Pre-F35 and U2110 updates

.cirrus.yml

@@ -3,7 +3,7 @@
 # Main collection of env. vars to set for all tasks and scripts.
 env:
     # Name of the ultimate destination branch for this CI run, PR or post-merge.
-    DEST_BRANCH: "master"
+    DEST_BRANCH: "main"
     # Shell used to execute all script commands
     CIRRUS_SHELL: "/bin/bash"
     # No need to go crazy, but grab enough to cover most PRs
@@ -12,11 +12,6 @@ env:
     PACKER_VERSION: &PACKER_VERSION "1.7.0"
     # Unique suffix label to use for all images produced by _this_ run (build)
     IMG_SFX: "${CIRRUS_BUILD_ID}"
-    # Google Application Credentials (JSON) with access to create
-    # Note: Actual authZ specified by service-account roles.
-    # Ref: https://cloud.google.com/compute/docs/access/service-accounts?&_ga=2.102552833.-1670000616.1540407237#accesscopesiam
-    GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
-
 
 gcp_credentials: ENCRYPTED[823fdbc2fee3c27fa054ba1e9cfca084829b5e71572f1703a28e0746b1a924ee5860193f931adce197d40bf89e7027fe]
 
@@ -60,6 +55,10 @@ image_builder_task:
         memory: "2G"
         docker_arguments:
             PACKER_VERSION: *PACKER_VERSION
+    env:
+      # Google Application Credentials (JSON) with access to create VM images
+      GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
+
     script: "ci/make_image_builder.sh"
     manifest_artifacts:
         path: image_builder/manifest.json
@@ -160,6 +159,8 @@ base_images_task:
         - <<: *base_image
           env:
             PACKER_BUILDS: "ubuntu"
+    env:
+      GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
     script: "ci/make_base_images.sh"
     manifest_artifacts:
         path: base_images/manifest.json
@@ -194,6 +195,8 @@ cache_images_task:
         - <<: *cache_image
           env:
             PACKER_BUILDS: "ubuntu"
+    env:
+      GAC_JSON: ENCRYPTED[7fba7fb26ab568ae39f799ab58a476123206576b0135b3d1019117c6d682391370c801e149f29324ff4b50133012aed9]
     script: "ci/make_cache_images.sh"
     manifest_artifacts:
         path: cache_images/manifest.json

Makefile

@@ -93,6 +93,7 @@ ci_debug: $(_TEMPDIR)/ci_debug.tar ## Build and enter container for local develo
 # Takes 4 arguments: export filepath, FQIN, context dir, package cache key
 define podman_build
 	podman build -t $(2) \
+		--security-opt seccomp=unconfined \
 		-v $(_TEMPDIR)/.cache/$(4):/var/cache/dnf:Z \
 		-v $(_TEMPDIR)/.cache/$(4):/var/cache/apt:Z \
 		--build-arg PACKER_VERSION=$(call err_if_empty,PACKER_VERSION) \
@@ -221,6 +222,7 @@ ubuntu_podman:  ## Build Ubuntu podman development container
 
 $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_images/*.sh) $(wildcard cache_images/*.sh) $(_TEMPDIR)/.cache/%
 	podman build -t $*_podman:$(call err_if_empty,IMG_SFX) \
+		--security-opt seccomp=unconfined \
 		--build-arg=BASE_NAME=$(subst prior-,,$*) \
 		--build-arg=BASE_TAG=$(call err_if_empty,BASE_TAG) \
 		--build-arg=PACKER_BUILD_NAME=$(subst _podman,,$*) \
@@ -234,6 +236,7 @@ $(_TEMPDIR)/%_podman.tar: podman/Containerfile podman/setup.sh $(wildcard base_i
 skopeo_cidev: $(_TEMPDIR)/skopeo_cidev.tar  ## Build Skopeo development and CI container
 $(_TEMPDIR)/skopeo_cidev.tar: podman/fedora_release $(wildcard skopeo_base/*) $(_TEMPDIR)/.cache/fedora
 	podman build -t skopeo_cidev:$(call err_if_empty,IMG_SFX) \
+		--security-opt seccomp=unconfined \
 		--build-arg=BASE_TAG=$(_fedora_podman_release) \
 		-v $(_TEMPDIR)/.cache/fedora:/var/cache/dnf:Z \
 		skopeo_cidev

