[libvirt] [PATCH 2/2] Add support for podman in Makefile.ci
Daniel P. Berrangé
berrange at redhat.com
Thu May 9 13:06:18 UTC 2019
On Tue, May 07, 2019 at 05:45:31PM +0200, Martin Kletzander wrote:
> This way more users can run our CI builds locally.
>
> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
> ---
> Makefile.ci | 125 ++++++++++++++++++++++++++++++++++++++--------------
> 1 file changed, 93 insertions(+), 32 deletions(-)
>
> diff --git a/Makefile.ci b/Makefile.ci
> index 12a62167cc67..e2989ada313c 100644
> --- a/Makefile.ci
> +++ b/Makefile.ci
> @@ -17,7 +17,7 @@ CI_GIT_ROOT = $(shell git rev-parse --show-toplevel)
> CI_HOST_SRCDIR = $(CI_SCRATCHDIR)/src
>
> # The directory holding the source inside the
> -# container. ie where we told Docker to expose
> +# container. ie where we want to expose
> # the $(CI_HOST_SRCDIR) directory from the host
> CI_CONT_SRCDIR = /src
>
> @@ -46,14 +46,13 @@ CI_CONFIGURE_ARGS =
> # cloning them
> CI_SUBMODULES = $(shell git submodule | awk '{ print $$2 }')
>
> -# Location of the Docker images we're going to pull
> +# Location of the container images we're going to pull
> # Can be useful to overridde to use a locally built
> # image instead
> CI_IMAGE_PREFIX = quay.io/libvirt/buildenv-
>
> -# Docker defaults to pulling the ':latest' tag but
> -# if the Docker repo above uses different conventions
> -# this can override it
> +# The default tag is ':latest' but if the container
> +# repo above uses different conventions this can override it
> CI_IMAGE_TAG = :master
>
> # We delete the virtual root after completion, set
> @@ -71,24 +70,82 @@ CI_REUSE = 0
> CI_UID = $(shell id -u)
> CI_GID = $(shell id -g)
>
> -# Docker doesn't require the IDs you run as to exist in
> +# Container engine runtime we are going to use, can be overridden per make
> +# invocation, if it is not, we try podman and then default to docker.
> +ifeq ($(CI_CENGINE),)
> + CI_CENGINE = $(shell podman version >/dev/null && echo podman || echo docker)
> +endif
> +
> +# IDs you run as do not need to exist in
> # the container's /etc/passwd & /etc/group files, but
> -# if they do not, then libvirt's 'make check' will fail
> +# if they do not, then libvirt's 'make check' will fail
> # many tests.
> -#
> -# We do not directly mount /etc/{passwd,group} as Docker
> -# is liable to mess with SELinux labelling which will
> -# then prevent the host accessing them. Copying them
> -# first is safer.
> -CI_PWDB_MOUNTS = \
> - --volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
> - --volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
> - $(NULL)
> +ifeq ($(CI_CENGINE),podman)
> + CI_PWDB_MOUNTS = \
> + --volume /etc/group:/etc/group:ro,z \
> + --volume /etc/passwd:/etc/passwd:ro,z \
> + $(NULL)
> +else
> + # We do not directly mount /etc/{passwd,group} as Docker
> + # is liable to mess with SELinux labelling which will
> + # then prevent the host accessing them. Copying them
> + # first is safer.
> + CI_PWDB_MOUNTS = \
> + --volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
> + --volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
> + $(NULL)
> +endif
Does this need to be conditionalized ? Wouldn't podman just
work with the existing code. How does podman end up giving
access to these files if it isn't changing the SELinux label
on them ?
> +
> +ifeq ($(CI_CENGINE),docker)
> + # Docker containers can have very large ulimits
> + # for nofiles - as much as 1048576. This makes
> + # libvirt very slow at exec'ing programs.
> + CI_ULIMIT_FILES = 1024
> +endif
Again, does this really need to be conditionalized ?
>
> -# Docker containers can have very large ulimits
> -# for nofiles - as much as 1048576. This makes
> -# libvirt very slow at exec'ing programs.
> -CI_ULIMIT_FILES = 1024
> +ifeq ($(CI_CENGINE),podman)
> + # Podman cannot reuse host namespace when running non-root containers. Until
> + # support for --keep-uid is added we can just create another mapping that will
> + # do that for us. Beware, that in {uid,git}map=container_id:host_id:range,
> + # the host_id does actually refer to the uid in the first mapping where 0
> + # (root) is mapped to the current user and rest is offset.
> +
> + # In order to set up this mapping, we need to keep all the user IDs to prevent
> + # possible errors as some images might expect UIDs up to 90000 (looking at you
> + # fedora), so we don't want the overflowuid to be used for them. For mapping
> + # all the other users properly ther eneeds to be some math done. Don't worry,
> + # it's just addition and subtraction.
> +
> + # 65536 ought to be enough (tm), but for really rare cases the maximums might
> + # need to be higher, but that only happens when your /etc/sub{u,g}id allow
> + # users to have more IDs. Unless --keep-uid is supported, let's do this in a
> + # way that should work for everyone.
> + CI_MAX_UID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subuid)
> + CI_MAX_GID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subgid)
> + ifeq ($(CI_MAX_UID),)
> + CI_MAX_UID = 65536
> + endif
> + ifeq ($(CI_MAX_GID),)
> + CI_MAX_GID = 65536
> + endif
> + CI_UID_OTHER = $(shell echo $$(($(CI_UID)+1)))
> + CI_GID_OTHER = $(shell echo $$(($(CI_GID)+1)))
> + CI_UID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_UID)-$(CI_UID))))
> + CI_GID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_GID)-$(CI_GID))))
> +
> + CI_PODMAN_ARGS = \
> + --uidmap 0:1:$(CI_UID) \
> + --uidmap $(CI_UID):0:1 \
> + --uidmap $(CI_UID_OTHER):$(CI_UID_OTHER):$(CI_UID_OTHER_RANGE) \
> + --gidmap 0:1:$(CI_GID) \
> + --gidmap $(CI_GID):0:1 \
> + --gidmap $(CI_GID_OTHER):$(CI_GID_OTHER):$(CI_GID_OTHER_RANGE) \
> + $(NULL)
> +else
> + CI_DOCKER_ARGS = \
> + --ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
> + $(NULL)
> +endif
>
> # Args to use when cloning a git repo.
> # -c stop it complaining about checking out a random hash
> @@ -100,7 +157,7 @@ CI_GIT_ARGS = \
> --local \
> $(NULL)
>
> -# Args to use when running the Docker env
> +# Args to use when running the container
> # --rm stop inactive containers getting left behind
> # --user we execute as the same user & group account
> # as dev so that file ownership matches host
> @@ -110,27 +167,30 @@ CI_GIT_ARGS = \
> # --ulimit lower files limit for performance reasons
> # --interactive
> # --tty Ensure we have ability to Ctrl-C the build
> -CI_DOCKER_ARGS = \
> +CI_CENGINE_ARGS = \
> --rm \
> --user $(CI_UID):$(CI_GID) \
> --interactive \
> --tty \
> + $(CI_PODMAN_ARGS) \
> + $(CI_DOCKER_ARGS) \
> $(CI_PWDB_MOUNTS) \
> --volume $(CI_HOST_SRCDIR):$(CI_CONT_SRCDIR):z \
> --workdir $(CI_CONT_SRCDIR) \
> - --ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
> $(NULL)
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list