Merge pull request #3399 from rhatdan/dockerfile

Fix handling of --restore shadow-utils

.cirrus.yml

@@ -98,7 +98,7 @@ smoke_task:
     # the git-validate tool which are difficult to debug and fix.
     skip: $CIRRUS_PR == ''
 
-    timeout_in: 10m
+    timeout_in: 30m
 
     setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}'
     build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}'

Makefile

@@ -107,6 +107,7 @@ validate: install.tools
 	./tests/validate/git-validation.sh
 	./hack/xref-helpmsgs-manpages
 	./tests/validate/pr-should-include-tests
+	./tests/validate/buildahimages-are-sane
 
 .PHONY: install.tools
 install.tools:

contrib/buildahimage/centos7/Dockerfile

@@ -8,7 +8,7 @@ FROM centos:7
 
 # Remove directories used by yum that are just taking
 # up space.
-RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install buildah fuse-overlayfs xz; rm -rf /var/cache /var/log/dnf* /var/log/yum.*;
+RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install buildah fuse-overlayfs xz; rm -rf /var/cache /var/log/dnf* /var/log/yum.*;
 
 ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/
 

contrib/buildahimage/stable/Dockerfile

@@ -11,7 +11,7 @@ FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by yum that are just taking
 # up space.
-RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install buildah fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*;
+RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install buildah fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*;
 
 ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/
 

contrib/buildahimage/stablebyhand/Containerfile.buildahstable

@@ -23,7 +23,7 @@ FROM registry.fedoraproject.org/fedora:latest
 # `podman push quay.io/buildah/stable:v1.14.3 docker://quay.io/buildah/stable:v1.14.3`
 #
 COPY /tmp/buildah-1.14.3-1.fc31.x86_64.rpm /tmp
-RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install /tmp/buildah-1.14.3-1.fc31.x86_64.rpm fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* /tmp/buildah*.rpm
+RUN useradd build; yum -y update;  rpm --restore shadow-utils 2>/dev/null; yum -y install /tmp/buildah-1.14.3-1.fc31.x86_64.rpm fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* /tmp/buildah*.rpm
 
 ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/
 

contrib/buildahimage/testing/Dockerfile

@@ -13,7 +13,7 @@ FROM registry.fedoraproject.org/fedora:latest
 # Don't include container-selinux and remove
 # directories used by yum that are just taking
 # up space.
-RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install buildah fuse-overlayfs xz --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+RUN useradd build; yum -y update;  rpm --restore shadow-utils 2>/dev/null; yum -y install buildah fuse-overlayfs xz --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.*
 
 ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/
 

contrib/buildahimage/upstream/Dockerfile

@@ -17,7 +17,7 @@ ENV GOPATH=/root/buildah
 # to the container.
 # Finally remove the buildah directory and a few other packages
 # that are needed for building but not running Buildah
-RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install --enablerepo=updates-testing \
+RUN useradd build; yum -y update;  rpm --restore shadow-utils 2>/dev/null; yum -y install --enablerepo=updates-testing \
      make \
      golang \
      bats \

tests/validate/buildahimages-are-sane

@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# buildahimages-are-sane - validate changes against buildah-images Dockerfiles
+#
+ME=$(basename $0)
+
+# HEAD should be good enough, but the CIRRUS envariable allows us to test
+head=${CIRRUS_CHANGE_IN_REPO:-HEAD}
+# Base of this PR. Here we absolutely rely on cirrus.
+base=$(git merge-base ${GITVALIDATE_EPOCH:-main} $head)
+
+# Sanity check:
+if [[ -z "$base" ]]; then
+    echo "$(basename $0): internal error: could not determine merge-base"
+    echo "   head                  = $head"
+    echo "   CIRRUS_CHANGE_IN_REPO = $CIRRUS_CHANGE_IN_REPO"
+    echo "   GITVALIDATE_EPOCH     = $GITVALIDATE_EPOCH"
+    exit 1
+fi
+
+# Helper function: confirms that shadow-utils is sane in the built image
+function build_and_check() {
+    local dir=$1
+
+    echo "$ME: Checking $dir"
+
+    # Clean up preexisting image
+    bin/buildah rmi -f buildah &>/dev/null || true
+
+    # Quiet by default, but show logs if anything fails.
+    logfile=$(mktemp --tmpdir $ME.build.XXXXXXX)
+    bin/buildah bud -t buildah $dir > $logfile 2>&1
+    if [[ $? -ne 0 ]]; then
+        echo "$ME: buildah-bud failed:"
+        sed -e 's/^/  /' <$logfile
+        exit 1
+    fi
+
+    ctr=$(bin/buildah from buildah)
+    rpmqv=$(bin/buildah run $ctr rpm -qV shadow-utils)
+    if [[ -n "$rpmqv" ]]; then
+        echo "$ME: rpm-qv failed on $dir:"
+        echo "  $rpmqv"
+        exit 1
+    fi
+
+    bin/buildah rm $ctr &>/dev/null
+    bin/buildah rmi buildah &>/dev/null
+}
+
+# This gives us a list of files touched in all commits, e.g.
+#    A    file1
+#    M    subdir/file2
+# We look for Added or Modified files under contrib/buildahimage; if there
+# aren't any, we have nothing to do.
+#
+# Notes:
+#    --no-renames ensures that renamed files show up as 'A'dded.
+#    we omit 'stablebyhand' because it does not have a Containerfile
+touched=$(git diff --name-status --no-renames $base $head |\
+              grep -v /stablebyhand |\
+              sed -n -E -e 's;^[AM][[:space:]]+(contrib/buildahimage/[^/]+)/.*;\1;p' |\
+              uniq)
+
+for dir in $touched; do
+    build_and_check $dir
+done