base_images/cloud-init/fedora/cloud.cfg.d/40_defuser.cfg

@@ -0,0 +1 @@
+../../ubuntu/cloud.cfg.d/40_defuser.cfg

base_images/cloud-init/fedora/cloud.cfg.d/40_enable_root.cfg

@@ -0,0 +1 @@
+../../ubuntu/cloud.cfg.d/40_enable_root.cfg

base_images/cloud-init/ubuntu/cloud.cfg.d/40_defuser.cfg

@@ -0,0 +1,2 @@
+# Avoid adding any users to the system by default.  GCP OSLogin will do it at runtime.
+users: {}

base_images/fedora_base-setup.sh

@@ -38,12 +38,9 @@ fi
 
 install_automation_tooling
 
-# There is a race that can happen on boot between the GCE services configuring
-# the VM, and cloud-init trying to do similar activities.  Use a customized
-# unit file to make sure cloud-init starts after the google-compute-* services.
-cp -v $SCRIPT_DIRPATH/fedora-cloud-init.service /etc/systemd/system/
-
 if ! ((CONTAINER)); then
+    custom_cloud_init
+
     # ref: https://cloud.google.com/compute/docs/startupscript
     # The mechanism used by Cirrus-CI to execute tasks on the system is through an
     # "agent" process launched as a GCP startup-script (from the metadata service).
@@ -54,7 +51,7 @@ if ! ((CONTAINER)); then
     METADATA_SERVICE_CTX=unconfined_u:unconfined_r:unconfined_t:s0
     METADATA_SERVICE_PATH=systemd/system/google-startup-scripts.service
     sed -r -e \
-        "s/Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
+        "s/^Type=oneshot/Type=oneshot\nSELinuxContext=$METADATA_SERVICE_CTX/" \
         /lib/$METADATA_SERVICE_PATH > /etc/$METADATA_SERVICE_PATH
 fi
 

base_images/gce.yml

@@ -21,10 +21,9 @@ variables:  # Empty value means it must be passed in on command-line
     # to build from - just as the sources below are the base-images to
     # start from building VM images.
 
-    # Upstream source for Ubuntu image duplication (prevents expiration)
-    # Look these up in the console by searching images for
-    # "Created by: Canonical"
-    UBUNTU_BASE_IMAGE: 'ubuntu-2104-hirsute-v20210511a'
+    # Upstream source for Ubuntu image to duplicate (prevents expiration).
+    # Use the most recent image based on this family name.
+    UBUNTU_BASE_FAMILY: 'ubuntu-2104'
 
     # Latest Fedora release download URL
     FEDORA_IMAGE_URL: "https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-34-1.2.x86_64.qcow2"
@@ -86,13 +85,12 @@ builders:
       iso_url: '{{user `PRIOR_FEDORA_IMAGE_URL`}}'
       iso_checksum: 'file:{{user `PRIOR_FEDORA_CSUM_URL`}}'
 
-    - &imgcopy
-      name: 'ubuntu'
+    - name: 'ubuntu'
       type: 'googlecompute'
       # Prefix IMG_SFX with "b" so this is never confused with a cache_image name
       image_name: 'ubuntu-b{{user `IMG_SFX`}}'
       image_family: '{{build_name}}-base'
-      source_image: '{{user `UBUNTU_BASE_IMAGE`}}'
+      source_image_family: '{{user `UBUNTU_BASE_FAMILY`}}'
       source_image_project_id: 'ubuntu-os-cloud'
       project_id: '{{user `GCP_PROJECT_ID`}}'
       # Can't use env. var for this, googlecompute-import only supports filepath
@@ -102,9 +100,11 @@ builders:
       # Identify the instance
       labels:
         sfx: '{{user `IMG_SFX`}}'
-        src: '{{user `UBUNTU_BASE_IMAGE`}}'
+        src: '{{user `UBUNTU_BASE_FAMILY`}}'
       # Gotcha: https://www.packer.io/docs/builders/googlecompute#gotchas
       ssh_username: 'packer'
+      temporary_key_pair_type: ed25519
+      ssh_clear_authorized_keys: true
 
 provisioners:  # Ubuntu images come bundled with GCE integrations provisioned
     - type: 'shell'

base_images/ubuntu_base-setup.sh

@@ -28,7 +28,14 @@ PKGS=( \
 )
 
