Merge pull request containers#3804 from flouthoc/buildah-rootless-cirrus

buildah: test rootless integration

.cirrus.yml

@@ -19,6 +19,8 @@ env:
     CIRRUS_CLONE_DEPTH: 50
     # Unless set by in_podman.sh, default to operating outside of a podman container
     IN_PODMAN: 'false'
+    # root or rootless
+    PRIV_NAME: root
 
     ####
     #### Cache-image names to test with
@@ -250,6 +252,44 @@ integration_task:
         package_versions_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh packages'
         golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang'
 
+integration_rootless_task:
+    name: "Integration rootless $DISTRO_NV w/ $STORAGE_DRIVER"
+    alias: integration_rootless
+    only_if: *not_docs
+    depends_on: *smoke_vendor_cross
+
+    matrix:
+        # Running rootless tests on overlay
+        # OVERLAY
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+        - env:
+            DISTRO_NV: "${UBUNTU_NAME}"
+            IMAGE_NAME: "${UBUNTU_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+
+    gce_instance:
+        image_name: "$IMAGE_NAME"
+
+    # Separate scripts for separate outputs, makes debugging easier.
+    setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}'
+    build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}'
+    integration_test_script: '${SCRIPT_BASE}/test.sh integration |& ${_TIMESTAMP}'
+
+    binary_artifacts:
+        path: ./bin/*
+
+    always:
+        <<: *standardlogs
 
 in_podman_task:
     name: "Containerized Integration"

contrib/cirrus/lib.sh

@@ -87,6 +87,9 @@ ALPINE_FQIN=${ALPINE_FQIN:-docker.io/library/alpine}
 IN_PODMAN_NAME="in_podman_$CIRRUS_TASK_ID"
 IN_PODMAN="${IN_PODMAN:-false}"
 
+# rootless_user
+ROOTLESS_USER="rootlessuser"
+
 # Downloaded, but not installed packages.
 PACKAGE_DOWNLOAD_DIR=/var/cache/download
 
@@ -257,3 +260,77 @@ execute_local_registry() {
 
     verify_local_registry
 }
+
+setup_rootless() {
+    req_env_vars GOPATH GOSRC SECRET_ENV_RE
+
+    local rootless_uid
+    local rootless_gid
+    local env_var_val
+    local akfilepath
+    local sshcmd
+
+    # Only do this once; established by setup_environment.sh
+    # shellcheck disable=SC2154
+    if passwd --status $ROOTLESS_USER
+    then
+        if [[ $PRIV_NAME = "rootless" ]]; then
+            msg "Updating $ROOTLESS_USER user permissions on possibly changed libpod code"
+            chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+            return 0
+        fi
+    fi
+    msg "************************************************************"
+    msg "Setting up rootless user '$ROOTLESS_USER'"
+    msg "************************************************************"
+    cd $GOSRC || exit 1
+    # Guarantee independence from specific values
+    rootless_uid=$[RANDOM+1000]
+    rootless_gid=$[RANDOM+1000]
+    msg "creating $rootless_uid:$rootless_gid $ROOTLESS_USER user"
+    groupadd -g $rootless_gid $ROOTLESS_USER
+    useradd -g $rootless_gid -u $rootless_uid --no-user-group --create-home $ROOTLESS_USER
+
+    # We also set up rootless user for image-scp tests (running as root)
+    if [[ $PRIV_NAME = "rootless" ]]; then
+        chown -R $ROOTLESS_USER:$ROOTLESS_USER "$GOPATH" "$GOSRC"
+    fi
+    echo "$ROOTLESS_USER ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/ci-rootless
+
+    mkdir -p "$HOME/.ssh" "/home/$ROOTLESS_USER/.ssh"
+
+    msg "Creating ssh key pairs"
+    [[ -r "$HOME/.ssh/id_rsa" ]] || \
+        ssh-keygen -t rsa -P "" -f "$HOME/.ssh/id_rsa"
+    ssh-keygen -t ed25519 -P "" -f "/home/$ROOTLESS_USER/.ssh/id_ed25519"
+    ssh-keygen -t rsa -P "" -f "/home/$ROOTLESS_USER/.ssh/id_rsa"
+
+    msg "Setup authorized_keys"
+    cat $HOME/.ssh/*.pub /home/$ROOTLESS_USER/.ssh/*.pub >> $HOME/.ssh/authorized_keys
+    cat $HOME/.ssh/*.pub /home/$ROOTLESS_USER/.ssh/*.pub >> /home/$ROOTLESS_USER/.ssh/authorized_keys
+
+    msg "Ensure the ssh daemon is up and running within 5 minutes"
+    systemctl start sshd
+    lilto systemctl is-active sshd
+
+    msg "Configure ssh file permissions"
+    chmod -R 700 "$HOME/.ssh"
+    chmod -R 700 "/home/$ROOTLESS_USER/.ssh"
+    chown -R $ROOTLESS_USER:$ROOTLESS_USER "/home/$ROOTLESS_USER/.ssh"
+
+    msg "   setup known_hosts for $USER"
+    ssh -q root@localhost \
+        -o UserKnownHostsFile=/root/.ssh/known_hosts \
+        -o UpdateHostKeys=yes \
+        -o StrictHostKeyChecking=no \
+        -o CheckHostIP=no \
+        true
+
+    msg "   setup known_hosts for $ROOTLESS_USER"
+    su $ROOTLESS_USER -c "ssh -q $ROOTLESS_USER@localhost \
+        -o UserKnownHostsFile=/home/$ROOTLESS_USER/.ssh/known_hosts \
+        -o UpdateHostKeys=yes \
+        -o StrictHostKeyChecking=no \
+        -o CheckHostIP=no \
+        true"
+}

