Various cleanups

.github/workflows/tests.yml

@@ -46,10 +46,10 @@ jobs:
       - name: Check which containers changed
         id: containers_changed
         run: |
-          tasks=$(git diff --name-only origin/main..HEAD -- tasks/ | grep -Ev 'run-local.sh|openssl.cnf|README' || true)
+          tasks=$(git diff --name-only origin/main..HEAD -- tasks/ | grep -Ev 'run-local.sh|openssl.cnf|README|mock-github-pr|.yaml' || true)
           # print for debugging
           echo "tasks: $tasks"
-          [ -z "$tasks" ] || echo "::set-output name=tasks::true"
+          [ -z "$tasks" ] || echo "tasks=true" >> "$GITHUB_OUTPUT"
 
       - name: Build tasks container if it changed
         if: steps.containers_changed.outputs.tasks

ansible/roles/webhook/cockpituous-webhook.service

@@ -11,29 +11,29 @@ TimeoutStopSec=70
 ExecStart=-/usr/bin/podman pod rm -f cockpituous
 
 ExecStart=/usr/bin/podman run \
-	--cgroups=no-conmon \
-	--rm \
-	-d \
-	--name cockpituous-rabbitmq \
-	--pod=new:cockpituous \
-	--pull=always \
-	--publish 5671:5671 \
-	--publish 80:8080 \
-	--tmpfs /var/lib/rabbitmq \
-	-v /etc/rabbitmq:/etc/rabbitmq:ro,z \
-	-v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
-	docker.io/rabbitmq
+    --cgroups=no-conmon \
+    --rm \
+    -d \
+    --name cockpituous-rabbitmq \
+    --pod=new:cockpituous \
+    --pull=always \
+    --publish 5671:5671 \
+    --publish 80:8080 \
+    --tmpfs /var/lib/rabbitmq \
+    -v /etc/rabbitmq:/etc/rabbitmq:ro,z \
+    -v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
+    docker.io/rabbitmq
 
 ExecStart=/usr/bin/podman run \
-	--cgroups=no-conmon \
-	--rm \
-	-d \
-	--name cockpituous-webhook \
-	--pod=cockpituous \
-	--pull=always \
-	-e AMQP_SERVER=localhost:5671 \
-	-v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
-	quay.io/cockpit/tasks webhook
+    --cgroups=no-conmon \
+    --rm \
+    -d \
+    --name cockpituous-webhook \
+    --pod=cockpituous \
+    --pull=always \
+    -e AMQP_SERVER=localhost:5671 \
+    -v /var/lib/cockpit-secrets/webhook:/run/secrets/webhook:ro,z \
+    quay.io/cockpit/tasks webhook
 
 ExecStop=/usr/bin/podman pod rm -f cockpituous
 

push-container

@@ -7,8 +7,8 @@ ID=$($DOCKER images -q $IMAGE:latest | head -n1)
 
 TAGS=$($DOCKER images --format '{{.Tag}}   {{.ID}}' $IMAGE | sort -u | grep $ID | awk '{print $1}')
 if [ $(echo "$TAGS" | wc -w) -ne "2" ]; then
-	echo "Expected exactly two tags for the image to push: latest and one other"
-	exit 1
+    echo "Expected exactly two tags for the image to push: latest and one other"
+    exit 1
 fi
 for PUSHTAG in $TAGS; do
     $DOCKER push "$IMAGE:$PUSHTAG"

