diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 03aa35e5eba0..8f1b49a0e454 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -405,6 +405,17 @@ jobs:
name: "vz"
runs-on: macos-13
timeout-minutes: 120
+ strategy:
+ fail-fast: false
+ matrix:
+ template:
+ - experimental/vz.yaml
+ - fedora.yaml
+ include:
+ - template: experimental/vz.yaml
+ name: default
+ - template: fedora.yaml
+ name: vz-fedora
steps:
- uses: actions/checkout@v4
with:
@@ -417,7 +428,7 @@ jobs:
with:
path: ~/Library/Caches/lima/download
# hashFiles do not seem to support symlinks
- key: ${{ runner.os }}-${{ hashFiles('examples/experimental/vz.yaml') }}
+ key: ${{ runner.os }}-${{ hashFiles('examples/*.yaml') }}
- name: Make
run: make
- name: Install
@@ -425,4 +436,6 @@ jobs:
- name: Install test dependencies
run: brew install qemu bash coreutils
- name: Test
- run: ./hack/test-templates.sh templates/experimental/vz.yaml
+ env:
+ ARGS: "--vm-type vz --mount-type virtiofs --rosetta --network vzNAT --containerd none"
+ run: ./hack/test-templates.sh templates/${{ matrix.template }} ${{ matrix.name }}
diff --git a/hack/test-selinux.sh b/hack/test-selinux.sh
new file mode 100755
index 000000000000..17e6faf358f8
--- /dev/null
+++ b/hack/test-selinux.sh
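Review bot: The new cache key in the second hunk hashes `examples/*.yaml`, which does not descend into `examples/experimental/`, so the content of `examples/experimental/vz.yaml` that the old key hashed no longer influences the download-cache key even though `experimental/vz.yaml` is still a matrix entry. `hashFiles` accepts several patterns, so `key: ${{ runner.os }}-${{ hashFiles('examples/*.yaml', 'examples/experimental/*.yaml') }}` keeps both matrix templates in the key. In the third hunk, `env: ARGS:` is set for both matrix entries but, judging from the `"vz-fedora")` arm added to hack/test-templates.sh in this same commit, only that entry consumes it; a one-line comment above `ARGS:` such as `# only consumed by test-templates.sh for the vz-fedora matrix entry` would save the next reader the cross-file lookup.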
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=common.inc.sh
+source "${scriptdir}/common.inc.sh"
+
+if [ "$#" -ne 1 ]; then
+ ERROR "Usage: $0 NAME"
+ exit 1
+fi
+
+NAME="$1"
+expected="context=system_u:object_r:container_file_t:s0"
+#Skip Rosetta checks for x86 GHA mac runners
+if [ "$(arch)" == "arm64" ]; then
+ INFO "Testing secontext is set for rosetta mounts"
+ got=$(limactl shell "$NAME" mount | grep "rosetta" | awk '{print $6}')
+ INFO "secontext rosetta: expected=${expected}, got=${got}"
+ if [[ $got != *$expected* ]]; then
+ ERROR "secontext for rosetta mount is not set or Invalid"
+ exit 1
+ fi
+fi
+INFO "Testing secontext is set for bind mounts"
+INFO "Checking in mounts"
+got=$(limactl shell "$NAME" mount | grep "$HOME" | awk '{print $6}')
+INFO "secontext ${HOME}: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+ ERROR "secontext for \"$HOME\" dir is not set or Invalid"
+ exit 1
+fi
+got=$(limactl shell "$NAME" mount | grep "/tmp/lima" | awk '{print $6}')
+INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+ ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
+ exit 1
+fi
+INFO "Checking in fstab file"
+expected='context="system_u:object_r:container_file_t:s0"'
+got=$(limactl shell "$NAME" cat /etc/fstab | grep "$HOME" | awk '{print $4}')
+INFO "secontext ${HOME}: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+ ERROR "secontext for \"$HOME\" dir is not set or Invalid"
+ exit 1
+fi
+got=$(limactl shell "$NAME" cat /etc/fstab | grep "/tmp/lima" | awk '{print $4}')
+INFO "secontext /tmp/lima: expected=${expected}, got=${got}"
+if [[ $got != *$expected* ]]; then
+ ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
+ exit 1
+fi
diff --git a/hack/test-templates.sh b/hack/test-templates.sh
index 2f03da3586ea..9b7f05037cd5 100755
--- a/hack/test-templates.sh
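Review bot: Under `set -eu -o pipefail`, every `got=$(limactl shell "$NAME" mount | grep ... | awk ...)` assignment makes the script exit as soon as grep matches nothing, so the "is not set" case each ERROR message describes never reaches that message and CI fails with no explanation of which mount lacked the label. Append `|| true` to each substitution, e.g. `got=$(limactl shell "$NAME" mount | grep "$HOME" | awk '{print $6}' || true)`, and the existing `[[ $got != *$expected* ]]` check then reports an empty `got` as intended. Separately, `grep "$HOME"` and `grep "/tmp/lima"` match any mount line containing that substring, so `got` can hold several lines and the pattern test passes as soon as one of them carries `container_file_t`; selecting the exact mount point (`awk -v mp="$HOME" '$3 == mp {print $6}'`) makes the label assertion apply to the mount it names. The `#Skip Rosetta checks` comment is also missing the space after `#` that the rest of the file uses.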
+++ b/hack/test-templates.sh
@@ -5,19 +5,24 @@ scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=common.inc.sh
source "${scriptdir}/common.inc.sh"
-if [ "$#" -ne 1 ]; then
- ERROR "Usage: $0 FILE.yaml"
+if [ "$#" -eq 0 ]; then
+ ERROR "Usage: $0 FILE.yaml VM_NAME"
exit 1
fi
FILE="$1"
-NAME="$(basename -s .yaml "$FILE")"
+if [[ $# -eq 2 && $2 != "default" ]]; then
+ NAME="$2"
+else
+ NAME="$(basename -s .yaml "$FILE")"
+fi
INFO "Validating \"$FILE\""
limactl validate "$FILE"
# --cpus=1 is needed for running vz on GHA: https://github.com/lima-vm/lima/pull/1511#issuecomment-1574937888
LIMACTL_CREATE=(limactl --tty=false create --cpus=1 --memory=1)
+LIMACTL_ARGS=""
CONTAINER_ENGINE="nerdctl"
@@ -34,6 +39,7 @@ declare -A CHECKS=(
["vmnet"]=""
["disk"]=""
["user-v2"]=""
+ ["vz-selinux"]=""
)
case "$NAME" in
@@ -67,6 +73,12 @@ case "$NAME" in
"docker")
CONTAINER_ENGINE="docker"
;;
+"vz-fedora")
+ WARNING "Relaxing systemd tests for vz-fedora (For avoiding CI failure)"
+ CHECKS["systemd-strict"]=
+ CHECKS["vz-selinux"]=1
+ LIMACTL_ARGS="${ARGS}"
+ ;;
esac
if limactl ls -q | grep -q "$NAME"; then
@@ -109,7 +121,13 @@ if [[ -n ${CHECKS["disk"]} ]]; then
fi
set -x
-"${LIMACTL_CREATE[@]}" "$FILE"
+# shellcheck disable=SC2128
+if [ "${LIMACTL_ARGS}" == "" ]; then
+ "${LIMACTL_CREATE[@]}" "$FILE"
+else
+ # shellcheck disable=SC2086
+ "${LIMACTL_CREATE[@]}" ${LIMACTL_ARGS} --name "$NAME" "$FILE"
+fi
set +x
INFO "Starting \"$NAME\""
@@ -223,7 +241,7 @@ if [[ -n ${CHECKS["port-forwards"]} ]]; then
if [ "${NAME}" = "debian" ]; then
limactl shell "$NAME" sudo apt-get install -y netcat-openbsd
fi
- if [ "${NAME}" = "fedora" ]; then
+ if [[ ${NAME} == *"fedora"* ]]; then
limactl shell "$NAME" sudo dnf install -y nc
fi
if [ "${NAME}" = "opensuse" ]; then
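Review bot: `--name "$NAME"` is passed only on the `else` branch of the new create block (fourth hunk), yet the first hunk now lets any caller set `NAME` from `$2`; for every template other than `vz-fedora` — the only `case` arm that fills `LIMACTL_ARGS` — a second argument therefore yields an instance named after the file while every later `limactl start "$NAME"`/`limactl shell "$NAME"` targets the caller's name. Passing the name unconditionally, `"${LIMACTL_CREATE[@]}" ${LIMACTL_ARGS} --name "$NAME" "$FILE"`, is a no-op when `NAME` is the basename default and removes the branch together with the `SC2128` suppression (which is aimed at arrays, not at this string). In the third hunk, `LIMACTL_ARGS="${ARGS}"` reads an environment variable that nothing in this script sets; if the script runs with `set -u` (as hack/test-selinux.sh in this commit does — the `set` line of this file is outside the hunks), an unexported `ARGS` aborts `vz-fedora` runs with an unbound-variable error rather than a usage message, so `LIMACTL_ARGS="${ARGS:-}"` is the safer form. The unquoted `${LIMACTL_ARGS}` expansion means any flag value containing whitespace cannot be passed this way; a comment noting that constraint above the `SC2086` suppression would document it.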
@@ -389,6 +407,10 @@ if [[ -n ${CHECKS["snapshot-offline"]} ]]; then
limactl start "$NAME"
fi
+if [[ -n ${CHECKS["vz-selinux"]} ]]; then
+ "${scriptdir}"/test-selinux.sh "$NAME"
+fi
+
INFO "Stopping \"$NAME\""
limactl stop "$NAME"
sleep 3
diff --git a/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh b/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh
new file mode 100755
index 000000000000..e72c8cd35fc7
--- /dev/null
+++ b/pkg/cidata/cidata.TEMPLATE.d/boot/05-lima-mounts.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -eux -o pipefail
+
+# Check if mount type is virtiofs and vm type as vz
+if ! [[ ${LIMA_CIDATA_VMTYPE} == "vz" && ${LIMA_CIDATA_MOUNTTYPE} == "virtiofs" ]]; then
+ exit 0
+fi
+
+# Update fstab entries and unmount/remount the volumes with secontext options
+# when selinux is enabled in kernel
+if [ -d /sys/fs/selinux ]; then
+ # shellcheck disable=SC2013
+ for line in $(grep -n virtiofs