 $SUDO apt-get -qq -y update
-$SUDO apt-get -qq -y upgrade apt dpkg
+
+# At the time of this commit, upgrading past the stock
+# cloud-init (21.3-1-g6803368d-0ubuntu1~21.04.3) causes
+# failure of login w/ new ssh key after reset + reboot.
+if ! ((CONTAINER)); then
+    $SUDO apt-mark hold cloud-init
+fi
+
 $SUDO apt-get -qq -y upgrade
 $SUDO apt-get -qq -y install "${PKGS[@]}"
 
@@ -38,4 +45,8 @@ $SUDO DEBCONF_DB_OVERRIDE='File{'$SCRIPT_DIRPATH/no_dash.dat'}' \
 
 install_automation_tooling
 
+if ! ((CONTAINER)); then
+    custom_cloud_init
+fi
+
 finalize

cache_images/fedora_packaging.sh

@@ -174,9 +174,6 @@ fi
 # Download these package files, but don't install them; Any tests
 # wishing to, may install them using their native tools at runtime.
 DOWNLOAD_PACKAGES=(\
-    "cri-o-$(get_kubernetes_version)*"
-    cri-tools
-    "kubernetes-$(get_kubernetes_version)*"
     oci-umount
     parallel
     podman-docker
@@ -187,10 +184,8 @@ DOWNLOAD_PACKAGES=(\
 echo "Installing general build/test dependencies"
 bigto $SUDO dnf install -y $EXARG "${INSTALL_PACKAGES[@]}"
 
-if [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then
+if ((CONTAINER==0)) && [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then
     echo "Downloading packages for optional installation at runtime, as needed."
-    # Required for cri-o
-    ooe.sh $SUDO dnf -y module enable cri-o:$(get_kubernetes_version)
     $SUDO mkdir -p "$PACKAGE_DOWNLOAD_DIR"
     cd "$PACKAGE_DOWNLOAD_DIR"
     lilto ooe.sh $SUDO dnf install -y 'dnf-command(download)'

cache_images/fedora_setup.sh

@@ -9,8 +9,10 @@ SCRIPT_FILEPATH=$(realpath "${BASH_SOURCE[0]}")
 SCRIPT_DIRPATH=$(dirname "$SCRIPT_FILEPATH")
 REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 
-# Run as quickly as possible after boot
-/bin/bash $REPO_DIRPATH/systemd_banish.sh
+if ! ((CONTAINER)); then
+    # Run as quickly as possible after boot
+    /bin/bash $REPO_DIRPATH/systemd_banish.sh
+fi
 
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
@@ -26,8 +28,6 @@ if ! ((CONTAINER)); then
     ooe.sh $SUDO setsebool -P container_manage_cgroup true
 fi
 
-custom_cloud_init
-
 # shellcheck disable=SC2154
 if ! ((CONTAINER)) && [[ "$PACKER_BUILD_NAME" =~ prior ]]; then
     warn "Disabling CgroupsV2 kernel command-line option for systemd"

cache_images/gce.yml

@@ -38,6 +38,7 @@ builders:
       ssh_username: packer  # arbitrary, packer will create & setup w/ temp. keypair
       ssh_pty: 'true'
       temporary_key_pair_type: ed25519
+      ssh_clear_authorized_keys: true
       # Permit running nested VM's to support specialized testing
       image_licenses: ["projects/vm-options/global/licenses/enable-vmx"]
 

cache_images/podman_tooling.sh

@@ -5,7 +5,7 @@
 # not be used for any other purpose or from any other context.
 
