diff --git a/.cirrus.yml b/.cirrus.yml index 73ab4fc117..860d258b28 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -98,7 +98,7 @@ smoke_task: # the git-validate tool which are difficult to debug and fix. skip: $CIRRUS_PR == '' - timeout_in: 10m + timeout_in: 30m setup_script: '${SCRIPT_BASE}/setup.sh |& ${_TIMESTAMP}' build_script: '${SCRIPT_BASE}/build.sh |& ${_TIMESTAMP}' diff --git a/Makefile b/Makefile index 245f1ad50a..2fa5020ee1 100644 --- a/Makefile +++ b/Makefile @@ -107,6 +107,7 @@ validate: install.tools ./tests/validate/git-validation.sh ./hack/xref-helpmsgs-manpages ./tests/validate/pr-should-include-tests + ./tests/validate/buildahimages-are-sane .PHONY: install.tools install.tools: diff --git a/contrib/buildahimage/centos7/Dockerfile b/contrib/buildahimage/centos7/Dockerfile index f398e94941..412f796245 100644 --- a/contrib/buildahimage/centos7/Dockerfile +++ b/contrib/buildahimage/centos7/Dockerfile @@ -8,7 +8,7 @@ FROM centos:7 # Remove directories used by yum that are just taking # up space. -RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install buildah fuse-overlayfs xz; rm -rf /var/cache /var/log/dnf* /var/log/yum.*; +RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install buildah fuse-overlayfs xz; rm -rf /var/cache /var/log/dnf* /var/log/yum.*; ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/ diff --git a/contrib/buildahimage/stable/Dockerfile b/contrib/buildahimage/stable/Dockerfile index 66b060f06b..7d0c843620 100644 --- a/contrib/buildahimage/stable/Dockerfile +++ b/contrib/buildahimage/stable/Dockerfile 
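Review bot: The new recipe line `./tests/validate/buildahimages-are-sane` runs a script that calls `bin/buildah` by relative path, but the only prerequisite the hunk header shows for `validate` is `install.tools`, so on a tree where the binary has not been built the step would fail inside the script instead of building it first. If that is not handled elsewhere, add the binary as a prerequisite, e.g. `validate: install.tools bin/buildah` (assuming `bin/buildah` is a target in this Makefile), or have the script exit early with a clear message when `bin/buildah` is missing. The step also builds and runs container images, which the other validate steps visible here do not, so a comment such as `# builds images under contrib/buildahimage; needs a built bin/buildah and network access` would make the requirement explicit. The rule header and its earlier recipe lines lie outside the hunk.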
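Review bot: Sending stderr of `rpm --restore shadow-utils` to /dev/null on a RUN line whose commands are joined with `;` makes a failed restore both invisible and non-fatal: the step's status is that of the trailing `rm -rf`, so an image can be published with the shadow-utils file modes or capabilities left unrestored. The same line is changed in the stable, stablebyhand, testing and upstream files. Consider joining the steps that must succeed with `&&` (`yum -y update && rpm --restore shadow-utils && yum -y install ...`) and dropping the redirect, or at least recording why it is there with a comment like `# stderr dropped: rpm --restore prints <expected message>; tests/validate/buildahimages-are-sane verifies the result`. The new validation script only covers directories touched by a PR and skips stablebyhand, so it does not replace a build-time failure.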
@@ -11,7 +11,7 @@ FROM registry.fedoraproject.org/fedora:latest # Don't include container-selinux and remove # directories used by yum that are just taking # up space. -RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install buildah fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*; +RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install buildah fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.*; ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/ diff --git a/contrib/buildahimage/stablebyhand/Containerfile.buildahstable b/contrib/buildahimage/stablebyhand/Containerfile.buildahstable index 0415c0c260..649be03c88 100644 --- a/contrib/buildahimage/stablebyhand/Containerfile.buildahstable +++ b/contrib/buildahimage/stablebyhand/Containerfile.buildahstable @@ -23,7 +23,7 @@ FROM registry.fedoraproject.org/fedora:latest # `podman push quay.io/buildah/stable:v1.14.3 docker://quay.io/buildah/stable:v1.14.3` # COPY /tmp/buildah-1.14.3-1.fc31.x86_64.rpm /tmp -RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install /tmp/buildah-1.14.3-1.fc31.x86_64.rpm fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* /tmp/buildah*.rpm +RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install /tmp/buildah-1.14.3-1.fc31.x86_64.rpm fuse-overlayfs xz --exclude container-selinux; rm -rf /var/cache /var/log/dnf* /var/log/yum.* /tmp/buildah*.rpm ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/ diff --git a/contrib/buildahimage/testing/Dockerfile b/contrib/buildahimage/testing/Dockerfile index b0d6f97189..bfe96109ac 100644 --- a/contrib/buildahimage/testing/Dockerfile 
+++ b/contrib/buildahimage/testing/Dockerfile @@ -13,7 +13,7 @@ FROM registry.fedoraproject.org/fedora:latest # Don't include container-selinux and remove # directories used by yum that are just taking # up space. -RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install buildah fuse-overlayfs xz --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.* +RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install buildah fuse-overlayfs xz --exclude container-selinux --enablerepo updates-testing; rm -rf /var/cache /var/log/dnf* /var/log/yum.* ADD https://raw.githubusercontent.com/containers/buildah/main/contrib/buildahimage/stable/containers.conf /etc/containers/ diff --git a/contrib/buildahimage/upstream/Dockerfile b/contrib/buildahimage/upstream/Dockerfile index c924b12288..7703c70ac4 100644 --- a/contrib/buildahimage/upstream/Dockerfile +++ b/contrib/buildahimage/upstream/Dockerfile @@ -17,7 +17,7 @@ ENV GOPATH=/root/buildah # to the container. # Finally remove the buildah directory and a few other packages # that are needed for building but not running Buildah -RUN useradd build; yum -y update; rpm --restore --quiet shadow-utils; yum -y install --enablerepo=updates-testing \ +RUN useradd build; yum -y update; rpm --restore shadow-utils 2>/dev/null; yum -y install --enablerepo=updates-testing \ make \ golang \ bats \ diff --git a/tests/validate/buildahimages-are-sane b/tests/validate/buildahimages-are-sane new file mode 100755 index 0000000000..2de60b79fc --- /dev/null +++ b/tests/validate/buildahimages-are-sane 
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# buildahimages-are-sane - validate changes against buildah-images Dockerfiles
+#
+ME=$(basename $0)
+
+# HEAD should be good enough, but the CIRRUS envariable allows us to test
+head=${CIRRUS_CHANGE_IN_REPO:-HEAD}
+# Base of this PR. Here we absolutely rely on cirrus.
+base=$(git merge-base ${GITVALIDATE_EPOCH:-main} $head)
+
+# Sanity check:
+if [[ -z "$base" ]]; then
+ echo "$(basename $0): internal error: could not determine merge-base"
+ echo " head = $head"
+ echo " CIRRUS_CHANGE_IN_REPO = $CIRRUS_CHANGE_IN_REPO"
+ echo " GITVALIDATE_EPOCH = $GITVALIDATE_EPOCH"
+ exit 1
+fi
+
+# Helper function: confirms that shadow-utils is sane in the built image
+function build_and_check() {
+ local dir=$1
+
+ echo "$ME: Checking $dir"
+
+ # Clean up preexisting image
+ bin/buildah rmi -f buildah &>/dev/null || true
+
+ # Quiet by default, but show logs if anything fails.
+ logfile=$(mktemp --tmpdir $ME.build.XXXXXXX)
+ bin/buildah bud -t buildah $dir > $logfile 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo "$ME: buildah-bud failed:"
+ sed -e 's/^/ /' <$logfile
+ exit 1
+ fi
+
+ ctr=$(bin/buildah from buildah)
+ rpmqv=$(bin/buildah run $ctr rpm -qV shadow-utils)
+ if [[ -n "$rpmqv" ]]; then
+ echo "$ME: rpm-qv failed on $dir:"
+ echo " $rpmqv"
+ exit 1
+ fi
+
+ bin/buildah rm $ctr &>/dev/null
+ bin/buildah rmi buildah &>/dev/null
+}
+
+# This gives us a list of files touched in all commits, e.g.
+# A file1
+# M subdir/file2
+# We look for Added or Modified files under contrib/buildahimage; if there
+# aren't any, we have nothing to do.
+#
+# Notes:
+# --no-renames ensures that renamed files show up as 'A'dded.
+# we omit 'stablebyhand' because it does not have a Containerfile
+touched=$(git diff --name-status --no-renames $base $head |\
+ grep -v /stablebyhand |\
+ sed -n -E -e 's;^[AM][[:space:]]+(contrib/buildahimage/[^/]+)/.*;\1;p' |\
+ uniq)
+
+for dir in $touched; do
+ build_and_check $dir
+done
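Review bot: The shadow-utils check in build_and_check fails open: `rpmqv` captures only stdout and the exit status of `bin/buildah from` and `bin/buildah run` is never examined, so if either command fails with its message on stderr, `rpmqv` is empty and the image is reported as sane. Test the status as well as the output, e.g. `ctr=$(bin/buildah from buildah) || exit 1` and `if ! rpmqv=$(bin/buildah run "$ctr" rpm -qV shadow-utils) || [[ -n "$rpmqv" ]]; then`. Separately, `$dir`, `$logfile`, `$ctr` and `$0` are expanded unquoted and `$dir` is derived from path names in the PR's diff, so quoting them (`bin/buildah bud -t buildah "$dir" > "$logfile" 2>&1`) avoids word splitting and globbing on unexpected names; the log created by `mktemp` is also never removed.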