Merge pull request #3599 from cevich/update_to_f35

Cirrus: Bump up to Fedora 35 & Ubuntu 21.10
containers · Nov 18, 2021 · b71ccf3 · b71ccf3
2 parents 4c40e8e + 0b3e75a
commit b71ccf3
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 76 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -25,11 +25,11 @@ env:
     ####
     # GCE project where images live
     IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-34"
-    PRIOR_FEDORA_NAME: "fedora-33"
-    UBUNTU_NAME: "ubuntu-2104"
+    FEDORA_NAME: "fedora-35"
+    PRIOR_FEDORA_NAME: "fedora-34"
+    UBUNTU_NAME: "ubuntu-2110"
 
-    IMAGE_SUFFIX: "c6431352024203264"
+    IMAGE_SUFFIX: "c6226133906620416"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
@@ -216,9 +216,6 @@ static_build_task:
     init_script: |
         set -ex
         setenforce 0
-        growpart /dev/sda 1 || true
-        resize2fs /dev/sda1 || true
-        yum -y install podman
 
     nix_cache:
       folder: '.cache'

diff --git a/chroot/run_test.go b/chroot/run_test.go
@@ -38,6 +38,9 @@ func testMinimal(t *testing.T, modify func(g *generate.Generator, rootDir, bundl
 	if err != nil {
 		t.Fatalf("generate.New(%q): %v", "linux", err)
 	}
+	if err = setupSeccomp(g.Config, ""); err != nil {
+		t.Fatalf("setupSeccomp(%q): %v", "", err)
+	}
 
 	tempDir, err := ioutil.TempDir("", "chroot-test")
 	if err != nil {

diff --git a/chroot/seccomp.go b/chroot/seccomp.go
@@ -3,6 +3,9 @@
 package chroot
 
 import (
+	"io/ioutil"
+
+	"github.com/containers/common/pkg/seccomp"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	libseccomp "github.com/seccomp/libseccomp-golang"
@@ -171,3 +174,27 @@ func setSeccomp(spec *specs.Spec) error {
 	}
 	return nil
 }
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+	switch seccompProfilePath {
+	case "unconfined":
+		spec.Linux.Seccomp = nil
+	case "":
+		seccompConfig, err := seccomp.GetDefaultProfile(spec)
+		if err != nil {
+			return errors.Wrapf(err, "loading default seccomp profile failed")
+		}
+		spec.Linux.Seccomp = seccompConfig
+	default:
+		seccompProfile, err := ioutil.ReadFile(seccompProfilePath)
+		if err != nil {
+			return errors.Wrapf(err, "opening seccomp profile (%s) failed", seccompProfilePath)
+		}
+		seccompConfig, err := seccomp.LoadProfile(string(seccompProfile), spec)
+		if err != nil {
+			return errors.Wrapf(err, "loading seccomp profile (%s) failed", seccompProfilePath)
+		}
+		spec.Linux.Seccomp = seccompConfig
+	}
+	return nil
+}
diff --git a/chroot/seccomp_unsupported.go b/chroot/seccomp_unsupported.go
@@ -13,3 +13,11 @@ func setSeccomp(spec *specs.Spec) error {
 	}
 	return nil
 }
+
+func setupSeccomp(spec *specs.Spec, seccompProfilePath string) error {
+	if spec.Linux != nil {
+		// runtime-tools may have supplied us with a default filter
+		spec.Linux.Seccomp = nil
+	}
+	return nil
+}
diff --git a/contrib/cirrus/add_second_partition.sh b/contrib/cirrus/add_second_partition.sh
diff --git a/contrib/cirrus/setup.sh b/contrib/cirrus/setup.sh
@@ -14,12 +14,6 @@ echo "Setting up $OS_RELEASE_ID $OS_RELEASE_VER"
 cd $GOSRC
 case "$OS_RELEASE_ID" in
     fedora)
-        # Not executing IN_PODMAN container
-        if [[ -z "$CONTAINER" ]]; then
-            warn "Adding secondary testing partition & growing root filesystem"
-            bash $SCRIPT_BASE/add_second_partition.sh
-        fi
-
         warn "Hard-coding podman to use crun"
         cat > /etc/containers/containers.conf <<EOF
 [engine]