -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
+ -v "$RABBITMQ_CONFIG":/etc/rabbitmq:ro \
+ -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
 docker.io/rabbitmq
 # S3 local
 admin_password="$(dd if=/dev/urandom bs=10 count=1 status=none | base64)"
 podman run -d --name cockpituous-s3 --pod=cockpituous \
+ --security-opt=label=disable \
 -e MINIO_ROOT_USER="minioadmin" \
 -e MINIO_ROOT_PASSWORD="$admin_password" \
 -v "$SECRETS"/tasks/s3-server.key:/root/.minio/certs/private.key:ro \
@@ -140,6 +138,7 @@ launch_containers() {
 quay.io/minio/minio server /data --console-address :9001
 # wait until it started, create bucket
 podman run -d --interactive --name cockpituous-mc --pod=cockpituous \
+ --security-opt=label=disable \
 -v "$SECRETS"/ca.pem:/etc/pki/ca-trust/source/anchors/ca.pem:ro \
 --entrypoint /bin/sh quay.io/minio/mc
 read s3user s3key < "$SECRETS/tasks/s3-keys/localhost.localdomain"
@@ -160,7 +159,8 @@ EOF
 if [ -n "$INTERACTIVE" ]; then
 [ -z "$TOKEN" ] || cp -fv "$TOKEN" "$SECRETS"/webhook/.config--github-token
 podman run -d --name cockpituous-webhook --pod=cockpituous --user user \
- -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
+ --security-opt=label=disable \
+ -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
 --env=AMQP_SERVER=$AMQP_POD \
 --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
 --env=COCKPIT_GITHUB_WEBHOOK_TOKEN_FILE=/run/secrets/webhook/.config--github-webhook-token \
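Review bot: `--security-opt=label=disable` on the rabbitmq `podman run` switches off SELinux confinement for the whole container process, which is a far broader relaxation than the per-mount `:z` relabel it replaces on the two `-v` lines: the container no longer gets its own MCS label, so SELinux no longer separates it from host files or from the other containers. The same flag is added to the minio container in this hunk and to the mc, webhook and tasks containers in the `@@ -140`, `@@ -160` and `@@ -174` hunks, so every container in the pod ends up unconfined. For a local test harness that is probably an acceptable trade-off to avoid relabeling `$RABBITMQ_CONFIG` and `$SECRETS` on the host, but the reason should sit next to the first occurrence, e.g. `# label=disable: skip SELinux separation so host dirs under $SECRETS need no relabeling (local test harness only)`; if relabeling is the only concern, keeping `:z` on just the bind mounts preserves confinement. launch_containers() starts before this hunk and continues past it.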
@@ -174,13 +174,13 @@ EOF
 sleep 3
 done
- # Run tasks container in the backgroud
+ # Run tasks container in the background
 # use bash as pid 1 to mop up zombies
 podman run -d -it --name cockpituous-tasks --pod=cockpituous \
- -v "$SECRETS"/tasks:/run/secrets/tasks:ro,z \
- -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
+ --security-opt=label=disable \
+ -v "$SECRETS"/tasks:/run/secrets/tasks:ro \
+ -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
 -v "${XDG_RUNTIME_DIR:-/run}/podman/podman.sock:/podman.sock" \
- --env=CONTAINER_HOST=unix:///podman.sock \
 --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
 --env=COCKPIT_CA_PEM=/run/secrets/webhook/ca.pem \
 --env=COCKPIT_BOTS_REPO=${COCKPIT_BOTS_REPO:-} \
@@ -200,7 +200,7 @@ EOF
 cleanup_containers() {
 echo "Cleaning up..."
- # clean up dummy token, so that image-prune does not try to use it
+ # clean up token, so that image-prune does not try to use it
 rm "$SECRETS"/webhook/.config--github-token
 # revert podman socket permission change
@@ -281,7 +281,8 @@ test_mock_pr() {
 echo "--------------- mock PR test log -----------------"
 echo "$LOG"
 echo "--------------- mock PR test log end -------------"
- assert_in 'Test run finished' "$LOG"
+ assert_in 'Test run finished, return code: 0\|Job ran successfully' "$LOG"
+ assert_in 'Running on:.*cockpituous' "$LOG"
 }
 test_pr() {
@@ -331,7 +332,7 @@ test_pr() {
 echo "--------------- test log end -------------"
 assert_in '' "$LOG_HTML"
 assert_in 'Running on:.*cockpituous' "$LOG"
- assert_in 'Test run finished, return code: 0' "$LOG"
+ assert_in 'Test run finished, return code: 0\|Job ran successfully' "$LOG"
 # validate test attachment if we ran cockpituous' own tests
 if [ "${PR_REPO%/cockpituous}" != "$PR_REPO" ]; then
 BOGUS_LOG=$($CURL ${LOG_URL%/log}/bogus.log)
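Review bot: The new pattern `'Test run finished, return code: 0\|Job ran successfully'` in test_mock_pr relies on `\|`, which is alternation only in GNU grep's BRE dialect; assert_in is defined outside this chunk, but if it wraps plain `grep` the assertion becomes GNU-only and on a grep that treats `\|` literally it would never match. `grep -E` with a bare `|` (or two separate assert_in calls) is portable. The second alternative also drops the return-code check, so a log that says `Job ran successfully` is accepted without any `return code` line; if the new runner path genuinely prints no return code a comment should say so, e.g. `# job-runner reports "Job ran successfully" instead of a return code`. The same pattern is added in test_pr at `@@ -331`; both functions start before their hunks.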
@@ -348,9 +349,9 @@ test_queue() {
 test_podman() {
 # tasks can connect to host's podman service
 # this will be covered implicitly by job-runner, but as a more basal plumbing test this is easier to debug
- out="$(podman exec -i cockpituous-tasks podman-remote ps)"
+ out="$(podman exec -i cockpituous-tasks podman-remote --url unix:///podman.sock ps)"
 assert_in 'cockpituous-tasks' "$out"
- out="$(podman exec -i cockpituous-tasks podman-remote run -it --rm quay.io/cockpit/tasks:latest whoami)"
+ out="$(podman exec -i cockpituous-tasks podman-remote --url unix:///podman.sock run -it --rm quay.io/cockpit/tasks:latest whoami)"
 assert_in '^user' "$out"
 }
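Review bot: `--url unix:///podman.sock` is now spelled out on both podman-remote invocations in test_podman, and since the commit stops exporting CONTAINER_HOST inside the tasks container the socket path is fixed in three places (here twice, plus the `-v …:/podman.sock` mount in launch_containers) that can drift apart. A small helper keeps it in one spot: `tasks_podman() { podman exec -i cockpituous-tasks podman-remote --url unix:///podman.sock "$@"; }`, then `out="$(tasks_podman ps)"` and `out="$(tasks_podman run -it --rm quay.io/cockpit/tasks:latest whoami)"`. The whole test_podman function is visible in this hunk.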