Add RHEL-9 support

- Uses el8/el8 instead of just centos. Because el8/el9 are the RPM dist
  tags used in RHEL and derivativies, this should be safe to use
  regardless of distro
- Use RH UBI as the base image instead of centos
- Renames the el8 Dockerfile from ./images/centos/Dockerfile to
  ./images/el8/Dockerfile
- Adds Alma Linux 9 VM host for e2e testing

Signed-off-by: Jakub Hrozek <[email protected]>

Author: jhrozek

.github/workflows/build_image.yaml

@@ -22,8 +22,8 @@ jobs:
         dockerfiles: |
           ./images/fedora/Dockerfile
 
-  build-centos:
-    name: Build CentOS image
+  build-el8:
+    name: Build EL8 image
     runs-on: ubuntu-20.04
 
     steps:
@@ -32,7 +32,22 @@ jobs:
     - name: Buildah Action
       uses: redhat-actions/buildah-build@v2
       with:
-        image: selinuxd-centos
+        image: selinuxd-el8
         tags: latest ${{ github.sha }}
         dockerfiles: |
-          ./images/centos/Dockerfile
+          ./images/el8/Dockerfile
+
+  build-el9:
+    name: Build EL9 image
+    runs-on: ubuntu-20.04
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Buildah Action
+      uses: redhat-actions/buildah-build@v2
+      with:
+        image: selinuxd-el9
+        tags: latest ${{ github.sha }}
+        dockerfiles: |
+          ./images/el9/Dockerfile

.github/workflows/build_test.yaml

@@ -11,13 +11,13 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        almalinux: ["8"]
+        ubi: ["8", "9"]
     container:
-      image: almalinux:${{ matrix.almalinux }}
+      image: registry.access.redhat.com/ubi${{ matrix.ubi }}/ubi:latest
     steps:
       - uses: actions/checkout@v3
       - name: install packages
-        run: yum -y --enablerepo=powertools install golang make libsemanage-devel
+        run: dnf -y install container-selinux go-toolset make findutils git-core
       - name: build selinuxd
         run: |
           make

.github/workflows/e2e.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        base: ["fedora", "centos"]
+        base: ["fedora", "el8", "el9"]
     steps:
       - uses: actions/checkout@v3
       - run: make ${{ matrix.base }}-image
@@ -25,7 +25,7 @@ jobs:
     timeout-minutes: 80
     strategy:
       matrix:
-        base: ["fedora", "centos"]
+        base: ["fedora", "el8", "el9"]
     env:
       RUN: ./hack/ci/run.sh
       IMG: quay.io/security-profiles-operator/selinuxd-${{ matrix.base }}:latest
@@ -84,7 +84,7 @@ jobs:
     timeout-minutes: 80
     strategy:
       matrix:
-        base: ["fedora", "centos"]
+        base: ["fedora", "el8", "el9"]
     env:
       RUN: ./hack/ci/run.sh
       IMG: quay.io/security-profiles-operator/selinuxd-${{ matrix.base }}:latest

.github/workflows/verify.yaml

@@ -11,13 +11,13 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-       almalinux : ["8"]
+       ubi: ["8", "9"]
     container:
-      image: almalinux:${{ matrix.almalinux }}
+      image: registry.access.redhat.com/ubi${{ matrix.ubi }}/ubi:latest
     steps:
       - uses: actions/checkout@v3
       - name: install packages
-        run: yum -y --enablerepo=powertools install golang make libsemanage-devel diffutils
+        run: dnf -y install container-selinux go-toolset make findutils git-core diffutils tar
       - name: run verify
         run: |
           make verify

Makefile

@@ -26,6 +26,9 @@ IMAGE_TAG=latest
 IMAGE_REF=$(IMAGE_NAME):$(IMAGE_TAG)
 
 IMAGE_REPO?=quay.io/security-profiles-operator/$(IMAGE_REF)
+EL8_IMAGE_REPO?=quay.io/security-profiles-operator/$(IMAGE_NAME)-el8:$(IMAGE_TAG)
+EL9_IMAGE_REPO?=quay.io/security-profiles-operator/$(IMAGE_NAME)-el9:$(IMAGE_TAG)
+# Tag centos the same as EL8 for now, remove after some SPO releases pass
 CENTOS_IMAGE_REPO?=quay.io/security-profiles-operator/$(IMAGE_NAME)-centos:$(IMAGE_TAG)
 FEDORA_IMAGE_REPO?=quay.io/security-profiles-operator/$(IMAGE_NAME)-fedora:$(IMAGE_TAG)
 
@@ -119,11 +122,21 @@ image: default-image centos-image fedora-image
 
 .PHONY: default-image
 default-image:
-	$(CONTAINER_RUNTIME) build -f images/centos/Dockerfile -t $(IMAGE_REPO) .
+	$(MAKE) el8-image
 
+# backwards compatibility
 .PHONY: centos-image
 centos-image:
-	$(CONTAINER_RUNTIME) build -f images/centos/Dockerfile -t $(CENTOS_IMAGE_REPO) .
+	$(MAKE) el8-image
+	$(CONTAINER_RUNTIME) tag $(EL8_IMAGE_REPO) $(CENTOS_IMAGE_REPO)
+
+.PHONY: el8-image
+el8-image:
+	$(CONTAINER_RUNTIME) build -f images/el8/Dockerfile -t $(EL8_IMAGE_REPO) .
+
+.PHONY: el9-image
+el9-image:
+	$(CONTAINER_RUNTIME) build -f images/el9/Dockerfile -t $(EL9_IMAGE_REPO) .
 