contrib/cirrus/setup.sh

@@ -48,6 +48,23 @@ EOF
         ;;
 esac
 
+# Required to be defined by caller: Are we testing as root or a regular user
+case "$PRIV_NAME" in
+    root)
+        if [[ "$TEST_FLAVOR" = "sys" ]]; then
+            # Used in local image-scp testing
+            setup_rootless
+        fi
+        ;;
+    rootless)
+        # load kernel modules since the rootless user has no permission to do so
+        modprobe ip6_tables || :
+        modprobe ip6table_nat || :
+        setup_rootless
+        ;;
+    *) die_unknown PRIV_NAME
+esac
+
 # Previously, golang was not installed
 source $(dirname $0)/lib.sh
 

contrib/cirrus/test.sh

@@ -6,6 +6,29 @@ source $(dirname $0)/lib.sh
 
 req_env_vars IN_PODMAN IN_PODMAN_NAME GOSRC 1
 
+# shellcheck disable=SC2154
+if [[ "$PRIV_NAME" == "rootless" ]] && [[ "$UID" -eq 0 ]]; then
+    # Remove /var/lib/cni, it is not required for rootless cni.
+    # We have to test that it works without this directory.
+    # https://github.com/containers/podman/issues/10857
+    rm -rf /var/lib/cni
+
+    # change permission of go src and cache directory
+    # so rootless user can access it
+    chown -R $ROOTLESS_USER:root /var/tmp/go
+    chmod -R g+rwx /var/tmp/go
+
+    req_env_vars ROOTLESS_USER
+    msg "Re-executing test through ssh as user '$ROOTLESS_USER'"
+    msg "************************************************************"
+    set -x
+    exec ssh $ROOTLESS_USER@localhost \
+            -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
+            -o CheckHostIP=no $GOSRC/$SCRIPT_BASE/test.sh $1
+    # Does not return!
+fi
+# else: not running rootless, do nothing special
+
 if [[ "$IN_PODMAN" == "true" ]]
 then
     cd $GOSRC
@@ -51,11 +74,6 @@ else
             showrun make test-conformance
             ;;
         integration)
-            # FIXME: drop the `rm` below once containers.conf has been fixed.
-            # It complains about failing to "to decode the keys ["secret"
-            # "secret.opts"]" which is in process of getting fixed but will
-            # take a while until it hits all distributions.
-            showrun rm /usr/share/containers/containers.conf
             showrun make test-integration
             ;;
         *)

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/containers/common v0.47.4
 	github.com/containers/image/v5 v5.20.0
 	github.com/containers/ocicrypt v1.1.2
-	github.com/containers/storage v1.38.2
+	github.com/containers/storage v1.38.3-0.20220308085612-93ce26691863
 	github.com/docker/distribution v2.8.0+incompatible
 	github.com/docker/docker v20.10.12+incompatible
 	github.com/docker/go-units v0.4.0