tasks/Containerfile

@@ -57,7 +57,7 @@ RUN dnf -y update && \
         valgrind \
         vim-enhanced \
         virt-install \
-	&& \
+        && \
     curl -o /tmp/cockpit.spec -s https://raw.githubusercontent.com/cockpit-project/cockpit/main/tools/cockpit.spec && \
     dnf -y builddep --setopt=install_weak_deps=False /tmp/cockpit.spec && \
     rm /tmp/cockpit.spec && \
@@ -69,7 +69,7 @@ COPY cockpit-tasks install-service webhook github_handler.py /usr/local/bin/
 RUN groupadd -g 1111 -r user && useradd -r -g user -u 1111 user --home-dir /work && \
     groupadd -g 1001 -r github && useradd -r --no-create-home -g github -u 1001 github && \
     mkdir -p /usr/local/bin /cache/images /cache/github && \
-    mkdir -p /work/.config /work/.config/cockpit-dev /work/.ssh /work/.cache /work/.rhel && \
+    mkdir -p /work/.ssh /work/.cache && \
     printf '[user]\n\t\nemail = cockpituous@cockpit-project.org\n\tname = Cockpituous\n[cockpit "bots"]\n\timages-data-dir = /cache/images\n' >/work/.gitconfig && \
     chmod g=u /etc/passwd && \
     chmod -R ugo+w /cache /work && \

tasks/install-service

@@ -63,12 +63,12 @@ ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOS
     --volume=\${TEST_CACHE}/images:/cache/images:rw \
     --volume=\${TEST_SECRETS}/tasks:/run/secrets/tasks:ro \
     --volume=\${TEST_SECRETS}/webhook:/run/secrets/webhook:ro \
-    --volume=${IMAGE_STORES}:/work/.config/cockpit-dev/image-stores:ro \
+    --volume=${IMAGE_STORES}:/config/image-stores:ro \
     --volume=/etc/npmrc:/etc/npmrc:ro \
     --volume=%t/podman/podman.sock:/podman.sock:rw \
     --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
     --env=COCKPIT_S3_KEY_DIR=/run/secrets/tasks/s3-keys \
-    --env=CONTAINER_HOST=unix:///podman.sock \
+    --env=COCKPIT_IMAGE_STORES_FILE=/config/image-stores \
     --env=TEST_JOBS=\${TEST_JOBS} \
     --env=TEST_NOTIFICATION_MX=\${TEST_NOTIFICATION_MX} \
     --env=TEST_NOTIFICATION_TO=\${TEST_NOTIFICATION_TO} \

tasks/run-local.sh

@@ -87,12 +87,8 @@ EOF
         (mkdir -p webhook; cd webhook; $MYDIR/credentials/webhook/generate.sh)
         (mkdir -p tasks; cd tasks; $ROOTDIR/local-s3/generate-s3-cert.sh)
 
-        # dummy token
-        if [ -z "$TOKEN" ]; then
-            echo 0123abc > webhook/.config--github-token
-        else
-            cp -fv "$TOKEN" webhook/.config--github-token
-        fi
+        # default to dummy token, tests need to opt into real one
+        echo 0123abc > webhook/.config--github-token
 
         # minio S3 key
         mkdir tasks/s3-keys
@@ -123,23 +119,26 @@ launch_containers() {
 
     # start podman and run RabbitMQ in the background
     podman run -d --name cockpituous-rabbitmq --pod=new:cockpituous \
+        --security-opt=label=disable \
         --publish $IMAGE_PORT:8080 \
         --publish $S3_PORT:9000 \
         --publish 9001:9001 \
-        -v "$RABBITMQ_CONFIG":/etc/rabbitmq:ro,z \
-        -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
+        -v "$RABBITMQ_CONFIG":/etc/rabbitmq:ro \
+        -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
         docker.io/rabbitmq
 
