[libvirt] [PATCH 2/2] Add support for podman in Makefile.ci

Martin Kletzander mkletzan at redhat.com
Fri May 10 07:07:47 UTC 2019 

On Thu, May 09, 2019 at 02:06:18PM +0100, Daniel P. Berrangé wrote:
>On Tue, May 07, 2019 at 05:45:31PM +0200, Martin Kletzander wrote:
>> This way more users can run our CI builds locally.
>>
>> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
>> ---
>>  Makefile.ci | 125 ++++++++++++++++++++++++++++++++++++++--------------
>>  1 file changed, 93 insertions(+), 32 deletions(-)
>>
>> diff --git a/Makefile.ci b/Makefile.ci
>> index 12a62167cc67..e2989ada313c 100644
>> --- a/Makefile.ci
>> +++ b/Makefile.ci
>> @@ -17,7 +17,7 @@ CI_GIT_ROOT = $(shell git rev-parse --show-toplevel)
>>  CI_HOST_SRCDIR = $(CI_SCRATCHDIR)/src
>>
>>  # The directory holding the source inside the
>> -# container. ie where we told Docker to expose
>> +# container. ie where we want to expose
>>  # the $(CI_HOST_SRCDIR) directory from the host
>>  CI_CONT_SRCDIR = /src
>>
>> @@ -46,14 +46,13 @@ CI_CONFIGURE_ARGS =
>>  # cloning them
>>  CI_SUBMODULES = $(shell git submodule | awk '{ print $$2 }')
>>
>> -# Location of the Docker images we're going to pull
>> +# Location of the container images we're going to pull
>>  # Can be useful to overridde to use a locally built
>>  # image instead
>>  CI_IMAGE_PREFIX = quay.io/libvirt/buildenv-
>>
>> -# Docker defaults to pulling the ':latest' tag but
>> -# if the Docker repo above uses different conventions
>> -# this can override it
>> +# The default tag is ':latest' but if the container
>> +# repo above uses different conventions this can override it
>>  CI_IMAGE_TAG = :master
>>
>>  # We delete the virtual root after completion, set
>> @@ -71,24 +70,82 @@ CI_REUSE = 0
>>  CI_UID = $(shell id -u)
>>  CI_GID = $(shell id -g)
>>
>> -# Docker doesn't require the IDs you run as to exist in
>> +# Container engine runtime we are going to use, can be overridden per make
>> +# invocation, if it is not, we try podman and then default to docker.
>> +ifeq ($(CI_CENGINE),)
>> +	CI_CENGINE = $(shell podman version >/dev/null && echo podman || echo docker)
>> +endif
>> +
>> +# IDs you run as do not need to exist in
>>  # the container's /etc/passwd & /etc/group files, but
>> -# if they do not, then libvirt's  'make check' will fail
>> +# if they do not, then libvirt's 'make check' will fail
>>  # many tests.
>> -#
>> -# We do not directly mount /etc/{passwd,group} as Docker
>> -# is liable to mess with SELinux labelling which will
>> -# then prevent the host accessing them. Copying them
>> -# first is safer.
>> -CI_PWDB_MOUNTS = \
>> -	--volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
>> -	--volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
>> -	$(NULL)
>> +ifeq ($(CI_CENGINE),podman)
>> +	CI_PWDB_MOUNTS = \
>> +		--volume /etc/group:/etc/group:ro,z \
>> +		--volume /etc/passwd:/etc/passwd:ro,z \
>> +		$(NULL)
>> +else
>> +	# We do not directly mount /etc/{passwd,group} as Docker
>> +	# is liable to mess with SELinux labelling which will
>> +	# then prevent the host accessing them. Copying them
>> +	# first is safer.
>> +	CI_PWDB_MOUNTS = \
>> +		--volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
>> +		--volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
>> +		$(NULL)
>> +endif
>
>Does this need to be conditionalized ?  Wouldn't podman just
>work with the existing code.  How does podman end up giving

It would, but it seemed pointless to copy the files when it is not needed.

>access to these files if it isn't changing the SELinux label
>on them ?
>

Oh right, I haven't tried with SELinux.  I kind of hope that fuse-overlayfs
would solve that, but they are just starting with these things, so yeah, you're
right, this needs to be there due to SELinux for both podman and docker.

