From e3ba7092fbdc5f49efb763de03aa08705726e30c Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Thu, 12 Nov 2020 09:10:18 -0500 Subject: [PATCH 1/7] Cirrus: Add support for Ubuntu 20.x Previously automation always dropped the minor version number for distributions. This was intended for presentation and conditional simplicity. Bash does not support non-integer comparison natively. With the release of version 20.10, supporting testing with it and the LTS release (20.04) requires scripts to consider minor version numbers for Ubuntu VMs. This is necessary because many times in the past, some behaviors needed to be conditional on the release version number. With this commit, the images and embedded scripts/tooling uses an altered format of `$UBUNTU_NAME', `$PRIOR_UBUNTU_NAME`, and (crucially) `$OS_RELEASE_VER` and `$OS_REL_VER`. Any `.` characters appearing in the official version (from `/etc/os-release`) are dropped, and the result is concatenated. For example the current Ubuntu LTS version is `20.04`. Prior to this commit, `$OS_RELEASE_VER` would have been `20`. With this change, `$OS_RELEASE_VER` will now show `2004`. Similarly `20.10` is shown as `2010`. Signed-off-by: Chris Evich --- .cirrus.yml | 6 +++--- contrib/cirrus/lib.sh | 2 +- contrib/cirrus/logcollector.sh | 4 ++-- contrib/cirrus/runner.sh | 8 +------ contrib/cirrus/setup_environment.sh | 33 ++++++++++++++++------------- 5 files changed, 25 insertions(+), 28 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 8507aa3d2f..cbe8bc757e 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -26,11 +26,11 @@ env: #### FEDORA_NAME: "fedora-33" PRIOR_FEDORA_NAME: "fedora-32" - UBUNTU_NAME: "ubuntu-20" - PRIOR_UBUNTU_NAME: "ubuntu-19" + UBUNTU_NAME: "ubuntu-2010" + PRIOR_UBUNTU_NAME: "ubuntu-2004" # Google-cloud VM Images - IMAGE_SUFFIX: "c4704091098054656" + IMAGE_SUFFIX: "c6233039174893568" FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}" PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}" UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}" diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh index 01e75d9a6a..ea47c554ad 100644 --- a/contrib/cirrus/lib.sh +++ b/contrib/cirrus/lib.sh @@ -41,7 +41,7 @@ fi OS_RELEASE_ID="$(source /etc/os-release; echo $ID)" # GCE image-name compatible string representation of distribution _major_ version -OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | cut -d '.' -f 1)" +OS_RELEASE_VER="$(source /etc/os-release; echo $VERSION_ID | tr -d '.')" # Combined to ease soe usage OS_REL_VER="${OS_RELEASE_ID}-${OS_RELEASE_VER}" # This is normally set from .cirrus.yml but default is necessary when diff --git a/contrib/cirrus/logcollector.sh b/contrib/cirrus/logcollector.sh index 7bf651b365..323015cef6 100755 --- a/contrib/cirrus/logcollector.sh +++ b/contrib/cirrus/logcollector.sh @@ -53,7 +53,7 @@ case $1 in slirp4netns \ ) case $OS_RELEASE_ID in - fedora*) + fedora) cat /etc/fedora-release PKG_LST_CMD='rpm -q --qf=%{N}-%{V}-%{R}-%{ARCH}\n' PKG_NAMES+=(\ @@ -61,7 +61,7 @@ case $1 in libseccomp \ ) ;; - ubuntu*) + ubuntu) cat /etc/issue PKG_LST_CMD='dpkg-query --show --showformat=${Package}-${Version}-${Architecture}\n' PKG_NAMES+=(\ diff --git a/contrib/cirrus/runner.sh b/contrib/cirrus/runner.sh index cc6d155f9a..7f9afd1fd3 100755 --- a/contrib/cirrus/runner.sh +++ b/contrib/cirrus/runner.sh @@ -41,7 +41,7 @@ function _run_automation() { req_env_vars CI DEST_BRANCH IMAGE_SUFFIX TEST_FLAVOR TEST_ENVIRON \ PODBIN_NAME PRIV_NAME DISTRO_NV CONTAINER USER HOME \ UID AUTOMATION_LIB_PATH SCRIPT_BASE OS_RELEASE_ID \ - OS_RELEASE_VER