 .PHONY: fedora-image
 fedora-image:

hack/ci/Vagrantfile-centos renamed to hack/ci/Vagrantfile-el8

@@ -20,8 +20,8 @@ Vagrant.configure("2") do |config|
   config.vm.provision "set-env", type: "shell", run: "once" do |sh|
     sh.inline = <<~SHELL
       set -euxo pipefail
-      echo "export IMG='quay.io/security-profiles-operator/selinuxd-centos:latest'" >> /etc/profile.d/selinuxd-env.sh
-      echo "export OS='centos'" >> /etc/profile.d/selinuxd-env.sh
+      echo "export IMG='quay.io/security-profiles-operator/selinuxd-el8:latest'" >> /etc/profile.d/selinuxd-env.sh
+      echo "export OS='el8'" >> /etc/profile.d/selinuxd-env.sh
       echo "export CONTAINER_NAME='selinuxd'" >> /etc/profile.d/selinuxd-env.sh
     SHELL
   end

hack/ci/Vagrantfile-el9

@@ -0,0 +1,50 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrant box for testing
+Vagrant.configure("2") do |config|
+  config.vm.box = "almalinux/9"
+  memory = 6144
+  cpus = 4
+
+  config.vm.provider :virtualbox do |v|
+    v.memory = memory
+    v.cpus = cpus
+  end
+
+  config.vm.provider :libvirt do |v|
+    v.memory = memory
+    v.cpus = cpus
+  end
+
+  config.vm.provision "set-env", type: "shell", run: "once" do |sh|
+    sh.inline = <<~SHELL
+      set -euxo pipefail
+      echo "export IMG='quay.io/security-profiles-operator/selinuxd-el9:latest'" >> /etc/profile.d/selinuxd-env.sh
+      echo "export OS='el9'" >> /etc/profile.d/selinuxd-env.sh
+      echo "export CONTAINER_NAME='selinuxd'" >> /etc/profile.d/selinuxd-env.sh
+    SHELL
+  end
+
+  config.vm.provision "install-dependencies", type: "shell", run: "once" do |sh|
+    sh.inline = <<~SHELL
+    whoami
+      set -euxo pipefail
+      dnf install -y \
+        make \
+        golang \
+        podman \
+        container-selinux \
+        oci-seccomp-bpf-hook \
+        udica
+    SHELL
+  end
+
+  config.vm.provision "load-test-image", type: "shell", run: "once" do |sh|
+    sh.inline = <<~SHELL
+      set -euxo pipefail
+      sudo podman load -i /vagrant/image.tar
+    SHELL
+  end
+
+end

images/centos/Dockerfile renamed to images/el8/Dockerfile

@@ -12,33 +12,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM docker.io/almalinux:8 AS build
-ARG GO_VERSION=go1.19.3
-ENV GOPATH="/go"
-ENV PATH="$GOPATH/bin:$PATH"
-USER root
-WORKDIR /work
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest as build
 
-RUN mkdir -p bin
-RUN mkdir -p /go
+WORKDIR /work
 
-RUN dnf install -y \
-    --enablerepo=powertools \
+RUN microdnf install -y \
     container-selinux \
-    golang make libsemanage-devel
-
-# NOTE(jaosorior): This allows us to use a specific golang version in CentOS as
-# opposed to the older one that comes with the distro.
-RUN go install golang.org/dl/${GO_VERSION}@latest
-RUN ${GO_VERSION} download
+    go-toolset \
+    make \
+    findutils \
+    git-core && microdnf clean all
 
 COPY . /work
 
-RUN GO=${GO_VERSION} SEMODULE_BACKEND=policycoreutils make
+RUN SEMODULE_BACKEND=policycoreutils make
 
-FROM docker.io/almalinux:8
-# TODO(jaosorior): Switch to UBI once we use static linking
-#FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
 # TODO(jaosorior): See if we can run this without root
 USER root
@@ -47,9 +36,8 @@ LABEL name="selinuxd" \
       description="selinuxd is a daemon that listens for files in /etc/selinux.d/ and installs the relevant policies."
 
 # TODO(jaosorior): Remove once we use static linking
-RUN dnf install -y \
-    --enablerepo=powertools \
-    policycoreutils
+RUN microdnf install -y \
+    policycoreutils && microdnf clean all
 
 RUN mkdir -p /usr/share/selinuxd/templates
 COPY --from=build /usr/share/udica/templates/* /usr/share/selinuxd/templates/

images/el9/Dockerfile

@@ -0,0 +1,46 @@
+# Copyright © 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest as build
+
+WORKDIR /work
+
+RUN microdnf install -y \
+    container-selinux \
+    go-toolset \
+    make \
+    findutils \
+    git-core && microdnf clean all
+
+COPY . /work
+
+RUN SEMODULE_BACKEND=policycoreutils make
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+
+# TODO(jaosorior): See if we can run this without root
+USER root
+
+LABEL name="selinuxd" \
+      description="selinuxd is a daemon that listens for files in /etc/selinux.d/ and installs the relevant policies."
+
+# TODO(jaosorior): Remove once we use static linking
+RUN microdnf install -y \
+    policycoreutils && microdnf clean all
+
+RUN mkdir -p /usr/share/selinuxd/templates
+COPY --from=build /usr/share/udica/templates/* /usr/share/selinuxd/templates/
+COPY --from=build /work/bin/selinuxdctl /usr/bin/
+
+ENTRYPOINT ["/usr/bin/selinuxdctl"]