diff --git a/ci/Dockerfile.cosa-build b/ci/Dockerfile.cosa-build index 75edb031..263fd28f 100644 --- a/ci/Dockerfile.cosa-build +++ b/ci/Dockerfile.cosa-build @@ -18,7 +18,7 @@ FROM build-test-qemu-img:latest ENV COSA_DIR=/tmp/cosa ENV COSA_SKIP_OVERLAY=1 RUN mkdir -p "${COSA_DIR}" && \ - COSA_NO_KVM=1 /src/ci/prow-build.sh && \ + COSA_NO_KVM=1 /src/ci/prow-entrypoint.sh build && \ rm -rf "${COSA_DIR}/cache" # We need to make sure that root can read / write to the COSA_DIR so that # when this container is actually run, we have permissions to read and @@ -32,4 +32,3 @@ RUN chgrp -Rf root "${COSA_DIR}" && \ chmod -Rf g+w "${COSA_DIR}" USER builder WORKDIR /tmp/cosa - diff --git a/ci/Dockerfile.cosa-oci-archive b/ci/Dockerfile.cosa-oci-archive index 5935123c..3e3ccd8a 100644 --- a/ci/Dockerfile.cosa-oci-archive +++ b/ci/Dockerfile.cosa-oci-archive @@ -8,4 +8,3 @@ RUN /src/ci/simplify-ociarchive-path.sh FROM scratch COPY --from=base /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive /tmp/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive - diff --git a/ci/Dockerfile.layering-test b/ci/Dockerfile.layering-test index a3342b7d..f761106b 100644 --- a/ci/Dockerfile.layering-test +++ b/ci/Dockerfile.layering-test @@ -4,4 +4,3 @@ FROM build-test-qemu-img:latest AS base FROM registry.ci.openshift.org/coreos/fedora:35 AS final COPY --from=base /usr/local/bin/layering_test /usr/local/bin/layering_test - diff --git a/ci/Dockerfile.machine-os-oci-content b/ci/Dockerfile.machine-os-oci-content index cf6ee542..ddd831e6 100644 --- a/ci/Dockerfile.machine-os-oci-content +++ b/ci/Dockerfile.machine-os-oci-content @@ -10,4 +10,3 @@ # absolute path to refer to the OCI archive in the build context allows us # to "import" the OCI archive into the CI ImageStream. FROM oci-archive:/tmp/build/inputs/magic/cosa/builds/latest/x86_64/rhcos.x86_64.ociarchive - diff --git a/ci/build-test-qemu.sh b/ci/build-test-qemu.sh index 5c645cd1..bf82cc8b 100755 --- a/ci/build-test-qemu.sh 
+++ b/ci/build-test-qemu.sh
@@ -1,12 +1,2 @@
 #!/bin/bash
-set -xeuo pipefail
-# This script is the entrypoint for PRs to this repo via OpenShift Prow.
-dn=$(dirname $0)
-# Prow jobs don't support adding emptydir today
-export COSA_SKIP_OVERLAY=1
-# Create a temporary cosa workdir if COSA_DIR is not set.
-cosa_dir="${COSA_DIR:-$(mktemp -d)}"
-echo "Using $cosa_dir for build"
-cd "$cosa_dir"
-cosa init --transient /src
-exec ${dn}/prow-build-test-qemu.sh
+true
diff --git a/ci/build-test.sh b/ci/build-test.sh
deleted file mode 120000
index 98ce07eb..00000000
--- a/ci/build-test.sh
+++ /dev/null
@@ -1 +0,0 @@
-validate.sh
\ No newline at end of file
diff --git a/ci/build-test.sh b/ci/build-test.sh
new file mode 100755
index 00000000..bf82cc8b
--- /dev/null
+++ b/ci/build-test.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+true
diff --git a/ci/prow-build-test-qemu.sh b/ci/prow-build-test-qemu.sh
index 11b7a32e..bf82cc8b 100755
--- a/ci/prow-build-test-qemu.sh
+++ b/ci/prow-build-test-qemu.sh
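Review bot: Replacing the body of `ci/build-test-qemu.sh` with `true` leaves an executable entrypoint that always exits 0, so any Prow job still configured to call it would report success without building or testing anything. The same stub is written to `ci/build-test.sh` (previously a symlink to `validate.sh`), `ci/prow-build-test-qemu.sh`, `ci/prow-build.sh`, `ci/set-openshift-user.sh` and `ci/test-qemu-nvme.sh`. If the stubs exist only to bridge a job-config migration, say so in a comment at the top of each file, and prefer failing closed, e.g. `echo "deprecated: use ci/prow-entrypoint.sh" >&2; exit 1`, or delete the files once the job definitions no longer reference them.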
@@ -1,71 +1,2 @@
 #!/bin/bash
-set -xeuo pipefail
-# This script is called via build-test-qemu.sh which is the main Prow
-# entrypoint for PRs to this repo, as well as for PRs on other repos,
-# mainly coreos-assembler. It assumes that `cosa init` has been run.
-
-REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
-
-# record information about cosa + rpm-ostree
-if test -d /cosa; then
- jq . < /cosa/coreos-assembler-git.json
-fi
-rpm-ostree --version
-
-# We generate .repo files which write to the source, but
-# we captured the source as part of the Docker build.
-# In OpenShift default SCC we'll run as non-root, so we need
-# to make a new copy of the source. TODO fix cosa to be happy
-# if src/config already exists instead of wanting to reference
-# it or clone it. Or we could write our .repo files to a separate
-# place.
-if test '!' -w src/config; then
- git clone --recurse src/config src/config.writable
- rm src/config -rf
- mv src/config.writable src/config
-fi
-
-#
-# NOTE: If you are adjusting how the repos are fetched in this script, you
-# must also make the same change in the `prow-build.sh` script
-#
-# Grab the raw value of `mutate-os-release` and use sed to convert the value
-# to X-Y format
-ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
-ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
-prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
-# we want to use RHEL 8.5 for testing until we can start using 8.6
-# see https://github.com/openshift/release/pull/26193
-curl -L http://base-"${ocpver_mut}"-rhel85.ocp.svc.cluster.local > src/config/ocp.repo
-# fetch the 8.6 appstream repo to enable building of extensions
-# see: https://github.com/openshift/os/issues/795
-curl -Ls http://base-"${ocpver_mut}"-rhel86.ocp.svc.cluster.local | grep -A 3 rhel-8-appstream | sed '1,3 s/rhel-8-appstream/rhel-86-appstream/g' >> src/config/ocp.repo
-cosa buildfetch --url=${prev_build_url}
-cosa fetch
-cosa build
-cosa buildextend-extensions
-cosa kola --basic-qemu-scenarios
-kola run-upgrade -b rhcos -v --find-parent-image --qemu-image-dir tmp/ --output-dir tmp/kola-upgrade
-cosa kola run --parallel 2
-# Build metal + installer now so we can test them
-cosa buildextend-metal
-cosa buildextend-metal4k
-cosa buildextend-live
-# compress the metal and metal4k images now so we're testing
-# installs with the image format we ship
-cosa compress --artifact=metal --artifact=metal4k
-# Running testiso scenarios on metal artifact
-# Skip the following scenarios: iso-install,iso-offline-install,iso-live-login,iso-as-disk
-# See: https://github.com/openshift/os/issues/666
-kola testiso -S --scenarios pxe-install,pxe-offline-install --output-dir tmp/kola-metal
-# iso-install scenario to sanity-check the metal4k media
-# Skip all the testiso scenarios for metal4k + UEFI
-# See: https://github.com/openshift/os/issues/666
-# kola testiso -S --qemu-native-4k --qemu-multipath --scenarios iso-install --output-dir tmp/kola-metal4k
-# if [ $(uname -i) = x86_64 ] || [ $(uname -i) = aarch64 ]; then
-# mkdir -p tmp/kola-uefi
-# kola testiso -S --qemu-firmware uefi --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/insecure
-# if [ $(uname -i) = x86_64 ]; then
-# kola testiso -S --qemu-firmware uefi-secure --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/secure
-# fi
-# fi
+true
diff --git a/ci/prow-build.sh b/ci/prow-build.sh
index 99a0381b..bf82cc8b 100755
--- a/ci/prow-build.sh
+++ b/ci/prow-build.sh
@@ -1,53 +1,2 @@
 #!/bin/bash
-set -xeuo pipefail
-
-# Prow jobs don't support adding emptydir today
-export COSA_SKIP_OVERLAY=1
-# Create a temporary cosa workdir if COSA_DIR is not set.
-cosa_dir="${COSA_DIR:-$(mktemp -d)}"
-echo "Using $cosa_dir for build"
-cd "$cosa_dir"
-cosa init --transient /src
-
-# This script is called via build.sh which is the main Prow
-# entrypoint for PRs to this repo, as well as for PRs on other repos,
-# mainly coreos-assembler. It assumes that `cosa init` has been run.
-
-REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
-
-# record information about cosa + rpm-ostree
-if test -d /cosa; then
- jq . < /cosa/coreos-assembler-git.json
-fi
-rpm-ostree --version
-
-# We generate .repo files which write to the source, but
-# we captured the source as part of the Docker build.
-# In OpenShift default SCC we'll run as non-root, so we need
-# to make a new copy of the source. TODO fix cosa to be happy
-# if src/config already exists instead of wanting to reference
-# it or clone it. Or we could write our .repo files to a separate
-# place.
-if test '!' -w src/config; then
- git clone --recurse src/config src/config.writable
- rm src/config -rf
- mv src/config.writable src/config
-fi
-
-#
-# NOTE: If you are adjusting how the repos are fetched in this script, you
-# must also make the same change in the `prow-build-test-qemu.sh` script
-#
-# Grab the raw value of `mutate-os-release` and use sed to convert the value
-# to X-Y format
-ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
-ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
-prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
-
-# Fetch RHEL 8.6 repos
-curl -L http://base-"${ocpver_mut}"-rhel86.ocp.svc.cluster.local > src/config/ocp.repo
-
-cosa buildfetch --url=${prev_build_url}
-cosa fetch
-cosa build
-cosa buildextend-extensions
+true
diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh
new file mode 100755
index 00000000..c81d0752
--- /dev/null
+++ b/ci/prow-entrypoint.sh
@@ -0,0 +1,193 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# Main script acting as entrypoint for all Prow jobs building RHCOS images
+
+# Global variables
+REDIRECTOR_URL="https://rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com/art/storage/releases/"
+
+# This function is used to update the /etc/passwd file within the COSA container
+# at test-time. The need for this comes from the fact that OpenShift will run a
+# container with a randomized user ID by default to enhance security. Because
+# COSA runs with an unprivileged user ("builder") instead of (container) root,
+# this presents special challenges for file and disk permissions. This particular
+# pattern was inspired by:
+# - https://cloud.redhat.com/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
+# - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
+setup_user() {
+ user_id="$(id -u)"
+ group_id="$(id -g)"
+
+ grep -v "^builder" /etc/passwd > /tmp/passwd
+ echo "builder:x:${user_id}:${group_id}::/home/builder:/bin/bash" >> /tmp/passwd
+ cat /tmp/passwd > /etc/passwd
+ rm /tmp/passwd
+
+ # Not strictly required, but nice for debugging.
+ id
+ whoami
+}
+
+cosa_init() {
+ # Always create a writable copy of the source repo
+ tmp_src="$(mktemp -d)"
+ cp -a /src "${tmp_src}/os"
+
+ # Either use the COSA_DIR prepared for us or create a temporary cosa workdir
+ cosa_dir="${COSA_DIR:-$(mktemp -d)}"
+ echo "Using $cosa_dir for build"
+ cd "$cosa_dir"
+
+ # Setup source tree
+ cosa init --transient "${tmp_src}/os"
+}
+
+# Do a cosa build & cosa build-extensions only
+# This is called both as part of the build phase and test phase in Prow thus we
+# can not do any kola testing in this function.
+cosa_build() {
+ # Grab the raw value of `mutate-os-release` and use sed to convert the value
+ # to X-Y format
+ ocpver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]')
+ ocpver_mut=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["mutate-os-release"]' | sed 's|\.|-|')
+ prev_build_url=${REDIRECTOR_URL}/rhcos-${ocpver}/
+ # Fetch the previous build
+ cosa buildfetch --url="${prev_build_url}"
+
+ # Fetch the repos corresponding to the release we are building
+ rhelver=$(rpm-ostree compose tree --print-only src/config/manifest.yaml | jq -r '.["automatic-version-prefix"]' | cut -f2 -d.)
+ id
+ whoami
+ ls -alh "src/config/"
+ curl -L "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"
+
+ # Build RHCOS & extensions
+ cosa fetch
+ cosa build
+ cosa buildextend-extensions
+}
+
+# Make sure the image is at least booting before runnning expensive tests
+kola_test_basic() {
+ cosa kola run basic
+}
+
+kola_test_basic_scenarios() {
+ cosa kola --basic-qemu-scenarios
+}
+
+kola_test_upgrade() {
+ kola run-upgrade -b rhcos -v --find-parent-image --qemu-image-dir tmp/ --output-dir tmp/kola-upgrade
+}
+
+kola_test_run() {
+ cosa kola run --parallel 2
+}
+
+kola_test_metal() {
+ # Build metal + installer now so we can test them
+ cosa buildextend-metal && cosa buildextend-metal4k && cosa buildextend-live
+
+ # Compress the metal and metal4k images now so we're testing
+ # installs with the image format we ship
+ cosa compress --artifact=metal --artifact=metal4k
+
+ # Run all testiso scenarios on metal artifact
+ kola testiso -S --scenarios pxe-install,pxe-offline-install,iso-install,iso-offline-install,iso-live-login,iso-as-disk,miniso-install --output-dir tmp/kola-metal
+
+ # Run only the iso-install scenario to sanity-check the metal4k media
+ kola testiso -S --qemu-native-4k --qemu-multipath --scenarios iso-install --output-dir tmp/kola-metal4k
+
+ # Run some uefi & secure boot tests
+ if [[ "$(uname -i)" == "x86_64" ]] || [[ "$(uname -i)" == "aarch64" ]]; then
+ mkdir -p tmp/kola-uefi
+ kola testiso -S --qemu-firmware uefi --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/insecure
+ if [[ "$(uname -i)" == "x86_64" ]]; then
+ kola testiso -S --qemu-firmware uefi-secure --scenarios iso-live-login,iso-as-disk --output-dir tmp/kola-uefi/secure
+ fi
+ fi
+}
+
+# Basic syntaxt validation for manifests
+validate() {
+ # Create a temporary copy
+ workdir="$(mktemp -d)"
+ echo "Using $workdir as working directory"
+
+ # Figure out if we are running from the COSA image or directly from the Prow src image
+ if [[ -d /src/github.com/openshift/os ]]; then
+ cd "$workdir"
+ git clone /src/github.com/openshift/os os
+ elif [[ -d ./.git ]]; then
+ srcdir="${PWD}"
+ cd "$workdir"
+ git clone "${srcdir}" os
+ else
+ echo "Could not found source directory"
+ exit 1
+ fi
+ cd os
+
+ # First ensure submodules are initialized
+ git submodule update --init --recursive
+ # Basic syntax check
+ ./fedora-coreos-config/ci/validate
+}
+
+main () {
+ if [[ "${#}" -ne 1 ]]; then
+ echo "This script is expected to be called by Prow with the name of the build phase or test to run"
+ exit 1
+ fi
+
+ # Record information about cosa + rpm-ostree
+ if [[ -d /cosa ]]; then
+ jq . < /cosa/coreos-assembler-git.json
+ fi
+ rpm-ostree --version
+
+ case "${1}" in
+ "validate")
+ validate
+ ;;
+ "build")
+ cosa_init
+ cosa_build
+ ;;
+ "build-test-qemu-kola-basic")
+ setup_user
+ cosa_init
+ cosa_build
+ kola_test_basic
+ kola_test_basic_scenarios
+ ;;
+ "build-test-qemu-kola-all")
+ setup_user
+ cosa_init
+ cosa_build
+ kola_test_basic
+ kola_test_run
+ ;;
+ "build-test-qemu-kola-upgrade")
+ setup_user
+ cosa_init
+ cosa_build
+ kola_test_basic
+ kola_test_upgrade
+ ;;
+ "build-test-qemu-kola-metal")
+ setup_user
+ cosa_init
+ cosa_build
+ kola_test_basic
+ kola_test_metal
+ ;;
+ *)
+ echo "Unknown test name"
+ exit 1
+ ;;
+ esac
+}
+
+main "${@}"
+
diff --git a/ci/prow-thisrepo-entrypoint.sh b/ci/prow-thisrepo-entrypoint.sh
deleted file mode 120000
index e2e8d59a..00000000
--- a/ci/prow-thisrepo-entrypoint.sh
+++ /dev/null
@@ -1 +0,0 @@
-build-test-qemu.sh
\ No newline at end of file
diff --git a/ci/set-openshift-user.sh b/ci/set-openshift-user.sh
index 5953337c..bf82cc8b 100755
--- a/ci/set-openshift-user.sh
+++ b/ci/set-openshift-user.sh
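Review bot: In `cosa_build`, the `curl -L "http://base-…" -o "src/config/ocp.repo"` call has no `--fail`, so an HTTP error body would be saved as the repo definition and the build would carry on with it; curl exits 0 on a 4xx/5xx response unless told otherwise, so `set -e` does not catch it. The host name is built from `jq -r` output, which prints `null` when `mutate-os-release` or `automatic-version-prefix` is absent from the manifest. I would write `curl --fail --location --silent --show-error "http://base-${ocpver_mut}-rhel${rhelver}.ocp.svc.cluster.local" -o "src/config/ocp.repo"` and guard the inputs first with `[[ "${ocpver}" != "null" && "${rhelver}" != "null" ]] || exit 1`. This file decides which package repositories the image is built from and is fetched over plain HTTP, so a comment stating why the cluster-local service is trusted for that would help the next reader. Separately, `setup_user` stages the passwd copy at the fixed path `/tmp/passwd`; a `mktemp` file would avoid the predictable name.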
@@ -1,30 +1,2 @@
 #!/bin/bash
-
-# This script is used to update the /etc/passwd file within the COSA container
-# at test-time. The need for this comes from the fact that OpenShift will run a
-# container with a randomized user ID by default to enhance security. Because
-# COSA runs with an unprivileged user ("builder") instead of (container) root,
-# this presents special challenges for file and disk permissions. This particular
-# pattern was inspired by:
-# - https://cloud.redhat.com/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
-# - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
-
-set -xeuo
-
-user_id="$(id -u)"
-group_id="$(id -g)"
-
-cat /etc/passwd | grep -v "^builder" > /tmp/passwd
-echo "builder:x:${user_id}:${group_id}::/home/builder:/bin/bash" >> /tmp/passwd
-cat /tmp/passwd > /etc/passwd
-rm /tmp/passwd
-
-# Not strictly required, but nice for debugging.
-id
-whoami
-
-# Workaround for how we cache the cosa builds in Prow and juggle users,
-# see also https://github.com/actions/checkout/issues/760#issuecomment-1097461496
-if test -d src/config; then
- git config --global --add safe.directory $PWD/src/config
-fi
+true
diff --git a/ci/test-qemu-firmware-uefi.sh b/ci/test-qemu-firmware-uefi.sh
index 23115ec5..121d870d 100755
--- a/ci/test-qemu-firmware-uefi.sh
+++ b/ci/test-qemu-firmware-uefi.sh
@@ -1,6 +1,3 @@
 #!/bin/bash
 set -xeuo
-/src/ci/set-openshift-user.sh
-/src/ci/prow-build.sh
-cosa kola run --qemu-firmware=uefi basic
-
+/src/ci/prow-entrypoint.sh "build-test-qemu-kola-basic"
diff --git a/ci/test-qemu-kola-upgrade.sh b/ci/test-qemu-kola-upgrade.sh
index 750fed64..8e087b5a 100755
--- a/ci/test-qemu-kola-upgrade.sh
+++ b/ci/test-qemu-kola-upgrade.sh
@@ -1,6 +1,3 @@
 #!/bin/bash
 set -xeuo
-/src/ci/set-openshift-user.sh
-/src/ci/prow-build.sh
-kola run-upgrade -b rhcos -v --find-parent-image --qemu-image-dir tmp/ --output-dir tmp/kola-upgrade
-
+/src/ci/prow-entrypoint.sh "build-test-qemu-kola-upgrade"
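Review bot: `ci/test-qemu-firmware-uefi.sh` used to run `cosa kola run --qemu-firmware=uefi basic`, but the `build-test-qemu-kola-basic` phase it now calls runs `cosa kola run basic` and `cosa kola --basic-qemu-scenarios`, with no firmware option visible in `prow-entrypoint.sh`. Unless `--basic-qemu-scenarios` already includes a UEFI boot, which this diff does not show, the job no longer tests what its name says and a UEFI boot regression could pass unnoticed. Either add a phase that passes the firmware choice through, or add a comment here such as `# UEFI boot is covered by --basic-qemu-scenarios` once that is confirmed.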
diff --git a/ci/test-qemu-kola.sh b/ci/test-qemu-kola.sh
index ee252b20..4d0df394 100755
--- a/ci/test-qemu-kola.sh
+++ b/ci/test-qemu-kola.sh
@@ -1,6 +1,3 @@
 #!/bin/bash
 set -xeuo
-/src/ci/set-openshift-user.sh
-/src/ci/prow-build.sh
-cosa kola run --parallel 2
-
+/src/ci/prow-entrypoint.sh "build-test-qemu-kola-all"
diff --git a/ci/test-qemu-metal.sh b/ci/test-qemu-metal.sh
index d0c14456..8060b9a3 100755
--- a/ci/test-qemu-metal.sh
+++ b/ci/test-qemu-metal.sh
@@ -1,8 +1,3 @@
 #!/bin/bash
 set -xeuo
-/src/ci/set-openshift-user.sh
-/src/ci/prow-build.sh
-cosa buildextend-metal && cosa buildextend-metal4k && cosa buildextend-live
-cosa compress --artifact=metal --artifact=metal4k
-kola testiso -S --scenarios pxe-install,pxe-offline-install --output-dir tmp/kola-metal
-
+/src/ci/prow-entrypoint.sh "build-test-qemu-kola-metal"
diff --git a/ci/test-qemu-nvme.sh b/ci/test-qemu-nvme.sh
index 19ea9cbe..2e06e213 100755
--- a/ci/test-qemu-nvme.sh
+++ b/ci/test-qemu-nvme.sh
@@ -1,6 +1,3 @@
 #!/bin/bash
 set -xeuo
-/src/ci/set-openshift-user.sh
-/src/ci/prow-build.sh
-cosa kola run --qemu-nvme=true basic
-
+true
diff --git a/ci/validate.sh b/ci/validate.sh
index d5e68ea6..fdd4042c 100755
--- a/ci/validate.sh
+++ b/ci/validate.sh
@@ -1,6 +1,3 @@
 #!/bin/bash
-set -xeuo pipefail
-# First ensure submodules are initialized
-git submodule update --init --recursive
-# Basic syntax check
-./fedora-coreos-config/ci/validate
+set -xeuo
+./ci/prow-entrypoint.sh "validate"
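Review bot: The new `set -xeuo` line in `ci/validate.sh` drops the `pipefail` argument, so `-o` is left without an option name; bash then only prints the current option settings and `pipefail` stays off. Keep `set -xeuo pipefail`, or write `set -xeu` if pipefail is not wanted. The `test-qemu-*.sh` wrappers carry the same line as unchanged context and would benefit from the same fix. `./ci/prow-entrypoint.sh` is also resolved relative to the working directory, whereas the other wrappers call `/src/ci/prow-entrypoint.sh`; a comment such as `# Prow runs this from the repository root` would make that assumption explicit.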