CG_FS_TYPE + CG_FS_TYPE bigto ooe.sh dnf install -y ShellCheck # small/quick addition $SCRIPT_BASE/shellcheck.sh } @@ -64,12 +64,6 @@ function _run_unit() { } function _run_apiv2() { - # TODO Remove once VM's with dependency - if [[ "$OS_RELEASE_ID" == "fedora" ]]; then - dnf install -y python3-docker - else - apt-get -qq -y install python3-docker - fi make localapiv2 |& logformatter } diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index a3c0f9a136..5c6f05ac0b 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -73,7 +73,9 @@ case "$CG_FS_TYPE" in if ((CONTAINER==0)); then warn "Forcing testing with runc instead of crun" if [[ "$OS_RELEASE_ID" == "ubuntu" ]]; then - echo "OCI_RUNTIME=/usr/lib/cri-o-runc/sbin/runc" >> /etc/ci_environment + # Need b/c using cri-o-runc package from OBS + echo "OCI_RUNTIME=/usr/lib/cri-o-runc/sbin/runc" \ + >> /etc/ci_environment else echo "OCI_RUNTIME=runc" >> /etc/ci_environment fi @@ -102,8 +104,8 @@ fi # Which distribution are we testing on. case "$OS_RELEASE_ID" in - ubuntu*) ;; - fedora*) + ubuntu) ;; + fedora) if ((CONTAINER==0)); then msg "Configuring / Expanding host storage." # VM is setup to allow flexibility in testing alternate storage. @@ -123,10 +125,15 @@ esac # shellcheck disable=SC2154 case "$TEST_ENVIRON" in host) - if [[ "$OS_RELEASE_ID" == "fedora" ]]; then - # The e2e tests wrongly guess `--cgroup-manager cgroupfs` + # The e2e tests wrongly guess `--cgroup-manager` option + # shellcheck disable=SC2154 + if [[ "$CG_FS_TYPE" == "cgroup2fs" ]] || [[ "$PRIV_NAME" == "root" ]] + then warn "Forcing CGROUP_MANAGER=systemd" echo "CGROUP_MANAGER=systemd" >> /etc/ci_environment + else + warn "Forcing CGROUP_MANAGER=cgroupfs" + echo "CGROUP_MANAGER=cgroupfs" >> /etc/ci_environment fi ;; container) @@ -138,25 +145,21 @@ case "$TEST_ENVIRON" in modprobe ip6table_nat || : modprobe iptable_nat || : else - # The e2e tests wrongly guess `--cgroup-manager systemd` warn "Forcing CGROUP_MANAGER=cgroupfs" echo "CGROUP_MANAGER=cgroupfs" >> /etc/ci_environment - fi - ;; - *) die_unknown TEST_ENVIRON -esac -# Required to be defined by caller: Are we testing as root or a regular user -# shellcheck disable=SC2154 -case "$PRIV_NAME" in - root) - if [[ "$TEST_ENVIRON" == "container" ]] && ((container)); then # There's no practical way to detect userns w/in a container # affected/related tests are sensitive to this variable. warn "Disabling usernamespace integration testing" echo "SKIP_USERNS=1" >> /etc/ci_environment fi ;; + *) die_unknown TEST_ENVIRON +esac + +# Required to be defined by caller: Are we testing as root or a regular user +case "$PRIV_NAME" in + root) ;; rootless) # Needs to exist for setup_rootless() ROOTLESS_USER="${ROOTLESS_USER:-some${RANDOM}dude}" From e6ab56657479456cf7dafc655e504b6100dd7374 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Wed, 9 Dec 2020 13:32:56 -0500 Subject: [PATCH 2/7] Disable blkio.weight test on Ubuntu These tests fail with `Error: opening file `io.bfq.weight` for writing: Permission denied: OCI permission denied`. Upon examination of the VMs, it was found the kernel and OS lacks support for the `BFQ` scheduler (which supplies the `weight` option). The only available schedulers are `none` and `mq-deadline`. Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04 (prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and Ubuntu 20.10 were updated to always use CGroupsV2 with crun. Signed-off-by: Chris Evich --- test/e2e/run_test.