[libvirt] [PATCH 2/2] Add support for podman in Makefile.ci

Daniel P. Berrangé berrange at redhat.com
Thu May 9 13:06:18 UTC 2019 

On Tue, May 07, 2019 at 05:45:31PM +0200, Martin Kletzander wrote:
> This way more users can run our CI builds locally.
> 
> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
> ---
>  Makefile.ci | 125 ++++++++++++++++++++++++++++++++++++++--------------
>  1 file changed, 93 insertions(+), 32 deletions(-)
> 
> diff --git a/Makefile.ci b/Makefile.ci
> index 12a62167cc67..e2989ada313c 100644
> --- a/Makefile.ci
> +++ b/Makefile.ci
> @@ -17,7 +17,7 @@ CI_GIT_ROOT = $(shell git rev-parse --show-toplevel)
>  CI_HOST_SRCDIR = $(CI_SCRATCHDIR)/src
>  
>  # The directory holding the source inside the
> -# container. ie where we told Docker to expose
> +# container. ie where we want to expose
>  # the $(CI_HOST_SRCDIR) directory from the host
>  CI_CONT_SRCDIR = /src
>  
> @@ -46,14 +46,13 @@ CI_CONFIGURE_ARGS =
>  # cloning them
>  CI_SUBMODULES = $(shell git submodule | awk '{ print $$2 }')
>  
> -# Location of the Docker images we're going to pull
> +# Location of the container images we're going to pull
>  # Can be useful to overridde to use a locally built
>  # image instead
>  CI_IMAGE_PREFIX = quay.io/libvirt/buildenv-
>  
> -# Docker defaults to pulling the ':latest' tag but
> -# if the Docker repo above uses different conventions
> -# this can override it
> +# The default tag is ':latest' but if the container
> +# repo above uses different conventions this can override it
>  CI_IMAGE_TAG = :master
>  
>  # We delete the virtual root after completion, set
> @@ -71,24 +70,82 @@ CI_REUSE = 0
>  CI_UID = $(shell id -u)
>  CI_GID = $(shell id -g)
>  
> -# Docker doesn't require the IDs you run as to exist in
> +# Container engine runtime we are going to use, can be overridden per make
> +# invocation, if it is not, we try podman and then default to docker.
> +ifeq ($(CI_CENGINE),)
> +	CI_CENGINE = $(shell podman version >/dev/null && echo podman || echo docker)
> +endif
> +
> +# IDs you run as do not need to exist in
>  # the container's /etc/passwd & /etc/group files, but
> -# if they do not, then libvirt's  'make check' will fail
> +# if they do not, then libvirt's 'make check' will fail
>  # many tests.
> -#
> -# We do not directly mount /etc/{passwd,group} as Docker
> -# is liable to mess with SELinux labelling which will
> -# then prevent the host accessing them. Copying them
> -# first is safer.
> -CI_PWDB_MOUNTS = \
> -	--volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
> -	--volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
> -	$(NULL)
> +ifeq ($(CI_CENGINE),podman)
> +	CI_PWDB_MOUNTS = \
> +		--volume /etc/group:/etc/group:ro,z \
> +		--volume /etc/passwd:/etc/passwd:ro,z \
> +		$(NULL)
> +else
> +	# We do not directly mount /etc/{passwd,group} as Docker
> +	# is liable to mess with SELinux labelling which will
> +	# then prevent the host accessing them. Copying them
> +	# first is safer.
> +	CI_PWDB_MOUNTS = \
> +		--volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
> +		--volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
> +		$(NULL)
> +endif

Does this need to be conditionalized ?  Wouldn't podman just
work with the existing code.  How does podman end up giving
access to these files if it isn't changing the SELinux label
on them ?


> +
> +ifeq ($(CI_CENGINE),docker)
> +	# Docker containers can have very large ulimits
> +	# for nofiles - as much as 1048576. This makes
> +	# libvirt very slow at exec'ing programs.
> +	CI_ULIMIT_FILES = 1024
> +endif

Again, does this really need to be conditionalized ?

