rpm-ostree/.papr.yml
Colin Walters 90f9fe80e4 scripts: Drop most capabilities
Note this PR requires [bubblewrap 0.2.0](https://github.com/projectatomic/bubblewrap/releases/tag/v0.2.0).

Change our bwrap invocations to drop truly dangerous capabilities like
`cap_sys_admin` and `cap_sys_module` just like Docker does today. Because of the
popularity of Docker, we can be pretty sure that most RPM scripts should have
adapted to this (although a problematic area here is that traditional librpm
doesn't actually error out if scripts fail).

There are two reasons to do this:

 - We want "offline" updates by default; updates shouldn't affect the
   running system.  If we prepare the new root in the background, a
   %post shouldn't restart a service for example.  We already "handle"
   this by making `systemctl` a symlink to `/bin/true`, but this approach
   also shuts off `%post`s that do e.g. `insmod`.
 - Protection against accidental system damage

Closes: #1099
Approved by: jlebon
2017-12-05 02:54:23 +00:00


---
# Fedora 27 testsuite: builds with the undefined-behaviour sanitizer enabled
# (see CFLAGS below) and runs `make vmcheck` against three Atomic Host VMs.
branches:
  - master
  - auto
  - try
context: f27-primary
required: true
cluster:
  hosts:
    - name: vmcheck1
      distro: fedora/27/atomic
    - name: vmcheck2
      distro: fedora/27/atomic
    - name: vmcheck3
      distro: fedora/27/atomic
  container:
    image: registry.fedoraproject.org/fedora:27
env:
  HOSTS: vmcheck1 vmcheck2 vmcheck3
  # TODO use -fsanitize=address
  CFLAGS: '-fsanitize=undefined -fsanitize-undefined-trap-on-error -O2 -Wp,-D_FORTIFY_SOURCE=2'
  # Leak detection stays off because the tree is not leak-clean yet; the
  # remaining sanitizer checks (use-after-free etc.) still trap.
  ASAN_OPTIONS: 'detect_leaks=0'
  CI_PKGS: rsync
tests:
  - ci/ci-commitmessage-submodules.sh
  - ci/codestyle.sh
  - ci/build-check.sh
  - make vmcheck
timeout: 60m
artifacts:
  - test-suite.log
  - config.log
  - vmcheck
---
# CentOS 7 testsuite. `inherit: true` presumably carries the previous
# testsuite's settings (branch list etc.) forward -- confirm against the PAPR
# documentation; only the keys given here are overridden.
inherit: true
context: c7-primary
required: true
cluster:
  hosts:
    - name: vmcheck1
      distro: centos/7/atomic/smoketested
    - name: vmcheck2
      distro: centos/7/atomic/smoketested
    - name: vmcheck3
      distro: centos/7/atomic/smoketested
  container:
    image: registry.centos.org/centos/centos:7
# We only want the sanitizers on Fedora, so CFLAGS is reset to empty here.
env:
  HOSTS: vmcheck1 vmcheck2 vmcheck3
  CFLAGS: ''
extra-repos:
  - name: atomic-centos-continuous
    baseurl: https://ci.centos.org/artifacts/sig-atomic/rdgo/centos-continuous/build
    # gpgcheck is disabled for this repo: packages installed from it are not
    # signature-verified, so the build trusts that artifact store (and the
    # TLS connection to it) outright.
    gpgcheck: 0
tests:
  - yum install -y epel-release
  - ci/build-check.sh
  - make vmcheck
---
# Fedora 27 compose test. `build: false` here; the build itself happens
# inside the docker invocation below (./ci/build.sh && make install).
branches:
  - master
  - auto
  - try
# NB: when bumping 27 here, also bump fedora.repo, and compose script
context: f27-compose
build: false
timeout: 40m
required: true
# This test case wants an "unprivileged container with bubblewrap",
# which we don't have right now; so just provision a VM and do a
# docker --privileged run.
host:
  distro: fedora/27/atomic
# Copy yum.repos.d to get any injected repos from the host, which
# will point to a closer mirror. Note we substitute $releasever
# since https://github.com/projectatomic/rpm-ostree/pull/875
tests:
  # A single long command line, written as a folded block scalar so the
  # continuation lines are explicit instead of relying on plain-scalar folding.
  # The source tree is bind-mounted read-write into the privileged container.
  - >-
    docker run --privileged --rm
    -e RPMOSTREE_COMPOSE_TEST_USE_REPOS=/etc/yum.repos.d.host
    -v /etc/yum.repos.d:/etc/yum.repos.d.host:ro
    -v $(pwd):/srv/code -w /srv/code
    registry.fedoraproject.org/fedora:27 /bin/sh -c
    "./ci/build.sh && make install && ./tests/compose"
artifacts:
  - compose.log
---
branches:
  - master
  - auto
  - try
# ex-container tests; not gating (required: false).
context: f27-ex-container
build: false
timeout: 30m
required: false
# See the f27-compose context for why we do things this way.
host:
  distro: fedora/27/atomic
tests:
  # Same privileged docker invocation as f27-compose, except that the test
  # itself is run as a freshly created unprivileged user (`unpriv`) that is
  # granted rwX on the source tree via setfacl.
  - >-
    docker run --privileged --rm
    -e RPMOSTREE_COMPOSE_TEST_USE_REPOS=/etc/yum.repos.d.host
    -v /etc/yum.repos.d:/etc/yum.repos.d.host:ro
    -v $(pwd):/srv/code -w /srv/code
    registry.fedoraproject.org/fedora:27 /bin/sh -c
    "./ci/build.sh && make install && adduser unpriv && setfacl -m u:unpriv:rwX . && runuser -u unpriv ./tests/ex-container"
artifacts:
  - ex-container-logs
---
# Fedora 27 sanity run: build, then drive the external atomic-host-tests
# suite against a single overlay node.
branches:
  - master
  - auto
  - try
cluster:
  hosts:
    - name: testnode
      distro: fedora/27/atomic
  container:
    image: registry.fedoraproject.org/fedora:27
context: f27-sanity
# https://bugzilla.redhat.com/show_bug.cgi?id=1483553
#packages:
# - ansible
# - git
# - rsync
env:
  CI_PKGS: git rsync python-virtualenv
tests:
  - ci/build.sh
  # NOTE: this clones the default branch of atomic-host-tests without
  # pinning a tag or commit, so the test content can change independently
  # of this repository between runs.
  - git clone https://github.com/projectatomic/atomic-host-tests
  - make vmoverlay HOSTS=testnode
  - cd atomic-host-tests && ./.test_director