Merge pull request #22706 from edsantiago/debian-modernize

Debian: switch to crun and cgroups v2

.cirrus.yml

@@ -33,7 +33,7 @@ env:
     DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20240513t140131z-f40f39d13"
+    IMAGE_SUFFIX: "c20240528t194313z-f40f39d13"
 
     # EC2 images
     FEDORA_AMI: "fedora-aws-${IMAGE_SUFFIX}"
@@ -58,6 +58,7 @@ env:
     DISTRO_NV:               # any {PRIOR_,}{FEDORA,DEBIAN}_NAME value
     VM_IMAGE_NAME:           # One of the "Google-cloud VM Images" (above)
     CTR_FQIN:                # One of the "Container FQIN's" (above)
+    CI_DESIRED_RUNTIME: crun    # As of 2024-05-28 there are no other supported runtimes
     CI_DESIRED_DATABASE: sqlite # 'sqlite' or 'boltdb'
     CI_DESIRED_STORAGE: overlay # overlay or vfs
 
@@ -103,12 +104,10 @@ build_task:
               VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
               CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
               # ID for re-use of build output
-              CI_DESIRED_RUNTIME: crun
         - env:
               DISTRO_NV: ${PRIOR_FEDORA_NAME}
               VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
               CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
-              CI_DESIRED_RUNTIME: crun
               CI_DESIRED_DATABASE: boltdb
               CI_DESIRED_STORAGE: vfs
         - env:
@@ -119,7 +118,6 @@ build_task:
         - env:
               DISTRO_NV: ${DEBIAN_NAME}
               VM_IMAGE_NAME: ${DEBIAN_CACHE_IMAGE_NAME}
-              CI_DESIRED_RUNTIME: runc
               CI_DESIRED_NETWORK: netavark
               # Ignore cgroups-v1 warnings on debian
               PODMAN_IGNORE_CGROUPSV1_WARNING: true
@@ -222,7 +220,6 @@ build_aarch64_task:
         DISTRO_NV: ${FEDORA_AARCH64_NAME}
         VM_IMAGE_NAME: ${FEDORA_AARCH64_AMI}
         CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
-        CI_DESIRED_RUNTIME: crun
         TEST_FLAVOR: build
     clone_script: *full_clone
     prebuild_script: *prebuild
@@ -684,12 +681,10 @@ container_integration_test_task:
               DISTRO_NV: ${FEDORA_NAME}
               VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
               CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
-              CI_DESIRED_RUNTIME: crun
         - env:
               DISTRO_NV: ${PRIOR_FEDORA_NAME}
               VM_IMAGE_NAME: ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
               CTR_FQIN: ${PRIOR_FEDORA_CONTAINER_FQIN}
-              CI_DESIRED_RUNTIME: crun
               CI_DESIRED_DATABASE: boltdb
     gce_instance: *fastvm
     timeout_in: 50m
@@ -903,7 +898,6 @@ rootless_remote_system_test_task:
               # Not used here, is used in other tasks
               VM_IMAGE_NAME: ${FEDORA_CACHE_IMAGE_NAME}
               CTR_FQIN: ${FEDORA_CONTAINER_FQIN}
-              CI_DESIRED_RUNTIME: crun
     <<: *local_system_test_task
     alias: rootless_remote_system_test
     gce_instance: *standardvm

test/buildah-bud/apply-podman-deltas

@@ -293,6 +293,12 @@ skip "FIXME: 2023-06-13 buildah PR 4746 broke this test" \
 skip "FIXME: 2024-04-16 nixery is down" \
      "bud-implicit-no-history"
 
+# 2024-05-28 FIXME FIXME FIXME new VMs barf on all git tests, can't connect
+skip "FIXME: 2024-05-28 new VMs from #338" \
+     "bud-git-context" \
+     "bud-git-context-subdirectory" \
+     "bud using gitrepo and branch"
+
 # END   temporary workarounds that must be reevaluated periodically
 ###############################################################################
 

test/e2e/container_iface_name_test.go

@@ -9,13 +9,10 @@ import (
 	. "github.com/onsi/gomega"
 )
 
-func isDebianRunc(pTest *PodmanTestIntegration) bool {
+// FIXME 2024-05-14: "Debian" here is a proxy for "netavark < 1.10"
+func isDebian() bool {
 	info := GetHostDistributionInfo()
-	if info.Distribution == "debian" && pTest.OCIRuntime == "runc" {
+	return info.Distribution == "debian"
-		return true
-	}
-
-	return false
 }
 
 func createNetworkDevice(name string) {
@@ -104,7 +101,7 @@ var _ = Describe("Podman container interface name", func() {
 			}
 
 			for _, driverType := range []string{"macvlan", "ipvlan"} {
-				if driverType == "ipvlan" && isDebianRunc(podmanTest) {
+				if driverType == "ipvlan" && isDebian() {
 					GinkgoWriter.Println("FIXME: Fails with netavark < 1.10. Re-enable once Debian gets an update")
 					continue
 				}
@@ -157,7 +154,7 @@ var _ = Describe("Podman container interface name", func() {
 		SkipIfRootless("cannot create network device in rootless mode.")
 
