Update container tests to use Podman #4759

Merged
merged 1 commit into from
May 29, 2024
106 changes: 60 additions & 46 deletions .github/workflows/acme-container-test.yml
Expand Up @@ -13,6 +13,15 @@ jobs:
env:
SHARED: /tmp/workdir/pki
steps:
- name: Install dependencies
run: |
sudo apt-get update

# Currently certbot fails to run inside podman.
# TODO: Replace docker with podman when the issue is resolved.
# sudo apt-get -y purge --auto-remove docker-ce-cli
# sudo apt-get -y install podman-docker

- name: Clone repository
uses: actions/checkout@v4

Expand All @@ -30,12 +39,10 @@ jobs:

- name: Set up client container
run: |
tests/bin/runner-init.sh client
env:
HOSTNAME: client.example.com

- name: Connect client container to network
run: docker network connect example client --alias client.example.com
tests/bin/runner-init.sh \
--hostname=client.example.com \
--network=example \
client

- name: Install dependencies in client container
run: docker exec client dnf install -y certbot
Expand Down Expand Up @@ -81,14 +88,14 @@ jobs:
ls -l data \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by root group (GID=0)
# TODO: review owners/permissions
cat > expected << EOF
drwxrwxrwx 17 root conf
drwxrwxrwx 17 root logs
drwxrwxrwx root conf
drwxrwxrwx root logs
EOF

diff expected output
Expand All @@ -99,25 +106,25 @@ jobs:
ls -l data/conf \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by root group (GID=0)
# TODO: review owners/permissions
cat > expected << EOF
drwxrwxrwx 17 root Catalina
drwxrwxrwx 17 root acme
drwxrwxrwx 17 root alias
-rw-rw-rw- 17 root catalina.policy
lrwxrwxrwx 17 root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwxrwx 17 root certs
lrwxrwxrwx 17 root context.xml -> /etc/tomcat/context.xml
-rw-rw-rw- 17 root jss.conf
lrwxrwxrwx 17 root logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw-rw- 17 root password.conf
-rw-rw-rw- 17 root server.xml
-rw-rw-rw- 17 root tomcat.conf
lrwxrwxrwx 17 root web.xml -> /etc/tomcat/web.xml
drwxrwxrwx root Catalina
drwxrwxrwx root acme
drwxrwxrwx root alias
-rw-rw-rw- root catalina.policy
lrwxrwxrwx root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwxrwx root certs
lrwxrwxrwx root context.xml -> /etc/tomcat/context.xml
-rw-rw-rw- root jss.conf
lrwxrwxrwx root logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw-rw- root password.conf
-rw-rw-rw- root server.xml
-rw-rw-rw- root tomcat.conf
lrwxrwxrwx root web.xml -> /etc/tomcat/web.xml
EOF

diff expected output
Expand All @@ -128,15 +135,15 @@ jobs:
ls -l data/conf/acme \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by root group (GID=0)
# TODO: review owners/permissions
cat > expected << EOF
-rw-rw-rw- 17 root database.conf
-rw-rw-rw- 17 root issuer.conf
-rw-rw-rw- 17 root realm.conf
-rw-rw-rw- root database.conf
-rw-rw-rw- root issuer.conf
-rw-rw-rw- root realm.conf
EOF

diff expected output
Expand All @@ -147,21 +154,21 @@ jobs:
ls -l data/logs \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

DATE=$(date +'%Y-%m-%d')

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by root group (GID=0)
# TODO: review owners/permissions
cat > expected << EOF
drwxrwx--- 17 root backup
-rw-rw-rw- 17 root catalina.$DATE.log
-rw-rw-rw- 17 root host-manager.$DATE.log
-rw-rw-rw- 17 root localhost.$DATE.log
-rw-rw-rw- 17 root localhost_access_log.$DATE.txt
-rw-rw-rw- 17 root manager.$DATE.log
drwxrwxrwx 17 root pki
drwxrwx--- root backup
-rw-rw-rw- root catalina.$DATE.log
-rw-rw-rw- root host-manager.$DATE.log
-rw-rw-rw- root localhost.$DATE.log
-rw-rw-rw- root localhost_access_log.$DATE.txt
-rw-rw-rw- root manager.$DATE.log
drwxrwxrwx root pki
EOF

diff expected output
Expand Down Expand Up @@ -244,6 +251,11 @@ jobs:
run: |
docker logs acme 2>&1

- name: Check certbot logs
if: always()
run: |
docker exec client cat /var/log/letsencrypt/letsencrypt.log

- name: Check client container logs
if: always()
run: |
Expand All @@ -252,13 +264,15 @@ jobs:
- name: Gather artifacts
if: always()
run: |
docker exec acme ls -la /etc/pki/pki-tomcat
mkdir -p /tmp/artifacts/acme/etc/pki
docker cp acme:/etc/pki/pki-tomcat /tmp/artifacts/acme/etc/pki

docker exec acme ls -la /var/log/pki/pki-tomcat
mkdir -p /tmp/artifacts/acme/var/log/pki
docker cp acme:/var/log/pki/pki-tomcat /tmp/artifacts/acme/var/log/pki
mkdir -p /tmp/artifacts/acme
cp -r certs /tmp/artifacts/acme
cp -r metadata /tmp/artifacts/acme
cp -r database /tmp/artifacts/acme
cp -r issuer /tmp/artifacts/acme
cp -r realm /tmp/artifacts/acme
cp -r data /tmp/artifacts/acme

docker logs acme > /tmp/artifacts/acme/container.out 2> /tmp/artifacts/acme/container.err

docker exec client ls -la /etc/letsencrypt/live
mkdir -p /tmp/artifacts/client/etc/letsencrypt
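Review bot: The rewritten sed expression in the four `ls -l` checks (data, data/conf, data/conf/acme, data/logs) no longer captures the owner column, so these steps now compare only mode, group and name, and a change in file ownership would pass unnoticed. The expected listings also still pin `-rw-rw-rw-` for password.conf and `drwxrwxrwx` for alias and certs under the existing "TODO: review owners/permissions", so the test asserts world-writable credential material as the correct state. If the owner cannot be compared from the runner (presumably because the UID seen on the host differs between Docker and Podman), the comment should say so, e.g. `# owner is not compared here; only mode and group are checked`, and ownership would be better verified from inside the container. The affected steps begin outside the visible hunks, and the same sed change appears in ca-container-test.yml.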
133 changes: 67 additions & 66 deletions .github/workflows/ca-container-test.yml
Expand Up @@ -13,6 +13,14 @@ jobs:
env:
SHARED: /tmp/workdir/pki
steps:
- name: Install dependencies
run: |
sudo apt-get update

# replace docker with podman
sudo apt-get -y purge --auto-remove docker-ce-cli
sudo apt-get -y install podman-docker

- name: Clone repository
uses: actions/checkout@v4

Expand All @@ -35,12 +43,10 @@ jobs:

- name: Set up client container
run: |
tests/bin/runner-init.sh client
env:
HOSTNAME: client.example.com

- name: Connect client container to network
run: docker network connect example client --alias client.example.com
tests/bin/runner-init.sh \
--hostname=client.example.com \
--network=example \
client

- name: Create CA signing cert
run: |
Expand Down Expand Up @@ -227,14 +233,14 @@ jobs:
ls -l data \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by docker group
# TODO: review owners/permissions
cat > expected << EOF
drwxrwxrwx 17 root conf
drwxrwxrwx 17 root logs
drwxrwxrwx docker conf
drwxrwxrwx docker logs
EOF

diff expected output
Expand All @@ -245,26 +251,26 @@ jobs:
ls -l data/conf \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by docker group
# TODO: review owners/permissions
cat > expected << EOF
drwxrwxrwx 17 root Catalina
drwxrwxrwx 17 root alias
drwxrwxrwx 17 root ca
-rw-rw-rw- 17 root catalina.policy
lrwxrwxrwx 17 root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwxrwx 17 root certs
lrwxrwxrwx 17 root context.xml -> /etc/tomcat/context.xml
-rw-rw-rw- 17 root jss.conf
lrwxrwxrwx 17 root logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw-rw- 17 root password.conf
-rw-rw-rw- 17 root server.xml
-rw-rw-rw- 17 root serverCertNick.conf
-rw-rw-rw- 17 root tomcat.conf
lrwxrwxrwx 17 root web.xml -> /etc/tomcat/web.xml
drwxrwxrwx docker Catalina
drwxrwxrwx docker alias
drwxrwxrwx docker ca
-rw-rw-rw- docker catalina.policy
lrwxrwxrwx docker catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwxrwx docker certs
lrwxrwxrwx docker context.xml -> /etc/tomcat/context.xml
-rw-rw-rw- docker jss.conf
lrwxrwxrwx docker logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw-rw- docker password.conf
-rw-rw-rw- docker server.xml
-rw-rw-rw- docker serverCertNick.conf
-rw-rw-rw- docker tomcat.conf
lrwxrwxrwx docker web.xml -> /etc/tomcat/web.xml
EOF

diff expected output
Expand All @@ -275,26 +281,26 @@ jobs:
ls -l data/conf/ca \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
-e '/^\S* *\S* *\S* *CS.cfg.bak /d' \
| tee output

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by docker group
# TODO: review owners/permissions
cat > expected << EOF
-rw-rw-rw- 17 root CS.cfg
-rw-rw-rw- 17 root adminCert.profile
drwxrwxrwx 17 root archives
-rw-rw-rw- 17 root caAuditSigningCert.profile
-rw-rw-rw- 17 root caCert.profile
-rw-rw-rw- 17 root caOCSPCert.profile
drwxrwxrwx 17 root emails
-rw-rw-rw- 17 root flatfile.txt
drwxrwxrwx 17 root profiles
-rw-rw-rw- 17 root proxy.conf
-rw-rw-rw- 17 root registry.cfg
-rw-rw-rw- 17 root serverCert.profile
-rw-rw-rw- 17 root subsystemCert.profile
-rw-rw-rw- docker CS.cfg
-rw-rw-rw- docker adminCert.profile
drwxrwxrwx docker archives
-rw-rw-rw- docker caAuditSigningCert.profile
-rw-rw-rw- docker caCert.profile
-rw-rw-rw- docker caOCSPCert.profile
drwxrwxrwx docker emails
-rw-rw-rw- docker flatfile.txt
drwxrwxrwx docker profiles
-rw-rw-rw- docker proxy.conf
-rw-rw-rw- docker registry.cfg
-rw-rw-rw- docker serverCert.profile
-rw-rw-rw- docker subsystemCert.profile
EOF

diff expected output
Expand All @@ -305,22 +311,22 @@ jobs:
ls -l data/logs \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
| tee output

DATE=$(date +'%Y-%m-%d')

# everything should be owned by pkiuser:root (UID=17, GID=0)
# everything should be owned by docker group
# TODO: review owners/permissions
cat > expected << EOF
drwxrwx--- 17 root backup
drwxrwx--- 17 root ca
-rw-rw-r-- 17 root catalina.$DATE.log
-rw-rw-r-- 17 root host-manager.$DATE.log
-rw-rw-r-- 17 root localhost.$DATE.log
-rw-rw-rw- 17 root localhost_access_log.$DATE.txt
-rw-rw-r-- 17 root manager.$DATE.log
drwxrwxrwx 17 root pki
drwxrwx--- docker backup
drwxrwx--- docker ca
-rw-rw-r-- docker catalina.$DATE.log
-rw-rw-r-- docker host-manager.$DATE.log
-rw-rw-r-- docker localhost.$DATE.log
-rw-rw-rw- docker localhost_access_log.$DATE.txt
-rw-rw-r-- docker manager.$DATE.log
drwxrwxrwx docker pki
EOF

diff expected output
Expand All @@ -339,14 +345,13 @@ jobs:

- name: Set up DS container
run: |
tests/bin/ds-container-create.sh ds
env:
IMAGE: ${{ env.DB_IMAGE }}
HOSTNAME: ds.example.com
PASSWORD: Secret.123

- name: Connect DS container to network
run: docker network connect example ds --alias ds.example.com
tests/bin/ds-container-create.sh \
--image=${{ env.DB_IMAGE }} \
--hostname=ds.example.com \
--network=example \
--network-alias=ds.example.com \
--password=Secret.123 \
ds

# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database
- name: Initialize CA database
Expand Down Expand Up @@ -565,13 +570,9 @@ jobs:
run: |
tests/bin/ds-artifacts-save.sh ds

docker exec ca ls -la /etc/pki
mkdir -p /tmp/artifacts/ca/etc/pki
docker cp ca:/etc/pki/pki.conf /tmp/artifacts/ca/etc/pki

docker exec ca ls -la /var/log/pki
mkdir -p /tmp/artifacts/ca/var/log
docker cp ca:/var/log/pki /tmp/artifacts/ca/var/log
mkdir -p /tmp/artifacts/ca
cp -r certs /tmp/artifacts/ca
cp -r data /tmp/artifacts/ca

docker logs ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err

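Review bot: In the "Set up DS container" step, `--image=${{ env.DB_IMAGE }}` is now expanded by the workflow engine directly into the `run:` script text, where the previous version handed the value to the script through the step's `env:` block. An expression substituted into a script is parsed by the shell, so a value containing shell metacharacters would be interpreted as code; where DB_IMAGE is set is not visible in this hunk, so whether it can ever carry input from outside the repository should be confirmed. Reading it as a shell variable keeps it as data, e.g. `--image="$DB_IMAGE" \` (assuming DB_IMAGE is defined in a workflow- or job-level `env:` block and is therefore already exported to the step). The same step also moves the test password from `env:` to the argument `--password=Secret.123`, which places it on the process command line; a short comment such as `# test-only credential, never reuse` would make the intent explicit.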