 echo "Installing runtime tooling"
-export GOPATH
+export GOPATH="${GOPATH:/var/tmp/go}"
 export GOSRC=/var/tmp/go/src/github.com/containers/podman
 export GOCACHE="${GOCACHE:-/root/.cache/go-build}"
 lilto git clone --quiet https://github.com/containers/podman.git "$GOSRC"
@@ -21,6 +21,7 @@ if [[ "$OS_RELEASE_ID" == "ubuntu" ]]; then
     lilto $SUDO make install.libseccomp.sudo
 fi
 
-# Make pristine for other runtime usage/expectations
-$SUDO rm -rf "$GOSRC"
+# Make pristine for other runtime usage/expectations also save a bit
+# of space in the images.
+$SUDO rm -rf "$GOPATH/src" "$GOCACHE"
 $SUDO chown -R root.root /var/tmp/go

cache_images/ubuntu_packaging.sh

@@ -164,16 +164,22 @@ DOWNLOAD_PACKAGES=(\
     docker-ce
     docker-ce-cli
 )
+
 curl --fail --silent --location \
     --url  https://download.docker.com/linux/ubuntu/gpg | \
     gpg --dearmor | \
     $SUDO tee /etc/apt/trusted.gpg.d/docker_com.gpg &> /dev/null
 echo "deb https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
     ooe.sh $SUDO tee /etc/apt/sources.list.d/docker.list &> /dev/null
-lilto $SUDO apt-get -q -y update
-echo "Downloading packages for optional installation at runtime."
-$SUDO ln -s /var/cache/apt/archives "$PACKAGE_DOWNLOAD_DIR"
-bigto $SUDO apt-get -q -y install --download-only "${DOWNLOAD_PACKAGES[@]}"
+
+if ((CONTAINER==0)) && [[ ${#DOWNLOAD_PACKAGES[@]} -gt 0 ]]; then
+    $SUDO apt-get clean  # no reason to keep previous downloads around
+    # Needed to install .deb files + resolve dependencies
+    lilto $SUDO apt-get -q -y update
+    echo "Downloading packages for optional installation at runtime."
+    $SUDO ln -s /var/cache/apt/archives "$PACKAGE_DOWNLOAD_DIR"
+    bigto $SUDO apt-get -q -y install --download-only "${DOWNLOAD_PACKAGES[@]}"
+fi
 
 echo "Configuring Go environment"
 # There are multiple (otherwise conflicting) versions of golang available

cache_images/ubuntu_setup.sh

@@ -32,8 +32,6 @@ if ! ((CONTAINER)); then
     ooe.sh $SUDO update-grub
 fi
 
-custom_cloud_init
-
 nm_ignore_cni
 
 finalize

get_ci_vm/bad_repo_test/hack/get_ci_vm.sh

@@ -52,9 +52,6 @@ cleanup() {
     set +e
     wait
 
-    # set GCLOUD_DEBUG to leave tmpdir behind for postmortem
-    test -z "$GCLOUD_DEBUG" && rm -rf $TMPDIR
-
     # Not always called from an exit handler, but should always exit when called
     exit $RET
 }
@@ -116,7 +113,6 @@ parse_args(){
         show_usage "No image-name specified."
     fi
 
-    ENVS="$ENVS SPECIALMODE=\"$SPECIALMODE\""
     SETUP_CMD="env $ENVS $GOSRC/contrib/cirrus/setup.sh"
     VMNAME="${VMNAME:-${USER}-${IMAGE_NAME}}"
     CREATE_CMD="$PGCLOUD compute instances create --zone=$ZONE --image-project=libpod-218412 --image=${IMAGE_NAME} --custom-cpu=$CPUS --custom-memory=$MEMORY --boot-disk-size=$DISK --labels=in-use-by=$USER $VMNAME"