 		for _, driverType := range []string{"macvlan", "ipvlan"} {
-			if driverType == "ipvlan" && isDebianRunc(podmanTest) {
+			if driverType == "ipvlan" && isDebian() {
 				GinkgoWriter.Println("FIXME: Fails with netavark < 1.10. Re-enable once Debian gets an update")
 				continue
 			}
@@ -223,7 +220,7 @@ var _ = Describe("Podman container interface name", func() {
 		createContainersConfFileWithDeviceIfaceName(podmanTest)
 
 		for _, driverType := range []string{"macvlan", "ipvlan"} {
-			if driverType == "ipvlan" && isDebianRunc(podmanTest) {
+			if driverType == "ipvlan" && isDebian() {
 				GinkgoWriter.Println("FIXME: Fails with netavark < 1.10. Re-enable once Debian gets an update")
 				continue
 			}

test/e2e/run_test.go

@@ -743,6 +743,11 @@ USER bin`, BB)
 
 	It("podman run limits host test", func() {
 		SkipIfRemote("This can only be used for local tests")
+		info := GetHostDistributionInfo()
+		if info.Distribution == "debian" {
+			// "expected 1048576 to be >= 1073741816"
+			Skip("FIXME 2024-05-28 fails on debian, maybe because of systemd 256?")
+		}
 
 		var l syscall.Rlimit
 
@@ -2187,6 +2192,12 @@ WORKDIR /madethis`, BB)
 	})
 
 	It("podman run --shm-size-systemd", func() {
+		// FIXME Failed to set RLIMIT_CORE: Operation not permitted
+		info := GetHostDistributionInfo()
+		if info.Distribution == "debian" {
+			Skip("FIXME 2024-05-28 fails on debian, maybe because of systemd 256?")
+		}
+
 		ctrName := "testShmSizeSystemd"
 		run := podmanTest.Podman([]string{"run", "--name", ctrName, "--shm-size-systemd", "10mb", "-d", SYSTEMD_IMAGE, "/sbin/init"})
 		run.WaitWithDefaultTimeout()

test/e2e/toolbox_test.go

@@ -62,6 +62,11 @@ var _ = Describe("Toolbox-specific testing", func() {
 		if podmanTest.RemoteTest {
 			Skip("Ulimit check does not work with a remote client")
 		}
+		info := GetHostDistributionInfo()
+		if info.Distribution == "debian" {
+			// "expected 1048576 to be >= 1073741816"
+			Skip("FIXME 2024-05-28 fails on debian, maybe because of systemd 256?")
+		}
 		var session *PodmanSessionIntegration
 		var containerHardLimit int
 		var rlimit syscall.Rlimit

test/e2e/update_test.go

@@ -3,6 +3,7 @@ package integration
 import (
 	"github.com/containers/common/pkg/cgroupv2"
 	. "github.com/containers/podman/v5/test/utils"
+	"github.com/containers/storage/pkg/fileutils"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
@@ -115,8 +116,10 @@ var _ = Describe("Podman update", func() {
 		// checking cpu quota and period
 		podmanTest.CheckFileInContainerSubstring(ctrID, "/sys/fs/cgroup/cpu.max", "500000")
 
-		// checking blkio weight
+		// checking blkio weight (as of 2024-05 this file does not exist on Debian 13)
+		if err := fileutils.Exists("/sys/fs/cgroup/system.slice/io.bfq.weight"); err == nil {
 			podmanTest.CheckFileInContainerSubstring(ctrID, "/sys/fs/cgroup/io.bfq.weight", "123")
+		}
 
 		// checking device-read/write-bps/iops
 		podmanTest.CheckFileInContainerSubstring(ctrID, "/sys/fs/cgroup/io.max", "rbps=10485760 wbps=10485760 riops=1000 wiops=1000")

test/system/260-sdnotify.bats

@@ -595,7 +595,22 @@ READY=1" "podman-system-service sends expected data over NOTIFY_SOCKET"
     assert "$output" !~ "EXTEND_TIMEOUT_USEC="
 
     # Give the system-service 5sec to terminate before killing it.
-    /bin/kill --timeout 5000 KILL --signal TERM $mainpid
+    kill -TERM $mainpid
+    timeout=5
+    while :;do
+        if ! kill -0 $mainpid; then
+            # Yay, it's gone
+            break
+        fi
+
+        timeout=$((timeout - 1))
+        if [[ $timeout -eq 0 ]]; then
+            kill -KILL $mainpid
+            break
+        fi
+        sleep 1
+    done
+
     run_podman rmi $image_on_local_registry
     _stop_socat
 }

test/system/280-update.bats

@@ -90,6 +90,7 @@ device-write-iops   = /dev/zero:4000 | - | -
             fi
         fi
 
+        # Determine the "path = newvalue" string for this cgroup
         tuple=$cgv1
         if is_cgroupsv2; then
             tuple=$cgv2
@@ -99,6 +100,13 @@ device-write-iops   = /dev/zero:4000 | - | -
             continue
         fi
 
+        # Sigh. bfq doesn't exist on Debian (2024-03)
+        read path op expect <<<"$tuple"
+        if [[ ! -e /sys/fs/cgroup/$path ]]; then
+            echo "[ skipping --$opt : /sys/fs/cgroup/$path does not exist ]"
+            continue
+        fi
+
         # OK: setting is applicable. Preserve it. (First removing whitespace)
         opt=${opt// /}
         opts+=("--$opt")

test/system/520-checkpoint.bats

@@ -22,6 +22,14 @@ function setup() {
         skip "checkpoint does not work rootless"
     fi
 
+    # As of 2024-05, crun on Debian is not built with criu support:
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008249
+    runtime=$(podman_runtime)
+    run $runtime checkpoint --help
+    if [[ $status -ne 0 ]]; then
+        skip "runtime $runtime does not support checkpoint/restore"
+    fi
+
     basic_setup
 }