>
>> +
>> +ifeq ($(CI_CENGINE),docker)
>> +	# Docker containers can have very large ulimits
>> +	# for nofiles - as much as 1048576. This makes
>> +	# libvirt very slow at exec'ing programs.
>> +	CI_ULIMIT_FILES = 1024
>> +endif
>
>Again, does this really need to be conditionalized ?
>

Not really, it can be left unconditional.

I'll send a clean v2.

>>
>> -# Docker containers can have very large ulimits
>> -# for nofiles - as much as 1048576. This makes
>> -# libvirt very slow at exec'ing programs.
>> -CI_ULIMIT_FILES = 1024
>> +ifeq ($(CI_CENGINE),podman)
>> +	# Podman cannot reuse host namespace when running non-root containers.  Until
>> +	# support for --keep-uid is added we can just create another mapping that will
>> +	# do that for us.  Beware, that in {uid,git}map=container_id:host_id:range,
>> +	# the host_id does actually refer to the uid in the first mapping where 0
>> +	# (root) is mapped to the current user and rest is offset.
>> +
>> +	# In order to set up this mapping, we need to keep all the user IDs to prevent
>> +	# possible errors as some images might expect UIDs up to 90000 (looking at you
>> +	# fedora), so we don't want the overflowuid to be used for them.  For mapping
>> +	# all the other users properly ther eneeds to be some math done.  Don't worry,
>> +	# it's just addition and subtraction.
>> +
>> +	# 65536 ought to be enough (tm), but for really rare cases the maximums might
>> +	# need to be higher, but that only happens when your /etc/sub{u,g}id allow
>> +	# users to have more IDs.  Unless --keep-uid is supported, let's do this in a
>> +	# way that should work for everyone.
>> +	CI_MAX_UID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subuid)
>> +	CI_MAX_GID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subgid)
>> +	ifeq ($(CI_MAX_UID),)
>> +		CI_MAX_UID = 65536
>> +	endif
>> +	ifeq ($(CI_MAX_GID),)
>> +		CI_MAX_GID = 65536
>> +	endif
>> +	CI_UID_OTHER = $(shell echo $$(($(CI_UID)+1)))
>> +	CI_GID_OTHER = $(shell echo $$(($(CI_GID)+1)))
>> +	CI_UID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_UID)-$(CI_UID))))
>> +	CI_GID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_GID)-$(CI_GID))))
>> +
>> +	CI_PODMAN_ARGS = \
>> +		--uidmap 0:1:$(CI_UID) \
>> +		--uidmap $(CI_UID):0:1 \
>> +		--uidmap $(CI_UID_OTHER):$(CI_UID_OTHER):$(CI_UID_OTHER_RANGE) \
>> +		--gidmap 0:1:$(CI_GID) \
>> +		--gidmap $(CI_GID):0:1 \
>> +		--gidmap $(CI_GID_OTHER):$(CI_GID_OTHER):$(CI_GID_OTHER_RANGE) \
>> +		$(NULL)
>> +else
>> +	CI_DOCKER_ARGS = \
>> +		--ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
>> +		$(NULL)
>> +endif
>>
>>  # Args to use when cloning a git repo.
>>  #  -c  stop it complaining about checking out a random hash
>> @@ -100,7 +157,7 @@ CI_GIT_ARGS = \
>>  	--local  \
>>  	$(NULL)
>>
>> -# Args to use when running the Docker env
>> +# Args to use when running the container
>>  #   --rm      stop inactive containers getting left behind
>>  #   --user    we execute as the same user & group account
>>  #             as dev so that file ownership matches host
>> @@ -110,27 +167,30 @@ CI_GIT_ARGS = \
>>  #   --ulimit  lower files limit for performance reasons
>>  #   --interactive
>>  #   --tty     Ensure we have ability to Ctrl-C the build
>> -CI_DOCKER_ARGS = \
>> +CI_CENGINE_ARGS = \
>>  	--rm \
>>  	--user $(CI_UID):$(CI_GID) \
>>  	--interactive \
>>  	--tty \
>> +	$(CI_PODMAN_ARGS) \
>> +	$(CI_DOCKER_ARGS) \
>>  	$(CI_PWDB_MOUNTS) \
>>  	--volume $(CI_HOST_SRCDIR):$(CI_CONT_SRCDIR):z \
>>  	--workdir $(CI_CONT_SRCDIR) \
>> -	--ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
>>  	$(NULL)
>
>Regards,
>Daniel
>-- 
>|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
>|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
>|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20190510/97936521/attachment-0001.sig>

More information about the libvir-list mailing list