lib.sh

@@ -67,13 +67,16 @@ install_automation_tooling() {
 
 custom_cloud_init() {
     #shellcheck disable=SC2154
-    CUSTOM_CLOUD_CONFIG_DEFAULTS="$SCRIPT_DIRPATH/cloud-init/$OS_RELEASE_ID/cloud.cfg.d"
-    if [[ -n "$SCRIPT_DIRPATH" ]] && [[ -d "$CUSTOM_CLOUD_CONFIG_DEFAULTS" ]]
+    CUSTOM_CLOUD_CONFIG_DEFAULTS="$REPO_DIRPATH/base_images/cloud-init/$OS_RELEASE_ID/cloud.cfg.d"
+    if [[ -d "$CUSTOM_CLOUD_CONFIG_DEFAULTS" ]]
     then
         echo "Installing custom cloud-init defaults"
-        $SUDO cp -v "$CUSTOM_CLOUD_CONFIG_DEFAULTS"/* /etc/cloud/cloud.cfg.d/
+        $SUDO cp -v --dereference \
+            "$CUSTOM_CLOUD_CONFIG_DEFAULTS"/* \
+            /etc/cloud/cloud.cfg.d/
     else
         echo "Could not find any files in $CUSTOM_CLOUD_CONFIG_DEFAULTS"
+        exit 1
     fi
 }
 
@@ -95,20 +98,6 @@ set_gac_filepath(){
     unset GAC_JSON;
 }
 
-get_kubernetes_version() {
-    local KUBERNETES_VERSION
-    case "$OS_REL_VER" in
-        fedora-32)
-            KUBERNETES_VERSION="1.15" ;;
-        fedora-33)
-            KUBERNETES_VERSION="1.18" ;;
-        fedora-34)
-            KUBERNETES_VERSION="1.20" ;;
-        *) die "Unknown/Unsupported \$OS_REL_VER '$OS_REL_VER'"
-    esac
-    echo "$KUBERNETES_VERSION"
-}
-
 # Warning: DO NOT USE the following functions willy-nilly!
 # They are only intended to be called by other setup scripts, as the very
 # last step during the build process.  They're purpose is to "reset" the
@@ -158,6 +147,10 @@ common_finalize() {
     cd /
     clean_automatic_users
     $SUDO cloud-init clean --logs
+    if ! ((CONTAINER)); then
+        # Prevent periodically activated services interfering with testing
+        /bin/bash $(dirname ${BASH_SOURCE[0]})/systemd_banish.sh
+    fi
     $SUDO rm -rf /var/lib/cloud/instanc*
     $SUDO rm -rf /root/.ssh/*
     $SUDO rm -rf /etc/ssh/*key*
@@ -166,13 +159,19 @@ common_finalize() {
     echo -n "" | $SUDO tee /etc/machine-id
     $SUDO sync
     if ! ((CONTAINER)); then
+        # This helps when google goes to compress the image
         $SUDO fstrim -av
     fi
 }
 
 # Called during VM Image setup, not intended for general use.
 rh_finalize() {
     set +e  # Don't fail at the very end
+    if ((CONTAINER)); then  # try to save a little space
+        msg "Cleaning up packaging metadata and cache"
+        $SUDO dnf clean all
+        $SUDO rm -rf /var/cache/dnf
+    fi
     set -x
     # Packaging cache is preserved across builds of container images
     $SUDO rm -f /etc/udev/rules.d/*-persistent-*.rules
@@ -183,6 +182,11 @@ rh_finalize() {
 # Called during VM Image setup, not intended for general use.
 ubuntu_finalize() {
     set +e  # Don't fail at the very end
+    if ((CONTAINER)); then  # try to save a little space
+        msg "Cleaning up packaging metadata and cache"
+        $SUDO apt-get clean
+        $SUDO rm -rf /var/cache/apt
+    fi
     set -x
     # Packaging cache is preserved across builds of container images
     common_finalize

skopeo_cidev/setup.sh

@@ -61,7 +61,7 @@ cd "$REG_GOSRC"
 git clone --depth 1 -b "$OSO_TAG" "$OSO_REPO" "$OSO_GOSRC"
 cd "$OSO_GOSRC"
 
-# Edit out a "go < 1.5" check which works incorrectly with go ≥ 1.10.
+# Edit out a "go < 1.5" check which works incorrectly with go >= 1.10.
 sed -i -e 's/\[\[ "\${go_version\[2]}" < "go1.5" ]]/false/' ./hack/common.sh
 
 # Fix a bug in 'options' line processing of resolv.conf when an option is