Merge pull request #43 from cgwalters/status-container

cli: More gracefully handle client commands in a container

Author: cgwalters

.github/workflows/ci.yml

@@ -125,4 +125,17 @@ jobs:
         run: sudo install bootc /usr/bin && rm -v bootc
       - name: Integration tests
         run: sudo podman run --rm -ti --privileged -v /run/systemd:/run/systemd -v /:/run/host -v /usr/bin/bootc:/usr/bin/bootc --pid=host quay.io/fedora/fedora-coreos:testing-devel bootc internal-tests run-privileged-integration
-
+  container-tests:
+    name: "Container testing"
+    needs: build
+    runs-on: ubuntu-latest
+    container: quay.io/fedora/fedora-coreos:testing-devel
+    steps:
+      - name: Download
+        uses: actions/download-artifact@v2
+        with:
+          name: bootc
+      - name: Install
+        run: install bootc /usr/bin && rm -v bootc
+      - name: Integration tests
+        run: bootc internal-tests run-container-integration

lib/src/cli.rs

@@ -80,6 +80,8 @@ pub(crate) struct ManOpts {
 pub(crate) enum TestingOpts {
     /// Execute integration tests that require a privileged container
     RunPrivilegedIntegration {},
+    /// Execute integration tests that target a not-privileged ostree container
+    RunContainerIntegration {},
 }
 
 /// Deploy and upgrade via bootable container images.
@@ -214,6 +216,11 @@ async fn stage(
 /// A few process changes that need to be made for writing.
 #[context("Preparing for write")]
 async fn prepare_for_write() -> Result<()> {
+    if ostree_ext::container_utils::is_ostree_container()? {
+        anyhow::bail!(
+            "Detected container (ostree base); this command requires a booted host system."
+        );
+    }
     ensure_self_unshared_mount_namespace().await?;
     if crate::lsm::selinux_enabled()? {
         crate::lsm::selinux_ensure_install()?;
@@ -329,10 +336,7 @@ where
         Opt::Install(opts) => crate::install::install(opts).await,
         Opt::Status(opts) => super::status::status(opts).await,
         #[cfg(feature = "internal-testing-api")]
-        Opt::InternalTests(ref opts) => {
-            ensure_self_unshared_mount_namespace().await?;
-            crate::privtests::run(opts).await
-        }
+        Opt::InternalTests(ref opts) => crate::privtests::run(opts).await,
         #[cfg(feature = "docgen")]
         Opt::Man(manopts) => crate::docgen::generate_manpages(&manopts.directory),
     }

lib/src/privtests.rs

@@ -87,16 +87,41 @@ fn run_bootc_status() -> Result<()> {
 //     Ok(())
 // }
 
-pub(crate) fn impl_run() -> Result<()> {
+/// Tests run an ostree-based host
+#[context("Privileged container tests")]
+pub(crate) fn impl_run_host() -> Result<()> {
     run_bootc_status()?;
     println!("ok bootc status");
     //run_bootc_install()?;
     //println!("ok bootc install");
+    println!("ok host privileged testing");
+    Ok(())
+}
+
+#[context("Container tests")]
+pub(crate) fn impl_run_container() -> Result<()> {
+    assert!(ostree_ext::container_utils::is_ostree_container()?);
+    let sh = Shell::new()?;
+    let stout = cmd!(sh, "bootc status").read()?;
+    assert!(stout.contains("Running in a container (ostree base)."));
+    drop(stout);
+    let o = Command::new("bootc").arg("upgrade").output()?;
+    let st = o.status;
+    assert!(!st.success());
+    let stderr = String::from_utf8(o.stderr)?;
+    assert!(stderr.contains("this command requires a booted host system"));
+    println!("ok container integration testing");
     Ok(())
 }
 
 pub(crate) async fn run(opts: &TestingOpts) -> Result<()> {
     match opts {
-        TestingOpts::RunPrivilegedIntegration {} => tokio::task::spawn_blocking(impl_run).await?,
+        TestingOpts::RunPrivilegedIntegration {} => {
+            crate::cli::ensure_self_unshared_mount_namespace().await?;
+            tokio::task::spawn_blocking(impl_run_host).await?
+        }
+        TestingOpts::RunContainerIntegration {} => {
+            tokio::task::spawn_blocking(impl_run_container).await?
+        }
     }
 }

lib/src/status.rs

@@ -53,6 +53,12 @@ pub(crate) struct DeploymentStatus {
     pub(crate) deploy_serial: Option<u32>,
 }
 
+/// This struct is serialized when we're running in a container image.
+#[derive(serde::Serialize)]
+pub(crate) struct StatusInContainer {
+    pub(crate) is_container: bool,
+}
+
 impl DeploymentStatus {
     /// Gather metadata from an ostree deployment into a Rust structure
     pub(crate) fn from_deployment(deployment: &ostree::Deployment, booted: bool) -> Result<Self> {
@@ -102,6 +108,16 @@ fn get_deployments(
 
 /// Implementation of the `bootc status` CLI command.
 pub(crate) async fn status(opts: super::cli::StatusOpts) -> Result<()> {
+    if ostree_ext::container_utils::is_ostree_container()? {
+        if opts.json {
+            let mut stdout = std::io::stdout().lock();
+            serde_json::to_writer(&mut stdout, &StatusInContainer { is_container: true })
+                .context("Serializing status")?;
+        } else {
+            println!("Running in a container (ostree base).");
+        }
+        return Ok(());
+    }
     let sysroot = super::cli::get_locked_sysroot().await?;
     let repo = &sysroot.repo().unwrap();
     let booted_deployment = sysroot.booted_deployment();