fix smoke tests

msander · msander · commit b81c0ced0d7b · 2025-09-22T17:04:38.000+02:00
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,45 +1,52 @@
 # syntax=docker/dockerfile:1.4
-ARG VARIANT="1-1.22-bookworm"
+ARG VARIANT="1-1.23-bookworm"
 FROM mcr.microsoft.com/devcontainers/go:${VARIANT}
 
+# Use bash globally for pipefail
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 ARG DEBIAN_FRONTEND=noninteractive
 
-# Keep the base image packages patched and install common utilities needed for
-# development and release tooling.
-RUN apt-get update \
-    && apt-get upgrade -y \
-    && apt-get install -y --no-install-recommends \
-        ca-certificates \
-        curl \
-        jq \
-    && apt-get autoremove -y \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get -y upgrade; \
+    apt-get install -y --no-install-recommends \
+        ca-certificates curl fuse-overlayfs iptables jq podman slirp4netns uidmap; \
+    rm -rf /var/lib/apt/lists/*
+
+# Podman shim
+RUN <<'BASH'
+set -euo pipefail
+echo "vscode ALL=(ALL) NOPASSWD: /usr/bin/install, /usr/bin/podman" >/etc/sudoers.d/010-vscode-podman
+chmod 0440 /etc/sudoers.d/010-vscode-podman
+install -d -m 0755 /usr/local/bin
+BASH
 
-# Install etcd from the latest stable upstream release so local tests can rely
-# on an etcd binary that matches production expectations.
+# Install etcd (arch-aware, ohne Hash)
 ARG ETCD_VERSION="3.6.4"
-ARG ETCD_SHA256="4d5f3101daa534e45ccaf3eec8d21c19b7222db377bcfd5e5a9144155238c105"
-RUN curl -fsSL https://github.com/etcd-io/etcd/releases/download/v${ETCD_VERSION}/etcd-v${ETCD_VERSION}-linux-amd64.tar.gz -o /tmp/etcd.tgz \
-    && echo "${ETCD_SHA256}  /tmp/etcd.tgz" | sha256sum -c - \
-    && tar -xzf /tmp/etcd.tgz -C /tmp \
-    && install -m 0755 /tmp/etcd-v${ETCD_VERSION}-linux-amd64/etcd /usr/local/bin/etcd \
-    && install -m 0755 /tmp/etcd-v${ETCD_VERSION}-linux-amd64/etcdctl /usr/local/bin/etcdctl \
-    && install -m 0755 /tmp/etcd-v${ETCD_VERSION}-linux-amd64/etcdutl /usr/local/bin/etcdutl \
-    && rm -rf /tmp/etcd.tgz /tmp/etcd-v${ETCD_VERSION}-linux-amd64
+RUN set -eux; \
+    arch="$(dpkg --print-architecture)"; \
+    curl -fsSL -o /tmp/etcd.tgz "https://github.com/etcd-io/etcd/releases/download/v${ETCD_VERSION}/etcd-v${ETCD_VERSION}-linux-${arch}.tar.gz"; \
+    tar -xzf /tmp/etcd.tgz -C /tmp; \
+    install -m 0755 /tmp/etcd-v${ETCD_VERSION}-linux-${arch}/etcd /usr/local/bin/etcd; \
+    install -m 0755 /tmp/etcd-v${ETCD_VERSION}-linux-${arch}/etcdctl /usr/local/bin/etcdctl; \
+    install -m 0755 /tmp/etcd-v${ETCD_VERSION}-linux-${arch}/etcdutl /usr/local/bin/etcdutl; \
+    rm -rf /tmp/etcd.tgz /tmp/etcd-v${ETCD_VERSION}-linux-${arch}
 
-# Install nfpm so packaging workflows inside the container can build .deb/.rpm
-# artefacts without extra manual setup.  Assets are fetched from the official
-# release and verified using the published SHA256 checksum.
+# Install nfpm (arch-aware, ohne Hash)
 ARG NFPM_VERSION="2.43.1"
-ARG NFPM_SHA256="2bc2c0b4a13ddbf8ffb0e1df36c43208db6d65a38832c9fe0de097f985653267"
-RUN curl -fsSL https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz -o /tmp/nfpm.tgz \
-    && echo "${NFPM_SHA256}  /tmp/nfpm.tgz" | sha256sum -c - \
-    && tar -xzf /tmp/nfpm.tgz -C /tmp \
-    && install -m 0755 /tmp/nfpm /usr/local/bin/nfpm \
-    && rm -f /tmp/nfpm /tmp/nfpm.tgz /tmp/LICENSE.md /tmp/README.md \
-    && rm -rf /tmp/completions /tmp/manpages
+RUN set -eux; \
+    arch="$(dpkg --print-architecture)"; \
+    case "$arch" in \
+      amd64) nfpm_arch="x86_64" ;; \
+      arm64) nfpm_arch="arm64" ;; \
+      *) echo "Unsupported arch: $arch" >&2; exit 1 ;; \
+    esac; \
+    curl -fsSL -o /tmp/nfpm.tgz "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_${nfpm_arch}.tar.gz"; \
+    tar -xzf /tmp/nfpm.tgz -C /tmp; \
+    install -m 0755 /tmp/nfpm /usr/local/bin/nfpm; \
+    rm -f /tmp/nfpm /tmp/nfpm.tgz /tmp/LICENSE.md /tmp/README.md; \
+    rm -rf /tmp/completions /tmp/manpages
 
-# Validate the installation early so container builds fail fast if upstream
-# assets change or become unavailable.
-RUN etcd --version && etcdctl version && nfpm --version
+# Smoke test
+RUN set -eux; etcd --version; etcdctl version; nfpm --version
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,9 +6,7 @@
     "args": {
       "VARIANT": "1-1.23-bookworm",
       "ETCD_VERSION": "3.6.4",
-      "ETCD_SHA256": "4d5f3101daa534e45ccaf3eec8d21c19b7222db377bcfd5e5a9144155238c105",
-      "NFPM_VERSION": "2.43.1",
-      "NFPM_SHA256": "2bc2c0b4a13ddbf8ffb0e1df36c43208db6d65a38832c9fe0de097f985653267"
+      "NFPM_VERSION": "2.43.1"
     }
   },
   "remoteUser": "vscode",
@@ -17,6 +15,13 @@
   "containerEnv": {
     "ETCDCTL_API": "3"
   },
+  "runArgs": [
+    "--privileged",
+    "--cgroupns=host"
+  ],
+  "mounts": [
+    "source=/sys/fs/cgroup,target=/sys/fs/cgroup,type=bind"
+  ],
   "customizations": {
     "vscode": {
       "settings": {
diff --git a/README.md b/README.md
@@ -126,6 +126,9 @@ etcd --data-dir /tmp/etcd-data \
   --advertise-client-urls http://127.0.0.1:2379
 ```
 
+The dev container now ships Podman alongside a passwordless `docker` shim that proxies to `sudo podman`,
+enabling the packaging smoke tests to build and launch privileged containers without extra setup.
+
 ## Operations
 
 The [Operations Guide](docs/OPERATIONS.md) expands on deployment, maintenance windows, health script practices, and
diff --git a/docs/STATE.md b/docs/STATE.md
@@ -23,9 +23,9 @@
 - The orchestration loop now retries transient runtime failures with a
   jittered exponential backoff and listens for SIGINT/SIGTERM so operators can
   stop the daemon cleanly when managed by service supervisors.
-- A reproducible dev container (Go 1.22 with etcd 3.6.4 and nfpm 2.43.1) is
-  available for local development, packaging experiments, and integration
-  testing.
+- A reproducible dev container (Go 1.22 with etcd 3.6.4 and nfpm 2.43.1) now also ships Podman with a
+  passwordless docker shim so local smoke tests can build and run privileged containers without extra host
+  setup, keeping packaging experiments and integration testing self-contained.
 - CLI run mode now wires the reporter into a JSON logger on stderr and an
   optional Prometheus metrics listener, exporting the address to the health
   script environment for runtime validation.
diff --git a/packaging/smoke_test.go b/packaging/smoke_test.go
