ci: Use bcvk

Make builds unprivileged by default and start using bcvk in
our own CI, the same way we expect people to do so locally
now.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

.github/actions/bootc-ubuntu-setup/action.yml

@@ -65,5 +65,17 @@ runs:
       if: ${{ inputs.libvirt == 'true' }}
       shell: bash
       run: |
-        set -eux
-        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm qemu-utils libvirt-daemon-system
+        set -xeuo pipefail
+        sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system
+        # Something in the stack is overriding this, but we want session right now for bcvk
+        echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV
+        td=$(mktemp -d)
+        cd $td
+        # Install bcvk
+        curl -LO https://github.com/bootc-dev/bcvk/releases/download/v0.5.1/bcvk-x86_64-unknown-linux-gnu.tar.gz
+        echo '1c9bb9e2b1e39d64c93b847350dd028832da27e7f7b0296b14ebfc2fb66b5c2c  bcvk-x86_64-unknown-linux-gnu.tar.gz' > sums
+        sha256sum -c sums
+        tar zxvf bcvk*.tar.gz
+        sudo install -T bcvk-$(arch)-*linux-gnu /usr/bin/bcvk
+        cd -
+        rm -rf "$td"

.github/workflows/ci.yml

@@ -19,6 +19,9 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  # Something seems to be setting this in the default GHA runners, which breaks bcvk
+  # as the default runner user doesn't have access
+  LIBVIRT_DEFAULT_URI: "qemu:///session"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -135,11 +138,11 @@ jobs:
 
       - name: Build container and disk image
         run: |
-          sudo tests/build.sh ${{ matrix.test_os }}
+          tests/build.sh ${{ matrix.test_os }}
 
       - name: Run container tests
         run:
-          sudo just test-container
+          just test-container
 
       - name: Archive disk image
         uses: actions/upload-artifact@v4

Justfile

@@ -24,38 +24,7 @@ build-install-test-image: build-integration-test-image
     cd hack && podman build -t localhost/bootc-integration-install -f Containerfile.drop-lbis
 
 build-disk-image container target:
-    #!/bin/bash
-    set -xeuo pipefail
-    SIZE=20G
-    bcvk=$(which bcvk 2>/dev/null || true)
-    if test -z "${bcvk}" && test "$(id -u)" != 0; then
-        echo "This task currently requires full root"; exit 1
-    fi
-    # testcloud barfs on .raw
-    if test -n "${bcvk}"; then
-      bcvk to-disk --format=qcow2 --disk-size "${SIZE}" --filesystem ext4 {{container}} {{target}}
-    else
-      TMPDISK={{target}}.raw
-      truncate -s "${SIZE}" "${TMPDISK}"
-      podman run \
-        --rm \
-        --privileged \
-        --pid=host \
-        --security-opt label=type:unconfined_t \
-        -v /var/lib/containers:/var/lib/containers \
-        -v /dev:/dev \
-        -v $(pwd)/target:/target \
-        localhost/bootc-integration \
-        bootc install to-disk \
-        --filesystem "ext4" \
-        --karg=console=ttyS0,115200n8 \
-        --generic-image \
-        --via-loopback \
-        /target/$(basename ${TMPDISK})
-      qemu-img convert -f raw -O qcow2 ${TMPDISK} {{target}}
-      rm -f "${TMPDISK}"
-    fi
-
+    bcvk to-disk --format=qcow2 --disk-size 20G --filesystem ext4 {{container}} {{target}}
 
 # These tests accept the container image as input, and may spawn it.
 run-container-external-tests: