Add bootc tests #278
Add bootc tests #278
Conversation
Signed-off-by: Jiri Jaburek <[email protected]>
This was originally done because all VMs were snapshotted, and the orig_* names pointed to the original disk images on which snapshots were based. Since only few of our VMs are snapshotted now, drop the prefix, snapshots use 'snapshot_path' anyway. Signed-off-by: Jiri Jaburek <[email protected]>
Signed-off-by: Jiri Jaburek <[email protected]>
(Rather than using util.ssh_keygen + reading file contents manually.) Signed-off-by: Jiri Jaburek <[email protected]>
I originally rejected this because import_image() would be copying the image file if it wasn't in /var/lib/libvirt/images, and it seemed better and more explicit to make the user put the image on the right place (into /var/lib/libvirt/images). However, an alternate view point on "import" is "just use the disk image in-place, wherever it is", which is what the function does now with this change. In that case, passing arguments makes more sense than setting instance- wide variables. Signed-off-by: Jiri Jaburek <[email protected]>
Signed-off-by: Jiri Jaburek <[email protected]>
comps
force-pushed
the
add_bootc_tests
branch
from
f8c5c86
to
b90134e
Compare
|
I've redesigned the bootc-image-builder test quite a bit; turns out we don't really need a |
|
A note for whoever reviews this in the end: # prepare a Container file for making a hardened image
cfile = podman.Containerfile()
cfile += util.dedent(fr'''
FROM {src_image}
RUN dnf -y install dnf-plugins-core
RUN dnf -y copr enable packit/OpenSCAP-openscap-2170 centos-stream-9-x86_64
RUN dnf -y install openscap-utils
COPY remediation-ds.xml /root/.
RUN oscap-bootc --profile '{profile}' /root/remediation-ds.xml
''')
cfile.add_ssh_pubkey(guest.ssh_pubkey)
cfile.write_to('Containerfile')I wanted to de-duplicate this, so it's not copy/pasted across both bootc and anaconda tests, and I implemented a function for it, def build_hardened_image(src_image, datastream, profile):but it turned out to be just about as complicated as the copy/pasta, or likely even more - I had to write So it didn't make things any simpler, and it just obfuscated the logic. So I left the copy/pasta in there, because - if anything - it's much easier to debug the test(s) by commenting sections of code out, or simply by inserting a sleep + checking the generated Containerfile manually, or modifying it, or otherwise playing with it. |
The idea is that install_basic() is a very minimal wrapper for running Anaconda with the provided kickstart, no extra bells. It is then install() that provides OS customizations for testing via RpmPack, installs DNF repositories from the host, etc., etc. I felt this was slightly better than trying to re-introduce the verbatim_kickstart=False flag for install(), or something similar. Splitting the functions also seems more readable, as we can now use 'with' instead of an ExitStack. The class Kickstart (packages, assembly) changes are also related here, as this change is really about making install_basic() as minimal as feasible, without forced %packages. The intended use case is for 'ostreecontainer', where host repositories and RpmPack don't make sense, given that the OS has already been hardened and customized in the podman container. Signed-off-by: Jiri Jaburek <[email protected]>
This came in handy while waiting for a local podman Registry to start responding on the given port, but can easily be used for waiting for ssh. Signed-off-by: Jiri Jaburek <[email protected]>
This logs the place the backup() / restore() was called from, rather than 'lib.util.backup' every time. Signed-off-by: Jiri Jaburek <[email protected]>
Signed-off-by: Jiri Jaburek <[email protected]>
comps
force-pushed
the
add_bootc_tests
branch
from
b90134e
to
f999c70
Compare
The last commit, adding the actual test(s), is still WIP and will change, but all commits under it should be ready for review.