Merge pull request #60 from rancher/e2e

Add initial E2E structure for validating SELinux policies

.github/workflows/tests.yml

@@ -20,3 +20,42 @@ jobs:
         go-version: 'stable'
 
     - run: make build DRY_RUN=true
+
+  e2e:
+    strategy:
+      matrix:
+        distro: [centos8, centos9]
+
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    # https://lima-vm.io/docs/examples/gha/
+    - name: "Install QEMU"
+      run: |
+        set -eux
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends ovmf qemu-system-x86 qemu-utils
+        sudo modprobe kvm
+        sudo chown $(whoami) /dev/kvm        
+
+    - name: "Install Lima"
+      run: |
+        set -eux
+        LIMA_VERSION=$(curl -fsSL https://api.github.com/repos/lima-vm/lima/releases/latest | jq -r .tag_name)
+        FILE="lima-${LIMA_VERSION:1}-Linux-x86_64.tar.gz"
+        curl -fOSL https://github.com/lima-vm/lima/releases/download/${LIMA_VERSION}/${FILE}
+        sudo tar Cxzvf /usr/local "${FILE}"
+        rm -f "${FILE}"
+        # Export LIMA_VERSION For the GHA cache key
+        echo "LIMA_VERSION=${LIMA_VERSION}" >>$GITHUB_ENV        
+
+    - name: "Cache ~/.cache/lima"
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/lima
+        key: lima-${{ env.LIMA_VERSION }}
+
+    - name: E2E ${{ matrix.distro }}
+      run: make e2e-${{ matrix.distro }}

Dockerfile

@@ -4,30 +4,7 @@ ARG POLICY
 # to build the SELinux policies and package them as RPM for each
 # of the target platforms.
 
-FROM quay.io/centos/centos:centos7 as centos7
-
-# CentOS7 is now EOL and the DNS it relied on for mirror lists
-# (mirrorlist.centos.org), no longer resolves.
-# The adhoc solution is to disable the use of the mirrorlist and default
-# to vault.centos.org instead.
-#
-# https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/
-RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \
-        sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
-
-RUN yum install -y \
-        createrepo_c \
-        epel-release \
-        container-selinux \
-        selinux-policy-devel \
-        yum-utils \
-        rpm-build \
-        rpm-sign expect
-
-# Confirm this is needed, move to final if not.
-COPY hack/centos7_sign /usr/local/bin/sign
-
-FROM quay.io/centos/centos:stream8 as centos8
+FROM quay.io/centos/centos:stream8 AS centos8
 
 # Stream8 is now EOL and the DNS it relied on for mirror lists
 # (mirrorlist.centos.org), no longer resolves.
@@ -47,10 +24,7 @@ RUN yum install -y \
         rpm-build \
         rpm-sign
 
-# Move to final stage if centos7_sign is removed.
-COPY hack/sign /usr/local/bin/sign
-
-FROM quay.io/centos/centos:stream9 as centos9
+FROM quay.io/centos/centos:stream9 AS centos9
 RUN yum install -y \
         createrepo_c \
         epel-release \
@@ -60,21 +34,15 @@ RUN yum install -y \
         rpm-build \
         rpm-sign
 
-# Move to final stage if centos7_sign is removed.
-COPY hack/sign /usr/local/bin/sign
-
-FROM fedora:37 as fedora37
+FROM fedora:37 AS fedora37
 RUN dnf install -y \
         createrepo_c \
         container-selinux \
         selinux-policy-devel \
         rpm-build \
         rpm-sign
 
-# Move to final stage if centos7_sign is removed.
-COPY hack/sign /usr/local/bin/sign
-
-FROM opensuse/tumbleweed as microos
+FROM opensuse/tumbleweed AS microos
 RUN zypper install -y \
         container-selinux \
         selinux-policy-devel \
@@ -84,15 +52,13 @@ RUN zypper install -y \
 # libglib is required to install createrepo_c in Tumbleweed.
 RUN zypper install -y libglib-2_0-0 createrepo_c
 
-# Move to final stage if centos7_sign is removed.
-COPY hack/sign /usr/local/bin/sign
-
 # Pick base image based on the target policy.
-FROM ${POLICY} as final
+FROM ${POLICY} AS final
 
 WORKDIR /src
 
 ARG POLICY
+COPY hack/sign /usr/local/bin/sign
 COPY policy/${POLICY}/rancher-selinux.spec \
      policy/${POLICY}/rancher.fc \
      policy/${POLICY}/rancher.te \

Makefile

@@ -1,5 +1,7 @@
 RUNNER ?= docker
 POLICIES = $(shell find policy -mindepth 1 -maxdepth 1 -type d | sort -u | cut -f 2 -d'/')
+DISTROS = $(shell find hack/e2e -type f | grep .yaml | sort -u | cut -f3 -d'/' | cut -f1 -d.)
+LIMA_DEBUG :=
 
 # GPG Signing
 DRY_RUN ?= false
@@ -98,5 +100,24 @@ endif
 	@echo RPM_CHANNEL: $(RPM_CHANNEL)
 	@echo VERSION: $(VERSION)
 
+e2e:
+	$(MAKE) $(addprefix push-tool-, $(DISTROS))
+
+e2e-%:
+	make $(subst :,/,$*)-build-image
+	make $(subst :,/,$*)-build-artefacts
+
+	limactl start $(LIMA_DEBUG) --tty=false --cpus 6 --memory 8 --plain --name=$(subst :,/,$*) hack/e2e/$(subst :,/,$*).yaml
+	limactl cp build/$(subst :,/,$*)/noarch/rancher-*.rpm $(subst :,/,$*):/tmp/rancher-selinux.rpm
+	limactl cp hack/e2e/setup-vm.sh $(subst :,/,$*):/tmp/setup-vm.sh
+	limactl shell $(subst :,/,$*) sudo /tmp/setup-vm.sh
+
+	limactl stop $(subst :,/,$*)
+	limactl delete $(subst :,/,$*)
+
+e2e-%-clean:
+	limactl stop $(subst :,/,$*)
+	limactl delete $(subst :,/,$*)
+
 help: ## display Makefile's help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

hack/e2e/centos8.yaml

@@ -0,0 +1,33 @@
+# Originally from: https://github.com/lima-vm/lima/blob/7ce6a7a5d1497753c27c30f8aad8f5861c008da0/templates/rocky-8.yaml
+
+# This template requires Lima v0.8.3 or later.
+
+# NOTE: EL8-based distros are known not to work on M1 chips: https://github.com/lima-vm/lima/issues/841
+# EL9-based distros are known to work.
+
+images:
+- location: "https://dl.rockylinux.org/pub/rocky/8.10/images/x86_64/Rocky-8-GenericCloud-Base-8.10-20240528.0.x86_64.qcow2"
+  arch: "x86_64"
+  digest: "sha256:e56066c58606191e96184de9a9183a3af33c59bcbd8740d8b10ca054a7a89c14"
+- location: "https://dl.rockylinux.org/pub/rocky/8.10/images/aarch64/Rocky-8-GenericCloud-Base-8.10-20240528.0.aarch64.qcow2"
+  arch: "aarch64"
+  digest: "sha256:946b5b9845aa5e3ed98f1bc6ee9873201712a2aef01b87731aed16857e0ca13f"
+# Fallback to the latest release image.
+# Hint: run `limactl prune` to invalidate the cache
+- location: "https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-GenericCloud.latest.x86_64.qcow2"
+  arch: "x86_64"
+- location: "https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-GenericCloud.latest.aarch64.qcow2"
+  arch: "aarch64"
+mountTypesUnsupported: ["9p"]
+mounts: []
+cpuType:
+  # Workaround for "vmx_write_mem: mmu_gva_to_gpa XXXXXXXXXXXXXXXX failed" on Intel Mac
+  # https://bugs.launchpad.net/qemu/+bug/1838390
+  x86_64: "Haswell-v4"
+
+provision:
+- mode: system
+  script: |
+    #!/bin/sh
+
+    yum in -y git container-selinux

hack/e2e/centos9.yaml

@@ -0,0 +1,27 @@
+# Originally from: https://github.com/lima-vm/lima/blob/7ce6a7a5d1497753c27c30f8aad8f5861c008da0/templates/rocky-9.yaml
+
+# This template requires Lima v0.11.1 or later.
+
+images:
+- location: "https://dl.rockylinux.org/pub/rocky/9.5/images/x86_64/Rocky-9-GenericCloud-Base-9.5-20241118.0.x86_64.qcow2"
+  arch: "x86_64"
+  digest: "sha256:069493fdc807300a22176540e9171fcff2227a92b40a7985a0c1c9e21aeebf57"
+# No 20240609.1 for aarch64
+- location: "https://dl.rockylinux.org/pub/rocky/9.5/images/aarch64/Rocky-9-GenericCloud-Base-9.5-20241118.0.aarch64.qcow2"
+  arch: "aarch64"
+  digest: "sha256:5443bcc0507fadc3d7bd3e8d266135ab8db6966c703216933f824164fd3252f1"
+# Fallback to the latest release image.
+# Hint: run `limactl prune` to invalidate the cache
+- location: "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2"
+  arch: "x86_64"
+- location: "https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-GenericCloud.latest.aarch64.qcow2"
+  arch: "aarch64"
+mountTypesUnsupported: ["9p"]
+mounts: []
+
+provision:
+- mode: system
+  script: |
+    #!/bin/sh
+
+    yum in -y git container-selinux

hack/e2e/leap.yaml

@@ -0,0 +1,17 @@
+# Originally from: https://github.com/lima-vm/lima/blob/7ce6a7a5d1497753c27c30f8aad8f5861c008da0/templates/opensuse-leap.yaml
+
+# This template requires Lima v0.7.0 or later
+images:
+# Hint: run `limactl prune` to invalidate the "Current" cache
+- location: "https://download.opensuse.org/distribution/leap/15.6/appliances/openSUSE-Leap-15.6-Minimal-VM.x86_64-Cloud.qcow2"
+  arch: "x86_64"
+- location: "https://download.opensuse.org/distribution/leap/15.6/appliances/openSUSE-Leap-15.6-Minimal-VM.aarch64-Cloud.qcow2"
+  arch: "aarch64"
+# Hint: to allow 9p and virtiofs, replace the `kernel-default-base` package with `kernel-default` and reboot the VM.
+# https://github.com/lima-vm/lima/issues/3055
+mountType: "reverse-sshfs"
+mountTypesUnsupported: ["9p", "virtiofs"]
+mounts:
+- location: "~"
+- location: "/tmp/lima"
+  writable: true