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index dbdd6a0729..c324466635 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -493,7 +493,9 @@ USER bin` Skip("Kernel does not support blkio.weight") } } - + if podmanTest.Host.Distribution == "ubuntu" { + Skip("Ubuntu <= 20.10 lacks BFQ scheduler") + } if CGROUPSV2 { // convert linearly from [10-1000] to [1-10000] session := podmanTest.Podman([]string{"run", "--rm", "--blkio-weight=15", ALPINE, "sh", "-c", "cat /sys/fs/cgroup/$(sed -e 's|0::||' < /proc/self/cgroup)/io.bfq.weight"}) From 8997a2d106a26fa1c643824b0c2638aedd05159a Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Thu, 10 Dec 2020 11:48:36 -0500 Subject: [PATCH 3/7] Disable pod stats tests in containerized Fedora w/ CGroupsV1 Nearly/all of the 'podman stats' tests fail on Fedora when executing testing inside a container, and CGroupsV1 is used on the host. The typical failure message is of the form `Error: unable to load cgroup at /machine.slice/.../: cgroup deleted`. Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04 (prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and Ubuntu 20.10 were updated to always use CGroupsV2 with crun. Signed-off-by: Chris Evich --- test/e2e/pod_stats_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/e2e/pod_stats_test.go b/test/e2e/pod_stats_test.go index 41fc59267b..85a60b29bf 100644 --- a/test/e2e/pod_stats_test.go +++ b/test/e2e/pod_stats_test.go @@ -20,6 +20,9 @@ var _ = Describe("Podman pod stats", func() { if os.Geteuid() != 0 { SkipIfCgroupV2("--cgroup-manager=cgroupfs which doesn't work in rootless mode") } + if isContainerized() { + SkipIfCgroupV1("All tests fail Error: unable to load cgroup at ...: cgroup deleted") + } tempdir, err = CreateTempDirInTempDir() if err != nil { From e6fbc15f26b2a609936dfc11732037c70ee14cba Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Fri, 11 Dec 2020 13:52:29 -0500 Subject: [PATCH 4/7] Disable CGv1 pod stats on net=host post This should be addressed by PR https://github.com/containers/podman/pull/8685 Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04 (prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and Ubuntu 20.10 were updated to always use CGroupsV2 with crun. Signed-off-by: Chris Evich --- test/e2e/pod_stats_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/e2e/pod_stats_test.go b/test/e2e/pod_stats_test.go index 85a60b29bf..9af410fcc3 100644 --- a/test/e2e/pod_stats_test.go +++ b/test/e2e/pod_stats_test.go @@ -179,7 +179,8 @@ var _ = Describe("Podman pod stats", func() { It("podman stats on net=host post", func() { // --net=host not supported for rootless pods at present - SkipIfRootlessCgroupsV1("Pause stats not supported in cgroups v1") + // problem with sysctls being passed to containers of the pod. + SkipIfCgroupV1("Bug: Error: sysctl net.ipv4.ping_group_range is not allowed in the hosts network namespace: OCI runtime error") podName := "testPod" podCreate := podmanTest.Podman([]string{"pod", "create", "--net=host", "--name", podName}) podCreate.WaitWithDefaultTimeout() From 0bb865e6c24942afec3757abd7ea6375be182190 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Thu, 10 Dec 2020 14:07:46 -0500 Subject: [PATCH 5/7] Disable rootless pod stats tests w/ CgroupV1 When running as rootless, on a CgroupV1 host these tests all report: `Error: pod stats is not supported in rootless mode without cgroups v2` Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04 (prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and Ubuntu 20.10 were updated to always use CGroupsV2 with crun. Signed-off-by: Chris Evich --- test/e2e/pod_stats_test.