I proposed a solution to this use case a while ago but didn't get much support. You can see the issue and the PR here:

https://pagure.io/standard-test-roles/issue/106
https://pagure.io/standard-test-roles/pull-request/109

Please weigh in if you think it solves your needs.

Thanks,
Fred

On Tue, Apr 24, 2018 at 7:39 AM, Vít Ondruch <vondruch@redhat.com> wrote:
I concur with Miro, I don't want to run the test suite directly on my
machine, and even less do I want to run it with root privileges. I think the
best option would be to use mock, since we are using mock all the time
to build packages.

However, I have SystemTap tests which need to build and load a kernel
module. While it is possible to load kernel modules in container, I am
not sure it is wise to do that. So Vagrant or something similar could be
used instead (or in parallel?).


V.


On 23.4.2018 at 18:51, Miro Hrončok wrote:
> On 23.4.2018 18:18, Andrei Stepanov wrote:
>>     I want to execute the playbook as root inside a container.
>>
>>
>> There are test-runner and test-environment
>> (https://fedoraproject.org/wiki/CI/Standard_Test_Interface)
>
> I understood that this is a specification. As a user, I'm not really
> interested in a specification, I want to be able to create integration
> tests with ease. I feel lost in all the MUSTs, etc.
>
>> Standard_Test_Interface expects that tests start at test-runner.
>>
>> There could be some preparation steps on test-runner (like installing
>> packages, etc). To make this possible, STI defines unified
>> requirements: "MUST execute the playbook as root" on test-runner.
>>
>> CI pipeline runs all playbooks with root credentials.
>
> I understand that. Yet I struggle to understand the following:
>
> How do I test that my tests are correct without running them on my own
> machine under root? Please provide examples, preferably link to a how
> to (or if it is not yet documented, we can do that together).
>
>> Could you please say: id churchyard ?
>
> I'm in the docker group.
>
> uid=1000(churchyard) gid=1000(churchyard)
> groups=1000(churchyard),10(wheel),18(dialout),135(mock),1002(taskotron),1004(docker)
>
>> The point is: a user that can start/stop/act on containers can make any
>> modification to the whole system. It is the same as acting from the root account.
>> Short: "Giving them full root access to the host system."
>> Long:
>> https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
>
> I understand that this is not secure. However I wrote the tests and I
> am not running some arbitrary (possibly malicious) code. I just want
> to do this to keep the tests from creating and modifying files in my system.
>
> -----------------------
>
> Let me explain a bit about what's my "goal", so we are not burning
> time on Y problem.
>
> I wrote a script that runs some commands (pdflatex in particular). If
> that script exits with 0, I consider it good. If it exits with >0, I
> consider it bad. I can successfully run the script on my machine to
> test if my pdflatex works as expected.
>
> Now I want to put this into CI, so when a new version of texlive is
> built, this script runs on a system with the newly built latex. If it
> fails, somebody needs to be notified.
>
> In order to do this, I went through [1] and I created a bunch of
> boilerplate in yaml to run the script (which is tedious, but
> acceptable, I guess).
>
> Now I want to verify that my yaml boilerplate works. I want to say:
>
>     run-this-standard-test-in-docker --image fedora:rawhide \
>                                      --nvr texlive-2017-3.fc29
>
> Yet I struggle to find a way how.
>
> Note that the following works for me as well:
>
>
>     run-this-standard-test-in-mock --mock fedora-rawhide-x86_64 \
>                                    --nvr texlive-2017-3.fc29
>
> [1] https://fedoraproject.org/wiki/CI/Tests#Wrapping
>
_______________________________________________
CI mailing list -- ci@lists.fedoraproject.org