     # S3
     local admin_password="$(dd if=/dev/urandom bs=10 count=1 status=none | base64)"
     podman run -d --name cockpituous-s3 --pod=cockpituous \
+        --security-opt=label=disable \
         -e MINIO_ROOT_USER="minioadmin" \
         -e MINIO_ROOT_PASSWORD="$admin_password" \
         -v "$SECRETS"/tasks/s3-server.key:/root/.minio/certs/private.key:ro \
         -v "$SECRETS"/tasks/s3-server.pem:/root/.minio/certs/public.crt:ro \
         quay.io/minio/minio server /data --console-address :9001
     # wait until it started, create bucket
     podman run -d --interactive --name cockpituous-mc --pod=cockpituous \
+        --security-opt=label=disable \
         -v "$SECRETS"/ca.pem:/etc/pki/ca-trust/source/anchors/ca.pem:ro \
         --entrypoint /bin/sh quay.io/minio/mc
     read s3user s3key < "$SECRETS/tasks/s3-keys/localhost.localdomain"
@@ -160,7 +159,8 @@ EOF
     if [ -n "$INTERACTIVE" ]; then
         [ -z "$TOKEN" ] || cp -fv "$TOKEN" "$SECRETS"/webhook/.config--github-token
         podman run -d --name cockpituous-webhook --pod=cockpituous --user user \
-            -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
+            --security-opt=label=disable \
+            -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
             --env=AMQP_SERVER=$AMQP_POD \
             --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
             --env=COCKPIT_GITHUB_WEBHOOK_TOKEN_FILE=/run/secrets/webhook/.config--github-webhook-token \
@@ -174,13 +174,13 @@ EOF
         sleep 3
     done
 
-    # Run tasks container in the backgroud
+    # Run tasks container in the background
     # use bash as pid 1 to mop up zombies
     podman run -d -it --name cockpituous-tasks --pod=cockpituous \
-        -v "$SECRETS"/tasks:/run/secrets/tasks:ro,z \
-        -v "$SECRETS"/webhook:/run/secrets/webhook:ro,z \
+        --security-opt=label=disable \
+        -v "$SECRETS"/tasks:/run/secrets/tasks:ro \
+        -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
         -v "${XDG_RUNTIME_DIR:-/run}/podman/podman.sock:/podman.sock" \
-        --env=CONTAINER_HOST=unix:///podman.sock \
         --env=COCKPIT_GITHUB_TOKEN_FILE=/run/secrets/webhook/.config--github-token \
         --env=COCKPIT_CA_PEM=/run/secrets/webhook/ca.pem \
         --env=COCKPIT_BOTS_REPO=${COCKPIT_BOTS_REPO:-} \
@@ -200,7 +200,7 @@ EOF
 cleanup_containers() {
     echo "Cleaning up..."
 
-    # clean up dummy token, so that image-prune does not try to use it
+    # clean up token, so that image-prune does not try to use it
     rm "$SECRETS"/webhook/.config--github-token
 
     # revert podman socket permission change
@@ -281,7 +281,8 @@ test_mock_pr() {
     echo "--------------- mock PR test log -----------------"
     echo  "$LOG"
     echo "--------------- mock PR test log end -------------"
-    assert_in 'Test run finished' "$LOG"
+    assert_in 'Test run finished, return code: 0\|Job ran successfully' "$LOG"
+    assert_in 'Running on:.*cockpituous' "$LOG"
 }
 
 test_pr() {
@@ -331,7 +332,7 @@ test_pr() {
     echo "--------------- test log end -------------"
     assert_in '<html>' "$LOG_HTML"
     assert_in 'Running on:.*cockpituous' "$LOG"
-    assert_in 'Test run finished, return code: 0' "$LOG"
+    assert_in 'Test run finished, return code: 0\|Job ran successfully' "$LOG"
     # validate test attachment if we ran cockpituous' own tests
     if [ "${PR_REPO%/cockpituous}" != "$PR_REPO" ]; then
         BOGUS_LOG=$($CURL ${LOG_URL%/log}/bogus.log)
@@ -348,9 +349,9 @@ test_queue() {
 test_podman() {
     # tasks can connect to host's podman service
     # this will be covered implicitly by job-runner, but as a more basal plumbing test this is easier to debug
-    out="$(podman exec -i cockpituous-tasks podman-remote ps)"
+    out="$(podman exec -i cockpituous-tasks podman-remote --url unix:///podman.sock ps)"
     assert_in 'cockpituous-tasks' "$out"
-    out="$(podman exec -i cockpituous-tasks podman-remote run -it --rm quay.io/cockpit/tasks:latest whoami)"
+    out="$(podman exec -i cockpituous-tasks podman-remote --url unix:///podman.sock run -it --rm quay.io/cockpit/tasks:latest whoami)"
     assert_in '^user' "$out"
 }