Implement the bootc provision plugin
#3161
Conversation
ckyrouac
requested review from
psss,
lukaszachy,
happz,
thrix and
janhavlin
as code owners
|
@cgwalters fyi |
|
There was a problem hiding this comment.
I'm still trying to speedrun reading/learning all things bootc (and tmt provisioning plugins), but fwiw, looks cool to me.
@happz about the container plugin support - Fedora docs says:
for fully-fledged tests it is not recommended to run a bootable container via, for instance, podman-run. One reason among others is that the filesystem is writable when being executed as an OCI container while most of the filesystem is mounted read-only on a deployed bootc system. That means the running container behaves differently than a deployed system. Yet, if you desire to run some quick tests it is recommended to run the container in detached mode.
From what I understand, podman-bootc could be pretty cool to use, once available.
I agree, it's not a perfect 1:1 substitution, but, exactly: for quick tests or basic test development, it may give me results faster than VM. I for one work on binutils and C/C++ toolchain in general, and my area of focus is fairly simple - compile this, run |
Thank you for the insight in your development process. I hope I can see it in more detail one day. |
ckyrouac
force-pushed
the
bootc-provision
branch
from
641a411
to
78e86f3
Compare
I think the existing container plugin will handle this case without any additional code. The bootc image is just another container that can be run like a typical image. |
ckyrouac
force-pushed
the
bootc-provision
branch
2 times, most recently
from
e3058f9
to
44ff728
Compare
|
@happz This is ready for a review. I added some docs, tests, and code to cleanup the container images. |
|
/packit build |
ckyrouac
force-pushed
the
bootc-provision
branch
from
7d63c51
to
1b06357
Compare
|
/packit build |
|
The tests are failing with |
I ran into this before locally while trying to run the bootc tmt tests, I solved it with |
Tests depend on additional setup, shouldn't we add a dedicated plan & let it run in the @psss does it make sense? It does look like another provision-foo plan is needed, and I think we can add it to the same Github check as |
ckyrouac
force-pushed
the
bootc-provision
branch
from
8fc5094
to
125f5d6
Compare
|
@happz added a prepare step to the bootc plan. Could you trigger another test run? |
|
/packit build |
Yes, this definitely makes sense. Let's have this handled in a consistent way. |
|
If I understand this right, I believe this was already in place. The prepare step just wasn’t in place yet but is now. Now the bootc tests pass but there is an avc failure that I don’t understand. Any ideas? |
ckyrouac
force-pushed
the
bootc-provision
branch
from
125f5d6
to
98b8349
Compare
This creates a new provision plugin that is built on top of the existing TestCloud (virtual) plugin. It adds new parameters to pass a Containerfile or container image. The plugin will then build a container image (if necessary) then build a bootc disk image from the container image using bootc image builder. Currently, bootc requires podman to be run as root when building a disk image. This is typically handled by running a podman machine as root. An additional parameter "add-deps" toggles building a derived container image with the tmt test requirements. Signed-off-by: Chris Kyrouac <[email protected]>
Signed-off-by: Chris Kyrouac <[email protected]>
When the podman connection is rootless=True, this will automatically start a new rootful podman-machine to be used for the bootc disk creation. Signed-off-by: Chris Kyrouac <[email protected]>
Ensures the /var/tmp/tmt directory exists before creating the temp directories. This directory might not exist in the CI environment. It usually exists when running locally. Signed-off-by: Chris Kyrouac <[email protected]>
Signed-off-by: Chris Kyrouac <[email protected]>
ckyrouac
force-pushed
the
bootc-provision
branch
from
98b8349
to
9d4d5f2
Compare
A rebase should help, the problem has been addressed in #3355 |
|
/packit build |
I'm guessing it's the usage of /var, nosuid transition: I can see |
It has been reported for bootc image builder, see osbuild/bootc-image-builder#645. It does look like something bootc either should not do, or ask selinux-policy maintainers to allow. |
|
Hmm that probably relates to our initialization of containers/storage at bootc install time. But I am confused as to why we may only be seeing this here. It may relate somehow to the host policy? We do have some coverage for this in other CI tests…
Long story short if this theory is right then we need to suppress the domain transition or maybe just switch to skopeo which we probably want to do anyways.
|
Thanks, |
|
I will be afk on paternity leave soon (most likely in a week), so I won't be able to work on this much for a few months. So, unless someone else can pick up the work, I think merging as-is makes the most sense. |
Congratulations in advance sir! |
Ok, then I suggest to mark the |
There was a problem hiding this comment.
