Add an integration test for systemd in a container

[mheon]

We regressed really badly here. Add a test so we don't do it again.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mheon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mheon]

I fully expect this is failing right now. Will merge once master is fixed.

[rhatdan]

LGTM

[TomSweeneyRedHat]

LGTM once tests are happy

[giuseppe]

LGTM, PR to fix the issue here: #3731

[lslebodn]

IIUC, this line requires oci-systemd-hook to be instalelld on system.

What do you think about another test-case with without that hook? (or with env oci-systemd-hook=disabled)

[rhatdan]

podman should not require oci-systemd-hook at all.

[lslebodn]

ok; tahnk you for explanation.

[mheon]

Rebased. Hopefully will go green now.

[rhatdan]

@mheon Could you rebase this and see if we can get it merged.

[mheon]

Alright, should be getting actual logs out of the tests now - so we should know where this is failing. I suspect it's CGroups related but not 100%.

[mheon]

�[0;1;31mFailed to create /machine.slice/libpod-2a66ed884c8a8266f8c9874afad98bc1533541f00c143814031a2e6ece3ada8a.scope/init.scope control group: Permission denied�[0m �[0;1;31mFailed to allocate manager object: Permission denied�[0m [�[0;1;31m!!!!!!�[0m] Failed to allocate manager object. �[0;1;31mExiting PID 1...�[0m

Some broken characters - encoding on our CI logs seems a bit messed up? - but it looks like a CGroup error setting up systemd on every test that isn't remote and actually uses CGroups.

[mheon]

I think this might be a legitimate issue on Podman's side?

[mheon]

Aug 26 17:03:44 cirrus-task-5556945475338240 audit[9996]: AVC avc: denied { write } for pid=9996 comm="systemd" name="libpod-7035b3c10c07caf8cdf8f13e9ad4af80e30150007016f798b3af48ab1c07e04b.scope" dev="cgroup" ino=4713 scontext=system_u:system_r:container_t:s0:c219,c823 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0

[mheon]

Well, damn. It's the container manage CGroups SEBool. For everything that's not ubuntu.

[mheon]

@cevich PTAL at the last commit - that look like a good place for SELinux config for the tests?

[mheon]

Squashed everything down. Hopefully will go green now.

[mheon]

Everything is passing except CGroups v2

[mheon]

[+0966s] Error: writing file '/sys/fs/cgroup//machine.slice/libpod-dfeb5085da36bb458491e7e3311d0845f8ace4699d1a88b67824c6611fd623f5.scope/cgroup.procs': Device or resource busy: OCI runtime error

I feel like this is an actual error with our V2 support
@giuseppe PTAL when you get back from PTO

[rhatdan]

Can we tell the tests to not run with cgroupsV2 and get this merged and then open an issue for @giuseppe to fix the cgroupsV2 issue.

[mheon]

I'll look into it - should be possible

[rhatdan]

cgroupsv2, _ := cgroups.IsCgroup2UnifiedMode()
if cgroupv2 {
        skip("systemd does not work in cgroups V2 mode yet")
}

[mheon]

Done. Let's see if things go green now.

[cevich]

Please leave original comment or update to clarify: CentOS-7 is never used for testing (we would use RHEL instead). This condition is needed because the cache-image building VM shares setup_environment.sh (hence the comment) and 'exit 0' to avoid doing any actual setup for testing.

[mheon]

Ack, I'll restore the original

[cevich]

Yep this is perfectly fine place to do this.

[mheon]

/retest

[mheon]

@baude @rhatdan @vrothberg @TomSweeneyRedHat PTAL

[TomSweeneyRedHat]

LGTM and all green test buttons.

[baude]

/lgtm