Merge pull request #1318 from t-woerner/testing_container_create_enable_cap_sys_admin

infra/image: Use SYS_ADMIN capability for server deployment

Merge pull request #1318 from t-woerner/testing_container_create_enable_cap_sys_admin
8fc2de16 · Rafael Guterres Jeffman · GitHub · 489f4d57 · 8d74fe34 · 8fc2de16
Unverified Commit 8fc2de16 authored 6 months ago by Rafael Guterres Jeffman Committed by GitHub 6 months ago
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -9,7 +9,7 @@ variables:
  ansible_version: "-core >=2.16,<2.17"
  ansible_latest: "-core"
  ansible_minimum: "-core <2.16"
-  distros: "fedora-latest,c9s,fedora-rawhide"
+  distros: "fedora-latest,c9s,c10s,fedora-rawhide"
 stages:

--- a/infra/azure/build-containers.yml
+++ b/infra/azure/build-containers.yml
@@ -12,7 +12,7 @@ trigger: none
 pool:
  vmImage: 'ubuntu-24.04'
-variables: { distros: "fedora-latest,fedora-rawhide,c9s" }
+variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
 stages:

--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -14,8 +14,8 @@ pool:
 variables:
  # We need to have two sets, as c8s is not supported by all ansible versions
-  recent_distros: "fedora-latest,fedora-rawhide,c9s"
+  recent_distros: "fedora-latest,fedora-rawhide,c10s,c9s"
-  distros: "fedora-latest,fedora-rawhide,c9s,c8s"
+  distros: "fedora-latest,fedora-rawhide,c10s,c9s,c8s"
  ansible_latest: "-core"
  ansible_minimum: "-core <2.16"
  ansible_version: "-core >=2.16,<2.17"

--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -6,7 +6,7 @@ pool:
  vmImage: 'ubuntu-20.04'
 variables:
-  distros: "fedora-latest,c9s,c8s,fedora-rawhide"
+  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
  ansible_version: "-core >=2.15,<2.16"
 stages:

--- a/infra/azure/templates/build_container.yml
+++ b/infra/azure/templates/build_container.yml
@@ -23,7 +23,7 @@ jobs:
  - script: ansible-galaxy collection install containers.podman
    displayName: Install Ansible Galaxy collections
-  - script: infra/image/build.sh -p -s ${{ parameters.distro }}
+  - script: infra/image/build.sh -s ${{ parameters.distro }}
    displayName: Build ${{ parameters.distro }} base image
    env:
      ANSIBLE_ROLES_PATH: "${PWD}/roles"

--- a/infra/azure/templates/variables_c10s.yaml
+++ b/infra/azure/templates/variables_c10s.yaml
+#
+# Variables must be defined as comma separated lists.
+# For easier management of items to enable/disable,
+# use one test/module on each line, followed by a comma.
+#
+# Example:
+#
+# ipa_disabled_modules: >-
+#   dnsconfig,
+#   group,
+#   hostgroup
+#
+# If no variables are set, set "empty: true" as at least
+# one item is needed in the set.
+---
+variables:
+  empty: true
+#   ipa_enabled_modules: >-
+#   ipa_enabled_tests: >-
+#   ipa_disabled_modules: >-
+#   ipa_disabled_tests: >-
--- a/infra/image/build.sh
+++ b/infra/image/build.sh
@@ -15,7 +15,7 @@ valid_distro() {
 usage() {
    local prog="${0##*/}"
    cat << EOF
-usage: ${prog} [-h] [-p] [-n HOSTNAME] [-s] distro
+usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
    ${prog} build a container image to test ansible-freeipa.
 EOF
 }
@@ -41,14 +41,14 @@ cpus="2"
 memory="3g"
 quayname="quay.io/ansible-freeipa/upstream-tests"
 deploy_server="N"
-privileged=""
+deploy_capabilities="SYS_ADMIN,SYSLOG"
+capabilities=""
-while getopts ":hn:ps" option
+while getopts ":hn:s" option
 do
    case "${option}" in
        h) help && exit 0 ;;
        n) hostname="${OPTARG}" ;;
-        p) privileged="privileged" ;;
        s) deploy_server="Y" ;;
        *) die -u "Invalid option: ${option}" ;;
    esac
@@ -66,6 +66,8 @@ container_check
 if [ "${deploy_server}" == "Y" ]
 then
+    capabilities="${deploy_capabilities}"
    [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
    deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
@@ -89,7 +91,7 @@ container_create "${name}" "${tag}" \
    "hostname=${hostname}" \
    "memory=${memory}" \
    "cpus=${cpus}" \
-    "${privileged}"
+    "${capabilities:+capabilities=$capabilities}"
 container_commit "${name}" "${quayname}:${tag}"
 if [ "${deploy_server}" == "Y" ]

--- a/infra/image/dockerfile/c10s
+++ b/infra/image/dockerfile/c10s
@@ -13,12 +13,6 @@ dnf --assumeyes install \
    hostname; \
 rm -rf /var/cache/dnf/;
-# Prepare for basic ipa-server-install in container
-# Address failing nis-domainname.service in the ipa-client-install step
-RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
-ADD utils/hostnamectl-wrapper /usr/bin/nisdomainname
-RUN chmod a+rx /usr/bin/nisdomainname
 RUN (cd /lib/systemd/system/; \
    if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
       ln -s dbus-broker.service dbus.service; \

--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -18,7 +18,7 @@ container_create() {
            hostname=*) extra_opts+=("--${opt}") ;;
            cpus=*) extra_opts+=("--${opt}") ;;
            memory=*) extra_opts+=("--${opt}") ;;
-            privileged) extra_opts+=("--${opt}") ;;
+            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
            *) log error "container_create: Invalid option: ${opt}" ;;
        esac
    done

--- a/infra/image/utils/hostnamectl-wrapper
+++ b/infra/image/utils/hostnamectl-wrapper
-#!/bin/bash -eu
-if setpriv --dump | grep -q sys_admin ; then
-	if [[ "$( basename $0 )" =~ "domainname" ]] ; then
-		/usr/bin/hostname -y "$@"
-	else
-		$0.orig "$@"
-	fi
-else
-	echo "Skipping invocation of $0 $@ in unprivileged container." >&2
-	exit
-fi