>  
> -# Docker containers can have very large ulimits
> -# for nofiles - as much as 1048576. This makes
> -# libvirt very slow at exec'ing programs.
> -CI_ULIMIT_FILES = 1024
> +ifeq ($(CI_CENGINE),podman)
> +	# Podman cannot reuse host namespace when running non-root containers.  Until
> +	# support for --keep-uid is added we can just create another mapping that will
> +	# do that for us.  Beware, that in {uid,git}map=container_id:host_id:range,
> +	# the host_id does actually refer to the uid in the first mapping where 0
> +	# (root) is mapped to the current user and rest is offset.
> +
> +	# In order to set up this mapping, we need to keep all the user IDs to prevent
> +	# possible errors as some images might expect UIDs up to 90000 (looking at you
> +	# fedora), so we don't want the overflowuid to be used for them.  For mapping
> +	# all the other users properly ther eneeds to be some math done.  Don't worry,
> +	# it's just addition and subtraction.
> +
> +	# 65536 ought to be enough (tm), but for really rare cases the maximums might
> +	# need to be higher, but that only happens when your /etc/sub{u,g}id allow
> +	# users to have more IDs.  Unless --keep-uid is supported, let's do this in a
> +	# way that should work for everyone.
> +	CI_MAX_UID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subuid)
> +	CI_MAX_GID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subgid)
> +	ifeq ($(CI_MAX_UID),)
> +		CI_MAX_UID = 65536
> +	endif
> +	ifeq ($(CI_MAX_GID),)
> +		CI_MAX_GID = 65536
> +	endif
> +	CI_UID_OTHER = $(shell echo $$(($(CI_UID)+1)))
> +	CI_GID_OTHER = $(shell echo $$(($(CI_GID)+1)))
> +	CI_UID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_UID)-$(CI_UID))))
> +	CI_GID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_GID)-$(CI_GID))))
> +
> +	CI_PODMAN_ARGS = \
> +		--uidmap 0:1:$(CI_UID) \
> +		--uidmap $(CI_UID):0:1 \
> +		--uidmap $(CI_UID_OTHER):$(CI_UID_OTHER):$(CI_UID_OTHER_RANGE) \
> +		--gidmap 0:1:$(CI_GID) \
> +		--gidmap $(CI_GID):0:1 \
> +		--gidmap $(CI_GID_OTHER):$(CI_GID_OTHER):$(CI_GID_OTHER_RANGE) \
> +		$(NULL)
> +else
> +	CI_DOCKER_ARGS = \
> +		--ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
> +		$(NULL)
> +endif
>  
>  # Args to use when cloning a git repo.
>  #  -c  stop it complaining about checking out a random hash
> @@ -100,7 +157,7 @@ CI_GIT_ARGS = \
>  	--local  \
>  	$(NULL)
>  
> -# Args to use when running the Docker env
> +# Args to use when running the container
>  #   --rm      stop inactive containers getting left behind
>  #   --user    we execute as the same user & group account
>  #             as dev so that file ownership matches host
> @@ -110,27 +167,30 @@ CI_GIT_ARGS = \
>  #   --ulimit  lower files limit for performance reasons
>  #   --interactive
>  #   --tty     Ensure we have ability to Ctrl-C the build
> -CI_DOCKER_ARGS = \
> +CI_CENGINE_ARGS = \
>  	--rm \
>  	--user $(CI_UID):$(CI_GID) \
>  	--interactive \
>  	--tty \
> +	$(CI_PODMAN_ARGS) \
> +	$(CI_DOCKER_ARGS) \
>  	$(CI_PWDB_MOUNTS) \
>  	--volume $(CI_HOST_SRCDIR):$(CI_CONT_SRCDIR):z \
>  	--workdir $(CI_CONT_SRCDIR) \
> -	--ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
>  	$(NULL)

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list