containers · openshift-merge-robot · Aug 18, 2021 · Jun 17, 2021 · Jul 16, 2021 · Aug 2, 2021
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -30,20 +30,17 @@ env:
     PRIOR_UBUNTU_NAME: "ubuntu-2010"
 
     # Google-cloud VM Images
-    # TODO: At the time of this comment, an selinux-policy regression is blocking use of updated
-    # Fedora VM images: https://bugzilla.redhat.com/show_bug.cgi?id=1965743
-    IMAGE_SUFFIX_UBUNTU: "c5521575421149184"
-    IMAGE_SUFFIX: "c5348179051806720"
+    IMAGE_SUFFIX: "c6737534580424704"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
-    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX_UBUNTU}"
-    PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX_UBUNTU}"
+    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
+    PRIOR_UBUNTU_CACHE_IMAGE_NAME: "prior-ubuntu-${IMAGE_SUFFIX}"
 
     # Container FQIN's
     FEDORA_CONTAINER_FQIN: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CONTAINER_FQIN: "quay.io/libpod/prior-fedora_podman:${IMAGE_SUFFIX}"
-    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX_UBUNTU}"
-    PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX_UBUNTU}"
+    UBUNTU_CONTAINER_FQIN: "quay.io/libpod/ubuntu_podman:${IMAGE_SUFFIX}"
+    PRIOR_UBUNTU_CONTAINER_FQIN: "quay.io/libpod/prior-ubuntu_podman:${IMAGE_SUFFIX}"
 
     ####
     #### Control variables that determine what to run and how to run it.
@@ -671,18 +668,11 @@ meta_task:
         image: quay.io/libpod/imgts:$IMAGE_SUFFIX
     env:
         # Space-separated list of images used by this repository state
-        # TODO: Protect commonly tagged ubuntu images from puning in case
-        # workaround for BZ1965743 remains in use beyond the 30-days.
-        # Ref sha 404d5edb155
         IMGNAMES: >-
             ${FEDORA_CACHE_IMAGE_NAME}
             ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
             ${UBUNTU_CACHE_IMAGE_NAME}
             ${PRIOR_UBUNTU_CACHE_IMAGE_NAME}
-            fedora-${IMAGE_SUFFIX_UBUNTU}
-            prior-fedora-${IMAGE_SUFFIX_UBUNTU}
-            ubuntu-${IMAGE_SUFFIX}
-            prior-ubuntu-${IMAGE_SUFFIX}
         BUILDID: "${CIRRUS_BUILD_ID}"
         REPOREF: "${CIRRUS_REPO_NAME}"
         GCPJSON: ENCRYPTED[3a198350077849c8df14b723c0f4c9fece9ebe6408d35982e7adf2105a33f8e0e166ed3ed614875a0887e1af2b8775f4]

diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
@@ -77,6 +77,13 @@ case "$CG_FS_TYPE" in
             else
                 echo "OCI_RUNTIME=runc" >> /etc/ci_environment
             fi
+
+            # As a general policy CGv1 + runc should coincide with the "older"
+            # VM Images in CI.  Verify this is the case.
+            if [[ -n "$VM_IMAGE_NAME" ]] && [[ ! "$VM_IMAGE_NAME" =~ prior ]]
+            then
+                die "Most recent distro. version should never run with CGv1"
+            fi
         fi
         ;;
     cgroup2fs)
@@ -85,6 +92,13 @@ case "$CG_FS_TYPE" in
             # which uses runc as the default.
             warn "Forcing testing with crun instead of runc"
             echo "OCI_RUNTIME=crun" >> /etc/ci_environment
+
+            # As a general policy CGv2 + crun should coincide with the "newer"
+            # VM Images in CI.  Verify this is the case.
+            if [[ -n "$VM_IMAGE_NAME" ]] && [[ "$VM_IMAGE_NAME" =~ prior ]]
+            then
+                die "Least recent distro. version should never run with CGv2"
+            fi
         fi
         ;;
     *) die_unknown CG_FS_TYPE
@@ -208,7 +222,7 @@ case "$TEST_FLAVOR" in
     unit) ;;
     apiv2) ;&  # use next item
     compose)
-        dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker*
+        rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-docker*
         ;&  # continue with next item
     int) ;&
     sys) ;&

diff --git a/test/buildah-bud/apply-podman-deltas b/test/buildah-bud/apply-podman-deltas
@@ -165,14 +165,6 @@ skip "FIXME FIXME FIXME: this passes on Ed's laptop, fails in CI??" \
 skip "buildah runs with --cgroup-manager=cgroupfs, podman with systemd" \
      "bud with --cgroup-parent"
 