go.sum

@@ -277,8 +277,9 @@ github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oM
 github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY=
 github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM=
 github.com/containerd/stargz-snapshotter/estargz v0.9.0/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0=
-github.com/containerd/stargz-snapshotter/estargz v0.11.0 h1:t0IW5kOmY7AXDAWRUs2uVzDhijAUOAYVr/dyRhOQvBg=
 github.com/containerd/stargz-snapshotter/estargz v0.11.0/go.mod h1:/KsZXsJRllMbTKFfG0miFQWViQKdI9+9aSXs+HN0+ac=
+github.com/containerd/stargz-snapshotter/estargz v0.11.2 h1:0P0vWmfrEeTtZ4BBRrpuyu/HxR9HPBLfeljGOra5f6g=
+github.com/containerd/stargz-snapshotter/estargz v0.11.2/go.mod h1:rjbdAXaytDSIrAy2WAy2kUrJ4ehzDS0eUQLlIb5UCY0=
 github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
 github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8=
@@ -317,8 +318,9 @@ github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B
 github.com/containers/ocicrypt v1.1.2 h1:Ez+GAMP/4GLix5Ywo/fL7O0nY771gsBIigiqUm1aXz0=
 github.com/containers/ocicrypt v1.1.2/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY=
 github.com/containers/storage v1.37.0/go.mod h1:kqeJeS0b7DO2ZT1nVWs0XufrmPFbgV3c+Q/45RlH6r4=
-github.com/containers/storage v1.38.2 h1:8bAIxnVBGKzMw5EWCivVj24bztQT6IkDp4uHiyhnzwE=
 github.com/containers/storage v1.38.2/go.mod h1:INP0RPLHWBxx+pTsO5uiHlDUGHDFvWZPWprAbAlQWPQ=
+github.com/containers/storage v1.38.3-0.20220308085612-93ce26691863 h1:10k6Dl+Bm9zgsxP7qv0mnrhd7+XlCmgQWKgkydwZ7vQ=
+github.com/containers/storage v1.38.3-0.20220308085612-93ce26691863/go.mod h1:uhf9mPUP+uYajC2/S0A9NaCVa2JJ6+1C254ue4Edv2g=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -693,8 +695,9 @@ github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYs
 github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.14.4 h1:eijASRJcobkVtSt81Olfh7JX43osYLwy5krOJo6YEu4=
 github.com/klauspost/compress v1.14.4/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.15.0 h1:xqfchp4whNFxn5A4XFyyYtitiWI8Hy5EW59jEwcyL6U=
+github.com/klauspost/compress v1.15.0/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE=
 github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -775,8 +778,9 @@ github.com/moby/sys/mount v0.2.0 h1:WhCW5B355jtxndN5ovugJlMFJawbUODuW8fSnEH6SSM=
 github.com/moby/sys/mount v0.2.0/go.mod h1:aAivFE2LB3W4bACsUXChRHQ0qKWsetY4Y9V7sxOougM=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
-github.com/moby/sys/mountinfo v0.5.0 h1:2Ks8/r6lopsxWi9m58nlwjaeSzUX9iiL1vj5qB/9ObI=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
+github.com/moby/sys/mountinfo v0.6.0 h1:gUDhXQx58YNrpHlK4nSL+7y2pxFZkUcXqzFDKWdC0Oo=
+github.com/moby/sys/mountinfo v0.6.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/sys/signal v0.6.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
 github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ=
 github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs=

tests/add.bats

@@ -14,6 +14,7 @@ load helpers
 }
 
 @test "add-local-plain" {
+  skip_if_rootless_environment
   createrandom ${TESTDIR}/randomfile
   createrandom ${TESTDIR}/other-randomfile
 
@@ -59,6 +60,7 @@ load helpers
 }
 
 @test "add-local-archive" {
+  skip_if_rootless_environment
   createrandom ${TESTDIR}/randomfile
   createrandom ${TESTDIR}/other-randomfile
 
@@ -201,6 +203,7 @@ load helpers
 }
 
 @test "add --ignorefile" {
+  skip_if_rootless_environment
   mytest=${TESTDIR}/mytest
   mkdir -p ${mytest}
   touch ${mytest}/mystuff
@@ -234,6 +237,7 @@ stuff/mystuff"
 }
 
 @test "add quietly" {
+  skip_if_rootless_environment
   _prefetch busybox
   createrandom ${TESTDIR}/randomfile
   run_buildah from --quiet --signature-policy ${TESTSDIR}/policy.json busybox
@@ -246,6 +250,7 @@ stuff/mystuff"
 }
 
 @test "add from container" {
+  skip_if_rootless_environment
   _prefetch busybox
   createrandom ${TESTDIR}/randomfile
   run_buildah from --quiet --signature-policy ${TESTSDIR}/policy.json busybox
@@ -265,6 +270,7 @@ stuff/mystuff"
 }
 
 @test "add from image" {
+  skip_if_rootless_environment
   _prefetch busybox
   run_buildah from --quiet --signature-policy ${TESTSDIR}/policy.json busybox
   cid=$output

tests/basic.bats

@@ -36,6 +36,7 @@ load helpers
 }
 
 @test "mount" {
+  skip_if_rootless_environment
   run_buildah from --signature-policy ${TESTSDIR}/policy.json scratch
   cid=$output
   run_buildah mount $cid
@@ -49,6 +50,7 @@ load helpers
 }
 
 @test "by-name" {
+  skip_if_rootless_environment
   run_buildah from --signature-policy ${TESTSDIR}/policy.json --name scratch-working-image-for-test scratch
   cid=$output
   run_buildah mount scratch-working-image-for-test
@@ -58,6 +60,7 @@ load helpers
 }
 
 @test "commit" {
+  skip_if_rootless_environment
   createrandom ${TESTDIR}/randomfile
   createrandom ${TESTDIR}/other-randomfile