Added a couple of comments. I tried the minimal example but ended up with the following error:
Command 'podman machine start podman-machine-tmt' returned 125.
# stdout (1/1 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Starting machine "podman-machine-tmt"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# stderr (2/2 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
time="2024-11-15T14:33:33+01:00" level=error msg="process 419571 has not ended"
Error: failed to find virtiofsd: exec: "virtiofsd": executable file not found in $PATH
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I tried this under a regular user. Do I understand it correctly that it is necessary to always run this under root?
|
|
||
| provision: | ||
| how: bootc | ||
| containerimage: quay.io/fedora/fedora-bootc:40 |
There was a problem hiding this comment.
Throughout the tmt specification we consistently use dashes to separate words in multi-word keys. Would it be ok if we used container-image here? Similar for other multiword keys.
| containerfile: "./my-custom-image.containerfile" | ||
| containerfile-workdir: . | ||
| image_builder: quay.io/centos-bootc/bootc-image-builder:stream9 |
There was a problem hiding this comment.
| containerfile: "./my-custom-image.containerfile" | |
| containerfile-workdir: . | |
| image_builder: quay.io/centos-bootc/bootc-image-builder:stream9 | |
| container-file: "./my-custom-image.containerfile" | |
| container-file-workdir: . | |
| image-builder: quay.io/centos-bootc/bootc-image-builder:stream9 |
|
|
||
| provision: | ||
| how: bootc | ||
| add_deps: false |
There was a problem hiding this comment.
| add_deps: false | |
| add-tmt-dependencies: true |
Perhaps it would be good to make the name a bit more specific? And I guess the example should use true?
| @@ -0,0 +1,39 @@ | |||
| summary: Bootc virtual machine via testcloud | |||
There was a problem hiding this comment.
| rlPhaseStartTest "Image that already includes dependencies" | ||
| rlRun "podman build . -f $CONTAINERFILE_INCLUDES_DEPS -t $IMAGE_INCLUDES_DEPS" | ||
| rlRun "cp $IMAGE_INCLUDES_DEPS_PLAN ." | ||
| rlRun "tmt -vvvvv run -i $run" |
There was a problem hiding this comment.
If reusing the same run --id it's better to use tmt run --scratch to remove previous run content before executing a new run. Otherwise this results into following tmt runs to just report done.
| rlJournalStart | ||
| rlPhaseStartSetup | ||
| # cleanup previous runs | ||
| test -d /var/tmp/tmt/testcloud && rlRun "rm -rf /var/tmp/tmt/testcloud" |
There was a problem hiding this comment.
If we need to do a complete cleanup, what about using TMT_WORKDIR_ROOT instead to choose a different workdir root? We're trying to write tests so that they can be easily/safely executed on user laptop as well. This would remove for example all fetched images.
| Provides: tmt-provision-bootc == %{version}-%{release} | ||
| %if 0%{?fedora} < 40 | ||
| Obsoletes: tmt-provision-bootc < %{version}-%{release} | ||
| %endif |
There was a problem hiding this comment.
There was no tmt-provision-bootc package before, so I think we can drop the Obsoletes here.
| ).run(cwd=self.workdir, stream_output=True, logger=self._logger) | ||
| except BaseException: | ||
| self._logger.debug( | ||
| "Unable to remove podman machine {PODMAN_MACHINE_NAME}, it might not exist") |
There was a problem hiding this comment.
| "Unable to remove podman machine {PODMAN_MACHINE_NAME}, it might not exist") | |
| "Unable to remove podman machine '{PODMAN_MACHINE_NAME}', it might not exist.") |
This creates a new provision plugin that is built on top of the existing TestCloud (virtual) plugin. It adds new parameters to pass a Containerfile or container image. The plugin will then build a container image (if necessary) then build a bootc disk image from the container image using bootc image builder. Currently, bootc requires podman to be run as root when building a disk image. This is typically handled by running a podman machine as root.
An additional parameter "add-deps" toggles building a derived container image with the tmt test requirements.
Resolves #3013
Pull Request Checklist
This is a work in progress. I'm opening this PR early to get feedback on the high level design. I will add tests, docs, etc. after we solidify the higher level design.
If you want to try running the code here is an example fmf plan: