[libvirt] [PATCH 2/2] Add support for podman in Makefile.ci
Martin Kletzander
mkletzan at redhat.com
Fri May 10 07:07:47 UTC 2019
On Thu, May 09, 2019 at 02:06:18PM +0100, Daniel P. Berrangé wrote:
>On Tue, May 07, 2019 at 05:45:31PM +0200, Martin Kletzander wrote:
>> This way more users can run our CI builds locally.
>>
>> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
>> ---
>> Makefile.ci | 125 ++++++++++++++++++++++++++++++++++++++--------------
>> 1 file changed, 93 insertions(+), 32 deletions(-)
>>
>> diff --git a/Makefile.ci b/Makefile.ci
>> index 12a62167cc67..e2989ada313c 100644
>> --- a/Makefile.ci
>> +++ b/Makefile.ci
>> @@ -17,7 +17,7 @@ CI_GIT_ROOT = $(shell git rev-parse --show-toplevel)
>> CI_HOST_SRCDIR = $(CI_SCRATCHDIR)/src
>>
>> # The directory holding the source inside the
>> -# container. ie where we told Docker to expose
>> +# container. ie where we want to expose
>> # the $(CI_HOST_SRCDIR) directory from the host
>> CI_CONT_SRCDIR = /src
>>
>> @@ -46,14 +46,13 @@ CI_CONFIGURE_ARGS =
>> # cloning them
>> CI_SUBMODULES = $(shell git submodule | awk '{ print $$2 }')
>>
>> -# Location of the Docker images we're going to pull
>> +# Location of the container images we're going to pull
>> # Can be useful to overridde to use a locally built
>> # image instead
>> CI_IMAGE_PREFIX = quay.io/libvirt/buildenv-
>>
>> -# Docker defaults to pulling the ':latest' tag but
>> -# if the Docker repo above uses different conventions
>> -# this can override it
>> +# The default tag is ':latest' but if the container
>> +# repo above uses different conventions this can override it
>> CI_IMAGE_TAG = :master
>>
>> # We delete the virtual root after completion, set
>> @@ -71,24 +70,82 @@ CI_REUSE = 0
>> CI_UID = $(shell id -u)
>> CI_GID = $(shell id -g)
>>
>> -# Docker doesn't require the IDs you run as to exist in
>> +# Container engine runtime we are going to use, can be overridden per make
>> +# invocation, if it is not, we try podman and then default to docker.
>> +ifeq ($(CI_CENGINE),)
>> + CI_CENGINE = $(shell podman version >/dev/null && echo podman || echo docker)
>> +endif
>> +
>> +# IDs you run as do not need to exist in
>> # the container's /etc/passwd & /etc/group files, but
>> -# if they do not, then libvirt's 'make check' will fail
>> +# if they do not, then libvirt's 'make check' will fail
>> # many tests.
>> -#
>> -# We do not directly mount /etc/{passwd,group} as Docker
>> -# is liable to mess with SELinux labelling which will
>> -# then prevent the host accessing them. Copying them
>> -# first is safer.
>> -CI_PWDB_MOUNTS = \
>> - --volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
>> - --volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
>> - $(NULL)
>> +ifeq ($(CI_CENGINE),podman)
>> + CI_PWDB_MOUNTS = \
>> + --volume /etc/group:/etc/group:ro,z \
>> + --volume /etc/passwd:/etc/passwd:ro,z \
>> + $(NULL)
>> +else
>> + # We do not directly mount /etc/{passwd,group} as Docker
>> + # is liable to mess with SELinux labelling which will
>> + # then prevent the host accessing them. Copying them
>> + # first is safer.
>> + CI_PWDB_MOUNTS = \
>> + --volume $(CI_SCRATCHDIR)/group:/etc/group:ro,z \
>> + --volume $(CI_SCRATCHDIR)/passwd:/etc/passwd:ro,z \
>> + $(NULL)
>> +endif
>
>Does this need to be conditionalized ? Wouldn't podman just
>work with the existing code. How does podman end up giving
It would, but it seemed pointless to copy the files when it is not needed.
>access to these files if it isn't changing the SELinux label
>on them ?
>
Oh right, I haven't tried with SELinux. I kind of hope that fuse-overlayfs
would solve that, but they are just starting with these things, so yeah, you're
right, this needs to be there due to SELinux for both podman and docker.
>
>> +
>> +ifeq ($(CI_CENGINE),docker)
>> + # Docker containers can have very large ulimits
>> + # for nofiles - as much as 1048576. This makes
>> + # libvirt very slow at exec'ing programs.
>> + CI_ULIMIT_FILES = 1024
>> +endif
>
>Again, does this really need to be conditionalized ?
>
Not really, it can be left unconditional.
I'll send a clean v2.
>>
>> -# Docker containers can have very large ulimits
>> -# for nofiles - as much as 1048576. This makes
>> -# libvirt very slow at exec'ing programs.
>> -CI_ULIMIT_FILES = 1024
>> +ifeq ($(CI_CENGINE),podman)
>> + # Podman cannot reuse host namespace when running non-root containers. Until
>> + # support for --keep-uid is added we can just create another mapping that will
>> + # do that for us. Beware, that in {uid,git}map=container_id:host_id:range,
>> + # the host_id does actually refer to the uid in the first mapping where 0
>> + # (root) is mapped to the current user and rest is offset.
>> +
>> + # In order to set up this mapping, we need to keep all the user IDs to prevent
>> + # possible errors as some images might expect UIDs up to 90000 (looking at you
>> + # fedora), so we don't want the overflowuid to be used for them. For mapping
>> + # all the other users properly ther eneeds to be some math done. Don't worry,
>> + # it's just addition and subtraction.
>> +
>> + # 65536 ought to be enough (tm), but for really rare cases the maximums might
>> + # need to be higher, but that only happens when your /etc/sub{u,g}id allow
>> + # users to have more IDs. Unless --keep-uid is supported, let's do this in a
>> + # way that should work for everyone.
>> + CI_MAX_UID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subuid)
>> + CI_MAX_GID = $(shell sed -n "s/^$USER:[^:]\+://p" /etc/subgid)
>> + ifeq ($(CI_MAX_UID),)
>> + CI_MAX_UID = 65536
>> + endif
>> + ifeq ($(CI_MAX_GID),)
>> + CI_MAX_GID = 65536
>> + endif
>> + CI_UID_OTHER = $(shell echo $$(($(CI_UID)+1)))
>> + CI_GID_OTHER = $(shell echo $$(($(CI_GID)+1)))
>> + CI_UID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_UID)-$(CI_UID))))
>> + CI_GID_OTHER_RANGE = $(shell echo $$(($(CI_MAX_GID)-$(CI_GID))))
>> +
>> + CI_PODMAN_ARGS = \
>> + --uidmap 0:1:$(CI_UID) \
>> + --uidmap $(CI_UID):0:1 \
>> + --uidmap $(CI_UID_OTHER):$(CI_UID_OTHER):$(CI_UID_OTHER_RANGE) \
>> + --gidmap 0:1:$(CI_GID) \
>> + --gidmap $(CI_GID):0:1 \
>> + --gidmap $(CI_GID_OTHER):$(CI_GID_OTHER):$(CI_GID_OTHER_RANGE) \
>> + $(NULL)
>> +else
>> + CI_DOCKER_ARGS = \
>> + --ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
>> + $(NULL)
>> +endif
>>
>> # Args to use when cloning a git repo.
>> # -c stop it complaining about checking out a random hash
>> @@ -100,7 +157,7 @@ CI_GIT_ARGS = \
>> --local \
>> $(NULL)
>>
>> -# Args to use when running the Docker env
>> +# Args to use when running the container
>> # --rm stop inactive containers getting left behind
>> # --user we execute as the same user & group account
>> # as dev so that file ownership matches host
>> @@ -110,27 +167,30 @@ CI_GIT_ARGS = \
>> # --ulimit lower files limit for performance reasons
>> # --interactive
>> # --tty Ensure we have ability to Ctrl-C the build
>> -CI_DOCKER_ARGS = \
>> +CI_CENGINE_ARGS = \
>> --rm \
>> --user $(CI_UID):$(CI_GID) \
>> --interactive \
>> --tty \
>> + $(CI_PODMAN_ARGS) \
>> + $(CI_DOCKER_ARGS) \
>> $(CI_PWDB_MOUNTS) \
>> --volume $(CI_HOST_SRCDIR):$(CI_CONT_SRCDIR):z \
>> --workdir $(CI_CONT_SRCDIR) \
>> - --ulimit nofile=$(CI_ULIMIT_FILES):$(CI_ULIMIT_FILES) \
>> $(NULL)
>
>Regards,
>Daniel
>--
>|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
>|: https://libvirt.org -o- https://fstop138.berrange.com :|
>|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20190510/97936521/attachment-0001.sig>
More information about the libvir-list
mailing list