-# see https://github.com/containers/podman/pull/10829
-skip "FIXME FIXME FIXME - requires updated CI images (#10829)" \
-     "bud with --runtime and --runtime-flag"
-
-###############################################################################
-# BEGIN tests which are skipped due to actual podman bugs.
-
-
 ###############################################################################
 # BEGIN tests which are skipped because they make no sense under podman-remote
 

diff --git a/test/compose/mount_and_label/docker-compose.yml b/test/compose/mount_and_label/docker-compose.yml
@@ -6,5 +6,7 @@ services:
       - '5000:5000'
     volumes:
       - /tmp/data:/data:ro
+    security_opt:
+      - label=disable
     labels:
       - "io.podman=the_best"
diff --git a/test/e2e/common_test.go b/test/e2e/common_test.go
@@ -645,9 +645,13 @@ func isRootless() bool {
 	return os.Geteuid() != 0
 }
 
+func isCgroupsV1() bool {
+	return !CGROUPSV2
+}
+
 func SkipIfCgroupV1(reason string) {
 	checkReason(reason)
-	if !CGROUPSV2 {
+	if isCgroupsV1() {
 		Skip(reason)
 	}
 }

diff --git a/test/e2e/login_logout_test.go b/test/e2e/login_logout_test.go
@@ -79,9 +79,9 @@ var _ = Describe("Podman login and logout", func() {
 
 		session = podmanTest.Podman([]string{"run", "-d", "-p", strings.Join([]string{strconv.Itoa(port), strconv.Itoa(port)}, ":"),
 			"-e", strings.Join([]string{"REGISTRY_HTTP_ADDR=0.0.0.0", strconv.Itoa(port)}, ":"), "--name", "registry", "-v",
-			strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
+			strings.Join([]string{authPath, "/auth:Z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
-			"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
+			"-v", strings.Join([]string{certPath, "/certs:Z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
 			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
@@ -235,10 +235,13 @@ var _ = Describe("Podman login and logout", func() {
 		setup.WaitWithDefaultTimeout()
 		defer os.RemoveAll(certDir)
 
+		// N/B: This second registry container shares the same auth and cert dirs
+		//      as the registry started from BeforeEach().  Since this one starts
+		//      second, re-labeling the volumes should keep SELinux happy.
 		session := podmanTest.Podman([]string{"run", "-d", "-p", "9001:9001", "-e", "REGISTRY_HTTP_ADDR=0.0.0.0:9001", "--name", "registry1", "-v",
-			strings.Join([]string{authPath, "/auth"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
+			strings.Join([]string{authPath, "/auth:z"}, ":"), "-e", "REGISTRY_AUTH=htpasswd", "-e",
 			"REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm", "-e", "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd",
-			"-v", strings.Join([]string{certPath, "/certs"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
+			"-v", strings.Join([]string{certPath, "/certs:z"}, ":"), "-e", "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt",
 			"-e", "REGISTRY_HTTP_TLS_KEY=/certs/domain.key", "registry:2.6"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))

diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
@@ -946,7 +946,7 @@ USER mail`, BB)
 		Expect(err).To(BeNil())
 		mountpoint := "/myvol/"
 
-		session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint, ALPINE, "cat", mountpoint + filename})
+		session := podmanTest.Podman([]string{"create", "--volume", vol + ":" + mountpoint + ":z", ALPINE, "cat", mountpoint + filename})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		ctrID := session.OutputToString()

diff --git a/test/e2e/stats_test.go b/test/e2e/stats_test.go
@@ -22,6 +22,9 @@ var _ = Describe("Podman stats", func() {
 
 	BeforeEach(func() {
 		SkipIfRootlessCgroupsV1("stats not supported on cgroupv1 for rootless users")
+		if isContainerized() {
+			SkipIfCgroupV1("stats not supported inside cgroupv1 container environment")
+		}
 		var err error
 		tempdir, err = CreateTempDirInTempDir()
 		if err != nil {

diff --git a/test/e2e/systemd_test.go b/test/e2e/systemd_test.go
@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/containers/podman/v3/pkg/rootless"
 	. "github.com/containers/podman/v3/test/utils"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -118,11 +117,13 @@ WantedBy=multi-user.target
 		Expect(len(conData)).To(Equal(1))
 		Expect(conData[0].Config.SystemdMode).To(BeTrue())
 
-		if CGROUPSV2 || !rootless.IsRootless() {
-			stats := podmanTest.Podman([]string{"stats", "--no-stream", ctrName})
-			stats.WaitWithDefaultTimeout()
-			Expect(stats).Should(Exit(0))
+		// stats not supported w/ CGv1 rootless or containerized
+		if isCgroupsV1() && (isRootless() || isContainerized()) {
+			return
 		}
+		stats := podmanTest.Podman([]string{"stats", "--no-stream", ctrName})
+		stats.WaitWithDefaultTimeout()
+		Expect(stats).Should(Exit(0))
 	})
 
 	It("podman create container with systemd entrypoint triggers systemd mode", func() {