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/e2e/pod_stats_test.go b/test/e2e/pod_stats_test.go index 9af410fcc3..a034ec2d1f 100644 --- a/test/e2e/pod_stats_test.go +++ b/test/e2e/pod_stats_test.go @@ -17,9 +17,7 @@ var _ = Describe("Podman pod stats", func() { ) BeforeEach(func() { - if os.Geteuid() != 0 { - SkipIfCgroupV2("--cgroup-manager=cgroupfs which doesn't work in rootless mode") - } + SkipIfRootless("Tests fail with both CGv1/2 + required --cgroup-manager=cgroupfs") if isContainerized() { SkipIfCgroupV1("All tests fail Error: unable to load cgroup at ...: cgroup deleted") } From 427731ab9c977f1b89b49ff23d3adcffb6212f49 Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Fri, 11 Dec 2020 10:19:22 -0500 Subject: [PATCH 6/7] Disable incompatible rootless + CGroupsV1 tests These tests simply will not work under these conditions. Note: Recently updated F32 (prior-fedora) and Ubuntu 20.04 (prior-ubuntu) VMs always use CGroupsV1 with runc. F33 and Ubuntu 20.10 were updated to always use CGroupsV2 with crun. Signed-off-by: Chris Evich --- test/e2e/containers_conf_test.go | 2 ++ test/e2e/generate_kube_test.go | 1 + test/e2e/pod_infra_container_test.go | 1 + test/e2e/pod_kill_test.go | 1 + test/e2e/pod_ps_test.go | 1 + test/e2e/run_ns_test.go | 2 ++ test/e2e/run_selinux_test.go | 1 + test/e2e/toolbox_test.go | 1 + 8 files changed, 10 insertions(+) diff --git a/test/e2e/containers_conf_test.go b/test/e2e/containers_conf_test.go index 28672cfc60..719ac9fac8 100644 --- a/test/e2e/containers_conf_test.go +++ b/test/e2e/containers_conf_test.go @@ -82,6 +82,7 @@ var _ = Describe("Podman run", func() { }) It("podman Capabilities in containers.conf", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") cap := podmanTest.Podman([]string{"run", ALPINE, "grep", "CapEff", "/proc/self/status"}) cap.WaitWithDefaultTimeout() Expect(cap.ExitCode()).To(Equal(0)) @@ -121,6 +122,7 @@ var _ = Describe("Podman run", func() { }) verifyNSHandling := func(nspath, option string) { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") os.Setenv("CONTAINERS_CONF", "config/containers-ns.conf") if IsRemote() { podmanTest.RestartRemoteService() diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go index 0950a93215..239817e6cb 100644 --- a/test/e2e/generate_kube_test.go +++ b/test/e2e/generate_kube_test.go @@ -471,6 +471,7 @@ var _ = Describe("Podman generate kube", func() { }) It("podman generate kube multiple pods should fail", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") pod1 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod1", ALPINE, "top"}) pod1.WaitWithDefaultTimeout() Expect(pod1.ExitCode()).To(Equal(0)) diff --git a/test/e2e/pod_infra_container_test.go b/test/e2e/pod_infra_container_test.go index 7ec36b2f82..452a3de21b 100644 --- a/test/e2e/pod_infra_container_test.go +++ b/test/e2e/pod_infra_container_test.go @@ -225,6 +225,7 @@ var _ = Describe("Podman pod create", func() { }) It("podman pod container can override pod pid NS", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") session := podmanTest.Podman([]string{"pod", "create", "--share", "pid"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) diff --git a/test/e2e/pod_kill_test.go b/test/e2e/pod_kill_test.go index f968f73a66..710147893f 100644 --- a/test/e2e/pod_kill_test.go +++ b/test/e2e/pod_kill_test.go @@ -127,6 +127,7 @@ var _ = Describe("Podman pod kill", func() { }) It("podman pod kill all", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") _, ec, podid := podmanTest.CreatePod("") Expect(ec).To(Equal(0)) diff --git a/test/e2e/pod_ps_test.go b/test/e2e/pod_ps_test.go index ea8d10e78c..225da785cc 100644 --- a/test/e2e/pod_ps_test.go +++ b/test/e2e/pod_ps_test.go @@ -157,6 +157,7 @@ var _ = Describe("Podman ps", func() { }) It("podman pod ps --ctr-names", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") _, ec, podid := podmanTest.CreatePod("") Expect(ec).To(Equal(0)) diff --git a/test/e2e/run_ns_test.go b/test/e2e/run_ns_test.go index 5242e04d20..51657cb1e5 100644 --- a/test/e2e/run_ns_test.go +++ b/test/e2e/run_ns_test.go @@ -35,6 +35,7 @@ var _ = Describe("Podman run ns", func() { }) It("podman run pidns test", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") session := podmanTest.Podman([]string{"run", fedoraMinimal, "bash", "-c", "echo $$"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) @@ -105,6 +106,7 @@ var _ = Describe("Podman run ns", func() { }) It("podman run --ipc=host --pid=host", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") cmd := exec.Command("ls", "-l", "/proc/self/ns/pid") res, err := cmd.Output() Expect(err).To(BeNil()) diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go index 3294f6d3b0..2e9d38e2df 100644 --- a/test/e2e/run_selinux_test.go +++ b/test/e2e/run_selinux_test.go @@ -274,6 +274,7 @@ var _ = Describe("Podman run", func() { }) It("podman test --pid=host", func() { + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) diff --git a/test/e2e/toolbox_test.go b/test/e2e/toolbox_test.go index 6f04ce48c9..6de7759834 100644 --- a/test/e2e/toolbox_test.go +++ b/test/e2e/toolbox_test.go @@ -121,6 +121,7 @@ var _ = Describe("Toolbox-specific testing", func() { if podmanTest.RemoteTest { Skip("Shm size check does not work with a remote client") } + SkipIfRootlessCgroupsV1("Not supported for rootless + CGroupsV1") var session *PodmanSessionIntegration var cmd *exec.Cmd var hostShmSize, containerShmSize int From f66ecc882df822260e41de24b1c5f44a1ba3c3ad Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Wed, 16 Dec 2020 08:55:16 -0500 Subject: [PATCH 7/7] Fix: unpause not supported for CGv1 rootless Thanks Ed Santiago for the fix. Signed-off-by: Chris Evich --- test/system/600-completion.bats | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/test/system/600-completion.bats b/test/system/600-completion.bats index 1e43cdc411..39906704ee 100644 --- a/test/system/600-completion.bats +++ b/test/system/600-completion.bats @@ -8,6 +8,17 @@ load helpers +# Returns true if we are able to podman-pause +function _can_pause() { + # Even though we're just trying completion, not an actual unpause, + # podman barfs with: + # Error: unpause is not supported for cgroupv1 rootless containers + if is_rootless && is_cgroupsv1; then + return 1 + fi + return 0 +} + function check_shell_completion() { local count=0 @@ -70,8 +81,13 @@ function check_shell_completion() { ;; *CONTAINER*) + # podman unpause fails early on rootless cgroupsv1 + if [[ $cmd = "unpause" ]] && ! _can_pause; then + continue 2 + fi + run_completion "$@" $cmd "${extra_args[@]}" "" - is "$output" ".*-$random_container_name${nl}" "Found expected container in suggestions" + is "$output" ".*-$random_container_name${nl}" "Found expected container in suggestions for '$cmd'" match=true # resume @@ -212,7 +228,9 @@ function _check_completion_end() { run_podman create --name created-$random_container_name $IMAGE run_podman run --name running-$random_container_name -d $IMAGE top run_podman run --name pause-$random_container_name -d $IMAGE top - run_podman pause pause-$random_container_name + if _can_pause; then + run_podman pause pause-$random_container_name + fi run_podman run --name exited-$random_container_name -d $IMAGE echo exited # create pods for each state